
Netskope Threat Protection — Malware, Sandbox, CFW, RBI & GenAI

A user clicks a link, a file lands on the laptop, and now you have seconds to decide: known-bad, zero-day, or fine? This lesson is Netskope’s threat-defense layer — the anti-malware scan, the Cloud Sandbox that detonates the unknown, the Cloud Firewall for non-web ports, RBI for sketchy sites, UEBA for odd behaviour, and AI Guardrails for what your people paste into ChatGPT.

📅 2026-06-05 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Netskope Threat Protection for L1/L2 engineers: malware detection profiles, the Cloud Sandbox hold-for-verdict, Cloud Firewall (FWaaS), IPS Alert vs Block, RBI isolation, UEBA/UCI analytics, and GenAI AI Guardrails — with real console paths and gotchas.


Pick where you want to start

1. Malware & Sandbox: scan profiles + the sandbox that detonates the unknown.
2. CFW & IPS: non-web ports and signatures, without breaking prod.
3. RBI & UEBA: isolate risky sites; spot abnormal user behaviour.
4. GenAI Guardrails: DLP on prompts + jailbreak/prompt-injection block.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. An unknown file (never seen before) is downloaded. What catches it? (Answered in Malware & Sandbox.)
2. A user needs to open a sketchy, uncategorized website. Safest option? (Answered in RBI & UEBA.)
3. Where would you stop staff pasting client PII into ChatGPT? (Answered in GenAI Guardrails.)

Most engineers think…

Most engineers assume “Threat Protection = anti-virus in the cloud” — a signature scanner that blocks known bad files and that’s it.

Wrong, and it leaves you exposed to the attacks that actually land. Signatures only catch what’s already known. Real Threat Protection adds a Cloud Sandbox that detonates unknown files before they reach the user, a Cloud Firewall + IPS for non-web ports, RBI to neutralise risky sites, UEBA to catch compromised users, and AI Guardrails for GenAI. It’s a layered defense, not one scanner.

① Anti-malware + the Cloud Sandbox — stopping the unknown

Threat Protection is Netskope’s defense layer: it inspects files and traffic for badness on the same single-pass engine that does web, SaaS and private-app control. The first job is malware. A classic signature scan backed by threat intelligence catches what is already known. But the attacks that hurt are the ones nobody has seen yet.

You don’t build malware controls inline. You build a reusable Malware Detection Profile first, then apply it inside a policy. The path is Policies → Threat Protection → Malware Detection Profiles tab → New Malware Detection Profile. The wizard goes Threat Scan (“The Netskope malware scan” is selected by default and can’t be changed) → Allowlist (a file profile of known-good hashes) → Blocklist → Set Profile (name it) → Save Malware Detection Profile → Apply Changes.

👉 So far: TP rides the single-pass engine; you build a Malware Detection Profile, then apply it. Next: the sandbox that handles files signatures can’t.
Figure 1 — The threat-defense layers
[Infographic, "One file, many checkpoints": a single download (unknown.exe) flows left to right through four inline threat defenses, anti-malware scan + threat intel, IPS signature block, Cloud Firewall for non-web ports, and the Cloud Sandbox that detonates unknown files, all riding on the Netskope single-pass engine; only a clean verdict reaches the user. Alongside: RBI (Isolate) turns risky/uncategorized sites into a pixel stream, UEBA / Behaviour Analytics watches the user (insider, compromised device, stolen credentials), and AI Guardrails inspect every GenAI prompt (ChatGPT, Copilot, Gemini: DLP + jailbreak block).]
Look at the chain: a file must clear anti-malware, IPS, Cloud Firewall and (if unknown) the Sandbox before a clean verdict reaches the user. RBI, UEBA and AI Guardrails sit alongside.

For the unknown file, you need the Cloud Sandbox (also called dynamic threat analysis). It runs the file in an isolated VM, watches its behaviour across 30+ file types (PE, Office, PDF, archives, scripts), and returns a report mapped to MITRE ATT&CK. The killer feature is hold-for-verdict (the “Patient Zero” protection).

Figure 2 — Hold-for-verdict (Patient Zero)
[Infographic, "Patient Zero is held at the door until the sandbox returns a verdict": Sneha (L1, 10.50.6.20) downloads unknown.xlsm; Netskope holds the file ("Block till benign verdict") while the Cloud Sandbox detonates it in an isolated VM (~2 min, up to 10; 30+ file types; MITRE ATT&CK report). Verdict malicious: BLOCK, the user never receives it. Verdict benign: RELEASE, delivered after the verdict. Key idea: the FIRST victim is protected, not just everyone after.]
Watch the unknown file get held at the door while the sandbox detonates it (~2 min, up to 10). Malicious → blocked; benign → released. The FIRST victim is protected.

▶ Follow one unknown file: Sneha downloads invoice.xlsm

Watch hold-for-verdict protect Patient Zero, end to end. The healthy path:

① Download: Sneha (10.50.6.20) downloads invoice.xlsm, never seen before.
② Scan miss: anti-malware signature = no match (it’s a zero-day macro).
③ Hold + detonate: the policy holds the file; the Cloud Sandbox runs it in a VM (~2 min).
④ Verdict: sandbox says malicious → BLOCK; Sneha never receives it.

🖥️ This is the screen you’ll use to apply the profile: Netskope tenant → Policies → Real-time Protection → New Policy → Threat Protection. The Advanced toggle is what turns on hold-for-verdict. (Recreated for clarity; your tenant matches this.)

tenant.goskope.com · Policies → Real-time Protection → Threat Protection
1. Policy Name: Block malware + sandbox unknowns
   Users / Groups: All Users
2. Activity: Upload / Download
3. Threat Protection profile: Default Malware Scan (predefined)
4. Action (per severity): Block
5. Advanced: Block till benign verdict by dynamic threat analysis
Save & Apply Changes
Common mistake — building the profile and thinking you’re done

Symptom: you created a Malware Detection Profile but malware still gets through. Cause: a profile does nothing on its own — it must be consumed inside a Real-time Protection → Threat Protection policy with Activity = Upload/Download and Action = Block. Students mix up the two screens. Fix: build the profile in Threat Protection, then apply it in Real-time Protection.

Quick check · Q1 of 10

Sneha created a Malware Detection Profile a week ago, but a known-bad file just got downloaded and ran. What’s the most likely cause?

Correct: a. A Malware Detection Profile is just reusable config — it does nothing until it’s consumed by a Real-time Protection → Threat Protection policy (Activity Upload/Download, Action Block). The profile-vs-policy split is the classic trap. The sandbox/feeds/size answers don’t explain a known-bad file slipping past a profile that was never enforced.

Pause & Predict

Predict: a large legitimate download from a trusted vendor keeps “hanging” for ~3 minutes before it completes. Is this a bug? Type your guess.

Answer: No — it’s hold-for-verdict working. “Block till benign verdict by dynamic threat analysis” holds an unknown file (~2 min typical, up to 10) while the sandbox detonates it, then releases it once benign. To stop the hang for trusted vendors, add their file hashes to the Allowlist file profile so they skip detonation.

② Cloud Firewall (FWaaS) + IPS — beyond the web

A web proxy only sees ports 80/443. But threats and data move on other ports too — SSH, SMTP, custom TCP/UDP, DNS. That’s what Cloud Firewall (FWaaS) is for: cloud-delivered L3/L4 control for the non-web traffic SWG ignores. You write rules at Policies → Real-time Protection → New Policy → Firewall.

A firewall rule’s destination can be a cloud app, a DPI app, or a Custom Firewall Application (IP/CIDR/FQDN/wildcard + port/protocol). The default Non-Web Policy is block-all, editable via the pencil icon. One gotcha that bites everyone: set the Destination before the Source — doing it in the wrong order can drop your data in the form.

Common mistake — FQDN firewall rules that silently never match

Symptom: your Cloud Firewall rule for *.vendor.com:8443 never fires over a branch tunnel. Cause: FQDN/wildcard destinations only resolve when traffic is steered via the Netskope Client (NSClient) — IPsec/GRE tunnels see only IP addresses, so the L7 name is invisible. Fix: use IP/CIDR Custom Firewall Apps for tunnel-steered sites, reserve FQDN rules for NSClient endpoints, and block DoH/DoT (TCP 853) so DNS resolution can’t hide.

IPS rides on top, at Settings → Threat Protection → IPS Settings. You set IPS Status to Alert or Block, pick the traffic scope (Non-Web needs CFW; Cloud Apps & Web; Private App Segments need NPA), and maintain three allowlists — Source IP, Domain (FQDN/wildcard), Destination IP. The golden rule: never go straight to Block.
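As an added example (not Netskope code and not a Netskope export format), a Python lint over constructed Cloud Firewall rules and IPS settings that flags the two rollout mistakes described above: FQDN/wildcard destinations on tunnel-steered traffic, and IPS flipped to Block with no Alert-only window or allowlists. The dict keys, rule names and the 203.0.113.0/24 range are assumptions; the steering methods, destination types, port 853 and the 2–4 week window come from the lesson.

```python
"""Lint Cloud Firewall rules and an IPS rollout for the gotchas this lesson describes.

Added example, not Netskope code: the rule and IPS dicts are a constructed shape
(keys are assumptions); steering methods, destination types, ports and the
Alert-first window are the ones the lesson gives.
"""
from datetime import date

TUNNEL_STEERING = {"ipsec", "gre"}   # tunnels see only IPs, so FQDN rules never match
NAME_DEST_TYPES = {"fqdn", "wildcard"}
ALERT_WINDOW_DAYS = 14               # lesson guidance: Alert-only for 2-4 weeks first
TODAY = date(2026, 6, 5)             # constructed "today" for the IPS rollout check

# Constructed rules: 203.0.113.0/24 is a documentation range, not a real partner.
SAMPLE_RULES = [
    {"name": "partner-sync-tunnel", "destination": "*.vendor.com", "dest_type": "wildcard",
     "ports": [8443], "steering": "ipsec", "action": "allow"},
    {"name": "partner-sync-cidr", "destination": "203.0.113.0/24", "dest_type": "cidr",
     "ports": [8443], "steering": "ipsec", "action": "allow"},
    {"name": "vendor-from-laptops", "destination": "*.vendor.com", "dest_type": "wildcard",
     "ports": [8443], "steering": "nsclient", "action": "allow"},
    {"name": "dns-out", "destination": "0.0.0.0/0", "dest_type": "cidr",
     "ports": [53, 853], "steering": "nsclient", "action": "allow"},
]

# Constructed IPS settings: Block flipped on day one, nothing allowlisted (Karthik's case),
# and a tuned variant that went Alert-first and allowlisted the finance host.
SAMPLE_IPS = {"status": "Block", "alert_since": None,
              "source_ip_allowlist": [], "critical_sources": ["10.22.4.18"]}
SAMPLE_IPS_TUNED = {"status": "Block", "alert_since": date(2026, 5, 1),
                    "source_ip_allowlist": ["10.22.4.18"], "critical_sources": ["10.22.4.18"]}


def lint_firewall_rule(rule):
    """Return (level, message) findings for one Cloud Firewall rule."""
    findings = []
    dest_type, steering = rule["dest_type"].lower(), rule["steering"].lower()
    if dest_type in NAME_DEST_TYPES and steering in TUNNEL_STEERING:
        findings.append(("error",
            f"{rule['name']}: {dest_type} destination {rule['destination']} is invisible "
            f"over a {steering} tunnel and will never match; use an IP/CIDR Custom "
            "Firewall Application for tunnel-steered sites"))
    if rule.get("action", "").lower() == "allow" and 853 in rule.get("ports", []):
        findings.append(("warn",
            f"{rule['name']}: allowing port 853 (DoT/DoH) lets clients resolve names "
            "outside the DNS you inspect; the lesson says block it"))
    return findings


def lint_ips_rollout(ips, today=TODAY):
    """Check IPS went Alert-first, was tuned, and allowlists cover critical flows."""
    findings = []
    if ips["status"].lower() == "block":
        since = ips.get("alert_since")
        if since is None:
            findings.append(("error", "IPS is in Block with no Alert-only tuning window; "
                             "set Status = Alert and run 2-4 weeks first"))
        elif (today - since).days < ALERT_WINDOW_DAYS:
            findings.append(("warn", f"IPS moved to Block after only {(today - since).days} "
                             "days in Alert; lesson guidance is 2-4 weeks"))
    for src in ips.get("critical_sources", []):
        if src not in ips.get("source_ip_allowlist", []):
            findings.append(("warn", f"critical source {src} is not in the IPS Source IP "
                             "Allowlist; one false-positive signature will block it"))
    return findings


def lint_all(rules, ips, today=TODAY):
    """Aggregate findings; errors are rules that silently never fire or break prod."""
    findings = []
    for rule in rules:
        findings.extend(lint_firewall_rule(rule))
    findings.extend(lint_ips_rollout(ips, today))
    return findings


if __name__ == "__main__":
    for level, msg in lint_all(SAMPLE_RULES, SAMPLE_IPS):
        print(f"[{level.upper():5s}] {msg}")
```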

Figure 3 — Standard vs Advanced Threat Protection
[Infographic, two columns, "Which licence stops a zero-day? Only the one with the sandbox".
Standard Threat Protection (Fast Scan, signatures, threat intel): ✓ known malware blocked instantly by hash/signature; ✓ threat intel feeds (known bad URLs / IPs / hashes); ✗ zero-day / unknown file passes, never detonated; ✗ Patient Zero, the first victim, is NOT protected; speed: no hold, instant verdict.
Advanced Threat Protection (Deep Scan + Cloud Sandbox + ML): ✓ everything Standard does plus full deep analysis; ✓ zero-day / unknown file detonated in a sandbox VM; ✓ Patient Zero held until verdict, first victim safe; ✓ MITRE ATT&CK report of what the file actually did; speed: short hold (~2 min) on unknowns.]
Compare the two licences: Standard (Fast Scan, signatures) blocks known malware instantly but lets a zero-day through. Advanced adds the sandbox + hold-for-verdict, so even unknown files are caught.

Karthik at Wipro faces this

Karthik, an L2 engineer, flips IPS Status to Block on day one. Within an hour, the nightly finance sync from 10.22.4.18 to a partner on TCP 8443 stops working and the helpdesk lights up.

Likely cause

A single IPS signature false-positive matched the finance flow. Going straight to Block mode kills real business the moment any signature mis-fires — there was no Alert-only tuning window to catch it first.

Diagnosis

In Skope IT → Alerts he filters Alert Type = IPS and sees the 10.22.4.18 → partner:8443 flow tagged Action: Block by one noisy signature ID.

Console paths: Settings → Threat Protection → IPS Settings (status/allowlists) + Skope IT → Alerts (filter Alert Type = IPS)

Fix

Set IPS Status back to Alert, run alert-only for 2–4 weeks, add 10.22.4.18 to the IPS Source IP Allowlist (and the partner FQDN to the Domain Allowlist), escalate the bad signature ID to Netskope support, then flip to Block.

Verify

In Skope IT the 10.22.4.18 → partner:8443 flow now shows Action: Alert (not Block); the finance sync completes; after the tuning window, Block is re-enabled with the allowlist in place.

Pause & Predict

Predict: a teammate says “let’s turn IPS to Block now so we’re protected immediately.” Why push back? Type your guess.

Answer: Because IPS in Block on day one blocks legitimate traffic the moment any signature false-positives — and you have no tuning data. Netskope’s guidance is Alert (alert-only) for 2–4 weeks, tune the Source IP / Domain allowlists, escalate bad signatures, then flip to Block. Protection that breaks prod gets switched off.

Quick check · Q2 of 10

You need to control SSH (TCP 22) and SMTP (TCP 25) traffic from users to the internet. SWG isn’t catching it. Which control fits?

Correct: b. SSH and SMTP are non-web ports — outside SWG’s 80/443 lane. Cloud Firewall (FWaaS) handles non-web ports/protocols via Custom Firewall Applications (IP/CIDR/FQDN + port). URL categories and DLP-on-upload are web/data controls; RBI isolates risky websites, not raw ports.

③ RBI for risky sites + UEBA for risky users

Sometimes you can’t cleanly block or allow. A user genuinely needs to open an uncategorized or Security Risk site. Blocking stops the work; allowing risks malware. The answer is Remote Browser Isolation (RBI): the site runs in a cloud container and the user gets only a pixel stream. No active code (scripts, exploits, drive-by malware) ever reaches the laptop.

You enable it by setting a Real-time Protection policy action to Isolate at Policies → Real-time Protection → New Policy. Targeted RBI auto-isolates the Uncategorized and Security Risk categories. One current requirement bites people: every Isolate policy now needs the Source = Browser access-method criterion (the Netskope Client can’t isolate, only browsers can) — leave it off and matching requests are silently “not isolable” and passed through. Inside the isolated session you can block file upload/download and limit copy/paste/print — so even if a page is hostile, it can neither infect the endpoint nor exfiltrate data.

Figure 4 — Pick the control by the threat
[Infographic, decision tree, "What am I defending against?" → pick the control: known-bad file → Malware Detection Profile; unknown file → Cloud Sandbox (hold); non-web port → Cloud Firewall + IPS; risky website → RBI (Isolate); odd user behaviour → UEBA / UCI score; leak into GenAI → AI Guardrails + DLP.]
Use this decision tree: name the threat first (known file, unknown file, non-web port, risky site, odd behaviour, GenAI leak) and the right control falls out.

RBI defends against the site. UEBA (Behaviour Analytics) defends against the user turning bad. It has three categories — Insider Threat, Compromised Device, Compromised Credentials — built on rule-based policies at Policies → Insider Threats & Advanced Compromise → Rule-Based. The Compromised-Credentials DB is refreshed daily (≈2-day detection of leaked creds). The UCI (User Confidence Index) is the score that drives adaptive action.

Four threat-defense ideas worth memorising

These come up in interviews and on the job.

🧪 Hold-for-verdict: hold an unknown file until the sandbox returns a verdict. Protects Patient Zero, the FIRST victim, not just everyone after.

🛡️ RBI Isolate: a risky/uncategorized site runs in the cloud; the user sees only pixels. No active code touches the endpoint. Set action = Isolate.

📈 UCI score: User Confidence Index, a per-user risk score. Drops when behaviour looks compromised, driving coach → alert → block automatically.

🚦 Alert before Block: IPS (and new controls) go Alert-only for 2–4 weeks, tune allowlists, THEN Block. Protection that breaks prod gets disabled.

Quick check · Q3 of 10

A user must open a newly-registered, uncategorized vendor portal you can’t verify. You want them productive but safe. Best action?

Correct: d. RBI Isolate runs the risky/uncategorized site in a cloud container and streams pixels only — no active code reaches the endpoint, and you can disable up/download and copy/paste. Blocking kills productivity; allowing risks malware; a firewall allowlist is for ports, not browser-borne web threats.

Pause & Predict

Predict: UEBA flags a user’s UCI score dropping sharply right after their email appeared in a breach dump. Which UEBA category is firing, and roughly how fast? Type your guess.

Answer: Compromised Credentials. Netskope refreshes its compromised-credentials database daily, so a leaked credential typically surfaces within about 2 days; the matching user’s UCI drops, which can trigger coach/alert/block via the rule-based policy.

④ GenAI governance with AI Guardrails — and your path forward

The newest threat surface isn’t a file — it’s the prompt. People paste source code, client PII and secrets into ChatGPT, Copilot and Gemini every day (about 72% use personal GenAI accounts, not the sanctioned one). Netskope’s answer, GA since March 2026, is AI Guardrails.

AI Guardrails inspects every prompt and response (in 29 languages), applies your existing DLP profiles to what users type, and stops prompt injection and jailbreaking. It plugs into the same DLP + Threat Protection you’ve already built. The key shift: in Netskope, typing a prompt into a chat box steers as the Post activity — so you must inspect Post (and Download for the reply), not just Upload. The most common GenAI-DLP miss is a policy that only watches uploads, so pasted PII in a prompt sails straight through.

Figure 5 — Threat Protection cheat-sheet
[Infographic, nine tiles, "Threat Protection: your one-glance control map": Malware Profile (reusable scan + allow/block lists); TP Policy (applies the profile to Upload/Download); Cloud Sandbox (detonate unknown, hold-for-verdict); Cloud Firewall (non-web ports & protocols, L3/L4); IPS (signature block, run Alert first); RBI (Isolate: risky/uncategorized → pixel stream); UEBA (insider, device, stolen creds, UCI); AI Guardrails (GenAI prompt DLP + jailbreak stop); Skope IT (events, sandbox reports, incidents).]
Your one-card map: each control, the threat it handles, and where it lives in the console. Screenshot this before your next interview.

Pro tip — the mental model that sticks

When any Threat Protection question lands, ask two things: (1) what is the threat? known file → Malware Profile, unknown file → Sandbox, non-web port → Cloud Firewall + IPS, risky site → RBI Isolate, odd user → UEBA, GenAI leak → AI Guardrails; (2) did I deploy it safely? new signature-based controls go Alert-first, then Block. Almost every config maps onto that grid.

Common mistake — GenAI DLP that only watches Upload

Symptom: client PII still leaks to ChatGPT even though you “turned on DLP.” Cause: the policy inspects the Upload activity only, not the Post activity — the prompt a user types into the chat box — or the personal app instance isn’t steered. Fix: apply DLP to Upload, Download and Post; turn on AI Guardrails for prompt-injection/jailbreak; block personal GenAI instances and steer the sanctioned one.

Prove you’ve got the threat-defense model

You should be able to take any real event — “a user downloads an unknown macro file from a newly-registered site” — and name the layers: Malware Profile (signature miss) → Cloud Sandbox hold-for-verdict (detonate) → RBI if the site were merely risky → Skope IT to read the MITRE ATT&CK report. If you can narrate that chain, you’re ready for Lesson 8.

Read a Cloud Sandbox verdict from the Netskope REST API (Skope IT alerts)

  # Pull the last 24 h (86400 s) of malware alerts; NS_TOKEN holds a REST API v2 token
  curl -s "https://tenant.goskope.com/api/v2/events/dataexport/alerts/malware?timeperiod=86400" \
    -H "Netskope-Api-Token: $NS_TOKEN"

  # (or in the UI: Skope IT → Alerts → Malware → click the file → Sandbox report)

Expected output
severity      : high
file_name     : invoice.xlsm
file_type     : MS Office (macro)
sandbox_status: malicious
threat_match  : Dynamic.Analysis (MITRE T1059.005)
action        : blocked
user          : sneha@wipro.com  (UCI: 412 — low)
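As an added example (not Netskope code), a Python triage over malware alerts that checks whether hold-for-verdict and the Block action actually applied, using constructed records that carry the field names from the expected output above; fetch_alerts() calls the endpoint shown, and the "result" key it reads from the JSON body is an assumption, as are the sample users and file names.

```python
"""Triage Netskope malware alerts: did hold-for-verdict and the Block action bite?

Added example, not Netskope code. The alert dicts are constructed to carry the fields
shown in the lesson's expected output (severity, file_name, file_type, sandbox_status,
action, user); the "result" key fetch_alerts() reads from the JSON body is an assumption.
"""
import json
import urllib.request
from collections import Counter

# Constructed sample alerts, not real tenant data (users and file names are placeholders).
SAMPLE_ALERTS = [
    {"severity": "high", "file_name": "invoice.xlsm", "file_type": "MS Office (macro)",
     "sandbox_status": "malicious", "action": "blocked", "user": "sneha@example.com"},
    {"severity": "high", "file_name": "dropper.exe", "file_type": "PE",
     "sandbox_status": None, "action": "blocked", "user": "karthik@example.com"},
    {"severity": "low", "file_name": "quarterly.pdf", "file_type": "PDF",
     "sandbox_status": "benign", "action": "allow", "user": "priya@example.com"},
    {"severity": "high", "file_name": "update.js", "file_type": "script",
     "sandbox_status": "malicious", "action": "allow", "user": "ravi@example.com"},
    {"severity": "high", "file_name": "tool.exe", "file_type": "PE",
     "sandbox_status": None, "action": "allow", "user": "ravi@example.com"},
]

# What each unhealthy outcome means in console terms (paths from the lesson).
FIXES = {
    "escaped_after_verdict": (
        "sandbox said malicious but the file was already delivered, so Patient Zero was "
        "exposed: turn on Advanced > 'Block till benign verdict by dynamic threat "
        "analysis' in the Threat Protection policy"),
    "known_bad_not_blocked": (
        "signature alert without a block: the profile is consumed by a policy whose "
        "Action is not Block. Check Policies > Real-time Protection > Threat Protection: "
        "Activity = Upload/Download, Action = Block"),
}


def classify(alert):
    """Map one alert to an outcome. Healthy: signature_blocked, held_and_blocked,
    released_benign. The other two outcomes point at a policy misconfiguration."""
    verdict = (alert.get("sandbox_status") or "").lower()
    blocked = (alert.get("action") or "").lower() in ("block", "blocked")
    if verdict == "malicious":
        return "held_and_blocked" if blocked else "escaped_after_verdict"
    if verdict == "benign":
        return "released_benign"
    # No sandbox verdict at all: the signature/threat-intel scan alone decided.
    return "signature_blocked" if blocked else "known_bad_not_blocked"


def triage(alerts):
    """Return (outcome counts, findings that need a policy fix)."""
    counts, findings = Counter(), []
    for alert in alerts:
        outcome = classify(alert)
        counts[outcome] += 1
        if outcome in FIXES:
            findings.append({"user": alert.get("user"), "file_name": alert.get("file_name"),
                             "outcome": outcome, "fix": FIXES[outcome]})
    return counts, findings


def fetch_alerts(tenant, token, timeperiod=86400):
    """Pull the last `timeperiod` seconds of malware alerts from a tenant (network call)."""
    url = f"https://{tenant}/api/v2/events/dataexport/alerts/malware?timeperiod={timeperiod}"
    req = urllib.request.Request(url, headers={"Netskope-Api-Token": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return body.get("result", [])   # assumption: alert records sit under "result"


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_ALERTS)
    for outcome, n in sorted(counts.items()):
        print(f"{outcome:24s} {n}")
    for f in findings:
        print(f"FIX {f['user']} {f['file_name']}: {f['fix']}")
```

To run it against a tenant, replace SAMPLE_ALERTS with fetch_alerts("tenant.goskope.com", token) and read the findings list in Skope IT alongside the sandbox report.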
Quick check · Q4 of 10

Two designs to stop client data leaking into ChatGPT: (A) block chat.openai.com entirely at SWG; (B) AI Guardrails with DLP on the prompt + jailbreak detection. Which is the stronger default and why?

Correct: d. Blocking the domain just pushes users to personal accounts and unsanctioned tools (shadow AI), and it kills legitimate productivity. AI Guardrails inspects the real prompt/response with your DLP profiles in 29 languages and blocks prompt-injection/jailbreak — you get safe, governed GenAI instead of a blunt block that gets bypassed.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

What does the Cloud Sandbox’s “hold-for-verdict” feature protect?

Correct: c. Hold-for-verdict (“Block till benign verdict by dynamic threat analysis”) holds an unknown file from the user until the sandbox returns a verdict, so even the very first victim — Patient Zero — is protected. It’s not about firewall rules, DLP dictionaries or POPs.
Q6 · Apply

Priya must allow staff to open uncategorized partner microsites without risking drive-by malware. Best Real-time Protection action?

Correct: d. RBI Isolate runs the uncategorized site in a cloud container and streams pixels only — no active code reaches the endpoint, so drive-by malware can’t land while the user stays productive. Block kills the work; Allow risks infection; Alert-only just logs without protecting.
Q7 · Apply

A nightly finance sync to a partner on TCP 8443 must be controlled by Cloud Firewall, but it’s steered via an IPsec tunnel (not NSClient). How should you define the destination?

Correct: a. FQDN/wildcard destinations only resolve under NSClient steering; an IPsec tunnel sees only IP addresses, so an FQDN rule would never match. Define the destination by IP/CIDR in a Custom Firewall Application. URL categories and DLP profiles aren’t how Cloud Firewall destinations are set.
Q8 · Analyze

After enabling IPS in Block mode this morning, a partner API integration over a custom port suddenly fails, while web traffic is fine. Most likely root cause?

Correct: b. Going straight to IPS Block with no tuning window means the first false-positive signature blocks real business. The fix is Alert-first for 2–4 weeks plus a Source IP/Domain allowlist for the partner. The sandbox, DLP licence and RBI don’t explain a non-web partner flow breaking the moment IPS Block was enabled.
Q9 · Analyze

UEBA drops a user’s UCI score sharply two days after a public breach dump leaks their email/password. Which UEBA category and signal is this?

Correct: c. Compromised Credentials matches a user against a leaked-credential database that Netskope refreshes daily (≈2-day detection), dropping their UCI and driving adaptive policy. Insider Threat is about exfiltration behaviour and Compromised Device about device anomalies — neither is the breach-dump match here.
Q10 · Evaluate

To stop client PII leaking into ChatGPT/Copilot/Gemini while keeping sanctioned use, which approach is the stronger default and why?

Correct: a. AI Guardrails inspects the actual prompt/response with your DLP profiles (29 languages) and blocks injection/jailbreak, so you get governed GenAI rather than a blunt block that drives shadow AI to personal accounts. Domain blocking pushes users to unsanctioned tools; disabling the Client removes all protection; monthly log review never prevents the leak.

🧠 In your own words

Type one line: In one line, why does a signature-only anti-malware engine fail to stop a brand-new zero-day file, and what fixes it? Then compare to the expert version.

Expert version: A signature scan only matches files it has seen before, so a never-seen zero-day has no signature and passes; the fix is the Cloud Sandbox with hold-for-verdict, which detonates the unknown file in an isolated VM and holds it from the user until a verdict comes back — protecting even Patient Zero.


📖 Glossary

Threat Protection (TP)
Netskope’s malware/threat-defense layer. Standard (Fast Scan, signatures) vs Advanced (Deep Scan + Cloud Sandbox).
Malware Detection Profile
A reusable scan config (Netskope malware scan + allowlist/blocklist file profiles) you apply inside a policy.
File Profile
A set of file hashes/types used as an allowlist or blocklist inside a malware profile.
Cloud Sandbox
Dynamic threat analysis — detonates an unknown file in an isolated VM and reports behaviour mapped to MITRE ATT&CK.
Hold-for-verdict / Patient Zero
Holds an unknown file from the user until the sandbox verdict (≤10 min) so the first victim is protected, not just everyone after.
Cloud Firewall (CFW / FWaaS)
Cloud-delivered L3/L4 firewall for non-web ports and protocols (SSH, SMTP, custom TCP/UDP, DNS).
Custom Firewall Application
A firewall destination defined by IP/CIDR, FQDN or wildcard plus port/protocol. FQDN needs NSClient steering.
IPS
Intrusion Prevention System — signature-based exploit detection. Two modes: Alert (log) and Block.
RBI
Remote Browser Isolation — renders a risky/uncategorized site in the cloud and streams only pixels to the endpoint. Set action = Isolate.
UEBA / Behaviour Analytics
ML anomaly detection in three categories — Insider Threat, Compromised Device, Compromised Credentials.
UCI
User Confidence Index — a per-user risk score (lower = riskier) that drives adaptive policy (coach/alert/block).
AI Guardrails
Netskope One GenAI governance (GA Mar 2026) — DLP on prompts/responses + prompt-injection / jailbreak blocking, 29 languages.


What's next?

Next we go deeper into CSPM · SSPM · DSPM.