Note: Please contact feature-releases@catonetworks.com for more information about enabling and using this feature.
Modern enterprise applications increasingly rely on WebSocket (WS) communication instead of traditional HTTP request/response models. Platforms such as Slack, Microsoft Teams, Zoom, and AI services like ChatGPT and Copilot use WebSockets to enable real-time, bidirectional communication over a single persistent connection.
This shift introduces a critical visibility and security gap: traditional inspection techniques that focus on HTTP traffic cannot analyze WebSocket payloads once the connection is established.
Cato Cloud addresses this challenge with deep WebSocket inspection, enabling full visibility and enforcement across CASB, DLP, and AI security use cases.
- Full application-layer visibility across modern apps
- Accurate policy enforcement for SaaS and AI services
- Enhanced DLP capabilities for real-time data protection
- Improved compliance posture with complete audit logs
- Elimination of WebSocket blind spots
AI applications rely heavily on WebSocket streaming.
Without inspection:
- Prompts and responses are invisible
- Sensitive data (PII, source code) may leak undetected
With inspection:
- Full visibility into prompts and responses
- Ability to detect:
  - Data leakage
  - Policy violations
  - Malicious or unsafe AI outputs
Modern SaaS platforms use WebSockets for core actions.
Without inspection:
- Only connection-level visibility (e.g., “connected to Slack”)
- No ability to distinguish user actions
With inspection:
- Granular activity detection:
  - File uploads/downloads
  - Message posting
  - Data sharing
- Policy enforcement per action (e.g., block sensitive uploads)
After an initial HTTP upgrade handshake, WebSocket connections carry application data as a continuous stream of framed messages. These messages:
- Are not visible to standard HTTP inspection engines
- May contain structured or unstructured data (JSON, binary, proprietary formats)
- Can include sensitive information such as:
  - User-generated content
  - File transfers
  - AI prompts and responses
Without proper parsing, security engines only see metadata (e.g., IPs, ports, TLS session) and lose all application-layer context.
WebSocket inspection is complex due to protocol characteristics:
- Frame fragmentation – messages can be split across multiple frames
- Masking – client-to-server payloads are obfuscated
- Multiplexing – multiple logical messages may share a connection
- Protocol variability – payloads may use JSON, GraphQL, MessagePack, or proprietary formats
Effective inspection requires full parsing, reassembly, and decoding before any security analysis can occur.
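The parsing, unmasking, and reassembly steps listed above can be sketched as follows. This is an added example, not Cato's implementation: the function names and the sample stream are hypothetical, and it assumes plain RFC 6455 framing with no extensions such as permessage-deflate.

```python
import json
import struct

def parse_frame(buf, pos=0):
    """Parse one RFC 6455 frame at buf[pos:]; return (fin, opcode, payload, next_pos)."""
    b0, b1 = buf[pos], buf[pos + 1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos += 2
    if length == 126:                      # 16-bit extended payload length
        length, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
    elif length == 127:                    # 64-bit extended payload length
        length, pos = struct.unpack_from("!Q", buf, pos)[0], pos + 8
    key = buf[pos:pos + 4] if masked else b""   # client frames carry a 4-byte key
    pos += len(key)
    if pos + length > len(buf):
        raise ValueError("truncated frame")
    payload = buf[pos:pos + length]
    if masked:                             # unmask: XOR each byte with key[i % 4]
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + length

def reassemble(stream):
    """Yield (opcode, message) for every complete data message in a byte stream."""
    pos, parts, first_opcode = 0, [], None
    while pos < len(stream):
        fin, opcode, payload, pos = parse_frame(stream, pos)
        if opcode >= 0x8:                  # control frames may sit between fragments
            continue
        if opcode != 0x0:                  # text (0x1) or binary (0x2) starts a message
            first_opcode, parts = opcode, []
        elif first_opcode is None:
            raise ValueError("continuation frame without a start frame")
        parts.append(payload)
        if fin:                            # FIN bit marks the last fragment
            yield first_opcode, b"".join(parts)
            first_opcode = None

def make_frame(fin, opcode, data, key=b"\x37\xfa\x21\x3d"):
    """Build a masked client frame for the constructed sample (payloads < 126 bytes)."""
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(data))
    return bytes([(0x80 if fin else 0) | opcode, 0x80 | len(data)]) + key + masked

# Constructed sample: one JSON text message split over two frames, with a ping between.
SAMPLE = (make_frame(False, 0x1, b'{"type":"message","te')
          + make_frame(True, 0x9, b"")
          + make_frame(True, 0x0, b'xt":"quarterly report"}'))

def decoded_messages(stream=SAMPLE):
    return [json.loads(msg) for op, msg in reassemble(stream) if op == 0x1]
```

Only after reassembly does the payload parse as JSON; neither fragment is valid on its own, so pattern matching on individual frames would miss the content.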
The Cato Cloud performs inline WebSocket inspection at wire speed using a multi-layer approach:
- Frame-Level Parsing
- Protocol-Aware Decoding
  - Identifies application protocols (e.g., JSON, GraphQL)
  - Extracts structured data fields
- Event Extraction
  - Converts messages into meaningful security events, such as:
    - User actions
    - Data transfers
    - AI interactions
- Engine Integration
  - Sends parsed data to:
    - CASB policies
    - DLP inspection
    - AI Firewall analysis