You Can't Secure What You Can't See: The Encrypted Traffic Blind Spot

Nicolas | 8 minutes | Articles

CEO, Security Engineer

OSCP GXPN CCNP JNCIP-SP

Encryption was supposed to be the good news. For a decade, the security community pushed the web toward HTTPS everywhere — and it worked. Today, the overwhelming majority of traffic leaving your network is encrypted by default. That's a genuine win for privacy and data integrity.

It's also created the single largest blind spot in enterprise security.

Encryption is no longer the exception — it's everything

The shift happened faster than most security architectures adapted to. According to Google's Transparency Report, encrypted web traffic rose from roughly 50% in 2014 to around 95% from 2020 onward [1]. By October 2025, HTTPS adoption on Android had passed 99%, matching desktop platforms and closing the last meaningful gap. The practical reality for any enterprise today: nearly every web request your users make — to SaaS apps, file storage, email, collaboration tools, and everything else — travels inside a TLS tunnel.

[Figure: The encryption tipping point. Share of web traffic served over HTTPS, 2014–2025: ~50% in 2014, ~95% by 2020, 99%+ in 2025.]

For most organizations, that means somewhere between 85% and 95% of all outbound web traffic is encrypted. The exact figure depends on how you measure, but the direction is not in dispute. Plaintext HTTP is now the rounding error, not the rule.

The problem: threats moved in with everyone else

Attackers go where the traffic is, and the traffic is encrypted. The same TLS tunnel that protects a legitimate login also conceals malware delivery, phishing payloads, command-and-control beacons, and data exfiltration — and it conceals them from any security control that can't see inside.

[Figure: What a security gateway actually sees. Cleartext HTTP: ≈5%, seen without TLS inspection. Encrypted HTTPS: ≈95%, the blind spot. ≈87% of blocked threats hide inside the encrypted slice. Without an adapted solution, a gateway reads only the ≈5% in the clear and misses where the threats live. Sources: Google Transparency Report; Zscaler ThreatLabz 2024; see references below.]

The numbers are stark. Zscaler's ThreatLabz team analyzed 32.1 billion blocked attacks between October 2023 and September 2024 and found that 87.2% of them were delivered over encrypted channels — a 10% increase year over year [2]. Malware alone made up the bulk of those encrypted attacks. WatchGuard's Q1 2025 Internet Security Report reached a consistent conclusion from a different vantage point: 71% of malware now arrives over encrypted connections [3].

Put those two facts side by side and the conclusion writes itself. If roughly 95% of your traffic is encrypted, and roughly 87% of threats are hiding inside encryption, then a security gateway that inspects only what it can read in the clear is watching the wrong 5%.

Any HTTPS traffic that doesn't undergo inline inspection is a blind spot that attackers actively exploit. URL filtering, category controls, threat feeds, and acceptable-use policies all degrade to guesswork the moment the payload is encrypted and the gateway can only see a domain name — or, increasingly, not even that.

Visibility is a policy decision, not a default

Here's the uncomfortable part: most organizations know this, and still don't inspect. The reasons are real, and they're worth naming honestly.

Decryption has costs. TLS inspection is computationally expensive, and many legacy appliances simply can't decrypt at line rate, so teams turn it off to preserve throughput. The result is a security control that exists on paper but inspects a fraction of what flows through it.

Decryption has consequences. Breaking and re-establishing TLS means terminating sessions, managing an internal CA, and handling applications that use certificate pinning. It's an operational commitment, not a checkbox.

Decryption has rules. Whether you may lawfully inspect employee traffic depends on your jurisdiction and the notice or consent you provide. That's a governance question security teams can't answer alone.

None of these are reasons to stay blind. They're reasons to treat inspection as a deliberate, tunable policy — applied where it matters, scoped where it doesn't, and governed properly throughout.

What meaningful visibility actually requires

A web gateway that handles encrypted traffic effectively needs three things.

First, graduated inspection — the ability to choose how deep you look, per deployment and per policy. Some traffic warrants nothing more than reading the Server Name Indication (SNI) in the ClientHello to apply a domain name verdict. Some warrants full decryption. Some — banking, health, anything legally sensitive — should never be decrypted at all. A single on/off switch forces a bad trade; a model with distinct modes lets you match scrutiny to risk.

[Figure: Graduated TLS inspection — match scrutiny to risk. Off: no inspection, no visibility. Peek: reads the SNI / domain name, payload stays sealed. Bump: full decryption, full-payload verdict. EnforceGate vX exposes exactly these three modes — set per policy, so sensitive categories stay private.]

Second, verdicts on encrypted requests, not just connections. Allowing or denying by URI, domain name, SNI, user-agent, and client identity — before the request leaves the network — is what turns "we encrypt everything" back into "we control everything."
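The "peek" mode described above, and the SNI-based verdict that follows from it, can be shown concretely. The following is an added example written for this article, not EnforceGate code and not anything the vendor ships: it parses a TLS ClientHello record without decrypting anything, pulls the host name out of the server_name extension, and returns one of the three inspection decisions the figure names (off, peek, bump) together with an allow/deny verdict. The category sets (NEVER_DECRYPT, BLOCKED) and the example domains are constructed placeholders, not a real feed, and `build_client_hello` fabricates a minimal ClientHello purely as test input. Malformed or non-TLS bytes deliberately yield "no SNI" rather than an exception, since a gateway sitting inline must never crash on what it cannot parse.

```python
"""Peek-mode SNI extraction and a graduated TLS inspection verdict.

Added example for illustration; not the article's or EnforceGate's code.
Everything here works on the ClientHello alone: nothing is decrypted.
"""
import struct
from typing import Optional, Tuple

# Constructed policy for the example (assumptions, not a real category feed).
NEVER_DECRYPT = {"bank.example", "health.example"}   # legally sensitive: pass through sealed
BLOCKED = {"malware-c2.example"}                     # the SNI alone justifies a deny
DEFAULT_MODE = "bump"                                # everything else gets full decryption


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension.

    This is constructed test input, not a capture; only the fields the parser
    walks are populated realistically.
    """
    host = server_name.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated extension first (supported_versions, 0x002b) so the parser has to skip correctly.
    ext_other = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = ext_other + ext_sni
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x00" * 32                               # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the lower-cased host_name from the ClientHello's server_name extension.

    Returns None for non-TLS data, a hello without SNI (including an ECH-protected
    one) or truncated input: peek mode must degrade to "no name", never crash.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:                    # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                            # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                                # skip version + random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        if pos + 2 > len(body):
            return None                                             # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            return None                                             # truncated extensions
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000 or len(data) < ext_len:
                continue
            lpos = 2                                                # skip server_name_list length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace").lower()
        return None
    except (IndexError, struct.error):
        return None


def _matches(host: str, domains: set) -> bool:
    """Exact or subdomain match against a category set."""
    return host in domains or any(host.endswith("." + d) for d in domains)


def decide(record: bytes) -> Tuple[str, str]:
    """Graduated verdict from the ClientHello alone: (mode, action)."""
    sni = extract_sni(record)
    if sni is None:
        return (DEFAULT_MODE, "allow")       # nothing to match a domain verdict on
    if _matches(sni, BLOCKED):
        return ("peek", "deny")              # refused on the SNI, payload never opened
    if _matches(sni, NEVER_DECRYPT):
        return ("off", "allow")              # classified by SNI, then passed through sealed
    return (DEFAULT_MODE, "allow")           # full-payload inspection for the rest


if __name__ == "__main__":
    for host in ("login.bank.example", "malware-c2.example", "docs.example.org"):
        print(host, decide(build_client_hello(host)))
```

The order of checks matters: a deny on a known-bad name is evaluated before the never-decrypt bypass, so a sensitive-category exemption cannot be used to smuggle a blocked destination past the gateway. Hosts whose ClientHello carries no readable name fall back to the default depth, which is where a real deployment would decide between bumping and a conservative deny.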

Third, inspection you actually own. If decrypting traffic means backhauling it through a vendor's cloud, you've solved a visibility problem by creating a data-residency and trust problem. With cloud-delivered gateways — the model sold by vendors such as Fortinet and Palo Alto Networks — your decrypted traffic, which routinely contains employees' and customers' personal data, is processed in the provider's cloud; depending on where that cloud sits, that alone can create data-protection and legal exposure under regimes like the EU GDPR or the Swiss FADP. Inspection that happens inside your own perimeter — where the data, the logs, and the decrypted traffic never leave your infrastructure — is the only version that's defensible to a privacy officer, an auditor, or a regulator.

[Figure: Where does the decryption happen? Your perimeter, self-hosted: gateway, data and logs stay inside; data, logs and decrypted traffic never leave. Cloud backhaul: your traffic goes to the vendor cloud; decrypted data leaves your control.]

This is exactly what we built EnforceGate vX to do

A self-hosted secure web gateway with SSL/TLS inspection at selectable depth, URL filtering and identity-aware access control. Everything runs on your premises: your traffic, your data and your policies never leave your own infrastructure — there is no cloud backhaul, and nothing is sent to a vendor to inspect. URL filtering runs locally too, so there are no cloud category lookups that can fail — no transient routing problem, cloud outage or vendor maintenance window can break filtering or quietly let traffic through.

And it makes inspection affordable. EnforceGate vX runs on commodity, consumer-grade hardware and scales out horizontally — typically 4–5× cheaper than traditional URL filtering appliances, without the line-rate ceiling that pushes teams to switch inspection off in the first place.

The bottom line

The web won the argument for encryption, and that was the right outcome. But "encrypted" and "trusted" are not the same word. When 95% of your traffic is opaque and 87% of threats are hiding in that opacity, visibility into encrypted traffic stops being an advanced feature and becomes the baseline requirement for doing security at all.

You can't filter what you can't read. You can't block what you can't see. And you can't claim to secure a network where the overwhelming majority of traffic passes through unexamined.

The question for every security team isn't whether to inspect encrypted traffic. It's whether they can do it at scale, on their own terms, and without handing their data to someone else to do it for them.

Sources

  1. Google, Transparency Report — HTTPS encryption on the web. transparencyreport.google.com
  2. Zscaler ThreatLabz, 2024 Encrypted Attacks Report (32.1B blocked attacks, Oct 2023–Sep 2024). zscaler.com/threatlabz
  3. WatchGuard, Internet Security Report — Q1 2025. watchguard.com