Product

Clearswift: filter email and web without breaking communication

Last updated: April 16, 2026

Clearswift SECURE Gateway is a content-inspection platform by Fortra that analyses email and web traffic in real time for content, attachments and classification labels at regulated organisations under NIS2, BIO, DORA and ISO 27001. The product runs Clearswift content inspection through the MIMEsweeper engine, applies adaptive redaction instead of hard blocking, and reads labels that Titus and Boldon James placed earlier in the chain. Primarily for CISOs at organisations of 1,000 to 10,000 FTE where outbound email cannot simply be refused.

Quick answer

What: inline MTA and ICAP appliance that inspects every message, every attachment and every web upload with the MIMEsweeper engine and adjusts content based on policy.

For whom: regulated organisations of 1,000 to 10,000 FTE under NIS2 article 21, BIO classification, DORA article 6 and ISO 27001 Annex A 8.12.

Where: inline in the mail flow between Exchange Online and the internet, and over ICAP behind a secure web gateway such as Zscaler or Netskope.

When: in the run-up to an audit that must account for outbound data flows, after an incident in which an attachment left the organisation uncontrolled, or during a DORA implementation that must inspect outbound mail.

Cost indication: per gateway per year, depending on modules and support tier. Concrete figures are issued by Korper ICT.

Timeline: 30-day POC in monitor mode, followed by 2 to 4 months of phased rollout to enforcement.

What

What is Clearswift SECURE Gateway?

Clearswift SECURE Gateway is a family of content-inspection appliances for email and web. The Email Gateway works as an SMTP hop in the outbound or inbound mail flow. The Web Gateway connects over ICAP behind a secure web gateway and inspects HTTP and HTTPS uploads and downloads. Both variants use the same underlying engine, the same policy language and the same metadata readers.

The core is the MIMEsweeper engine. It fully unpacks every message, including nested archives up to the configured depth, reads OOXML metadata, applies OCR to images and performs pattern matching on the extracted text. On top of that sits the policy layer that decides: allow, block, quarantine, or, crucially, modify and forward. That last option is called adaptive redaction and is what sets Clearswift apart from simpler gateways.

The product line originated in Theale, United Kingdom, where it was developed in the 1990s under the name MIMEsweeper. It was acquired by HelpSystems in 2019 and has been part of Fortra since 2022. The engine has decades of regulated environments behind it, from defence to financial institutions, which shows in the number of formats it unpacks and the precision of the policy language.

Clearswift is not a DLP in the classical sense. It works alongside a DLP by reading the same signals and enforcing at the gateway what the DLP detects on the endpoint. It is also not an anti-spam or anti-malware platform in itself. Reputation filtering and sandboxing are usually covered by Exchange Online Protection, Proofpoint or Mimecast. Clearswift fills the content-inspection layer that sits on top of basic filtering.

For whom

Who is Clearswift for?

Primary audience: CISOs, security operations leads and mail architects at Dutch organisations of 1,000 to 10,000 FTE in regulated sectors. Typical customers are financial institutions under DORA, healthcare providers holding special categories of personal data, central government and executive agencies under the BIO, and industrial organisations with intellectual property moving through email and web. The common factor: outbound communication cannot simply be blocked, because that breaks customer processes, legal case files or patient care.

Secondary audience: compliance officers and data protection officers at semi-public organisations that must evidence BIO classification, ENSIA and GDPR accountability in parallel. For them, Clearswift is the gateway that makes visible which categories of data cross the organisation's boundary every day, with an audit log that records a decision for every message. During an incident notification to the CSIRT or the Dutch Data Protection Authority, that logging is the difference between a complete notification file and a retroactive reconstruction.

Tertiary audience: engineers at managed service providers and MSSPs running Clearswift as shared egress for multiple customer environments. The multi-tenant configuration with separated policies per customer is one of the reasons Clearswift has a substantial footprint in the Benelux MSSP market.

Clearswift fits less well for three kinds of organisations. At small SMEs under 100 FTE the operational complexity is not proportional to the return; Exchange Online Protection with transport rules covers that scale adequately. At organisations without existing classification the label-aware policy layer is wasted; Titus or Boldon James first, Clearswift second. At fully cloud-native startups with no on-premises egress infrastructure a pure SaaS offering like Proofpoint or Mimecast is more practical, even though it delivers less adaptive redaction.

Where

Where does Clearswift fit?

Clearswift sits inline in two traffic streams. For email it is an SMTP hop, usually virtual, on a Red Hat or Rocky Linux appliance under VMware, Hyper-V, AWS or Azure. For web it sits behind a secure web gateway and communicates over ICAP. Both streams share the same management plane and the same policy source. The physical appliance still exists but is rarely deployed in the Netherlands; the virtual deployment is standard.

The email deployment has two topologies. Topology one: M365 as the primary mail platform, Clearswift as an egress hop via an Exchange Online connector. Outbound mail goes from Exchange Online to Clearswift, where content inspection takes place, and then out to the internet through a smart host. Topology two: Clearswift on both inbound and outbound, with M365 as the mailbox layer behind it. The second topology is richer in terms of control, requires more routing configuration and is typically chosen by organisations with a hybrid Exchange setup.

The web deployment works through ICAP integration with Zscaler Internet Access or Netskope. The SWG forwards suspicious uploads to Clearswift for adaptive redaction, receives an adjusted version back, and forwards it to the original destination. That destination can be public cloud storage, a webmail interface or an external portal. The end user only notices a fraction of extra latency, typically under a second for files up to 50 MB.

Integration points we configure as standard in Dutch environments. Active Directory for user context and group-based policy. Microsoft Purview or another label system for reading sensitivity labels. Titus and Boldon James for classification labels in headers and OOXML metadata. Splunk or Microsoft Sentinel for SIEM ingest of every policy decision. GoAnywhere MFT for outbound regulated transfer, where Clearswift runs the content inspection before the file leaves via a secured MFT route. An optional threat intelligence feed for dynamic updates to pattern recognition based on current threats, supplemented by advisories from the Dutch National Cyber Security Centre.

Capacity scales horizontally. A single virtual instance typically processes 500,000 to 1,000,000 messages per day at average attachment size. Larger volumes are handled with a cluster behind a load balancer, with policy pushed from a central management console. For high availability, most Dutch customers run two instances in an active-active setup, geographically separated across two data centres.

When

When should you pick Clearswift?

Concrete trigger events. After an incident in which an attachment containing personal data or regulated data left the organisation without existing filtering noticing it. During a NIS2 audit where article 21 requires risk management measures on data flows and article 23 imposes a 24-hour notification duty on incidents. Without content inspection at the gateway it is not reconstructable which specific data in which message left the organisation, which makes the 24-hour CSIRT notification incomplete.

During ISO 27001 (re)certification, where Annex A 8.12 (data leakage prevention) and A 8.23 (web filtering) are explicit controls. An auditor wants to see evidence that the organisation inspects outbound data flows for confidentiality, not only for malware or spam. That evidence comes from the Clearswift audit log, per message, per policy, with a hash of the original and the modified version. For GDPR article 32 (appropriate technical measures) that same log provides the material evidence for the accountability obligation under article 5(2).

During a DORA implementation for financial entities. Article 6 requires classification and protection of ICT assets and data flows; article 9 specifies preventive, detective and corrective measures. Clearswift delivers the preventive layer on outbound data flows that DORA specifically addresses, and records corrective redactions in a format a supervisor can read. Applicable since 17 January 2025 for banks, insurers, pension administrators and their critical ICT suppliers.

Organic triggers outside regulation. The CISO sees the number of escalated M365 transport rules keep growing and every new rule causes collateral damage on legitimate mail. Users learn to send attachments via personal webmail to bypass transport rules. The DLP team sees that endpoint DLP detects but has no gateway-level enforcement when a file goes out over mail. A recent ENISA report on mail-based exfiltration has been used internally as a reason to revisit the gateway layer. In those situations Clearswift is the technical answer to a problem that has already been recognised as policy.

Why

Why Clearswift over Microsoft 365 transport rules or Proofpoint?

Honest answer upfront. Many Dutch organisations run Microsoft 365 transport rules combined with Proofpoint, and for part of the use cases that is sufficient. We will not make the difference bigger than it is. Transport rules sit inside the licence you are already paying for, and Proofpoint is a mature gateway with strong reputation filtering and a broad threat intelligence base.

Still, customers we guide pick Clearswift in specific scenarios, alongside or instead of those alternatives. Four reasons return.

Adaptive redaction versus all-or-nothing. Microsoft 365 transport rules and Proofpoint can block, quarantine or allow messages. Neither can remove a specific sentence from a Word attachment while the rest of the document stays intact. Clearswift can. In regulated sectors where outbound mail carries chain processes, that difference is material. No mail blocked, just content adjusted, is often the only workable option.

Deep archive analysis and OCR. Transport rules read subject lines and limited content patterns. Proofpoint unpacks archives, but the depth is more limited than Clearswift and the OCR quality on mixed documents is lower. Clearswift unpacks up to six levels of depth by default, runs OCR on images inside PDFs and recognises metadata in nested OOXML. For organisations that send technical drawings, scanned contracts or key documents through mail, that difference is the main reason.

Classification-label-aware policies. Clearswift reads Titus and Boldon James labels natively and applies policy based on the label value, not on a derived pattern match. Transport rules can read sensitivity labels since recent Exchange Online versions, but the granularity of the policy language stays limited. Proofpoint reads labels through custom scanners, with more configuration work. If you are already investing in the Fortra chain, label continuity between Titus, Boldon James and Clearswift is a productivity advantage cross-vendor setups do not deliver.

Coexistence instead of replacement. Clearswift does not necessarily replace M365 transport rules or Proofpoint. The typical Dutch setup keeps M365 for basic filtering, Proofpoint or Exchange Online Protection for reputation and malware, and Clearswift specifically for the content-inspection layer on regulated egress. Three layers with separated responsibility; each layer does what it is good at. That is more defensible and operationally more robust than one layer trying to do everything.

Alternatives outside these two that also come up: Symantec Messaging Gateway, Mimecast Content Control and Cisco Email Security. None of those three delivers the combination of sentence-level adaptive redaction, deep archive analysis and label-aware policies the way Clearswift does. That is the reason Clearswift is the most common content-inspection layer on top of a standard mail security stack in Dutch regulated environments.

Implementation

Clearswift in practice

The architecture in prose. A Dutch customer in financial services with 4,000 FTE runs Clearswift on four virtual instances on VMware, two per data centre, in an active-active cluster behind a load balancer. The MTA configuration sits inline between Exchange Online and the public smart host, via an Exchange Online connector with TLS and an IP allowlist. The cluster processes around 2 million outbound messages per day, with peaks around month-end closing that rise to 3.5 million per day.

The MIMEsweeper engine unpacks every message and every attachment. Archive depth is set to eight levels; the default is six. OCR runs on all inbound images above 50 KB and on OOXML-embedded images, with a text-extraction threshold of 20 characters before pattern matching is applied. Adaptive redaction is active for three categories: BSN numbers in attachments to external domains are redacted, track changes and document comments are stripped from Word sent outside the organisation, and GPS metadata is removed from images. The sender receives a notification with a diff summary.

Label-aware policies are the heart of the configuration. Clearswift reads the Titus X-header and the Boldon James OOXML custom property on every message and every attachment. Messages labelled confidential are subject to a domain allowlist of 180 verified partner domains; anything outside it blocks. Secret always blocks, without exception. Internal passes, but OCR validation runs on attachment images to verify they do not contain higher-classified content. That is Clearswift content inspection at its most effective: the label drives the policy, the policy drives the redaction.
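The label-to-verdict logic described above, sketched as an added example (illustrative Python, not Clearswift's policy language or code). The header name `X-Classification`, the two allowlisted domains, the quarantine verdict for missing or unrecognised labels and the "most restrictive label wins" rule are assumptions. The check uses envelope recipients rather than the To header, so Bcc recipients are covered.

```python
from email import message_from_string

LABEL_HEADER = "X-Classification"  # hypothetical header name, not taken from the page
RANK = {"internal": 1, "confidential": 2, "secret": 3}
PARTNER_DOMAINS = {"partner.example", "custodian.example"}  # constructed allowlist


def effective_label(msg):
    """Return the most restrictive label, or None if missing or unrecognised."""
    values = [v.strip().lower() for v in msg.get_all(LABEL_HEADER, [])]
    if not values or any(v not in RANK for v in values):
        return None
    # Conflicting duplicate headers: the highest classification wins.
    return max(values, key=RANK.get)


def decide(raw_message, envelope_recipients):
    """Map label plus envelope recipients (RCPT TO) to a gateway verdict."""
    msg = message_from_string(raw_message)
    label = effective_label(msg)
    if label is None:
        return "quarantine"  # assumption: fail closed on unlabelled mail
    if label == "secret":
        return "block"  # secret always blocks, without exception
    if label == "confidential":
        domains = {
            r.rsplit("@", 1)[-1].strip().lower().rstrip(".")
            for r in envelope_recipients
        }
        # Every recipient domain must be on the allowlist; one outsider blocks.
        ok = bool(domains) and domains <= PARTNER_DOMAINS
        return "allow" if ok else "block"
    # internal: passes, but attachment images still go through OCR validation
    return "allow-after-ocr-validation"


def sample(*labels):
    """Build a constructed test message carrying the given label headers."""
    headers = "".join(f"{LABEL_HEADER}: {value}\n" for value in labels)
    return (
        "From: a@corp.example\n"
        "To: b@partner.example\n"
        f"{headers}"
        "Subject: Q3 figures\n\nbody\n"
    )


if __name__ == "__main__":
    print(decide(sample("Confidential"), ["b@partner.example"]))
    print(decide(sample("Confidential"), ["b@partner.example", "x@webmail.example"]))
    print(decide(sample("Internal", "Secret"), ["b@partner.example"]))
```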

The ICAP integration with the secure web gateway runs over two Clearswift Web Gateway instances. The SWG, a Zscaler tenant, forwards uploads to webmail interfaces, public cloud storage and external portals to Clearswift for deep inspection. Downloads of suspicious extensions are inspected for embedded payloads as well. We typically measure the latency impact at 200 to 600 milliseconds per transaction under normal load.

For outbound regulated file exchange, Clearswift integrates with GoAnywhere MFT. A user sending a file through the MFT portal to an external party first passes through Clearswift for content inspection, after which MFT delivers the file via a secured SFTP or AS2 route. The label decides the route; the content decides whether the file proceeds unchanged, redacted or blocked. Implementation and policy tuning in Dutch environments are guided by Neo Security as the technical partner.

Failure modes we see in practice. First: performance at high mail volumes. An undersized cluster runs into MTA queue build-up during peaks, leading to noticeable delays and complaints about slow mail. Remedy: cluster sizing at 150% of peak volume, horizontal scaling with a fourth instance, and tuning OCR thresholds to the actual image diversity of the organisation.

Second: TLS inspection and certificate management. Clearswift inspects TLS traffic for the Web Gateway through a MITM construction with a private CA certificate. If that certificate is not distributed to every endpoint, the user gets certificate warnings, and crucially, many SaaS applications with certificate pinning refuse the connection entirely. Remedy: certificate distribution through MDM to every endpoint, a bypass list for pinning applications such as banking and government services, and periodic validation of the bypass list against new SaaS contracts.

Third: mail loops on misconfiguration. A wrongly configured send connector routes outbound mail back to Clearswift, which then routes it back to Exchange Online, creating a loop that can fill the MTA queue in minutes. Remedy: strict validation of routing headers, X-Loop header inspection, a maximum hop count of 25, and queue-size monitoring with an alert threshold well below queue capacity.

Fourth: OCR false positives on sketch images. Handwritten notes or technical sketches produce OCR output that can match patterns like BSN or IBAN without actual personal data being present. That produces wrongful redactions or blocks. Remedy: tune the OCR confidence threshold, require pattern context (for example, a BSN must sit near the word "BSN" or "burgerservicenummer"), and a quarantine-review workflow for borderline cases where a security engineer issues a ruling within a working day.
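One way to implement the pattern-context requirement, as an added example (not Clearswift configuration or code). It goes one step beyond the text by also applying the BSN eleven-test checksum before looking at context. The 40-character window and the verdict names are assumptions: a checksum-valid number near a context word is redacted, one without context goes to review, and numbers that fail the checksum are ignored.

```python
import re

# Context words are the ones named on the page; window size is an assumption.
CONTEXT = re.compile(r"\b(bsn|burgerservicenummer)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters inspected on either side of a candidate

# Exactly nine digits, optionally separated by single spaces or dots,
# and not part of a longer digit run (for example the tail of an IBAN).
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ .])\d(?:[ .]?\d){8}(?![ .]?\d)")
WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)


def passes_elfproef(digits):
    """BSN eleven-test: weighted digit sum must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit() or digits == "000000000":
        return False
    return sum(int(d) * w for d, w in zip(digits, WEIGHTS)) % 11 == 0


def find_bsn(text):
    """Return (start, end, verdict) for every checksum-valid candidate."""
    findings = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if not passes_elfproef(digits):
            continue  # random nine-digit OCR noise fails here about 10 times in 11
        lo = max(0, match.start() - CONTEXT_WINDOW)
        window = text[lo:match.end() + CONTEXT_WINDOW]
        verdict = "redact" if CONTEXT.search(window) else "review"
        findings.append((match.start(), match.end(), verdict))
    return findings


def redact(text):
    """Replace only the findings with verdict 'redact'; leave the rest intact."""
    out, pos = [], 0
    for start, end, verdict in find_bsn(text):
        if verdict == "redact":
            out.append(text[pos:start])
            out.append("[BSN removed]")
            pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed OCR output samples.
FORM = "Aanvraag hypotheek. Burgerservicenummer: 111222333. Contact: afdeling X."
SKETCH = "M8 bolt, part 123456782, torque 40 Nm"
ORDER = "BSN ref order 123456789"

if __name__ == "__main__":
    for sample_text in (FORM, SKETCH, ORDER):
        print(find_bsn(sample_text), "->", redact(sample_text))
```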

The timeline of a typical rollout. Weeks 1 to 2: architecture design, virtual instance deployment, base policy in monitor mode. Weeks 3 to 6: configure label-aware policies based on existing Titus and Boldon James labels, tune OCR thresholds to the real mail mix, first adaptive redaction rules in shadow mode. Months 2 to 3: from monitor to enforcement per policy category, ICAP integration with Zscaler or Netskope, SIEM integration for audit-log ingest. Month 4: GoAnywhere MFT integration for outbound regulated transfer, final sizing review against production statistics.

Next in the chain after Clearswift is typically Vera. Where Clearswift covers the gateway layer at the moment a file leaves the organisation, Vera takes over once the file is outside the infrastructure: persistent rights management, revocable access and cryptographic control that travels with the file. For the underlying regulatory argument we refer to the full regulatory deep dive. For an intake call or POC request, the contact page is the starting point.

FAQ

Frequently asked questions about Clearswift

What does Clearswift do that M365 transport rules do not?

Microsoft 365 transport rules act on headers, senders, subjects and limited content patterns, with a hard verdict: block, allow or quarantine. Clearswift analyses the full content of message and attachments, unpacks nested archives, runs OCR on images and can modify parts without rejecting the rest. An attachment with a single sentence that may not leave the organisation is redacted, and the mail goes through. That nuance is missing from transport rules.

Does Clearswift work with Microsoft 365 mail flow?

Yes. Clearswift SECURE Email Gateway sits as an inline MTA in the mail flow, typically as an egress hop after Exchange Online via a connector. Inbound traffic can also route through Clearswift for deep inspection, after which Exchange Online handles delivery. Typical Dutch deployment: M365 for mailbox and basic filtering, Clearswift as the content-inspection layer on egress for regulated outbound mail under BIO, DORA or ISO 27001.

Can Clearswift modify attachments instead of blocking them?

Yes, that is the adaptive redaction feature. Clearswift can remove specific sentences, numbers or metadata from an attachment and forward the edited version while the rest of the document stays intact. Examples from Dutch practice: strip track changes and comments from a Word file before external sending, redact BSN numbers, or remove GPS metadata from photos. The recipient sees a clean file, and the sender gets a notification about what was adjusted.

How deeply does Clearswift scan nested archives?

Clearswift unpacks ZIP, 7Z, RAR, TAR and similar archives to a configurable depth, six levels by default, extendable to more. At every level the MIMEsweeper engine is applied again to the content. Encrypted archives without a supplied password are, depending on policy, blocked or routed to a manual quarantine. This depth is essential for organisations that regularly receive Office documents in ZIP-in-ZIP constructions.

Does Clearswift act on classification labels?

Yes. Clearswift reads the metadata and header labels that Titus and Boldon James apply: OOXML custom properties, SMTP X-headers and visual label banners. You define policy on top of that. Confidential may only go to verified domains, secret always blocks, internal passes with OCR validation. These label-aware policies make Clearswift the enforcement layer on top of what Titus and Boldon James produce at creation and discovery, without writing duplicate rules.

What is the difference between Clearswift Email Gateway and Web Gateway?

The Email Gateway inspects SMTP traffic, inbound and outbound. The Web Gateway inspects HTTP and HTTPS uploads and downloads, typically via ICAP integration with a secure web gateway such as Zscaler or Netskope. Both use the same MIMEsweeper engine and the same policies. For outbound web uploads to cloud storage or webmail, Clearswift Web Gateway applies the same adaptive redaction the Email Gateway applies to SMTP. Many customers license both modules for full egress coverage.

How does Clearswift integrate with a SWG like Zscaler?

Through ICAP. The secure web gateway forwards suspicious uploads or downloads to Clearswift for deep content inspection and receives back a modified version or a block decision. The benefit: you keep Zscaler or Netskope as the primary web egress with TLS inspection and category filtering, and offload only the heavy content analysis to Clearswift. ICAP is standard in virtually every enterprise SWG and requires no change for the end user.

What is the typical licensing structure?

Clearswift is licensed per gateway, not per user. The factors are the number of instances for high availability, the modules (Email Gateway, Web Gateway, ICAP, adaptive redaction, OCR), the support tier and optional add-ons such as threat intelligence feeds. Concrete figures are volume and environment dependent and are issued by Korper ICT based on an architecture sketch. A typical Dutch enterprise runs two to four Clearswift instances for email and an ICAP pair for web.

Regulatory sources: GDPR 2016/679 article 32, NIS2 2022/2555 article 21, ISO/IEC 27001:2022.

Speak with an engineer

A POC on your own mail flow and web egress starts with a technical intake, not a sales call. An architecture sketch within two working days, concrete figures on false-positive reduction and adaptive-redaction impact within 30 days.