A Zero Trust approach to email assumes that content shouldn’t be implicitly trusted just because it reached the inbox. That assumption matters more every year, because attackers have gotten better at hiding in the gray area between obviously good and obviously bad. A link can look harmless at delivery and weaponize hours later. An attachment can look like a routine invoice, resume, or quarterly report while carrying hidden active content. Signature-based detection and sandboxing still catch a lot — but they miss new, delayed, and highly targeted attacks by design.
Two capabilities now available for Cisco Secure Email Gateway address exactly this gap: Remote Browser Isolation (RBI) and Content Disarm and Reconstruction (CDR). Together they shift the security posture from detect and react to isolate and neutralize — protecting users at the two moments they’re most exposed: when they click a link, and when they open a file.
Remote Browser Isolation: safer clicks
When a user clicks a link in an email, RBI opens the destination in a remote, isolated environment rather than directly on the endpoint. The user still sees and interacts with the page, but the active web content — scripts, downloads, browser exploits — never touches their machine or the internal network. If the site turns out to host malware, a credential-harvesting form, or a drive-by download, the threat executes in the isolation environment and is discarded. The user keeps working; the attacker hits a wall.
Content Disarm and Reconstruction: cleaner files
CDR takes the same assumption to attachments. Instead of asking is this file malicious?, it assumes any active content (macros, embedded scripts, OLE objects, JavaScript in PDFs — anything that can execute) could be dangerous, strips it out, and rebuilds a clean, usable copy of the document. Employees still get the invoice, the report, the resume. The executable surface that attackers depend on simply isn’t there anymore.
CDR also extends RBI’s protection into the document itself: URLs and QR codes embedded in attachments are rewritten to route through RBI when the user clicks or scans them. That matters because attackers increasingly hide links inside documents — and inside QR codes especially — to bypass the URL inspection applied to message bodies.
How RBI and CDR fit into Cisco Secure Email Gateway
Adding RBI and CDR to the gateway means organizations no longer depend on perfect threat identification at the moment of delivery. Even when a threat slips past detection — and some always will — the dangerous parts can’t run.
Both capabilities are designed to fit how email security teams already work. RBI is native to Cisco Secure Email Gateway: the SEG rewrites URLs directly in the message, so links route through the isolation service at click time with no additional product in the mail path. CDR is policy-driven: customers use the SEG’s content filters to decide which messages get rerouted to the CDR gateway for sanitization — by sender, recipient, attachment type, risk score, or any other condition that fits their use case. This gives organizations precise control: apply the heavier treatment exactly where their risk policy calls for it and leave trusted mail flows untouched.
The business outcomes:
- Users click and open with less risk, so they spend less time second-guessing legitimate email.
- Security teams see fewer phishing, malware, and credential-theft incidents reaching the point of impact — and the ones that do see are easier to contain.
- Productivity stays intact, because access to needed content isn’t traded away for safety.
A more resilient email layer
Modern secure email gateways are no longer only about keeping bad messages out. They’re about making email safer to use when threats inevitably get through. RBI and CDR close two of the most exploited gaps in that journey — the click and the open — and turn them from points of failure into contained, recoverable events.
RBI and CDR are available as add-on licenses to Cisco Secure Email Gateway.
See how RBI and CDR perform against your real email traffic — contact your Cisco account team to start a trial.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
