Store · Managed IT Operations and Cybersecurity
Every attack starts with an address. Your team opens hundreds a day, and no one decides which ones may open.
Every time someone clicks a link, types a site or opens an attachment, the computer first asks a service called DNS, the internet's phone book, where that address is, and only then connects. This invisible step happens hundreds of times a day, on every device in the company, and almost no one decides what may or may not be opened. It is through that always-open door that most attacks come in.
It is no exaggeration: more than 91% of malware uses DNS to operate, whether to receive orders from the criminal, steal data or redirect browsing, according to Cisco. In other words, the very step you can filter is the step the attack needs to use.
The protection most companies have stays stuck inside the office, on the Windows desktop. The day the person takes the laptop home or opens the phone at a cafe, it vanishes: the device is left alone, far from any filter, precisely where people click the wrong thing most.
Extended Web Protection means deciding, at the DNS layer itself, where each click can go, and taking that decision wherever the person is. The dangerous address is blocked before it opens; the good one passes without anyone noticing. Zamak Technologies operates that layer for you.
It is not about flooding the browser with blocks or slowing the team down. It is a silent layer that stops the dangerous address before the click becomes a problem, on and off the company, and lets the rest of the internet flow. Zamak designs it, activates it and looks after it; you run the business.
Why the click becomes the way in
The attack almost never breaks the door down. It waits for someone to open an address.
See how an ordinary click, in everyday situations, becomes the opening the attack needed.
The phishing email that got through, and the link that looked like the bank.
No email filter catches everything. One day a well-crafted message gets through, with a link that leads to a perfect copy of the bank or Microsoft 365 login. The person clicks, the page opens, and they type the password without suspecting a thing. With no layer deciding the address, that cloned site opens like any other. Extended Web Protection recognizes the malicious address and blocks it before the password page loads.
The laptop at home, far from the office firewall.
In the office, the firewall still takes a look at what comes in and out. But work has left the office: the person opens the laptop at home, on the cafe Wi-Fi, on the phone's 4G. There the perimeter firewall sees nothing, and the device is left exposed. It is precisely at those moments, away from the company's eyes, that people click the fake update ad and the too-good-to-be-true deal. Protection that does not follow the person off-site protects in the wrong place.
The ransomware is already in and tries to phone the criminal.
After getting into a device, most attacks need to call back to the criminal: that is how it downloads the rest of the program, receives the order to encrypt and sends the stolen data away. That call also goes through the DNS. When the protection layer cuts that address, the attack is stuck at the start, never receiving what it needed to do damage. It is the difference between a scare and a company brought to a halt.
Open browsing, with no rule and no record.
With no policy at all, every site is open: the streaming that eats the company's internet in the middle of the workday, the inappropriate content that should not open on a work machine, the risky site no one authorized. It is not just productivity: it is HR and legal exposure, and no one has the record of what was accessed. Extended Web Protection lets the company define, by category, what makes sense to allow, and keeps the evidence.
The trusted site that, without warning, served a poisoned ad.
The problem is not always a suspicious site. Known, legitimate sites sometimes load, unknowingly, an ad that leads to a malicious address, and the person does not even need to click to be exposed. Blocking only what looks strange is not enough: you have to decide every address the browser actually tries to open behind the page, based on reputation and category, in real time. Keeping that judgment up to date is what the layer does all the time.
None of these situations is the fault of whoever clicked. They all come from the same gap: no one decides the addresses the devices open, on and off the company. It is that decision, at the DNS layer and on every device, that Extended Web Protection puts in place.
What Extended Web Protection is
It is not a site blocker. It is the layer that decides every address, anywhere.
Extended Web Protection is a security layer that acts the moment each internet address is resolved, before the connection happens. With every request, it decides: this address is safe and may open, or it is malicious, phishing, the call of an attack, and must be blocked. That decision applies to the browser, to apps and even to programs that try to connect in hiding. And, because it is extended, it follows the person off the network: on the laptop at home, on the road and on the phone. Zamak designs the policy, activates it on every device and keeps it all running.
Decides the address before the page opens
With every address request, the layer compares the destination against threat intelligence that is updated all the time and recognizes, in real time, the malicious site, the phishing page and the call an attack tries to make. The dangerous address is blocked right away, before the page loads or the file downloads; the good address passes transparently. It is protection that acts in the instant before the problem, not after it.
Follows the person off the network
This is where it is extended. The protection is not stuck to the desktop inside the office: it goes along with the person through a lightweight agent on the laptop and the phone, on Windows, Mac, Android and iPhone. At home, on the road or at a client, the same decision over the addresses keeps applying, precisely where the office firewall does not reach and where people click something wrong the most.
Policy, categories and reporting
Beyond security, the layer gives control. The company defines, by category, what makes sense to allow and what to block, with Zamak helping to design the rule so it does not get in the way of work. Safe search keeps adult content out of results, and custom lists allow or block specific addresses. In the end, a report shows, in business language, what was blocked and what is being accessed, with the evidence audit and insurance ask for.
This layer decides the addresses devices open, on and off the network. The firewall, the network's front door, has its own service; the defense inside each computer, which reacts to the malicious program that already ran, is advanced endpoint defense; and detecting and responding to an attack in progress is managed cybersecurity. These are neighboring layers that Zamak also offers, each covering what the others do not see.
What is included
The protection layer and Zamak's management, together
On one side, the layer that decides the addresses and follows every device. On the other, Zamak designing the policy, activating it on every device and handling the day-to-day. The door that used to stay open now has someone deciding what comes in, and you focus on your business.
The protection layer
What the layer does, with every address, on every device.
- Real-time blocking of malicious sites, phishing pages and attack addresses, before the page opens
- Cutting the call that ransomware and other attacks try to make back to the criminal
- Protection that follows the laptop and the phone off the network, on Windows, Mac, Android and iPhone
- Content filtering by category and safe search, according to the policy the company sets
- Custom lists to allow or block specific addresses, with threat intelligence always up to date
Management by Zamak
The layer that places the protection alongside your company.
- Design of the browsing policy together with you, to protect without getting in the way of work
- Activation of the protection on every computer and phone, on and off the network
- A single point of contact to adjust a rule, allow a site and decide together with you
- A report of what was blocked and what is accessed, translated into your business language
- Backing when a legitimate address is blocked by mistake, alongside your team, never in its place
Inside the service
How Extended Web Protection decides every address
For those who want the detail: this is how every click is decided, on and off the network.
Filtering at the DNS layer
Before any connection, the device has to resolve the address, that is, ask where that site is. The protection acts at exactly that point: it compares each destination against a base of reputation and categories and with real-time threat recognition, backed by machine learning, and allows or blocks before the connection leaves. By acting at the resolution, it catches the dangerous address opened by the browser, by an app or by a hidden program, not only what the person types.
Roaming client, on and off the network
The protection can apply to the entire office network at once and, at the same time, follow each device through a lightweight agent installed on it. That agent works on Windows, Mac, Android and iPhone, and keeps the decision over the addresses active at home, on the road and on any network. It is that part, the roaming, that makes the protection extended: it protects the person wherever the person is, not only within the company's four walls.
Categories, lists and safe search
Beyond security, the company decides what to allow. Content is organized into categories, and the company chooses which ones to block, according to the HR and productivity policy. Safe search removes adult content from search results, and custom lists make it possible to allow a specific address blocked by mistake or block a site the company does not want, including addresses with characters from other languages. Zamak helps design those rules to protect without locking up work.
DNS privacy and integrity
The address request itself can be a target of fraud, with someone answering a fake address in place of the real one. The layer uses protections that keep that query intact and encrypted, so the answer is not tampered with or spied on along the way. That way, the decision over each address is trustworthy end to end: the device reaches the right site, or is blocked, without anyone in the middle fooling the query.
Per-user policy and reporting
The policy can be the same for the whole company or different by group of people, integrated with the user directory the company already uses. Every block and every access is recorded, and reports show what was blocked, what is being accessed and by whom, scheduled to arrive on their own. It is what turns the protection into evidence: the company sees where the risks were and proves, for audit and insurance, that browsing is filtered.
Honest scope
It is important to be clear: Extended Web Protection is a powerful layer, but it is not the only one. It decides addresses and closes one of the most used doors to get into a company, and that cuts the risk a lot. What it does not do is react to the malicious program already running inside a computer, which is the job of endpoint defense, nor hunt and respond to an attack in progress, which is managed cybersecurity. Traffic that does not go through address resolution is out of its reach, and that is assessed in the conversation. The promise is honest: block the dangerous click, without pretending it alone protects everything.
The protection is run through a platform that runs on infrastructure certified to SOC 2 and ISO 27001, compliant with HIPAA and PCI-DSS, with the address query kept intact and encrypted.
The threat intelligence and the platform update and block around the clock, every day; Zamak's specialists design the policy, tune it, allow sites and are your point of contact during business hours.
Take this documentation to present to decision-makers.
The comparison
Managed extended web protection, the router filter on its own, or open browsing
There are three ways to handle the addresses a company opens: leave browsing open (and hope), rely on the simple filter that comes in the router or the firewall (which only applies inside the network and barely categorizes), or a managed, extended web protection that decides every address on and off the company and also provides policy and reporting. These are operating models, not a comparison against a specific vendor. The Zamak column lists only what Zamak delivers to the client.
Where it protects
The Zamak choice
Managed extended web protection (Zamak)
On and off the network, on the desktop, the laptop and the phone
Router filter on its own
Only inside the office, and only what goes through it
Open browsing
Nowhere
Recognizes malicious sites and phishing
The Zamak choice
Managed extended web protection (Zamak)
In real time, by reputation and category, with up-to-date intelligence
Router filter on its own
A simple list, which ages and covers little
Open browsing
Nothing: every address opens
Cuts the ransomware's call to the criminal
The Zamak choice
Managed extended web protection (Zamak)
Yes, it blocks the call-back address at the DNS layer
Router filter on its own
Rarely, and never off the network
Open browsing
No
Content and productivity policy
The Zamak choice
Managed extended web protection (Zamak)
By category, with safe search and custom lists, designed with you
Router filter on its own
Crude blocking, hard to tune without getting in the way
Open browsing
None
Reporting and evidence
The Zamak choice
Managed extended web protection (Zamak)
A report of what was blocked and accessed, per user, for audit and insurance
Router filter on its own
Little or no useful record
Open browsing
No visibility
Who designs, activates and tunes it
The Zamak choice
Managed extended web protection (Zamak)
Zamak, with the policy and point of contact
Router filter on its own
Whoever has time, when there is some to spare
Open browsing
No one
The comparison is between operating models (managed extended web protection, the router filter on its own, and open browsing), not against a specific vendor. The Zamak column lists only what Zamak delivers to the client.
Risk, impact and response
For every dangerous click, a decision before the damage
Someone clicks a phishing link that got through email
The bank or Microsoft 365 password handed to a criminal
How Extended Web Protection responds
The malicious address is recognized and blocked before the password page opens
An employee at home clicks a fake update ad
The device infected off the network, far from the office firewall
How Extended Web Protection responds
The roaming client applies the same decision at home and on the road, and blocks the address
Ransomware is already in and tries to download the payload and the key
Files encrypted and the company down for days
How Extended Web Protection responds
The call back to the criminal is cut at the DNS layer; hunting and response stay with managed cybersecurity
Browsing is left open, with no policy and no record
HR and legal exposure, and no proof for audit
How Extended Web Protection responds
The category policy controls access and the per-user report becomes the documented evidence
Policy, relationship and point of contact are Zamak's.
For every decision maker
What this means for whoever decides
Deciding the addresses the company opens solves a different pain for each role.
Owner and founder
The company stops being one click away from a disaster
It only takes one employee clicking the wrong link, and often far from the office, for an attack to start. Leaving that to luck is betting no one will ever click wrong. Here there is a layer that decides every address for everyone, on and off the company, and blocks the dangerous one before it becomes a loss. The risk that depended on each person's attention now has a defense that does not doze off.
Executives and management
Predictable cost, productivity and the proof insurance asks for
On one side, a security layer at a predictable monthly cost, with the browsing policy the company needs for content and productivity. On the other, the report that proves filtered browsing, increasingly required by audit and by cyber insurance to issue the policy. The diffuse risk of hundreds of clicks a day becomes a controlled line on the spreadsheet, with evidence.
Internal IT leader
Fewer site tickets and the blind spot of remote work covered
You know both sides: the "unblock this site" ticket that comes in all day and the fear of the laptop that leaves the office unprotected. A managed layer takes the work of maintaining lists off your plate and covers exactly the blind spot of those who work off-site. Zamak designs the policy with you and adjusts when a legitimate address is blocked by mistake. It is backing that adds to your work, not one that replaces it.
IT partner
Enterprise-grade web protection to offer, without building your own
Offer your clients an enterprise-grade extended web protection, with DNS-layer filtering, roaming client, category policy and reporting, without the cost of building and maintaining your own operation. Zamak operates behind the scenes and handles management; the relationship with the client stays yours.
Why Zamak
The layer in the hands of people who do cybersecurity every day
Zamak Technologies does not just hand over a filter switched on and disappear. It designs the browsing policy together with you, activates the protection on every computer and phone on and off the network, adjusts when a legitimate site is blocked by mistake and translates what was blocked and accessed into your business language.
It is years of experience caring for the IT and security of companies, with specialists who serve in Portuguese, English and Spanish. Zamak is your managed cybersecurity layer and your point of contact, alongside your team, never in its place.
Microsoft Solutions Partner · Addee (N-able) Elite Group · Great Place to Work
Protection run on infrastructure certified to SOC 2 and ISO 27001, compliant with HIPAA and PCI-DSS.
Frequently asked questions
What companies ask before signing up
See also Zamak firewall management · Zamak advanced endpoint defense
Let us talk
Decide where each click can go, on and off the company
The attack almost never breaks the door down: it waits for someone to open an address. Talk to Zamak and have a layer that decides every address for everyone, blocks the malicious site and phishing before the click becomes a problem, and follows your team off the office, with the policy and the report you need.
Get started now
Request the proposal and take the first step of signing up with a Zamak specialist. No commitment.
Schedule with a specialist
Talk to a Zamak specialist to design your company's browsing policy, with no commitment.
Free IT assessment
Still evaluating? Take the free assessment and see where your IT operation and security have gaps to close.