Cisco announced the end-of-life for legacy Umbrella SKUs on 18 June 2025. End-of-sale passed on 30 September 2025. Software maintenance releases stop on 30 September 2026. If you still run Umbrella, you have roughly four months to complete a migration, whether that means moving to Cisco Secure Access or evaluating a vendor-neutral SASE platform that consolidates DNS security, web gateway and network access into a single licence.
Cisco’s Umbrella product line traces back to the 2015 acquisition of OpenDNS. For a decade, it served as the default DNS-layer security tool for mid-market IT teams across Europe. The deprecation affects every legacy Umbrella SKU, from DNS-only Roaming licences to full Secure Internet Gateway (SIG) packages. Cisco’s intended migration target is its Cisco Secure Access platform, but that is not the only path available, and for many organisations it is not the simplest one either.
This post covers the exact timeline, which SKUs are affected, what Cisco Secure Access does and does not replace, and the three realistic migration paths open to you right now.
When exactly does Cisco Umbrella reach end-of-life?
Cisco published EOL bulletin EOL15688 on 18 June 2025. Legacy Umbrella SKUs passed end-of-sale on 30 September 2025. No new orders or subscription renewals have been possible since that date. Software maintenance, including bug fixes and patches, ends on 30 September 2026. Existing subscriptions with active contracts continue to receive TAC support through 30 September 2030, but without new software releases after September 2026, the product enters a feature freeze that leaves it exposed to emerging threats.
| Date | Milestone | What it means for you |
|---|---|---|
| 18 June 2025 | End-of-life announcement | Cisco publishes EOL bulletin EOL15688 |
| 30 September 2025 | End-of-sale and end-of-renewal | Last day to order or renew legacy Umbrella SKUs |
| 30 September 2025 | Last ship date | Final date for subscription fulfilment |
| 30 September 2026 | End of software maintenance | No further patches, bug fixes or feature updates |
| 30 September 2030 | Last date of support | TAC support ends; product becomes officially obsolete |
The gap between the end-of-sale (September 2025) and the end of software maintenance (September 2026) is exactly twelve months. For procurement teams in mid-market organisations, that window has already narrowed to four months. If your current Umbrella subscription runs past September 2026, you are operating on software that receives no security patches.
Which Umbrella SKUs are affected?
The EOL announcement covers the full spectrum of legacy Umbrella packaging. Cisco’s bulletin lists more than 30 individual part numbers, but they cluster into five functional categories.
| Legacy SKU category | Example part numbers | Cisco’s replacement SKU |
|---|---|---|
| Umbrella Roaming | UMB-ROAM | Cisco Umbrella DNS Security Essentials (UMB-DNS-ESS-K9) |
| Umbrella Professional | UMB-PROFESSIONAL | Cisco Umbrella DNS Security Essentials |
| Umbrella Branch (ISR/RV) | UMB-BRAN-1100, UMB-BRAN-4321, UMB-BRAN-RV | Cisco Umbrella DNS Security Essentials |
| Umbrella Insights / Platform (SP) | UMB-INSIGHTS-K9-SP, UMB-PLATFORM-K9-SP | Cisco Umbrella DNS Security Advantage for SPs |
| Umbrella Cloud Security | UMBRELLA-SUB, UMBRELLA-ENT-SUB | Cisco Umbrella Security Subscription (UMB-SEC-SUB) |
Two additional EOL tracks run in parallel. The Umbrella Roaming Client software reached end-of-life on 2 April 2025, forcing migration to Cisco Secure Client (the successor to AnyConnect). The Umbrella Reserved IP add-on reached end-of-sale on 3 January 2025.
Organisations running Umbrella DNS Security Essentials or Advantage under the current (non-legacy) SKU structure are not directly affected by this bulletin. But Cisco is steering the entire Umbrella installed base toward Cisco Secure Access packaging, and the feature roadmap for standalone Umbrella SKUs is tapering off in favour of the Secure Access platform.
What Cisco Secure Access offers (and what it does not)
Cisco positions Secure Access as the successor to both Umbrella and AnyConnect. It combines DNS security, Secure Web Gateway, ZTNA and cloud firewall capabilities into a single platform delivered through Cisco’s Security Cloud infrastructure. On paper, that sounds like a clean upgrade path. In practice, the transition introduces complexity that mid-market teams need to evaluate carefully.
What maps cleanly from Umbrella to Secure Access:
DNS-layer security carries over as “DNS Defense” within Secure Access. Web filtering, malware inspection and content categorisation transfer to the SWG component. Talos threat intelligence remains the detection engine across both products.
What changes significantly:
The Intelligent Proxy, a feature that selectively routed suspicious traffic through a cloud proxy without proxying everything, does not exist in the same form in Secure Access. The new model proxies all web traffic through a full SWG stack. For organisations that relied on the lightweight DNS-first approach of Umbrella’s lower tiers, this is a fundamental architectural shift that affects latency, certificate management and endpoint configuration.
The management console changes from the Umbrella Dashboard to Security Cloud Control. Policy structures, reporting layouts and API endpoints all differ. Custom block pages built for the Umbrella DNS redirect model need rebuilding for a proxy-based architecture where blocking happens inline rather than at the DNS resolution layer.
ZTNA in Secure Access requires Cisco Secure Client on every managed endpoint. Organisations that previously ran Umbrella with DNS-only deployment (point your resolvers and go) now face a per-device agent rollout.
What requires additional Cisco licences:
Full SASE coverage within the Cisco ecosystem still requires assembling multiple products. Cisco Duo provides MFA and identity verification. Cisco Meraki or Catalyst handles SD-WAN for multi-site connectivity. ThousandEyes provides digital experience monitoring. Each carries its own licence, its own management interface and its own renewal cycle. A 200-user organisation aiming for the SASE coverage that a unified platform delivers end to end could be managing four to five separate Cisco subscriptions.
Three realistic migration paths
Path 1: migrate to Cisco Secure Access
This is the default path Cisco promotes, and it has genuine advantages for organisations deep in the Cisco ecosystem. If you already run Meraki switches, Duo for identity and Catalyst for SD-WAN, Secure Access fits into that stack without introducing a new vendor relationship.
When this works well: Large Cisco-native environments with dedicated security staff and multi-year Cisco EAs (Enterprise Agreements) that bundle licensing.
Where it creates friction: Mid-market organisations that ran Umbrella as a standalone DNS security layer. Moving from a lightweight DNS tool to a full SSE platform means more complexity, more endpoints to manage and more licences to coordinate. The multi-console reality of Duo plus Security Cloud Control plus Meraki Dashboard does not simplify operations for a three-person IT team.
Path 2: consolidate into a single-vendor SASE platform
For organisations that view the Umbrella EOL as a trigger to rethink their security architecture entirely, single-vendor SASE platforms offer the broadest replacement scope. Instead of assembling DNS security, web gateway, firewall, ZTNA and SD-WAN from separate products, a unified platform delivers all of them from one console under one licence.
Several vendors serve this market. Zscaler delivers a mature SSE stack with global reach but enterprise-grade complexity and opaque pricing. Cloudflare One leverages one of the world’s largest edge networks and offers a freemium entry point, though data localisation requires enterprise contracts. Netskope leads in CASB and DLP depth but targets large enterprise deployments. Jimber provides a European SASE platform built for 50 to 400 user organisations, with transparent per-user pricing, EU data sovereignty and agentless device isolation through NIAC hardware.
When this works well: Organisations that want to eliminate tool sprawl, reduce the number of management consoles, and align their security architecture with a clear vendor evaluation framework.
Where it creates friction: Organisations locked into multi-year Cisco contracts across networking and identity may face contractual barriers to a full vendor switch.
Path 3: hybrid approach
Some organisations split the migration: DNS security with one vendor, broader SASE or SSE with another. This makes sense when contractual constraints force a phased transition, or when a specific compliance requirement (such as local DNS resolution for data sovereignty) demands a specialised provider.
When this works well: Regulated environments where DNS filtering must stay within a specific jurisdiction, or organisations midway through a Cisco EA that cannot exit cleanly.
Risks to manage: Two management planes, two policy languages, two incident investigation workflows. The operational overhead of a hybrid approach can exceed the cost of either platform individually, especially for lean IT teams.
The migration decisions that catch teams off guard
The vendor selection gets the most attention, but the operational details of the migration itself tend to cause more disruption. Five areas consistently surprise IT teams migrating away from Umbrella.
Custom block pages are not portable. Umbrella’s DNS-redirect block pages use a fundamentally different delivery mechanism than proxy-based SWG block pages. If you built branded block pages with helpdesk instructions and policy explanations, they need to be rebuilt from scratch in whatever platform you choose. Budget two to three days for this.
Investigate API integrations break. Organisations that automated threat intelligence lookups or incident enrichment through the Umbrella Investigate API face a rearchitecting effort. Cisco’s Security Cloud uses OAuth 2.0 authentication and a different endpoint structure. Third-party SIEM integrations that pull from Investigate need updating.
The Roaming Client to Secure Client migration is heavier than expected. Cisco Secure Client is a larger, more resource-intensive agent than the original Umbrella Roaming Client. IT teams on Reddit’s r/sysadmin and r/Cisco report conflicts with third-party DLP agents and VPN configurations. For organisations without centralised MDM, pushing the new client to every endpoint is a significant project.
DNS cutover requires careful sequencing. Switching DNS resolvers from Umbrella’s anycast addresses to a new provider affects every device on the network simultaneously. A staged cutover, starting with one site or one user group, reduces the blast radius if policy parity is not perfect on day one.
SAML SSO and Active Directory connectors need reconfiguration. The identity integration between Umbrella and your IdP does not carry over automatically. Expect to rebuild SAML trust relationships and reconfigure the Virtual Appliances that handle AD synchronisation.
Platforms designed as single-vendor SASE from the start, including Jimber, avoid some of these issues by design. A single policy engine means one set of block page templates, one API structure and one identity integration, rather than separate configurations per Cisco product.
What this means for your 2026 procurement cycle
With four months until the software maintenance deadline, the procurement timeline is compressed. Mid-market organisations should work backward from 30 September 2026 and allow three to six months for a typical migration including proof of concept, policy migration, endpoint rollout and validation.
That means the evaluation should already be underway. If you have not started, the practical sequence looks like this:
Now through June 2026: Run a proof of concept with two or three shortlisted platforms. Include Cisco Secure Access if you are invested in the Cisco ecosystem. Include at least one vendor-neutral alternative to benchmark against. Jimber offers a PoC that covers CASB, SWG and ZTNA in a single evaluation.
June through August 2026: Make the procurement decision and begin phased rollout. Start with remote users (they feel the VPN friction most) and one branch office.
September 2026: Complete migration before the software maintenance deadline. Decommission Umbrella DNS resolver configurations.
Three questions to ask every vendor on your shortlist:
- How many management consoles does your platform require to deliver DNS security, SWG, ZTNA and SD-WAN?
- What is the per-user cost including all modules, with no bandwidth surcharges?
- Under which legal jurisdiction does traffic inspection happen, and are you subject to the US CLOUD Act?
For European organisations evaluating sovereignty alongside security, that third question increasingly determines the shortlist.
Frequently asked questions
Will my existing Cisco Umbrella contracts be honoured until expiry?
Active subscriptions with valid contracts continue to receive TAC support through 30 September 2030, per Cisco’s EOL bulletin EOL15688. However, no new software maintenance releases will be issued after 30 September 2026. You retain support, but not patches.
Does Cisco Secure Access include everything Umbrella did?
The core DNS filtering, web security and threat intelligence capabilities carry over. The Intelligent Proxy feature does not exist in the same form. Custom block pages, API integrations and the Umbrella Dashboard reporting structure all change. A proof of concept is the only reliable way to confirm functional parity for your specific configuration.
How long can I keep using legacy Umbrella after September 2026?
The software will continue to function, but without patches or maintenance releases. Cisco will not fix bugs or address new vulnerabilities. Running unpatched security software after the maintenance end date creates risk that grows with every month.
What are the real costs of moving from Umbrella to Cisco Secure Access?
Cisco offers migration pricing that aims to match existing Umbrella subscription costs. The hidden costs sit in the adjacent licences needed for full coverage: Duo for identity, Meraki or Catalyst for SD-WAN, and ThousandEyes for monitoring. A comprehensive Secure Web Gateway comparison helps frame what a complete web security replacement actually requires.
Can I migrate to a non-Cisco SASE platform?
Yes. Umbrella uses standard DNS forwarding and, at higher tiers, IPsec tunnels and proxy configurations. These are protocol-level integrations, not proprietary lock-in. Migration to any SASE or SSE platform involves repointing DNS, reconfiguring tunnels, enrolling a new agent on endpoints, and rebuilding identity provider integrations.
Will my Umbrella API integrations work with Cisco Secure Access?
Not directly. The Umbrella Reporting, Management and Investigate APIs use different authentication and endpoint structures than the Security Cloud APIs. Plan for a refactoring effort if you have automated workflows that depend on these APIs.
What happens to my Umbrella Investigate threat intelligence data?
Investigate capabilities are being integrated into the broader Cisco Security Cloud platform. Historical query data and intelligence feeds transition to the new platform, but the API access method changes. If you use Investigate for automated enrichment in your SIEM, that integration needs reworking.
For a detailed comparison of how Cisco Umbrella stacks up against a unified SASE approach, read the full Cisco Umbrella versus Jimber analysis. Or if you want to see what a single-console migration looks like in practice, book a demo and bring your Umbrella configuration along.
