Your biggest security threat isn't malware.
It's your students attempting to bypass your filter.
Proxy bypass now generates 7x more blocked activity than malware across K–12 networks — and it’s creating the cover attackers need.
Is your security posture built for the threat landscape you have?
Real-world data shows how frequently students probe, bypass, and redeploy around filtering systems.
The volume of bypass traffic has outpaced every other threat category.
Scanners and network utility tools used to test network boundaries.
The same threats redeploying under new addresses to avoid detection.
Multi-Layer Bypass Prevention Across Every Attack Path
Bypass attempts don’t rely on a single method. Protection shouldn’t either. This approach reduces reliance on any single control, closing gaps attackers and students exploit.
Real-Time Proxy Detection and Blocking
When a student loads a proxy bypass site, Lightspeed Filter™ detects and blocks it by analyzing what’s executing in the browser, including tunneling methods, JavaScript behavior, and proxy libraries like Ultraviolet, Scramjet, and Rammerhead. These signals are evaluated in real time, with blocking triggered when thresholds are met and re-scanning to catch mid-session evasion, stopping bypass attempts that URL and text-based filtering miss.
How it works
01. Inspection
When a user accesses a page, the system analyzes the load in real time, evaluating DOM structure, network activity, and JavaScript execution. It detects proxy frameworks, tunneling methods, and hidden behaviors, including tools like Ultraviolet and Rammerhead.
02. Scoring
Each signal contributes to a weighted score. High-confidence indicators trigger immediate detection, while lower-confidence signals accumulate until a threshold is reached.
03. Ongoing scanning
The page is monitored throughout the session. If behavior changes or new scripts execute, signals are re-scored in real time to catch delayed or dynamic evasion techniques.
04. Feedback
Once thresholds are met, the system blocks or logs activity based on policy. All detections feed back into the model, with confirmed sites recategorized to strengthen protection across the platform.
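The scoring loop in steps 01 to 04, as an added sketch that is not Lightspeed's implementation: the signal names, weights and per-sensitivity thresholds are assumptions chosen for illustration. It shows a high-confidence signal detecting immediately, weaker signals accumulating, and a mid-session re-scan changing the verdict.

```javascript
// Hypothetical signal catalogue: names and weights are assumptions for this sketch.
const SIGNALS = {
  proxy_library_signature: { weight: 100, highConfidence: true },
  tunneling_method:        { weight: 40 },
  late_script_injection:   { weight: 25 },
  tile_layout:             { weight: 20 },
  canvas_launcher:         { weight: 20 },
};
// Assumed blocking thresholds for the three sensitivity levels.
const THRESHOLDS = { Relaxed: 90, Normal: 60, Strict: 40 };

class PageSession {
  constructor(sensitivity, action = "block") {
    if (!Object.hasOwn(THRESHOLDS, sensitivity)) {
      throw new Error(`unknown sensitivity: ${sensitivity}`);
    }
    this.threshold = THRESHOLDS[sensitivity];
    this.action = action;   // policy outcome once detected: "block" or "log"
    this.seen = new Set();  // a signal counts once per session, however often it fires
    this.score = 0;
    this.detected = false;
  }

  // Call at page load and again whenever the DOM changes or new scripts execute.
  observe(signalNames) {
    for (const name of signalNames) {
      if (!Object.hasOwn(SIGNALS, name) || this.seen.has(name)) continue;
      this.seen.add(name);
      this.score += SIGNALS[name].weight;
      if (SIGNALS[name].highConfidence) this.detected = true; // no accumulation needed
    }
    if (this.score >= this.threshold) this.detected = true;
    return {
      detected: this.detected,
      verdict: this.detected ? this.action : "allow",
      score: this.score,
      signals: [...this.seen],
    };
  }
}

// Constructed session: the page looks benign at load, then changes mid-session.
function demo() {
  const session = new PageSession("Strict");
  const atLoad = session.observe(["tile_layout"]);
  const rescan = session.observe(["tile_layout", "late_script_injection"]);
  return [atLoad.verdict, rescan.verdict];
}
console.log(demo());
```

With `action` set to `"log"`, detection is still recorded while nothing is blocked, which mirrors the always-on detection described further down the page.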
Common Bypass Methods and How They're Stopped
Students use a range of methods to bypass filtering, from proxy tools to browser exploits. Here’s what those tactics look like and how Lightspeed stops them.
| The Bypass Problem | What It Looks Like | How Lightspeed Solves It |
|---|---|---|
| Game aggregators | Sites with tiled game libraries, embedded launchers, and unblocked access to games and apps — built on frameworks like Ruffle, Nebula, and Interstellar, plus an increasing number of custom builds | Detects aggregator patterns and known framework libraries via on-device scanning, plus tile-layout and HTML5 canvas behavior heuristics, blocking access in real time |
| Cloud-hosted proxies (AWS, Azure, GCP) | Proxy pages hosted under trusted infrastructure like s3.amazonaws.com/bullmath/index.html or s3.amazonaws.com/vcsamath/index.html, often miscategorized as Education because the parent host inherits a trusted reputation | Inspects JavaScript variables, library signatures, and page behavior on the device to flag proxy activity without blocking the parent host |
| Google Sites and Google Docs | Student-created Google Sites and Docs hosting proxy links, embedded games, or embedded videos — visible to the filter only as a generic Google asset | Inspects rendered page content and embedded elements (canvas, iframes, third-party assets) to detect bypass activity inside trusted Google domains |
| AI-generated fake "education" sites | Students use generative AI to spin up convincing education-looking pages, let them get categorized as Education, then swap in proxy or game content — sometimes hidden behind a keyboard shortcut that toggles between the safe view and the real one | Re-scans pages intermittently as content changes, treating categorization as one signal rather than a final verdict |
| Proxy frameworks (open-source and paid) | Open-source frameworks like Ultraviolet and Scramjet pulled from GitHub, plus paid "site-on-demand" bypass services sold in Discord servers that build custom pages specifically to evade Lightspeed | Fingerprints known proxy framework libraries via JavaScript signatures even when wrapped in unique URLs or custom front-ends, since paid services almost always reuse the same underlying libraries |
| Top-level and obscure domains | Newly registered or obscure top-level domains used to host proxy tools or evade categorization | Applies dynamic categorization and blocks risky or uncategorized domains by default |
| External proxy directories | Sites, platforms, and channels that catalog working proxies and bypass links — including dedicated unsafe-search sites, domain-sharing platforms (historically Afraid.org and successors), YouTube channels like @VCSAOfficial, and subreddit threads that publish working URLs and walkthroughs | Continuously reclassifies newly surfaced proxies through detection telemetry, feeding shared categorization updates back into protection across all customers |
| Extension-less Chrome sessions | Students use tricks like GitHub SSO to open a Chrome window that doesn't load extensions | Routes traffic through cloud proxy, identifies proxy behavior even without extensions, and enforces filtering |
| Malware disguised as VPNs | Bypass clusters like Fern where the first click anywhere on the page opens a popup to a known malware site posing as a free VPN download | Flags the redirect and popup behavior in real time, blocking the malware page before download is initiated |
Coverage That Fits Your Environment
Tune detection to match your policies, your users, and your risk tolerance.
Always-on Detection
Detection runs across all categories, allowing blocking to be adjusted without losing visibility into bypass attempts.
Per-Policy Sensitivity Control
Set detection sensitivity by policy. Choose "Relaxed", "Normal", or "Strict" for different user groups, grade levels, or staff.
Coverage for Known Proxy Frameworks
Detects widely used proxy tools such as Ultraviolet, Scramjet, and Rammerhead, regardless of where they appear. No dependency on domain or URL matching.
Game Aggregator Detection
Identifies sites used to access unblocked games and apps. Detects libraries like Ruffle, Nebula, and Interstellar, along with common aggregator patterns, using the same detection engine and policy controls.
Approved Tool Exceptions
Combine allow lists and local recategorization to manage approved tools, excluding trusted platforms from blocking while maintaining detection.
How Does Your Filter Stack Up?
Not all filters catch the same threats. Here’s how the approaches compare.
| Capability | Lightspeed | Linewize | Deledao | GoGuardian | Securly |
|---|---|---|---|---|---|
| Live intelligence: bypass detection | Full coverage: Proxies + game aggregators; behavior-based | Partial coverage: Proxies only; text/content scan only | Partial coverage: Proxies + games; text/content scan only | Partial coverage: Proxies only; text/content scan only | No coverage |
| Blocking sensitivity control with always-on detection | Full coverage: Relaxed / Normal / Strict; detection runs independent | No coverage | No coverage | No coverage | No coverage |
| Zero-day threat protection | Full coverage | Full coverage | Partial coverage: AI on-device only | Full coverage | Full coverage |
| Granular security categorization | Full coverage | Full coverage | Partial coverage: AI on-device only | Partial coverage: Less granular; categorizes proxies | Partial coverage: Less granular; categorizes proxies |
| ChromeOS app & device protection | Full coverage | Partial coverage: On-network only | No coverage | No coverage | No coverage |
| On-device, tamper resistant agents | Full coverage | Partial coverage: VPN-based; performance impact | Partial coverage: Chrome-based only | Full coverage | Partial coverage: SmartPAC proxy only; no native agent |
See what's getting through your filter right now
Run a side-by-side comparison of your current filter and Lightspeed, and see what bypass activity you’re currently missing.
14-Day No Obligation Bypass Audit
- Side-by-side view of detected vs missed bypass activity
- Summary you can use to evaluate coverage gaps
- Summary you can use in leadership conversation
We’ll reach out to set up your POC. No spam, no pressure.
See what's getting through your filter right now
Run a proof of concept with your network. We’ll show you exactly what bypass activity looks like in your environment, and what your current filter isn’t catching.
- No commitment required
- Results typically ready within one week of setup
- Includes a walkthrough with your account executive
See what your filter is missing
Most filters tell you what they blocked. Yours won’t tell you what got through. A Lightspeed POC gives you visibility into bypass activity on your own network — using your data.
| Detection method | URL filtering | Lightspeed |
|---|---|---|
| Known proxy domains | ✓ | ✓ |
| Newly generated proxy hostnames | ✗ | ✓ |
| Ultraviolet / Scramjet / Rammerhead | ✗ | ✓ |
| Mid-session evasion & re-routing | ✗ | ✓ |
| Game aggregator libraries | Partial | ✓ |
| Off-network / BYOD devices | ✗ | ✓ |