What are the limits of gateway-based protection?
Gateways can't catch everything. Limitations include: zero-day threats lacking signatures, sophisticated evasion techniques, legitimate-looking **phishing** with no technical indicators, and compromise via other vectors.
Timing limitations: analysis happens at delivery time, but threats may activate later (delayed weaponization). URL rewriting helps but adds complexity and occasional user friction.
Scope limitations: gateways protect the perimeter but can't prevent internal threats, detect already-compromised accounts sending outbound mail, or protect personal devices accessing corporate email. Defense-in-depth requires multiple layers.
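To illustrate the timing gap and how URL rewriting narrows it, here is an added example (not from the original page or any vendor's product): links are wrapped at delivery and the verdict is re-checked at click time. The gateway endpoint, signing key, and blocklist are constructed assumptions.

```python
import base64, hashlib, hmac, re
from urllib.parse import urlencode, urlparse, parse_qs

GATEWAY = "https://click.gateway.example/r"  # hypothetical click-time endpoint
KEY = b"constructed-demo-key"                # constructed; use a managed secret in practice
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def sign(url: str) -> str:
    """HMAC over the original URL so the gateway only resolves links it issued."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_body(body: str) -> str:
    """Delivery time: wrap every link so the click goes through the gateway."""
    def wrap(match):
        url = match.group(0)
        token = base64.urlsafe_b64encode(url.encode()).decode()
        return f"{GATEWAY}?{urlencode({'u': token, 's': sign(url)})}"
    return URL_RE.sub(wrap, body)

def resolve_click(rewritten: str, blocklist: set) -> tuple:
    """Click time: verify the signature, then re-check current reputation."""
    query = parse_qs(urlparse(rewritten).query)
    try:
        url = base64.urlsafe_b64decode(query["u"][0]).decode()
        sig = query["s"][0]
    except (KeyError, ValueError):
        return ("reject", None)
    if not hmac.compare_digest(sig.encode(), sign(url).encode()):
        return ("reject", None)  # tampered link: never act as an open redirect
    host = urlparse(url).hostname or ""
    if host in blocklist:
        return ("block", url)    # verdict changed after delivery
    return ("allow", url)

def demo() -> list:
    # Constructed message; the host is clean at delivery and listed later.
    body = "Invoice: https://files.vendor.example/inv.pdf please review."
    link = URL_RE.search(rewrite_body(body)).group(0)
    at_delivery = resolve_click(link, set())
    after_weaponization = resolve_click(link, {"files.vendor.example"})
    return [at_delivery[0], after_weaponization[0]]

if __name__ == "__main__":
    print(demo())
```

The click-time check only covers links that pass through the gateway, so the scope limitations above still apply.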