Microsoft recently promoted Edge’s built-in Edge Secure Network “VPN” feature on social platform Microsoft claims that this feature is based on "VPN technology" that encrypts traffic within the browser to help resist third-party eavesdropping, tracking and malicious attacks, and improves online privacy by hiding user IP addresses.
The feature, called Edge Secure Network VPN, is integrated into the Edge browser and can theoretically replace installing some third-party VPNs, but there is a monthly traffic cap of 5GB. Users need to click the three-dot menu in the upper right corner of Edge, select "More Tools" and enter "Secure Network", then click "Get VPN for Free" and log in with a personal Microsoft account to enable it. After the free quota is exhausted, the encryption protection will be suspended and will be reset in the next billing cycle; in order to save traffic, high-bandwidth scenarios such as Netflix, Hulu, HBO and other video streaming media are excluded from the encrypted tunnel. Additionally, this feature is not currently supported on enterprise or managed devices and is not available in some regions.
In terms of server selection, Edge Secure Network VPN does not allow users to manually specify nodes or countries/regions. In response to user questions, Microsoft confirmed that the service will automatically connect to geographically "nearest" servers and will not open the option to manually switch regions. Microsoft also said that this feature has a certain degree of "intelligence" and will be automatically activated when accessing a website that is not fully encrypted or in a network environment considered high risk (such as public Wi-Fi). Users can also adjust it in the settings to enable it in more browsing scenarios or only turn it on on demand. In the official description, Microsoft positions Edge Secure Network as a built-in "basic protection" and does not explicitly claim that it can completely replace traditional independent VPN services. However, it still uses terms such as "monthly free VPN data protection" and "use of VPN technology" in its marketing rhetoric.
This publicity quickly attracted technical skepticism from privacy researcher Sooraj Sathyanarayanan, who currently works on the Brave browser team and has long been concerned about privacy and security issues. Sooraj published on
According to Sooraj's analysis, Edge Secure Network is essentially a browser-level traffic tunnel, not a system-level virtual private network. This means that only network requests generated by the Edge browser will be sent into the encrypted channel, while other applications in the system, background services, email clients, operating system updates and even DNS queries will continue to go through the regular network path and are not protected by this feature.
He defines it as the HTTP CONNECT proxy architecture built on the Cloudflare Privacy Proxy, designed to protect browsing sessions within Edge, rather than establishing an end-to-end encrypted tunnel for the entire device. In contrast, many commercial VPN tools uniformly route all network traffic from a device to an encrypted exit and provide features such as a "kill switch" and server region selection.
Researchers also pointed out that Edge Secure Network runs in what Microsoft calls "optimized mode" by default, which means it will only be automatically enabled under certain conditions (such as connecting to public Wi-Fi, visiting non-HTTPS websites, etc.) unless the user manually modifies the settings to extend it to cover all browsing scenarios. In addition, enabling this feature requires logging into a personal Microsoft account. Microsoft explains that this is to meter and enforce the 5GB monthly traffic cap, but in the researcher's view, this also means that this protection layer is tied to a verified identity rather than anonymous use.
In terms of trust model, Sooraj described Edge Secure Network as a "two-party trust architecture": Microsoft is responsible for account identity management, and Cloudflare is responsible for network routing. Microsoft assures that Cloudflare cannot see the user account identity, and Cloudflare stated in its public statement that it will not check the user's specific traffic content. However, researchers caution that the entire system is based on trust in statements from both parties and lacks independent public audits to verify the details of data processing. He also mentioned that Edge Secure Network lacks manual region selection, has limited transparency into routing behavior, and lacks some of the protection mechanisms common with traditional full-device VPNs.
Looking at the broader industry context, Microsoft is not alone in introducing a network protection layer into browsers. The Opera browser already has a similar "in-browser VPN" feature built into it, positioning it as an integrated privacy protection component. This type of tool emphasizes "convenience first" scenarios: automatically turned on under specific conditions, simple to configure, reducing to a certain extent the explicit risks caused by insecure connections such as public Wi-Fi, while avoiding the obvious performance losses that may be caused by system-wide VPNs. However, from the perspective of their original design intentions and capabilities, these browser built-in protections cannot and should not be regarded as complete replacements for traditional VPN services.
A key question in the controversy surrounding Edge Secure Network is how accurately and transparently vendors should define the scope of their capabilities when advertising such capabilities to users. For ordinary users, the term “VPN” often means system-level, full-traffic privacy protection and region switching capabilities, while Edge Secure Network is closer to the category of “built-in security proxy”. In the future, whether this feature can be regarded as a "practical basic protection" or an "over-packaged privacy feature" depends largely on how Microsoft continues to clarify its positioning and limitations in official documents and marketing expressions. Microsoft has yet to make any further public statement on the researcher's criticism. The media said it has sought a clearer statement from Microsoft and will update the report after receiving a response.