- Surfshark’s new Dausos protocol assigns each user a dedicated server-side tunnel instead of sharing a single interface with other users on the same server.
- Dausos uses AEGIS-256X2 encryption, which no other commercial VPN currently ships, and runs faster than the industry-standard AES-GCM on modern hardware.
- The protocol is fully post-quantum secure, combining X25519 with ML-KEM for hybrid key exchange and using ML-DSA for certificate signing.
- Cure53 audited Dausos in February and March 2026 and found zero critical or high-severity issues within the protocol itself.
- Dausos is currently available only on Surfshark’s macOS app, with other platforms planned.
Surfshark, the Netherlands-headquartered cybersecurity company, released its proprietary VPN protocol called Dausos on April 13, 2026.
The name comes from the Lithuanian word for “heaven,” a reference to the company’s Lithuanian roots in Baltic mythology.
Most commercial VPNs rely on protocols like WireGuard, OpenVPN, or IKEv2. These were originally designed for enterprise networking and later adapted for consumer use. Surfshark built Dausos from scratch to avoid the inefficiencies that come with that adaptation process.
The central technical difference is how Dausos handles user traffic on the server side. Traditional VPN protocols route all connected users through a single shared network interface, known as a TUN interface.
Dausos creates a separate, dedicated tunnel for each user session. When you connect to a server, that server spins up a new network interface specific to your session. No network space, logic, or resources are shared with other users.
“A key security aspect of this protocol is the isolation of user data traffic. While the risk of cross-traffic exposure in modern VPNs is very low, our unique protocol design goes the extra mile to ensure a clean, private, and secure path for each user’s data,” said Karolis Kaciulis, Leading System Engineer at Surfshark, in the company’s official announcement.
Kaciulis also explained that this design eliminates redundant packet checking, which improves connection speed and removes the theoretical possibility of data packets interfering with each other.
The speed claims are significant. Surfshark reports that Dausos delivers speeds up to 30% faster than existing industry-standard protocols.
Tom’s Guide reported that Surfshark’s internal testing showed an average download speed of 318 Mbps on Dausos, compared to 244 Mbps on WireGuard.
In Tom’s Guide’s own prior testing, Surfshark’s WireGuard speeds peaked at 1,021 Mbps. If the 30% improvement scales proportionally, Dausos could reach approximately 1,300 Mbps.
(Independent benchmarks from third parties are still pending, so treat these numbers as early indicators.)
The protocol also adapts dynamically to your network conditions and device capabilities. Whether you are on fiber, Wi-Fi, or switching between mobile data and wireless, Dausos distributes data packets based on your specific configuration.
On the encryption side, Dausos uses the AEGIS-256X2 cryptographic algorithm. No other commercial VPN provider currently uses this cipher.
AEGIS-256X2 provides authenticated encryption, meaning it simultaneously confirms the integrity and confidentiality of your data. It runs faster than AES-GCM on modern hardware, which contributes to the protocol’s speed gains.
Post-quantum security is where Surfshark made its most aggressive technical bet. Dausos implements a hybrid key exchange that combines X25519, a widely trusted elliptic curve method, with ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). ML-KEM is one of the three post-quantum encryption standards finalized by NIST in August 2024.
This hybrid approach protects your data from both current decryption methods and future quantum computing threats. Surfshark has a track record of investing in privacy-focused infrastructure, and Dausos fits that pattern.
Surfshark also created its own self-signed root certificate authority using the ML-DSA signature scheme, another NIST post-quantum standard. Root certificates are the digital files your device uses to verify that websites, software, and connections are legitimate.
As the industry moves toward post-quantum certificate schemes, Surfshark is positioning itself early.
“We wanted to be at the forefront and adopt this technology as soon as possible, and our own protocol seemed like the best opportunity for that,” Kaciulis stated.
Beyond encryption, Dausos introduces post-compromise security, which goes further than the traditional Perfect Forward Secrecy (PFS) model.
With PFS, session keys are regenerated periodically so a compromised key only exposes a small window of data, typically the last few minutes.
Dausos takes an additional step: every new session and every re-keying instance generates entirely new key pairs with no mathematical relationship to previous keys.
If one key is compromised, no future keys can be derived from it.
Port randomization adds another layer. Most VPN protocols connect through a fixed port. Dausos assigns a randomized port for every session, making connections harder to predict or target.
The Cure53 audit, conducted in February and March 2026, deployed four senior consultants over sixteen person-days.
The scope covered five work packages: VPN architecture and threat model, control channel and state handling, data channel and packet handling, cryptographic design and key exchange, and session management with rekeying and PFS.
The audit produced ten total findings. Of those, seven were security vulnerabilities and three were best-practice recommendations.
The most severe vulnerabilities were found in the external hosting environment, not in the Dausos protocol or its source code. Within the protocol itself, all eight findings were rated medium severity or lower.
“With no findings rated at Critical or High severity within the actual Dausos protocol itself, the audit results reflect a stable and resilient platform,” the Cure53 summary report stated.
“The Surfshark team demonstrated a significant commitment to security by remediating the majority of the findings immediately following the testing phase.”
Cure53 did recommend that Surfshark develop a formal protocol specification and a comprehensive threat model to address latent risks as the protocol matures.
Surfshark has also filed a patent application for Dausos’ architecture.
Right now, there is one significant limitation. Dausos is only available on Surfshark’s macOS app downloaded from the Apple App Store.
If you installed Surfshark using the DMG version, you will need to switch to the App Store build. To enable the protocol, open the Surfshark app, go to Settings, select VPN Settings, click Protocol, and choose Dausos from the list.
Surfshark told CNET’s Attila Tomaschek that the team is actively working on rolling out Dausos to other platforms but cannot share a specific timeline yet. The protocol is still in beta, so Surfshark recommends switching back to WireGuard or OpenVPN if you run into connection issues.
The broader VPN industry context matters here. ExpressVPN has its Lightway protocol. NordVPN runs NordLynx, a WireGuard-based implementation.
Surfshark’s Dausos joins a growing trend of major VPN providers building proprietary protocols rather than relying solely on open-source options. The per-user tunnel approach and AEGIS-256X2 encryption are features no competitor currently offers.
For users considering a VPN subscription, Surfshark is running its birthday deal from April 20 through May 11, 2026. The VPN-only plan is available at $1.78 per month on a 2-year subscription with 3 extra months included.
Surfshark One, which bundles VPN, Antivirus, Search, Alert, and Alternative ID, is priced at $2.08 per month on the same plan length. Privacy-conscious users who prefer to buy a VPN with Bitcoin can also do so through Surfshark’s payment options.
(The $1.78/month price is the lowest Surfshark has ever offered. If you have been waiting for a deal, this is worth a look.)
Whether the 30% speed gains and dedicated tunnel architecture hold up under widespread real-world usage remains to be seen. Independent testing from outlets like Tom’s Guide and CNET is still in progress.
But the Cure53 audit results, the post-quantum encryption stack, and the patent filing all signal that Surfshark built Dausos as a long-term investment in its infrastructure, not a marketing exercise.
