- Dausos is Surfshark’s first proprietary VPN protocol, built from scratch rather than adapted from enterprise networking tools like WireGuard or OpenVPN.
- Each user gets a dedicated server-side tunnel, eliminating shared network interfaces between sessions.
- The protocol ships with AEGIS-256X2 encryption, a cipher no other commercial VPN uses today.
- Surfshark pairs this with a hybrid post-quantum key exchange approved by NIST, combining X25519 and ML-KEM.
- Berlin-based security firm Cure53 completed a source code audit in March 2026 and found no critical or high-severity issues in the protocol.
Every major VPN protocol in use today started life as something else.
- WireGuard was a general-purpose secure network tunnel.
- OpenVPN grew out of enterprise remote access needs.
- IKEv2 came from the IPsec framework.
VPN providers took these tools and adapted them for consumer use.ย Surfsharkย decided to skip the adaptation step entirely.
The companyย announced Dausos on April 13, 2026, naming it after the Lithuanian word for “heaven,” a nod to Surfshark’s Lithuanian heritage.
The protocol is currently live on the macOS App Store version of the Surfshark app. Other platforms are in development, though Surfshark has not committed to a timeline.
So what does Dausos actually change at a technical level?
The most notable shift is in how the server handles your connection. With standard VPN protocols, every user connected to a given server shares one network interface, called a TUN interface. Your encrypted packets travel alongside packets from every other user on that same server.
The risk of cross-traffic exposure is low in practice, but the shared architecture creates overhead and resource contention.
Dausos eliminates that shared layer. When you connect, the server creates a brand new network interface for your session alone. Your traffic runs through its own isolated path. No shared logic, no shared resources.
Karolis Kaciulis, Leading System Engineer at Surfshark, described it this way:
“The protocol’s unique design avoids unnecessary and redundant checking of data packets, which enhances connection performance and even further prevents the theoretical possibility of data packets interfering with each other.”
This quote appeared inย Surfshark’s press releaseย and was cited by multiple outlets includingย CNETย andย Tom’s Guide.
That per-user tunnel design feeds directly into the speed gains Surfshark is claiming. The company says Dausos runs up to 30% faster than current industry-standard protocols.
Tom’s Guide reported that Surfshark’s internal benchmarks showed 318 Mbps average download speeds on Dausos versus 244 Mbps on WireGuard.
In Tom’s Guide’s own independent testing,ย Surfshark’s WireGuard implementationย peaked at 1,021 Mbps. Scaling the 30% figure to that baseline puts Dausos in the range of 1,300 Mbps.
(No independent outlet has published its own Dausos speed tests yet. These figures come from Surfshark’s internal data and projections based on prior third-party benchmarks.)
The encryption layer is where Dausos diverges from the rest of theย VPN market. Surfshark chose AEGIS-256X2, a cryptographic algorithm that provides authenticated encryption, meaning it handles both data confidentiality and integrity verification in a single operation.
AEGIS-256X2 outperforms AES-GCM on modern hardware, which partly explains the speed improvement. No other consumer VPN ships this cipher.
For key exchange, Dausos uses a hybrid post-quantum approach. It pairs X25519, a proven elliptic curve Diffie-Hellman method, with ML-KEM, the Module-Lattice-Based Key-Encapsulation Mechanism thatย NIST standardized in August 2024ย as part of its first batch of post-quantum cryptography standards.
The hybrid model means your connection is secured against both conventional attacks and the theoretical future threat of quantum decryption.
Surfshark went further on the certificate side. The company built its own self-signed root certificate authority using ML-DSA, another NIST post-quantum standard designed for digital signatures. Root certificates are what your device checks to confirm that the server you are connecting to is actually who it claims to be.
Most VPN providers still rely on traditional certificate schemes. Surfshark is among the first to implement post-quantum certificates in a shipping product.
The company has aย history of building privacy-focused infrastructureย beyond its core VPN product, and Dausos fits that trajectory.
“We introduced numerous steps, some of them never seen in any VPN protocol before, to maximize the security of our protocol,” Kaciulis said in theย official announcement.
Session security in Dausos also moves past the industry baseline. Most VPN protocols use Perfect Forward Secrecy, which regenerates encryption keys at regular intervals so that a compromised key can only expose a few minutes of session data.
Dausos implements what Surfshark calls post-compromise security. Every new session and every re-keying event produces entirely fresh key pairs.
These new keys have zero mathematical relationship to any prior key. A compromised key reveals nothing about past or future sessions.
On top of that, Dausos randomizes the server port for every connection. Standard VPN protocols typically use a fixed port. Randomizing it makes your connection pattern less predictable and harder to fingerprint.
Theย Cure53 audit report, dated March 30, 2026, provides the closest thing to independent validation available right now.
Four senior consultants spent sixteen person-days on the engagement, working across five scoped areas:
- architecture and threat model,
- control channel,
- data channel,
- cryptographic design, and
- session management.
They found ten issues total. Seven were classified as security vulnerabilities and three as miscellaneous recommendations. The two most severe findings were in the external hosting environment, outside the protocol itself, and were categorized as out-of-scope. The remaining eight, all within the Dausos protocol, carried medium severity or lower ratings.
Theย Cure53 summaryย noted:
“The Surfshark team demonstrated a significant commitment to security by remediating the majority of the findings immediately following the testing phase.”
Cure53 also recommended that Surfshark create a formal protocol specification and threat model document to track latent risks over time.
Surfshark has filed a patent application covering the Dausos architecture.
The macOS-only availability is the obvious constraint right now. Most VPN users run their connections on phones, streaming devices, routers, and Windows machines.ย TROYPOINT notedย that the real test for Dausos comes when it reaches those platforms.
Surfshark confirmed to CNET that expansion is underway but offered no specific dates. The protocol isย still in beta, and Surfshark advises users to fall back to WireGuard or OpenVPN if they experience connectivity problems.
In the competitive landscape, Dausos positions Surfshark alongside ExpressVPN’s Lightway and NordVPN’s NordLynx as providers that have moved beyond relying on third-party protocols.
The difference is that neither Lightway nor NordLynx offers per-user dedicated tunnels or AEGIS-256X2 encryption.
If you are looking at timing your purchase, Surfshark’s birthday sale runs from April 20 through May 11, 2026.
Theย VPN-only 2-year planย costs $1.78 per month with 3 extra months included, the lowest price in the company’s history. Surfshark One, which adds Antivirus, Search, Alert, and Alternative ID, is $2.08 per month on the same terms.
Users who prefer toย pay for a VPN with Bitcoinย can do that through Surfshark’s checkout as well.
The protocol’s long-term impact depends on two things: how the speed claims hold up in independent testing across multiple server locations, and how quickly Surfshark can ship Dausos on Windows, Android, iOS, and Linux. The audit results are clean.
The cryptographic choices align with NIST’s post-quantum direction. The dedicated tunnel architecture is a genuine technical differentiator. What remains is proof at scale.
