Market Guide for Data Loss Prevention

9 April 2025 - ID G00801998 - 46 min read
By Andrew Bales, Franz Hinner and 3 more
DLP is a mature market, but modern organizations are exploring comprehensive solutions that go beyond traditional DLP methods. Security and risk management leaders should focus on user-centric, adaptive risk-based data security techniques to strengthen the security of their organization’s data.

Overview


Key Findings

  • Data loss prevention (DLP) projects that are not tied to broader business-driven initiatives or use cases often indicate an absent or immature data security governance program. A focus on technology solutions without the programmatic foundation results in incomplete use cases and requirements for DLP tools, which makes the selection process difficult and decreases the likelihood of project success.
  • Integrated DLP (IDLP) solutions, traditionally less robust and comprehensive than enterprise DLP (EDLP) platforms, are narrowing the gap in DLP channel coverage, detection and policy accuracy and feature parity.
  • The DLP market has been saturated with traditionally content-focused DLP platforms. These solutions may not fully cater to the complex and volatile data security requirements of modern organizations, such as industry and compliance regulations, insider risk minimization, and evolving data exfiltration vectors.
  • Securing data across complex environments has complicated the DLP vendor selection process. It can be difficult for SRM leaders to differentiate vendors with on-premises capabilities adapted for the cloud from vendors with more modern, cloud-native solutions.

Recommendations

  • Define a DLP strategy that aligns with the organization’s business initiatives and data security governance best practices by identifying critical business outcomes and selecting DLP products that enable and support defined outcomes.
  • Assess the DLP market in relation to the organization’s needs by evaluating both EDLP and IDLP solutions during the technology selection process.
  • Address increasingly complex and diverse data security requirements by selecting a DLP solution that offers comprehensive and adaptive DLP techniques, including both context- and content-based detection, with a focus on determining user intent with data and managing insider risks.
  • Gain visibility and control over data in the cloud by investing in DLP tools that support a cloud-native strategy, especially if a significant portion of the sensitive data resides in the public cloud or in diverse SaaS applications.

Strategic Planning Assumptions


By 2027, 70% of CISOs in larger enterprises will adopt a consolidated approach to address both insider risk and data exfiltration use cases.
By 2027, organizations incorporating intent detection and real-time remediation capabilities into DLP programs will realize a one-third reduction in insider risks.

Market Definition


This document was revised on 25 April 2025. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Gartner defines data loss prevention (DLP) as a technical control designed to prevent data loss in order to comply with personal data regulations, prevent unintended disclosure, minimize insider risk and ensure that sensitive data is not overly accessible. DLP controls are typically applied to reduce the data risk for two states of unstructured data: data at rest and data in motion. Depending on the state of the data, DLP applies detective, preventive or corrective controls, including alerting, quarantining, blocking, redaction or access restriction.
DLP can be an effective measure to mitigate the risks posed by processing sensitive data, many of which are inherent to the data. Examples of inherent data risk include:
  • Personally identifiable information (PII) that, if compromised, would fail to meet regulatory requirements
  • Intellectual property (IP) that, if stolen, would harm an organization’s competitive advantage
  • Unsecured payment and financial data that, if breached, would require inordinate spend to rectify
DLP helps to identify the risks linked to the data and applies controls to prevent its loss. By preventing the loss or unauthorized disclosure of sensitive data, DLP plays a crucial role in minimizing damage to organizational reputation, avoiding fines for noncompliance and mitigating the risks of IP theft and loss of competitive advantage.
DLP controls for data in motion act as the last line of defense, from a data loss perspective. Controls inspect data transfers to external destinations and filter those that contain sensitive data to minimize the risk. These controls take various actions including logging and auditing, alerting, blocking, or other methods to minimize or eliminate the risk of losing this data.
DLP tools also exist for sensitive unstructured data at rest. These solutions scan storage repositories for sensitive data elements within unstructured data and apply controls to classify, move, delete and restrict unauthorized access or otherwise remediate the risk of this sensitive data. Effective controls for data at rest can minimize the repercussions of a data breach or prevent overexposure of sensitive data.

Mandatory Features

The mandatory features for this market include:
  • Detection of sensitive data at rest or data in motion across more than one channel (e.g., email, endpoint, network, browser, cloud, generative AI [GenAI])
  • Automated application of preventative controls (e.g., blocking, encryption, alerting, user justification)
  • Automated incident response workflow
  • Data-centric content inspection logic through a single channel (e.g., detection of a user emailing corporate credit card data to their personal email)
  • Policy templates for regulated data types (e.g., PII, protected health information [PHI], payment or financial data)
  • Granular incident reporting
  • Integration with security incident and event management (SIEM) platforms for incident response

Common Features

The common features for this market include:
  • Integration with user entity and behavior analytics (UEBA) solutions for correlation of data loss to insider risk
  • User-centric content inspection logic through multichannel correlation (e.g., detection of user emailing corporate credit card data to their personal email and detection of same user downloading confidential sales data from corporate CRM platform)
  • Dynamic user risk scoring based on role and behavior
  • Policy templates for nonregulated data types (e.g., controlled unclassified information [CUI], IP, source code)
  • Application of data classification tags
  • Role-based access controls for incident response and review
  • Content detection for data stored on mobile devices

Market Description


DLP solutions use a combination of features to detect and prevent data loss. These include data classification labeling, data-centric content inspection techniques, and contextual analysis to identify sensitive content and analyze actions related to the use of that content. They monitor user activity with data and evaluate if attempted actions are appropriate based on a predefined DLP policy. This policy details acceptable uses, in specific contexts, of predetermined content types and/or classification labels.
Gartner categorizes DLP solutions as follows (see Figure 1):
  • EDLP solutions offer centralized policy management and reporting functionalities across all the common data exfiltration channels (email, endpoint, network, browser and cloud). This centralized platform allows security and risk management (SRM) leaders to consistently define and deploy DLP policies, implement controls, and monitor alerts across one or more channels. EDLP solutions generally incorporate advanced content detection logic to identify complex content and combine granular, nonbinary controls to prevent data loss and remediate incidents. EDLP solutions often include context- and intent-based detection, which enhances policy accuracy and provides the necessary insider risk context for DLP incident response teams. They are broad and provide flexible offerings that are applicable to diverse use cases, including regulatory compliance, internal policy compliance and security for intellectual property (IP) data types.
  • IDLP solutions include DLP features that have been natively integrated within another solution, such as a secure email gateway or an endpoint protection platform (EPP). IDLP solutions typically do not detect and prevent data loss across every data exfiltration channel, most often providing coverage across one or two channels. Some features, such as out-of-the-box policy detection logic, file and data type support, preventative actions, or reporting, may be limited when compared with EDLP solutions. Additionally, policy orchestration across other IDLP or EDLP solutions can be a manual process, and correlating specific events across multiple solutions can present a burden for SRM leaders (see Note 1). In recent years, however, feature parity between IDLP solutions and EDLP solutions has increased considerably, and many of the representative IDLP solutions now offer similar functionality to their EDLP counterparts for the subset of channels they cover.
  • Cloud-Native DLP solutions provide DLP capabilities for SaaS-delivered business applications and hyperscale cloud service providers (CSPs) and are deployed as SaaS or through API integration with the data stores. CSPs and SaaS-delivered business applications typically include some classification of, and DLP controls for, data within their own environments, without using third-party tools. Third-party (i.e., non-CSP) cloud-native DLP providers often support complex multicloud strategies, and some offer data classification to complement their DLP controls.
Figure 1: DLP Market Overview
The key use cases and features of the data loss prevention market are outlined, categorizing solutions into enterprise, integrated and cloud-native DLP. Enterprise DLP offers consolidated management and broad coverage, while cloud-native DLP focuses on resolving cloud data sprawl. Understanding these distinctions aids in selecting the right DLP strategy for specific organizational needs.

Market Direction


Today, the DLP market is evolving to address the well-known limitations of traditional approaches to DLP, which relied heavily on resource-intensive, data-centric content inspection and often led to performance issues with high numbers of false positives. Traditional approaches to DLP were also reactive, preventing data loss only at the corporate boundary, rather than analyzing user risk and adapting controls to secure data throughout its life cycle. The DLP market is moving in a direction where more sophisticated detection logic and additional analytics (either data or identity) are necessary to increase the fidelity of DLP alerts.
As part of this market shift, Gartner has observed that organizations are considering integrated approaches to DLP. This is because DLP features are increasingly becoming standard controls in other security platforms, such as email security, endpoint protection, security service edge (SSE), insider risk management technologies and data access governance (for data at rest). Although cybersecurity vendor consolidation continues to be an objective for SRM leaders, Gartner has observed clients shifting in the opposite direction with their DLP approaches by considering IDLP. For these organizations, IDLP strategies increase the complexity of policy and console management, but may reduce procurement costs, since they often choose tools already in their vendor portfolio.
Many DLP vendors integrate with data classification to enhance their policy detection logic. Data classification, which is offered through either native functionality or third-party integration, provides a standard method for determining the sensitivity of data. DLP vendors that support data classification typically supplement their out-of-the-box DLP policy logic with detection of the data classification label that has been previously, manually or automatically, applied to the data (see Note 2). Practically, this may look like building a DLP policy with multiple detection conditions (e.g., detect a string of personally identifiable information (PII) and the keyword “confidential” in the same file). Using multiple conditions for detection allows SRM leaders to “layer” detection logic within the DLP policy to increase the policy accuracy. Properly labeling data simplifies the overall data security process as organizations can easily distinguish sensitive data from nonsensitive data (see Note 3).
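The layered policy described above, as an added example (not taken from any vendor's product): a PII hit only triggers a block when it is corroborated by the keyword "confidential" or by a previously applied classification label. The label names, the `Document` and `Policy` structures, the use of a US SSN pattern as the PII detector, and the sample files are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SENSITIVE_LABELS = {"confidential", "restricted"}  # assumed label taxonomy


@dataclass
class Document:
    name: str
    text: str
    label: Optional[str] = None  # classification label applied earlier, if any


def contains_pii(doc: Document) -> bool:
    """SSN-shaped string that also passes basic structural validation."""
    for area, group, serial in SSN_RE.findall(doc.text):
        if area in ("000", "666") or area.startswith("9"):
            continue  # area numbers that are never issued
        if group == "00" or serial == "0000":
            continue
        return True
    return False


def contains_keyword(doc: Document) -> bool:
    return re.search(r"\bconfidential\b", doc.text, re.IGNORECASE) is not None


def has_sensitive_label(doc: Document) -> bool:
    return doc.label is not None and doc.label.lower() in SENSITIVE_LABELS


Condition = Callable[[Document], bool]


@dataclass
class Policy:
    name: str
    all_of: List[Condition]                                  # every one must match
    any_of: List[Condition] = field(default_factory=list)    # at least one, if given
    action: str = "block"

    def evaluate(self, doc: Document) -> dict:
        required = all(cond(doc) for cond in self.all_of)
        corroborated = not self.any_of or any(cond(doc) for cond in self.any_of)
        matched = [c.__name__ for c in self.all_of + self.any_of if c(doc)]
        return {
            "document": doc.name,
            "policy": self.name,
            "matched": matched,
            "action": self.action if (required and corroborated) else "allow",
        }


# Single-condition policy: pattern match alone.
NAIVE = Policy("pii-only", all_of=[contains_pii])
# Layered policy: PII AND (keyword OR classification label).
LAYERED = Policy("pii-layered", all_of=[contains_pii],
                 any_of=[contains_keyword, has_sensitive_label])

# Constructed sample files.
SAMPLES = [
    Document("hr_export.txt", "CONFIDENTIAL - payroll\nJane Doe 219-09-9999"),
    Document("ticket.txt", "Customer quoted reference 512-33-9021 for the return."),
    Document("offer.docx", "Candidate SSN: 219-09-9999", label="Restricted"),
    Document("memo.txt", "This memo is confidential. Lunch is at noon."),
    Document("fixture.txt", "Confidential test fixture: 000-12-3456"),
]


def run() -> dict:
    """Map each sample to (single-condition action, layered action)."""
    return {d.name: (NAIVE.evaluate(d)["action"], LAYERED.evaluate(d)["action"])
            for d in SAMPLES}


if __name__ == "__main__":
    for name, (naive, layered) in run().items():
        print(f"{name:15} pii-only={naive:5} layered={layered}")
```

The support ticket is where the two policies differ: the reference number is SSN-shaped, so the single-condition policy blocks it, while the layered policy allows it because nothing corroborates the match.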
Solutions with adaptive risk-based DLP often leverage user and entity behavior analytics (UEBA) and user activity monitoring (UAM) to supplement or replace data detection. These solutions can analyze user activities, communication patterns and other contextual information derived from user activity to detect anomalous deviations from normal behavior and establish user intent. This allows for early detection of risky user behavior, enabling SRM leaders to deter malicious insiders, educate careless users and monitor departing employees. Because these tools do not rely primarily on data detection, adaptive data risk-based DLP approaches can be leveraged to address a wider range of use cases, such as IP theft, malicious insider and careless user usage of sensitive data, or departing employees looking to keep IP when departing to a competitor (see Figure 2).
Figure 2: Adaptive Risk-Based DLP
Adaptive risk-based data loss prevention focuses on key use cases such as compliance and IP theft. It integrates data detection, UEBA, UAM, risk scoring and user intent for enhanced security. This approach helps organizations mitigate risks from insiders and departing employees effectively.
Using this adaptive risk-based approach, DLP vendors assign each user a risk score and, based on their behavior and perceived intent over time, these scores will increase or decrease. This provides SRM leaders a view of the riskiest users and their risk trends over time. Risk scores typically start at a base value determined by user role, baseline activity or similar users across the organization, and can be impacted by a range of behaviors and indicators of risk.
This convergence of data-centric monitoring and detection with behavior analytics enables better detection of data exfiltration attempts. DLP alerts are enriched with contextual information derived from anomalous user behaviors, perceived risky user intent, improved risk scoring and real-time monitoring. This allows security teams to more effectively prioritize their risk reduction efforts, focusing on the most critical risks first. Further, vendors are incorporating AI into their products, where it plays a critical role in enhancing policy development, detection accuracy, and incident triage and response.

Market Analysis


Managing the risk of data exfiltration remains a major challenge for Gartner clients, with inquiry numbers on this topic remaining consistently high. Organizations seek out DLP for different reasons, including compliance with privacy regulations and concerns about personal data leaving the organization, or securing IP such as source code, trade secrets or patent information. More recently, some organizations have expressed interest in pursuing DLP to control access to sensitive information by machines. This issue has been exacerbated with the mainstream adoption of generative AI (GenAI) and continued sprawl of organizational data.
These issues have led to a complex set of architectural and operational issues for SRM leaders to address. Gartner’s AI TRiSM framework complements DLP since, in part, AI TRiSM is focused on minimizing the risk of sensitive data loss to GenAI through effective information governance. AI TRiSM is outside the scope of this research; for more information, see Use TRiSM to Manage AI Governance, Trust, Risk and Security.
Over the past few years, DLP has started to evolve away from a market technology to an integrated technology as it reflects the central importance of data security to SRM leaders. Technical controls for preventing data loss have become less binary and shifted toward approaches that enable business outcomes instead of halting them completely. These include tokenization, masking and granular access controls, to supplement traditional binary block-or-allow controls. While IDLP solutions were initially less robust than enterprise-grade DLP systems, their capabilities have significantly improved and are now quite promising. Many vendors that began by offering IDLP capabilities have continued to evolve and can now provide capabilities of similar complexity compared to their EDLP counterparts. See Figure 3 for a more detailed, visual comparison of the various types of DLP solutions (integrated, enterprise and cloud-native).
Figure 3: Integrated Versus Enterprise Versus Cloud-Native DLP
Integrated, enterprise and cloud-native data loss prevention systems are compared across various channels. Integrated DLP is decentralized, Enterprise DLP is centralized and cloud-native DLP is cloud-centralized. DLP solutions allow midsize enterprises to support data security for remote workers.
Although IDLP is rapidly becoming more viable for organizations, SRM leaders implementing a DLP project should first determine the data exfiltration channels that pose the most risk to the organization. The optimal DLP architecture for an organization will be highly dependent on the predetermined use cases (see Choosing the Right Data Loss Prevention Architecture).
There is no single best DLP technology for every organization. The best technology is that which best addresses specific organizational use cases for DLP.

IDLP

Vendors that offer IDLP provide DLP capabilities that have been integrated into a broader security platform. Although IDLP providers typically offer coverage across only a subset of the data exfiltration channels covered by EDLP, some providers have integrated IDLP capabilities into multiple different security products. For example, a single cybersecurity provider may offer DLP capabilities integrated into their distinct email security and endpoint protection products.
In part because of this decentralized approach, organizations have expressed increasing interest in exploring IDLP approaches as an alternative to EDLP. IDLP vendors exist across several core security products: email security platforms, EPPs, SSE, insider risk management, and data access governance and data security posture management.

Email Security

Email is one of the most prevalent methods of sending sensitive information, either accidentally or intentionally. Therefore, securing email and applying controls to detect and prevent data loss via outbound email is a priority for most clients. Common use cases for email DLP include:
  • Monitoring and controlling sensitive data in email traffic using a secure email gateway (SEG) or an integrated cloud email security (ICES) control
  • Discovering and controlling sensitive data at rest in the email server
Most email security vendors now include, or can provide, DLP capabilities in their products. Some email security vendors’ solutions can also detect accidental data loss use cases, such as misdirected email. These solutions use AI-based algorithms to track users’ email patterns and prompt users to confirm that the email is addressed correctly. This most frequently occurs when the email or attachment contains sensitive information, and the email is addressed to an external email address with which the user has had no previous correspondence. Misdirected email detection and prevention is critical for organizations in industry verticals where IP security is vital (e.g., manufacturing, pharmaceuticals) or where users may handle sensitive information for multiple clients (e.g., insurance, law firms, healthcare).
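The misdirected-email condition described above, as an added example (not any vendor's implementation): a simple per-sender correspondence history stands in for the AI-based pattern tracking, and a message is held for confirmation when it is sensitive, the recipient is external, and the sender has never corresponded with that address. The internal domain, the class and function names, the `is_sensitive` flag (assumed to come from the content-inspection verdict) and the addresses are constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr
from typing import Dict, Iterable, List, Set

INTERNAL_DOMAINS = {"corp.example"}  # assumed corporate mail domain


def normalize(address: str) -> str:
    """Strip any display name and lowercase the address."""
    return parseaddr(address)[1].lower()


def is_external(address: str) -> bool:
    return normalize(address).rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


class CorrespondenceHistory:
    """Addresses each sender has previously exchanged mail with."""

    def __init__(self) -> None:
        self._seen: Dict[str, Set[str]] = defaultdict(set)

    def record(self, sender: str, recipients: Iterable[str]) -> None:
        self._seen[normalize(sender)].update(normalize(r) for r in recipients)

    def has_corresponded(self, sender: str, recipient: str) -> bool:
        return normalize(recipient) in self._seen[normalize(sender)]


def recipients_to_confirm(history: CorrespondenceHistory, sender: str,
                          recipients: List[str], is_sensitive: bool) -> List[str]:
    """Recipients that are external and new to this sender, for sensitive mail."""
    if not is_sensitive:
        return []
    return [normalize(r) for r in recipients
            if is_external(r) and not history.has_corresponded(sender, r)]


def send(history: CorrespondenceHistory, sender: str, recipients: List[str],
         is_sensitive: bool, confirmed: bool = False) -> dict:
    """Hold the message until the user confirms any flagged recipients."""
    flagged = recipients_to_confirm(history, sender, recipients, is_sensitive)
    if flagged and not confirmed:
        return {"status": "held_for_confirmation", "confirm": flagged}
    history.record(sender, recipients)
    return {"status": "sent", "confirm": []}


def demo() -> List[dict]:
    """Constructed sequence of outbound messages."""
    h = CorrespondenceHistory()
    alice, bob = "alice@corp.example", "bob@corp.example"
    return [
        # Routine mail builds the history.
        send(h, alice, ["sam@partner.example"], is_sensitive=False),
        # Sensitive mail to a known external contact goes through.
        send(h, alice, ["Sam Lee <SAM@partner.example>"], is_sensitive=True),
        # Look-alike domain, never contacted before: held. Internal copy is fine.
        send(h, alice, ["sam@partnr.example", bob], is_sensitive=True),
        # The user confirms the address; the message is sent and remembered.
        send(h, alice, ["sam@partnr.example", bob], is_sensitive=True, confirmed=True),
        # History is per sender: Bob has never written to this contact.
        send(h, bob, ["sam@partner.example"], is_sensitive=True),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```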
Combining EDLP with an email security platform allows SRM leaders to use the SEG for managing other threats like phishing, malware and account compromise, while leveraging the EDLP tool to prevent data loss. Also, the team managing the EDLP solution can manage email DLP as part of its day-to-day operations. Most EDLP vendors provide an email DLP solution that involves redirecting email traffic through their DLP system (see Magic Quadrant for Email Security Platforms).

Endpoint Protection

Endpoint DLP solutions are most often deployed via an endpoint agent through which organizations can monitor for sensitive data movement off the endpoint device. These agents are delivered as IDLP through EPPs or as EDLP. Data exfiltration on an endpoint typically occurs via several methods, which DLP can detect and prevent. Common use cases for endpoint DLP include:
  • Identifying and preventing data exfiltration through printing, Bluetooth and removable media, such as USB drives
  • Discovering and controlling sensitive data on local storage systems
  • Identifying and controlling sensitive data shared through the internet
  • Preventing sensitive information from being transferred to applications or via copy-paste activity
Data may also reside in or move to local storage (either SaaS applications or shared network drives), so some endpoint DLP solutions have endpoint discovery functionalities to scan for sensitive data at rest, taking action on this data to move the data to an authorized location. Because endpoint DLP solutions often sit at the kernel level, some endpoint DLP providers also can monitor web browser and email traffic. Inspecting web browser traffic allows for EPP solutions with DLP controls for browsers to also be able to prevent data loss to unauthorized, browser-based GenAI applications. Although they are quite versatile, full utilization of all the detection capabilities across exfiltration channels may negatively impact system performance.
Since endpoint DLPs require a deployed endpoint agent, they are limited to addressing data loss use cases on managed endpoints. Consequently, if an organization has a bring your own device (BYOD) policy, a traditional endpoint DLP solution will not be of use unless users grant IT teams authorization to install agents on those endpoints. For organizations with BYOD policies, detection of data movement from both unmanaged and managed endpoints from sanctioned cloud apps can best be achieved by using a cloud access security broker (CASB) as a reverse proxy layer between corporate applications and the unmanaged device. CASBs in reverse proxy can detect and prevent sensitive data leaked from the sanctioned cloud through blocking controls or attribute-based access control.
Additionally, many EPP vendors include DLP as an IDLP offering, and offer support for operating systems such as Microsoft Windows and macOS, with limited support for Linux due to the compatibility issues with the many kernel and distribution versions of Linux in use. For more information, see Magic Quadrant for Endpoint Protection Platforms.

Security Service Edge

SSE solutions secure access to the web, cloud services and private applications. Typically, SSE solutions include access control, threat protection, DLP, security monitoring and acceptable use control enforced by network-based and API-based integrations. SSE capabilities are primarily delivered as a cloud-based service, and may include on-premises or agent-based components. Common use cases for IDLP in SSE include:
  • Monitoring and controlling sensitive data accessed or moved from cloud applications to managed or unmanaged devices
  • Monitoring and controlling sensitive data at rest in sanctioned cloud applications
  • Detecting and preventing data loss in data flows through the network
Because of the convergence of CASB and secure web gateway (SWG) services to SSE, many SSE vendors initially focused their DLP products on SaaS workloads and network data flows. However, the repackaging of existing on-premises (or development of new) agent-based services has allowed some SSE vendors to extend data security controls to sensitive data across the entire organizational ecosystem.
SSE offerings also are proactively exploring DLP enhancements, some in the form of alternative methods of DLP deterrence (e.g., fine-grained access policies and controls, pairing indicators of risk with data loss activity), and others on the detective side (e.g., acquiring or building data security posture management [DSPM] vendors for data classification or building in-house data classification and contextual, AI-based data detection), as well as expanding their support for multiple exfiltration channels. Some SSE vendors even provide DLP across all exfiltration channels (that is, EDLP). For more information, see Magic Quadrant for Security Service Edge.

Insider Risk Management

Gartner defines insider risk management as a methodology that includes the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts within the organization. It involves solutions that monitor the behavior of employees (such as UEBA), service partners and key suppliers operating inside the organization. These tools then assess whether the behavior aligns with the expectations of the role and the organization’s corporate risk tolerance.
Traditional DLP solutions focus more on content and are data-centric, so they cannot easily distinguish between malicious and accidental data disclosure. However, by enriching DLP events with the context around the user’s behavior, it will be far easier to distinguish between malicious and negligent acts and apply controls. As DLP vendors expand their use cases and enhance the detection accuracy and usability of their solutions, we see concerted effort from vendors to incorporate indicators of risk and user behavior into their DLP detection logic. This approach utilizes content inspection capabilities with behavioral analytics and machine learning, and also helps reduce the number of false positives (see Market Guide for Insider Risk Management).

Data Access Governance and Data Security Posture Management

Data access governance serves as the primary safeguard for unstructured data at rest, regardless of where it is located (on-premises, cloud or SaaS). Data access governance products enable organizations to analyze and rectify overpermissive unstructured data entitlements. Common use cases for IDLP in data access governance include:
  • Identifying and controlling sensitive data at rest in unstructured data stores
  • Monitoring sensitive data to ensure appropriate access entitlements are in place and applying access controls to overpermissive data
By using data access governance, organizations can ensure strict adherence to their data access and usage policies, thus preventing unauthorized access or oversharing of sensitive information. Data access governance tools overlap with user analytics, data discovery and DLP capabilities. While data access governance is a control that generally is applied on a cadence, vendors are starting to emphasize real-time capabilities that also blend well with next-generation DLP.
While data access governance may primarily focus on data at rest, data access governance solutions can become critical for organizations to complete their data security portfolio. Further, many Gartner clients have expressed that very little organizational data at rest has been governed using appropriate access controls. For more information, see 2024 Strategic Roadmap for World-Class Security of Unstructured Data.
DSPM typically provides the foundation element of data discovery and classification necessary for effective governance of data at rest. DSPM discovers known and unknown (or shadow) data and creates an analysis of data flows and data maps to enable more consistent identification of data location and classification of sensitive and regulated data. This works for structured and unstructured data across cloud service platforms. In addition, DSPM solutions identify security and privacy risks in the data flowing through pipelines and across IaaS, PaaS and SaaS, and can help assess the data security posture of an organization’s data across CSPs. Data security posture management solutions have visibility at the tenant level, so organizations do not need to manually plug in each new resource that gets deployed within that tenant to audit it.
Some vendors recognize the lack of preventative controls offered by DSPM and have begun to incorporate DLP capabilities and controls to supplement the data mapping and discovery capabilities. Their methods for applying control are typically nonbinary, such as access controls and data masking. Some vendors have made acquisitions of DLP startups to provide the necessary controls for preventing data loss (see Innovation Insight: Data Security Posture Management).

Representative Vendors


The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Vendor Selection

Table 1 lists representative DLP vendors that provide solutions that support one or more types of DLP (including endpoint, email, network and cloud), support more than one application, and can be applied to more than one egress channel.

Table 1: Representative Vendors in Data Loss Prevention

| Vendor | Product name | DLP category | Headquarters | Native data classification | UEBA/Insider risk |
|---|---|---|---|---|---|
| | BigID Next | Cloud-native | New York, New York | Yes | Yes |
| | Symantec DLP | Enterprise | Palo Alto, California | Yes | Yes |
| | Falcon Data Protection | Integrated | Austin, Texas | No | Yes |
| | Data Detection and Response | Cloud-native | Palo Alto, California | Yes | Yes |
| | Data Loss Prevention Platform | Enterprise | Eden Prairie, Minnesota | Yes | No |
| | InTERCEPT | Integrated | Saratoga, California | Yes | Yes |
| | Forcepoint Data Loss Prevention | Enterprise | Austin, Texas | Yes | Yes |
| | FortiDLP | Enterprise | Sunnyvale, California | Yes | Yes |
| | Enterprise Data Security Suite | Enterprise | West Palm Beach, Florida | Yes | Yes |
| | Harmonic Security | Cloud-native | San Francisco, California | No | Yes |
| | Purview Data Security | Enterprise | Redmond, Washington | Yes | Yes |
| | Aware, Incydr | Enterprise | London, England | Yes | Yes |
| | Netskope One Data Loss Prevention | Integrated | Santa Clara, California | Yes | Yes |
| | Data Exfiltration Prevention | Cloud-native | San Francisco, California | Yes | Yes |
| | Enterprise Data Loss Prevention | Integrated | Santa Clara, California | Yes | Yes |
| | Enterprise Data Loss Prevention | Enterprise | Sunnyvale, California | Yes | Yes |
| | SkyGuard DLP | Enterprise | Beijing, China | Yes | Yes |
| | Trellix Data Loss Prevention | Enterprise | Plano, Texas | Yes | No |
| | Varonis Data Security Platform | Integrated | Miami, Florida | Yes | Yes |
| | Zscaler Data Protection | Integrated | San Jose, California | Yes | Yes |

Source: Gartner (April 2025)

Vendor Profiles


BigID

BigID, founded in 2016, focuses on data discovery, classification, governance and privacy controls rather than on traditional preventative controls for data in motion. BigID has developed a platform that integrates with data sources across cloud and on-premises, including databases, file shares, and enterprise and SaaS applications.
  • Email DLP: Monitors and controls sensitive data at rest in email exchange servers
  • Cloud DLP: Identifies and controls data in SaaS and cloud data stores
  • Data discovery and classification: Identifies and categorizes sensitive data to enforce data security policies
BigID’s approach to DLP prioritizes security controls for data at rest, including data governance. The platform integrates with a wide range of data sources, including databases, cloud environments and enterprise applications, to provide insights into organizational data sprawl. BigID does not offer endpoint DLP or address traditional data in motion use cases for DLP (it supports Apache Kafka and Amazon Kinesis). It can, however, identify and classify data across the data sources it integrates with, offering options for minimizing the risk posed by this data. These options range from alerting security administrators to automatically applying data access revocation or data minimization.

Broadcom

Broadcom’s DLP features were introduced in 2019, following the acquisition of Symantec. Broadcom offers DLP coverage for each exfiltration channel, and offers UEBA through Symantec Information Centric Analytics (ICA) to manage insider risks.
  • Email DLP: Monitors data exfiltration attempts via email, and provides controls to keep sensitive information secure
  • Endpoint DLP: Provides DLP for user devices (supporting Windows, macOS and Linux endpoints), preventing unauthorized data access and transfer
  • Network and browser DLP: Monitors and controls data in motion across the network and via web browsers to prevent data exfiltration attempts
  • Cloud DLP: Extends DLP to cloud environments, ensuring secure usage of data and compliance
  • Data discovery and classification: Discovers and classifies sensitive data across user endpoints and on-premises and cloud data stores
Broadcom DLP provides coverage across multiple data channels, using a single console for policy and incident management. It utilizes a variety of data detection methods to identify and secure sensitive information. Additionally, integrating DLP with Symantec ICA allows SRM leaders to better mitigate insider threats by analyzing user behavior and implementing appropriate access controls. Native data tagging from Broadcom has been deprecated, but Broadcom DLP supports other common data tagging technologies, such as sensitivity labels from Microsoft Purview.

CrowdStrike

CrowdStrike, established in 2011, traditionally focused primarily on endpoint security, but has recently expanded its offerings to include DLP functionalities, leveraging the Falcon agent and management platform.
  • Endpoint DLP: Supports limited use cases for data security on Windows endpoints, including data transfers to removable media and clipboard functions
  • Browser DLP: Provides DLP for browser-based activities and some SaaS applications
CrowdStrike has developed DLP functionalities based on a wide array of default content patterns (called “data classifications”), web sources and more. It supports both the endpoint, with limited use cases, and browser DLP channels, with further support for some SaaS applications accessible via the browser. CrowdStrike’s DLP solution combines behavioral analytics context (such as users’ unusual data access patterns or unauthorized data transfers) with content inspection (such as sensitive data content or an inherited classification label) to prevent data loss.
Although CrowdStrike uses the terminology “data classification,” it does not have the ability to append or modify classification labels within a document like some other DLP providers do. The Falcon Data Protection management console provides security teams with visibility of the organization’s security posture (beyond data security), enabling it to correlate data loss and anomalous behavior events with other security incidents when responding to incidents.

Cyberhaven

Cyberhaven, established in 2016, positions itself in the data security market with its Data Detection and Response product, which offers visibility into data throughout its life cycle. Cyberhaven combines data detection with user behavior analytics to provide security teams with visibility into and control over their organization’s data.
  • Email DLP: Monitors and controls sensitive data sent via email from corporate devices
  • Endpoint DLP: Monitors and secures data on user devices, with agent support for Windows, macOS and Linux devices
  • Browser DLP: Secures data shared to supported applications accessed via the browser
  • Cloud DLP: Connects via APIs to sanctioned SaaS applications to gain visibility and control over data access and movement in these applications
  • Data discovery and classification: Discovers and classifies sensitive data to inform DLP policies
Cyberhaven Data Detection and Response combines telemetry from the endpoint agent with context from API connectors to sanctioned SaaS applications to build a data lineage. This data lineage provides visibility into user behavior with data and supports proactive insider threat detection and DLP, allowing organizations to identify and mitigate potential data risks before they escalate. Cyberhaven can detect both regulated and unregulated data types, such as IP and source code, the latter of which is often a detection challenge for DLP solutions that rely on traditional, noncontextual detection methods.

Digital Guardian

Digital Guardian was founded in 2003 and acquired by Fortra in 2021. Digital Guardian initially focused on endpoint DLP, but has since expanded its offerings to include DLP coverage for network and browsers, email, and cloud.
  • Email DLP: Monitors data exfiltration attempts via email and provides controls to keep sensitive information secure
  • Endpoint DLP: Provides DLP for user devices (supports Windows, macOS and Linux endpoints), preventing unauthorized data access and transfer
  • Network and browser DLP: Monitors and controls data in motion across the network and via web browsers to prevent data exfiltration attempts
  • Data discovery and classification: Identifies and classifies sensitive data to supplement DLP strategies
Digital Guardian’s DLP solution is deployed via an endpoint agent, or network appliance, and focuses on securing sensitive data across diverse environments, including on-premises, cloud and hybrid systems. The platform integrates with various data sources and systems, offering visibility into data movement and user activities. Digital Guardian employs a combination of data classification and contextual awareness to detect and prevent data loss. Its methodology includes monitoring data in motion and at rest, allowing for policy enforcement customized to specific needs.

DTEX

DTEX, founded in 2000, combines user behavior intelligence and activity monitoring with DLP controls to reduce data loss and minimize insider risk.
  • Endpoint DLP: Monitors user behavior and file activity and controls sensitive data movement on user endpoints (supporting Windows, macOS and Linux endpoints)
  • Cloud DLP: Monitors and controls sensitive data movement to storage applications
  • Data discovery and classification: Identifies and classifies data based on inferred sensitivity
DTEX provides a single agent that monitors and prevents data loss, minimizes insider risk, and identifies account compromise. DTEX’s platform is deployed as an endpoint agent on Windows, macOS and Linux devices, and gathers telemetry data to inform usage of controls. DTEX does not inspect the data, instead inferring its sensitivity from various metadata attributes, including inherited classification labels and insider risk telemetry. Because its detection is purely focused on user behavior, organizations with a content-centric focus may find DTEX lacking, although its context-centric focus may increase overall DLP policy accuracy. Further, using predictive analytics and identification of anomalous user behaviors, DTEX attempts to determine user intent and correlates this with data sensitivity to try to prevent data loss.

Forcepoint

Forcepoint was formed in 2016 from the merger of Websense, Stonesoft, Sidewinder and Raytheon’s “Cyber Products” business. Forcepoint has expanded its SSE capabilities through the acquisition of Bitglass in 2021 and, in 2025, it announced intent to acquire Getvisibility to expand its data discovery and classification capabilities. Forcepoint DLP unifies policy management and enforcement across cloud, web, email, endpoint and network.
  • Email DLP: Prevents data loss through email, integrating with popular email providers and offering prebuilt security policies
  • Endpoint DLP: Secures data on Windows and macOS endpoints, on and off the corporate network
  • Network and browser DLP: Prevents data loss in motion through web channels and FTP, identifying and preventing intentional data exfiltration and accidental data loss
  • Cloud DLP: Extends DLP to cloud environments, including cloud applications, web traffic and private cloud applications
  • Data discovery and classification: Identifies sensitive data across file servers, SharePoint, Exchange and databases
Forcepoint’s DLP incorporates a risk-adaptive protection approach focusing on understanding user behavior and prioritizing high-risk users via real-time risk calculations. Its policy enforcement is based on user intent and context to reduce false positives. Forcepoint integrates with various security tools and threat intelligence platforms to assist security teams with incident response.

Fortinet

Fortinet, established in 2000, integrated DLP capabilities into its FortiGate firewalls and other security products. In 2024, Fortinet acquired Next DLP to supplement its offerings in stand-alone and IDLP. FortiDLP provides DLP coverage and visibility for network, endpoint and cloud, combining content inspection with UEBA.
  • Email DLP: Monitors data exfiltration attempts via email, providing controls to keep sensitive information secure
  • Endpoint DLP: Provides DLP capabilities preventing unauthorized data access and transfer for Windows, macOS and Linux endpoints
  • Network and browser DLP: Monitors and controls data in motion across the network and browsers to prevent data exfiltration attempts
  • Cloud DLP: Extends DLP to cloud environments, ensuring secure usage of data
  • Data discovery and classification: Identifies and classifies sensitive data to supplement DLP strategies through FortiData
FortiDLP is a SaaS-deployed, agent-based platform that provides data coverage and tracking across multiple channels and builds insider risk management capability into its unified endpoint. When deployed, FortiDLP builds a baseline user risk profile and understands how user behavior changes over time. FortiDLP includes Secure Data Flow, which identifies sensitive data at the point of origin and builds a data lineage of manipulations on the data.

GTB Technologies

GTB Technologies, founded in 2004, has been a provider of DLP for over 20 years. GTB Technologies has focused on securing sensitive data across multiple exfiltration channels.
  • Email DLP: Inspects email traffic and prevents sensitive data loss
  • Endpoint DLP: Monitors user activity and prevents data loss on user endpoints, with support for Windows, macOS and Linux endpoints
  • Network and browser DLP: Monitors and controls data in motion across the network and via web browsers to prevent data exfiltration attempts
  • Cloud DLP: Monitors and controls data in common cloud applications
  • Data discovery and classification: Utilizes data classification to enhance data detection accuracy
GTB Technologies provides DLP for multiple data exfiltration channels, including endpoints, network, browsers and cloud applications. The platform integrates with common data sources, providing visibility and control over data movement to minimize the risk of data exfiltration. The solution employs a combination of data classification and content inspection techniques (such as OCR and fingerprinting) to monitor user activity and prevent potential data loss.

Harmonic

Harmonic is a relatively new entrant in the DLP market, founded in 2023. Its focus is on GenAI applications, first determining the risk posed by such applications and then preventing data loss to risky applications.
  • Browser DLP: Deployed via webhooks or browser extensions to detect sensitive data usage and prevent sensitive data loss in browsers used to access GenAI applications
  • Cloud DLP: Utilizes APIs to connect to and secure sensitive data used by GenAI SaaS applications
Harmonic’s solution approaches DLP through adaptive security and threat intelligence, particularly for GenAI applications. Although it offers deployment through browser extensions and endpoint agents (for Windows endpoints), Harmonic focuses on DLP for GenAI applications and does not address typical use cases for endpoint DLP, such as controls for data loss to removable media and printing. Instead of relying on regular expressions and pattern matching for sensitive data detection, Harmonic’s DLP policies leverage proprietary data security small language models that detect and respond to potential data loss incidents. These small language models also allow for natural language DLP policy development specific to organizational needs, which can increase the accuracy of detection and response to data loss incidents.

Microsoft

Microsoft entered the DLP market in 2012. Microsoft Purview is its suite of data security, governance and compliance solutions. Purview integrates with Microsoft 365 and other data services (both Microsoft and non-Microsoft). Microsoft continues to expand its Purview product suite, frequently adding new features and building new integrations.
  • Email DLP: Monitors and controls sensitive data loss through email traffic
  • Endpoint DLP: Monitors and controls data exfiltration from macOS and Windows endpoints
  • Network and browser DLP: Prevents data loss for web browsers and for network traffic from managed devices to cloud services and applications
  • Cloud DLP: Monitors and controls sensitive data across cloud environments and SaaS applications
  • Data discovery and classification: Discovers and classifies data using Microsoft Purview Information Protection
Purview allows security teams to classify data and build and manage DLP policies across Microsoft 365 apps and services, including Exchange, SharePoint, OneDrive and Teams, as well as non-Microsoft data sources. While Microsoft Purview’s DLP features integrate with non-Microsoft cloud services and on-premises file shares, organizations using a diverse mix of platforms should carefully evaluate the extent of integrations available for their specific non-Microsoft environment and systems.

Mimecast

Mimecast, established in 2003, historically has provided solely email DLP capabilities but, through its acquisitions of Aware and Code42 in 2024, has expanded its DLP coverage of data exfiltration vectors beyond email to endpoint, browser and cloud applications.
  • Email DLP: Monitors and controls email communications for sensitive data, minimizing unauthorized sharing
  • Endpoint DLP: Monitors and controls endpoint activities to control unauthorized sharing of sensitive information, with support for Windows, macOS and Linux endpoints
  • Browser DLP: Monitors and controls sensitive data in web browser uploads
  • Cloud DLP: Extends data security to cloud-based email and collaboration platforms
  • Data discovery and classification: Identifies and categorizes sensitive data to enforce data security policies
Mimecast’s email DLP solution prevents unauthorized sharing of sensitive information by applying policies that detect and block potential data breaches. Through IP acquired from Code42 and Aware, Mimecast extends DLP beyond email by providing endpoint and cloud DLP capabilities. It correlates endpoint DLP functionalities with UEBA to minimize insider risks and prevent data loss based on user risks.

Netskope

Netskope was founded in 2012 and has a cloud-based DLP product that can provide security for sensitive data in cloud, on-premises and hybrid environments. Netskope’s DLP is part of its SSE offering and it supports an agent-based approach for endpoint DLP.
  • Email DLP: Detects and prevents sensitive data egress through email
  • Endpoint DLP: Monitors and controls data loss using the Netskope client deployed on macOS and Windows devices
  • Network and browser DLP: Detects and prevents loss of sensitive data through the Netskope SWG
  • Cloud DLP: Provides DLP for sanctioned and unsanctioned SaaS applications and cloud data stores
  • Data discovery and classification: Discovers sensitive data at rest in the cloud and appends data classifications based on detection of sensitive data
Netskope can correlate content detection with user behavior analytics to address insider risk use cases and add context to DLP alerts, which can increase the accuracy of existing DLP policies. Further, Netskope integrates with other systems, such as Microsoft Purview, to append data classification labels and increase the accuracy of DLP policies.

Nightfall

Nightfall emerged in the DLP market in 2018, offering a cloud-native DLP solution deployed via APIs to secure sensitive data across cloud applications. More recently, its coverage has expanded beyond SaaS applications to also offer some email and endpoint DLP capabilities.
  • Email DLP: Monitors and controls email traffic for Gmail and Exchange
  • Endpoint DLP: Monitors and prevents loss of sensitive data on user endpoints (endpoint agent support for macOS and Windows)
  • Browser DLP: Monitors and controls sensitive data movement to SaaS applications
  • Cloud DLP: Monitors and controls sensitive data in cloud applications
  • Data discovery and classification: Discovers and classifies sensitive data at rest in SaaS applications
Nightfall offers a cloud-native DLP solution with limited default coverage, but has made its APIs configurable for SRM leaders to increase visibility by building integrations for unsupported applications and use cases. Nightfall’s default email DLP coverage supports Gmail and Exchange Online, with the option to encrypt emails containing sensitive data. Its browser extension is built for Chromium-based browsers, Mozilla Firefox and Apple Safari, and can extend DLP coverage to GenAI applications. Nightfall’s endpoint agent supports macOS and Windows and can be used to detect and prevent data loss via browser uploads and cloud storage sync applications.

Palo Alto Networks

Palo Alto Networks, founded in 2005, offers its integrated, cloud-delivered DLP product (called Enterprise Data Loss Prevention) to discover, monitor and secure sensitive data across email, endpoints, networks, and cloud environments.
  • Email DLP: Identifies and secures data sent via email, regardless of the device or email client
  • Endpoint DLP: Identifies and prevents data loss via the Prisma Access agent deployed on macOS and Windows endpoints
  • Network and browser DLP: Inspects web traffic and monitors data in motion across on-premises, hybrid, and multicloud environments
  • Cloud DLP: Monitors and secures data in motion for remote users, natively integrated into its secure access service edge (SASE); also extends to SaaS applications and public clouds
  • Data discovery and classification: Utilizes multiple detection techniques to identify and classify data
Palo Alto Networks Enterprise Data Loss Prevention is natively integrated with its broader security ecosystem, including its next-generation firewalls (NGFWs), Prisma Access for secure remote access and security for SaaS through Prisma SaaS. The solution offers a unified policy framework for consistent data security across hybrid environments, providing enterprises with visibility and control at scale. Palo Alto Networks leverages large language models to enhance contextual analysis, enabling more precise detection of potential data loss.

Proofpoint

Proofpoint, founded in 2002, is a vendor in the email security space. It launched its DLP solution in 2020 and has integrated DLP into many of its other products. Proofpoint acquired Tessian in late 2023, enhancing its email DLP capabilities.
  • Email DLP: Identifies and secures sensitive data, automates compliance, and prevents data loss via email transfer
  • Endpoint DLP: Detects and prevents data loss via agents deployed on macOS and Windows endpoints
  • Network and browser DLP: Secures data in motion shared through the network or via the browser
  • Cloud DLP: Extends data security to cloud use cases such as securing cloud data and ensuring acceptable use of GenAI tools in cloud environments
  • Data discovery and classification: Detects, identifies and classifies sensitive data in cloud data stores and applications
Proofpoint’s human-centric approach to data security integrates user behavior analysis with content detection to prevent data loss. The platform offers centralized policy management for email, endpoint, browser and cloud DLP, combined with the Proofpoint Insider Threat Management (ITM) console for incident management and response. The centralized incident management console allows analysts to review incidents, respond and enforce policies across all channels. To classify data, Proofpoint extends Microsoft sensitivity labels for data in the cloud and on the endpoint.

SkyGuard

SkyGuard, established in 2015, offers an EDLP solution designed to safeguard data across diverse environments, including endpoints, network, on-premises and cloud services.
  • Email DLP: Detects and prevents sensitive data exfiltration through email services
  • Endpoint DLP: Prevents data loss on endpoints, with support for Windows, macOS and Linux
  • Network DLP: Inspects network traffic, including email and instant messaging, for visibility of data transfer and mandatory data security policy enforcement
  • Cloud DLP: Extends on-premises DLP solutions to the cloud, addressing the challenges of securing sensitive data in cloud applications, remote offices and mobile endpoints
  • Data discovery and classification: Scans laptops, servers, file shares, cloud storage, SaaS applications and databases to identify and classify sensitive information residing across these locations
SkyGuard DLP combines data classification, real-time monitoring and contextual analysis to detect and prevent unauthorized data access and exfiltration. It supports both API-based and agent-based deployments and hybrid cloud deployment, enabling centralized management across fragmented DLP implementations in decentralized or multilocation enterprises by unifying security policies, visualizing data risk events and threat reports, and supporting large volumes of events/logs. SkyGuard offers policy templates for geographic- and industry-specific regulations, but its limited global presence and integration with certain international platforms could pose challenges for multinational organizations.

Trellix

Trellix was formed in the 2021 merger of McAfee Enterprise and FireEye, and offers DLP for multiple use cases. Trellix partners closely with Skyhigh Security and, although the two are under common ownership (Symphony Technology Group) and leadership, they are technically separate entities.
  • Email DLP: Monitors and controls sensitive data shared in email communications
  • Endpoint DLP: Monitors and secures sensitive data via an agent installed on Windows and macOS endpoints
  • Network and browser DLP: Secures data in motion shared through the network or via the browser
  • Cloud DLP: Monitors and controls sensitive data movement to cloud applications (primarily through a partnership with Skyhigh Security)
  • Data discovery and classification: Discovers and classifies data on user endpoints, servers and in some cloud applications
Trellix Data Loss Prevention offers an EDLP solution for securing sensitive data across multiple exfiltration channels, including endpoints, networks, email and cloud environments. While Trellix provides DLP functionality across on-premises workloads and user endpoints, visibility and control over sensitive data in the cloud are enhanced through an integration with Skyhigh Security. This partnership allows security teams to apply policies and view cloud DLP events through the Trellix ePolicy Orchestrator (ePO) management console.

Varonis

Varonis, founded in 2005, offers DLP functionalities across a variety of data sources, including SaaS, on-premises and cloud environments. Varonis’s DLP capabilities are isolated to data at rest, and its control sets include data access governance and data deidentification.
  • Email DLP: Monitors and controls sensitive data at rest in email exchange servers
  • Cloud DLP: Identifies and controls data at rest in SaaS and cloud data stores
  • Data discovery and classification: Identifies and categorizes sensitive data to enforce data security policies
Varonis provides DLP functionalities primarily for data at rest (not data in motion), securing it across various repositories, including SaaS, on-premises and cloud environments. Varonis begins with data classification, identifying sensitive data and evaluating data sprawl to help SRM leaders understand their data at rest. Varonis relies on several methods for securing data at rest, including access controls (offered as policy, attribute and role-based) and data masking. Varonis’s coverage of data at rest allows it to address the needs of organizations seeking to manage sensitive data across diverse storage environments.

Zscaler

Zscaler was founded in 2007 and provides IDLP throughout its platform. Its DLP spans most common data exfiltration channels: email, endpoint, network, browser and cloud (specifically cloud services and SaaS applications).
  • Email DLP: Detects and prevents sensitive data exfiltration through cloud email services
  • Endpoint DLP: Monitors and controls data loss using the Zscaler Client Connector deployed on macOS and Windows devices
  • Network and browser DLP: Detects and prevents loss of sensitive data across the network and via web browsers
  • Cloud DLP: Provides DLP for sanctioned and unsanctioned applications and cloud data stores
  • Data discovery and classification: Discovers sensitive data in the cloud and appends data labels based on detection of sensitive data (in specific applications)
Zscaler Data Protection is built to provide DLP across an array of data sources, systems and data exfiltration channels, leveraging its cloud-native architecture to integrate with cloud services, on-premises systems and SaaS applications. Zscaler’s DLP relies on content inspection, contextual analysis and machine learning to identify sensitive data and prevent data exfiltration across the channels it covers.

Market Recommendations


When preparing for a DLP project, SRM leaders should:
  • Consider DLP technology as a deliverable within a DLP program. SRM leaders with effective data security programs start with data risk assessments and data security governance to define the business use cases in scope for the DLP project, and align them with the requirements for DLP technology procurement.
  • Engage business stakeholders to identify business needs and data risks to determine the riskiest data exfiltration vectors. Evaluate existing IDLP options to obtain better visibility of data usage and movement across the organizational ecosystem.
  • Classify and label data. Labeling data brings consistency to what is considered sensitive information in an environment, which makes it easier to define DLP policies. Accurate data classification adds a layer to DLP detection, which minimizes false positives that introduce friction between security and business teams. Data labeling also helps minimize the false negatives that prevent DLP controls from being effective.
  • Use EDLP if you have limited resources or if it is determined that users are transacting sensitive information through multiple channels. Leveraging multiple IDLP providers may lead to issues such as administrative overhead (from managing multiple IDLP consoles) and policy inconsistency (IDLP vendor policy integration may be limited) across exfiltration channels. Although potentially more expensive, choosing an EDLP vendor may support the business and resourcing needs of the organization, while potentially reducing the total cost of ownership (TCO) of the DLP program.
  • Invest in a DLP solution that can understand the full context surrounding the data, identify baseline user risk, and compare subsequent actions to the baseline activity by gathering contextual clues about the who, what, when and where of the data. This should be a priority for organizations with heightened concern about insider risk.
  • Use cloud-native DLP solutions for public cloud data security in organizations with a hybrid or cloud-first strategy. Many of these vendors can also provide data security for multiple platforms and often integrate with both unstructured and structured data repositories.
  • Use additional data security controls to fill any gaps that are not addressed by reactive and preventative controls. This includes securing the data at the source (in a database or file repository), rather than applying controls to secure the data at only the corporate boundary.

Acronym Key and Glossary Terms


BYOD: bring your own device
CASB: cloud access security broker
DLP: data loss prevention
DSPM: data security posture management
EDLP: enterprise DLP
EPP: endpoint protection platform
ICES: integrated cloud email security
IDLP: integrated DLP
PII: personally identifiable information
SEG: secure email gateway
SIEM: security information and event management
SSE: security service edge
SWG: secure web gateway
UAM: user activity monitoring
UEBA: user and entity behavior analytics

Evidence


This research is based on more than 700 client interactions on data loss prevention, data classification and data security between January 2024 and February 2025.
1 Data Classification Concepts and Considerations for Improving Data Protection, National Institute of Standards and Technology (NIST).

Note 1: Consolidated Incident Response


Incident response with multiple DLP platforms is a difficult process, often requiring manual correlation across platforms. Some security teams choose to centralize incident response using security information and event management (SIEM) or security orchestration, automation and response (SOAR) tools to aggregate logs from disparate platforms into a single platform.

Note 2: Methods for Classifying Data


Data classification, in the context of this research, is accomplished through placing a marker within the file that indicates the organization’s view of the classification. Some data classification products can add metadata to a database table, record or column, but this is outside the scope of this research.
The document classification can be determined through a variety of methods, including manual application, content scanning or metadata analysis.1 The label persists with the data and can be easily read by other controls and systems to provide a continuity of approach to managing and securing the data. Markers can be in the form of a header or footer within the document format, a watermark or text within the document.

Note 3: Data Classification Policies


Data classification can increase the effectiveness of the DLP program, although it can be disruptive to existing business processes. Because of the potential business disruption of data classification, building the business case to classify data typically requires robust governing policies that have been approved by the necessary stakeholders (see Toolkit: Classification and Handling of Sensitive Data and Building Effective Data Classification Policies and Data Handling Documents).