

April 13, 2026
GigaOm Radar for Data Security Posture Management (DSPM) v3
Paul Stringfellow
1. Executive Summary
Data is central to all organizations and should be regarded as a vital asset. As the data landscape evolves, data is becoming increasingly dispersed across multiple locations. No longer confined to on-prem shares and databases, data now often resides in various cloud repositories and data platforms. The convenience and low perceived cost of cloud storage often lead to these repositories being created outside normal controls. They are frequently used for specific tasks and then abandoned or forgotten by the original project owners. This results in shadow data repositories that fall outside the oversight of those responsible for data security and storage. Even organizations with strong data security tools often struggle to detect these shadow repositories, leaving them vulnerable and unprotected.
It’s impossible to overlook the impact of AI on organizational data security. This includes the adoption of public services like ChatGPT and Microsoft Copilot, as well as organizations developing their own large and small language models and AI agents. These factors increase pressure on data security, which must keep data secure and relevant, prevent improper sharing with AI models, and avoid the risk of "poisoning" the AI models that businesses are increasingly relying on.
The complexity of the data landscape poses a significant risk to data security and privacy that must be managed, as the consequences of data loss can be severe. This has caused organizations to adopt many separate, often platform-specific solutions, which increase complexity, costs, and risk. As a result, organizations are demanding better ways to obtain a comprehensive view of data security and risk.
Data security posture management (DSPM) solutions can provide the visibility and control needed to address the challenge. These solutions can build a data map and analyze data movement and lineage to understand how data flows through an organization and where it may introduce risk. They provide a clear visualization of an organization’s data estate, compliance posture, and security posture. They will also continuously monitor that security posture, provide guidance on access controls, and understand user behavior to quickly identify threats and allow an organization to rapidly mitigate them.
DSPM continues to evolve to meet new challenges, with many vendors offering AI-specific features to help organizations tackle the complex issues this field presents. They are also expanding capabilities to not only alert about potential threats but also deliver detection and response functions, integrating DSPM with data security enforcement.
DSPM remains a developing market, and this is reflected in ongoing consolidation as DSPM vendors seek to expand their offerings through acquisitions. This trend is likely to continue as vendors aim to add more AI security features and further improve their data security enforcement capabilities.
In this report, we are considering vendors that offer specific DSPM solutions. They must be specifically capable of data discovery and of identifying potential risks to sensitive data. Solutions that offer DSPM only as a feature of a broader platform, requiring customers to purchase the entire platform, will not be considered.
This is our third year evaluating the DSPM space in the context of our Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 25 of the top DSPM solutions and compares offerings against their capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria). It provides an overview of the market, identifies leading DSPM offerings, and helps decision-makers evaluate these solutions so they can make a more informed investment decision.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well DSPM solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to midsize companies. Here, ease of use and deployment are more important than extensive management functionality and feature set.
Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, scalability, and the ability to effectively integrate into existing environments.
Public sector: While the infrastructure of these environments is likely to be similar to that of SMBs and enterprises, these organizations typically have some constraints, especially around needing suppliers to meet specific requirements laid out in buying and supply frameworks. Solutions must therefore be able to meet such framework demands.
Managed service provider (MSP): Increasingly, organizations across all IT disciplines are looking to managed services to augment in-house capabilities. Here, we assess vendors on how effectively they support MSPs, both technically and commercially, or on their ability to offer their own managed services.
In addition, we recognize the following deployment models:
SaaS: These solutions are available only in the cloud and are designed, deployed, and managed by the vendor. The advantages of this type of solution are its simplicity, ease and speed of scaling, and flexible licensing models. While some components (such as scanners or agents) must be architecturally installed in a physical location, this isn’t part of our evaluation. We assess that the solution's main management and intelligence components are available via a SaaS deployment.
Self-hosted on-prem: These solutions allow the main management and intelligence components to be installed in the customer’s on-prem data center. They are not shared and are specific to a single customer.
Self-hosted cloud: With these solutions (available in a cloud marketplace or deployable as an image), the main management and intelligence components are deployed and supported in a public cloud service. These components can be deployed either as a cloud-native service or as a public cloud image, usually (although not exclusively) available from a cloud provider’s marketplace. In these instances, they are not shared and are specific to a single customer.
Managed service: In this model, the vendor handles all management and operations. For this report, that means fully managed by the vendor, not by one of its partners. However, comanaging (operations shared between provider and customer) is also acceptable.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Automated data discovery
Automated data classification
Cloud platform integrations (including SaaS)
Compliance reporting
Security posture assessment
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a DSPM solution
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization
These decision criteria are summarized below.
Key Features
Data mapping: To safeguard its data, an organization must first understand what data it has. Leading solutions should be able to provide a comprehensive map of an organization's data and the status of its repositories, including any potential risks to the data held within them.
Data access intelligence: To understand the risks to their data, organizations must be able to build a detailed view that includes what data is being accessed, by whom or what, and when. Leading solutions should be able to provide this information.
Data lineage: To appreciate data risk, organizations must understand the data lifecycle. Good DSPM solutions must show how data moves through data pipelines and how it is impacted, accessed, and changed along the way.
AI risk analysis: The increasing use of AI presents a new threat to data security, governance, and compliance. Organizations must assess potential risks before deploying AI models and manage ongoing interactions with AI services, whether enterprise AI platforms, assistants, or public generative AI (GenAI) tools. DSPM tools can help by identifying these risks, tracking data flows to AI services, and managing model access to sensitive data.
On-prem repository support: While much data has moved to the cloud, a significant amount, especially in enterprises, remains on-prem. Leading solutions should provide insight into these repositories.
Nonhuman identity (NHI) threat management: With the increasing use of automated processes and machine identities, including those driven by AI, DSPM solutions must manage and secure these identities to prevent unauthorized access and data breaches. The threat posed by these types of accounts is significant and growing, and solutions should provide ways to specifically manage the NHI threat.
Automated data threat detection and response: The primary goal of a DSPM solution is to provide insight into the current posture and guidance for improvement. However, in today’s rapidly evolving threat landscape, solutions should quickly identify active threats and automate their mitigation to reduce their impact.
Incident response and impact analytics: Organizations must understand the impact of data breaches. This is valuable before an incident to evaluate existing vulnerabilities and determine what data may be at risk. After an incident, an impact analysis can help determine what was affected and how, including nontechnical impacts such as compliance breaches and potential financial penalties.
Table 2. Key Features Comparison
Emerging Features
Risk correlation and attack path analysis: Data security risks are not linear, and identifying them requires a broad context. Correlating multiple potential threat indicators together to identify risks and attack paths is increasingly a valuable security tool for organizations. The ability to identify where potentially benign risks, when brought together, present significant risk has great value. Increasingly, customers will need tools to help them gain this proactive insight.
Risk quantification: IT leaders and security teams need to communicate risk to executives. A quantitative risk metric (like “this database represents a $5M breach risk”) can be powerful for decision-making and securing funding to address potential data risks. DSPM solutions are ideal tools for this, and increasingly, customers will want to see these tools quantify the business impact or value of data risks, such as monetary risk scoring or other metrics.
AI-specific posture management: GenAI usage in organizations has exploded, raising new data security concerns. Employees may input confidential data into ChatGPT or connect internal data to AI tools, and organizations worry about unintended data exposure. However, organizations also recognize that adopting such technology can deliver significant value. Therefore, they will increasingly want tools that can help identify potential risks associated with AI adoption, enabling effective planning and deployment of AI guardrails ahead of adoption.
Table 3. Emerging Features Comparison
Business Criteria
Ease of management: Data security is already complex, and adding solutions should not increase complexity. Businesses will welcome tools that ease management, provide central administration and reporting, and automate repetitive tasks. Moreover, it is more than the technology that’s important here. Vendors that provide services such as support, training, and proactive account management will help ease the overall management burden of a solution.
Flexibility: Customer environments vary and are constantly changing. Security tools must be flexible, support different deployment models and adoption techniques, and meet a broad range of customer needs.
Cost transparency: No organization in today's economic environment should consider technology purchases without understanding the entire range of potential costs. These may include the purchase price, deployment expenses (hardware, software, and customization), and integration costs, as well as ongoing maintenance, training, and support costs. Other factors that may indirectly affect cost include ease of use for both end users and operations teams, as well as the effectiveness of onboarding and training materials.
Scalability: As businesses grow and demands change, DSPM solutions must be able to accommodate that growth, adapting to increases in workload from an expanding network, more devices, or a larger user base. This is vital because maintaining robust security coverage is essential, regardless of organizational growth or increased threat vectors.
Interoperability: A DSPM strategy cannot be effective in a silo. Solutions must therefore integrate with the tools customers already use, including operational tools such as service desk systems and SIEM solutions. They may also include identity platforms and security orchestration tools. These are key to ensuring DSPM is part of the organization's existing security workflows.
Ecosystem: A vendor’s ecosystem consists of the products, services, integrations, partners, and communities that support its offerings. The breadth of that ecosystem determines how well a solution fits into an organization’s broader technology landscape, both in the short and long term. When evaluating solutions, organizations should consider the variety of partners within the vendor’s broader ecosystem, which can enhance flexibility, support, and long-term success.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for DSPM Solutions
As you can see in Figure 1, the DSPM market continues to grow and evolve. This is evident in our positioning, with the vast majority of vendors in the Maturity half of the Radar chart.
Vendors in the Innovation half fall into two categories. The first includes vendors that are still relatively new to the market and are developing their solutions quickly. The second includes vendors that have recently been acquired or are poised to be acquired, which may drive significant changes to their solutions.
The positioning of so many vendors in the Platform Play hemisphere highlights that most are addressing the holistic nature of the DSPM challenge. They are addressing data security risks across both cloud and on-prem environments, and for a broad range of customers, from SMBs to the largest enterprises.
The vendors positioned in the Feature Play half of the Radar chart reflect either market focus (such as large enterprises only) or data repository focus (focused on cloud-only data or structured data only). Vendors with a more specialized focus should be among those considered for specific use cases.
The continual evolution of data security risks is reflected in vendor positions as Leaders or Challengers. With the majority of vendors in this space being positioned as Challengers, there are still opportunities to improve execution and better leverage solutions. Even among the Leaders, many still have areas for improvement, such as AI risk analysis, NHI security, and data lineage. These are key differentiators between the strongest solutions and the rest.
This report also highlights a small group of Outperformers. These vendors have strong roadmaps and are making headway in emerging areas such as AI security posture management (AI-SPM) and risk correlation.
While there has been some market consolidation, the DSPM market continues to grow, as reflected in the substantial increase in vendor numbers since our last report (from 14 to 25).
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Arexdata: Arexdata DSPM
Solution Overview
Arexdata DSPM was launched in 2022 and provides companies with an efficient management and protection solution for their data assets.
Arexdata DSPM is a data security platform designed to discover, classify, and protect sensitive data across on-prem, hybrid, and multicloud environments. The solution operates through agentless scanning that connects to data sources via API integrations, supporting major cloud platforms including AWS, Azure, and Google Cloud, as well as on-prem databases and SaaS applications. The solution employs automated data discovery engines that scan structured and unstructured data repositories to identify sensitive information, such as PII, PHI, and financial data.
Arexdata provides data classification capabilities using pattern matching and ML algorithms to categorize sensitive data in accordance with regulatory frameworks. It provides visibility into data exposure risks through risk scoring that evaluates factors such as data sensitivity, access permissions, and storage security configurations.
Arexdata offers policy-based remediation workflows that enable security teams to enforce data-handling policies and respond to policy violations. The solution includes access management features that map data access paths and identify overpermissioned accounts or excessive privileges. Integration capabilities extend to SIEM tools and ticketing systems for alert routing and incident management. The solution provides reporting dashboards that visualize data inventory, compliance posture, and risk trends across the data estate.
Arexdata is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the DSPM Radar chart.
Strengths
Arexdata scored well on a number of decision criteria, including:
On-prem repository support: Arexdata provides comprehensive on-prem repository coverage. It can scan and assess data on file servers, network-attached storage (NAS), Common Internet File System (CIFS), and local repositories. This also includes NAS solutions such as NetApp and hyperconverged infrastructure (HCI) solutions such as Nutanix. It also supplies endpoint insight with support for Windows desktops and servers, Linux, and macOS.
AI risk analysis: Arexdata DSPM monitoring includes strong Microsoft Copilot integration, capturing user activity, prompts, and AI responses. It automatically detects unauthorized access to sensitive information through AI-powered analysis, identifying permission misconfigurations in real time. The Sensitive Screen functionality uses OCR technology to monitor AI applications and external services by periodically capturing screens and analyzing content against data classification policies. Arexdata’s Shadow AI Use Dashboard offers detailed AI agent detection. The system also generates detailed reports when critical information is detected across multiple channels, preventing data leakage through personal communications and unauthorized sharing.
Data mapping: The solution provides strong data mapping to discover data across a wide array of locations, including structured and unstructured data in the cloud, on-prem, and at endpoints. It provides real-time visibility into data locations, data types, and data classification from within its centralized console.
Opportunities
Arexdata has room for improvement in a few decision criteria, including:
Automated data threat detection and response: Arexdata protects against unauthorized changes. The solution alerts, identifies, and reverses unexpected changes to critical files that may indicate an intrusion. It also provides permission change notifications, helping to detect potential security issues or unauthorized attempts to access data. However, it does not offer advanced automation capabilities and lacks a native orchestration platform that enables customers to build remediation playbooks. Adding these capabilities would help customers build more robust and complex threat remediation responses.
Incident response and impact analytics: Arexdata provides a detailed history of accesses, modifications, and file locations, which can help support incident investigation. It does this by feeding this information into the incident response process rather than providing its own incident response capabilities. While some of this is addressed via its MCP integration (allowing customer AI tools to address some of this), adding a more formal incident response module to the solution would help analysts investigate risks more quickly and reduce the need for external tools.
NHI threat management: Arexdata doesn’t treat machine accounts differently, but its permission management and auditing apply to all identities equally. Service accounts and bots are visible in the same reports, and excessive access by such accounts is flagged like any other risk. These capabilities are useful and will help analysts assess NHI risk. Adding specific NHI identification and risk analysis would be a valuable addition to the solution.
Purchase Considerations
Arexdata does not publish pricing or license information on its website. Pricing is per user and is subscription based, with volume-based licensing available for larger customers.
With SaaS and on-prem deployment options, deployment complexity depends on numerous factors. However, the vendor provides technical support and professional services to assist with deployment.
The solution should be suitable for both SMBs and large enterprises.
Use Cases
Arexdata DSPM addresses a range of use cases, including regulatory compliance, where it automates data discovery and classification to support GDPR, HIPAA, CCPA, and other regulatory frameworks. It also helps organizations maintain data inventories and better manage and secure data. It has good on-prem repository support, which will be attractive to organizations that maintain on-prem data infrastructure.
Bedrock Data
Solution Overview
Bedrock Data provides management and security for cloud services and on-prem environments.
Bedrock Data’s DSPM is delivered as a SaaS solution and uses its AI Reasoning (AIR) Engine to provide accurate, scalable data visibility, governance, and protection to meet security and compliance requirements. Bedrock Data’s ArgusAI secures enterprise agents, models, and copilot rollouts by assessing and controlling data risk in AI applications through Data Bill of Materials, Entitlements, and Guardrails analysis. It also includes Semantic Search for querying Bedrock Data's Metadata Lake and Natural Language Policy creation to articulate data control policies without complex query engines.
The solution integrates into existing environments via an API and maintains privacy via its Outpost architecture, a serverless component deployed within the customer's cloud infrastructure. Metadata is forwarded to its SaaS-based analysis engine for classification and risk assessment. APIs also enable metadata sharing to enhance the prioritization and effectiveness of other security solutions, including cloud-native application protection platform (CNAPP), SIEM, and data loss prevention (DLP) tools (with push-down tags).
Adaptive Sampling allows the solution to process and classify up to one petabyte of data per hour. It can assess risk in structured, semistructured, and unstructured datasets. A centralized dashboard provides real-time visibility into data risks. The solution's AI-powered categorization determines data ownership and document types beyond basic classification. Granular policy controls, customizable in natural language, allow users to define trust boundaries and remediate risky or noncompliant data movements.
It provides proactive security with insights into data movement and risk exposure by identifying the "blast radius" and delivers entitlement analysis for both human and nonhuman credentials.
Bedrock Data is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
Bedrock Data scored well on a number of decision criteria, including:
Data mapping: Bedrock Data offers comprehensive data discovery, capable of identifying data across a range of repositories, including S3 buckets, file systems, databases, data warehouses, and document repositories. It uses a patented scanning technique to deliver fast, cost-effective classification, then identifies oversharing, access anomalies, and potential misconfigurations, providing a clear security posture.
Incident response and impact analytics: The solution provides strong incident insight and data to support incident response. It identifies affected data and users and outputs that information for security teams. This includes valuable details on blast radius, showing the range of users and systems that a data breach could impact.
AI risk analysis: The solution discovers and classifies data used for AI training and inference and determines whether models are trained on sensitive data. It analyzes configured guardrails to determine what sensitive data would be exposed and which data would be filtered out by the configured policy. It also tracks AI SaaS applications such as Glean and shows what data they have access to. Enterprises can set policies on which sensitive data AI models should and shouldn’t have access to, and receive alerts when those policies are violated.
Opportunities
Bedrock Data has room for improvement in a few decision criteria, including:
On-prem repository support: Bedrock Data has recently added support for on-prem repositories, including NAS devices, Windows file shares, and other systems that make files available via NFS or Server Message Block. However, extending this with support for databases and on-prem applications would help deliver a more complete solution.
NHI threat management: Bedrock Data offers insight into service accounts and bots. By combining entitlement analysis with access activity, it can identify risks and enforce least privilege policies. While it highlights these risks and supports integration with identity and access management (IAM) tools for remediation, it could further develop capabilities, such as secret scanning in code or automatic credential rotation.
Data lineage: Bedrock Data tracks data lineage for structured and unstructured data across cloud (including AWS, Azure, Google Cloud, and Snowflake), SaaS (such as Microsoft 365 and Google Drive), and on-prem file shares. Bedrock Data presents lineage in tabular form and via a graph visualization that shows source-to-destination relationships. For structured data, it details which specific fields and columns are being copied or transformed along the lineage path. However, developing this into a more formal and complete data lineage capability would appeal to its customers and build on its foundation.
Purchase Considerations
The Bedrock Data solution is sold as a yearly subscription based on a contracted data or user amount, with the option to purchase additional capacity. Licensing models vary and are based on the volume of data analyzed for IaaS and PaaS environments and the number of users for SaaS environments.
The vendor targets enterprises with more than 1,000 employees or more than 1 petabyte of data in infrastructure. The solution is comprehensive and provides the full range of data security capabilities. Deployment is straightforward for those experienced with public cloud platforms, and professional services are generally not necessary for deployment but may be useful for complex remediation scenarios.
The vendor is not FedRAMP certified, so the solution is not suitable for those markets.
While the vendor positions itself as suitable for SMBs, its focus on enterprises with large, complex data estates means that organizations without such needs may find alternative solutions more suitable.
Use Cases
Bedrock Data operates across multiple sectors, delivering high-performance scanning to efficiently process large datasets in cloud environments. Its ability to add detailed context (such as data location, entitlement chains, and PII) enhances existing SIEM, SOAR, cloud security posture management (CSPM), and DLP platforms, improving their accuracy and effectiveness. It helps customers reduce data security posture issues across all environments, providing visibility into data liability exposure and detecting violations of enterprise data security policies. It also delivers AI data bill of materials capabilities, understanding which sensitive data AI models can return based on training and inference data and enforcing policies around model data access to aid AI adoption.
BigID: BigID Data Security Posture Management
Solution Overview
BigID focuses on data and AI security, privacy, compliance, and governance. Its solution acts as a single source of truth for an organization's entire data estate and delivers a data-centric, risk-based approach to data security.
BigID Data Security Posture Management can be deployed on-prem, as a cloud image, in a hybrid configuration, or via SaaS. It uses an agentless approach that can handle a wide range of data types, including structured, unstructured, semistructured, and streaming data. With a library of more than 500 native connectors, BigID seamlessly integrates with a variety of data repositories across cloud, SaaS, and on-prem environments. The solution is modular, with DSPM available as a standalone addition to the core module. The solution automatically discovers data within each connected repository and classifies it using ML, natural language processing (NLP), pattern matching, and pretrained classifiers. It identifies misconfigurations, publicly accessible data, and policy violations.
BigID’s data activity monitoring captures user access and configuration events from sensitive data sources, giving rich context to help pinpoint potential threats. It provides posture scoring and maps findings to regulatory frameworks and internal policies so teams can prioritize remediation. It has AI security and compliance capabilities, addressing AI governance by identifying sensitive data in training sets and prompts, mapping AI-specific data lineage, labeling vector data, and monitoring how AI systems interact with enterprise information.
BigID is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
BigID scored well on a number of decision criteria, including:
Incident response and impact analytics: BigID delivers robust incident investigation support. It logs meaningful data events and correlates them with sensitivity and identity, giving responders an immediate view of what happened and the impact on sensitive information. The solution’s data lineage and access history help provide the scope of an incident. It prioritizes incidents by potential impact using its risk scoring, so a breach of highly sensitive data is flagged as a higher priority than a low-risk data interaction.
Data mapping: BigID delivers full-spectrum data mapping, supporting all environments (cloud, SaaS, and on-prem) and data formats, updates continuously, and visualizes the flows and locations of sensitive information. It identifies misconfigurations and shadow data stores while overlaying classification context, providing customers with comprehensive insight into their data estate.
On-prem repository support: BigID supports on-prem data environments with feature parity to its cloud coverage. It connects to on-prem relational databases (including SQL Server, Oracle, and Db2), file systems and NAS shares (including Windows SMB, NetApp, and Isilon), big data platforms (like Hadoop and HDFS), and even legacy application data stores. BigID’s architecture does not require local agents on every server. Instead, it can use an Outpost or secure connectors to access on-prem data for scanning.
Opportunities
BigID has room for improvement in a few decision criteria, including:
Data lineage: BigID's data lineage capabilities are purpose-built for DSPM rather than pipeline engineering, so they are security-focused and track data rather than interactions or transformations. It tracks how sensitive data moves and propagates across structured and unstructured systems over time. For structured data, BigID maps connections at the table, column, and schema levels. For some organizations, this may not be enough, as they also need broader insight throughout the data lifecycle. Adding information such as data transformation details would help BigID deliver greater insight.
AI risk analysis: BigID delivers several AI security capabilities. It can detect when sensitive data is used in AI contexts, and it discovers and classifies data in AI training datasets and prompts. Its analysis ties data classification to AI usage logs, so if sensitive records are fed into an AI platform, it logs which data, which user or process, and when. It provides visibility into data flows to external AI services via integration with DLP or cloud logs. Customers use BigID's discovery and classification capabilities for prompt protection. BigID can continue to develop this area by adding security features, such as the ability to detect prompt injection attacks. This would provide even more comprehensive cover for its customers.
Automated data threat detection and response: BigID enables rapid, automated responses to data security issues. It not only detects risky conditions but also provides some native remediation actions, including deletion, moving, masking, and permissions revocation. It also integrates with workflow tools to enable remediation and supports direct fixes across many platforms. Audit trails, rollback capability, and automated validation of remediation success indicate a strong response mechanism. The vendor could develop this further by adding increased native remediation capabilities and the ability to build complex orchestrations.
Purchase Considerations
BigID operates on a subscription-based model for its modular solution. Licensing is based on data sources, scale, and functional modules. Customers can self-select modules and apps based on specific needs and use cases, or opt for BigID's suggested bundles designed for data security, privacy and compliance, and data management. Annual subscriptions are standard, with multiyear options available.
While professional services are optional, they are available for customers with complex data discovery, classification, and security needs, including large onboarding projects, custom policy development, or deeper integration into governance workflows. The vendor also offers BigID Express, a streamlined DSPM deployment designed for rapid implementation and faster time to value, providing core discovery, classification, and risk insights with simplified setup for customers who want to establish DSPM fundamentals or run a targeted pilot.
The vendor offers a solution that is suitable for businesses of all sizes, from SMBs to large enterprises.
Use Cases
Organizations most often adopt BigID’s DSPM solution to reduce data exposure by automatically identifying sensitive or regulated data, correlating it with access rights and configurations, and highlighting overexposed or misconfigured assets. It helps organizations meet and maintain compliance across complex data estates by mapping discovered data to regulatory frameworks such as GDPR, CPRA, HIPAA, and PCI; surfacing policy violations; and demonstrating ongoing compliance with reduced manual effort. Additionally, it supports the secure and responsible adoption of AI by identifying sensitive data used in AI workflows, assessing AI-specific risks, and enforcing guardrails before data is shared, processed, or consumed by AI systems.
Concentric AI: Semantic Intelligence
Solution Overview
Concentric AI offers intelligent data security and simplifies data management. Its AI-based solution helps businesses find sensitive data, mitigate risks, remove duplicates, and ensure compliance across cloud and on-prem environments.
Concentric AI's Semantic Intelligence deep learning solution manages data security by autonomously discovering, categorizing, and remediating data. It protects structured and unstructured data in the cloud, on-prem, and within email or messaging services. The solution integrates with existing services via API for cloud repositories and a virtual proxy for on-prem scanning. Using an AI engine with NLP powered by proprietary large language models, Concentric AI categorizes data into more than 500 categories without needing rule development, regex patterns, or user involvement. Identified risks include inappropriate permissions, risky sharing, unauthorized access, and mislocated data.
Its User 360 and File/Data 360 functions detect inappropriate activity and support access-control planning. The solution provides insights into data location, access, and sharing, enabling operations teams to implement remediation actions such as document classification, data relocation or deletion, retention policy application, access control adjustments, blocking, masking, and permissions management.
Concentric AI has expanded its solution to address emerging GenAI security risks, now detecting and protecting against data leakage across GenAI assistants, public GenAI tools, and proprietary GenAI workloads, allowing organizations to safely embrace AI without expanding their attack surface.
Concentric AI is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Concentric AI scored well on a number of decision criteria, including:
Data mapping: Concentric AI’s solution automatically discovers and categorizes data across cloud, SaaS, and on-prem systems. It covers structured data (databases and data warehouses) and unstructured content (files, emails, and collaboration platforms) without requiring manual tagging. It also identifies misplaced or risky data and can autonomously remediate certain issues (such as moving an exposed file to a secure folder). It provides visual timelines of data flows showing how data moves between sources over time. It offers a holistic real-time map of an organization’s data, enriched with context on sensitivity and risk.
Data access intelligence: Concentric AI provides detailed information about who has access to every data asset and monitors how that access is used. It integrates with identity providers (such as Azure AD and Okta) to pull user and group information, and clearly distinguishes service accounts from humans. It employs user and entity behavior analytics (UEBA) to detect anomalous behavior. It can also enforce remediation actions such as automatically revoking access or removing a shared link.
Data lineage: Concentric AI’s Semantic Intelligence has good data lineage capabilities. It can parse structured and unstructured data across cloud, SaaS, and on-prem repositories. The data lineage feature displays a visual timeline of each instance when a data record is created, copied, edited, deleted, or shared, along with the user who performed the action and a timestamp indicating when it was performed. Details on how the elements are derived are included on the same screen, displayed above and below the timeline. The impact of changes and errors is captured within the solution’s risk dashboard.
Opportunities
Concentric AI has room for improvement in a few decision criteria, including:
AI risk analysis: Concentric AI continues to develop its capabilities with the addition of its Semantic DLP solution. It uses proprietary technology to automatically recognize any AI application through the browser and identify sensitive information being uploaded, copied and pasted, or typed into prompts, and it logs every policy violation, prompt, and response for compliance and investigation purposes. It then produces a warning, blocks access, or redacts sensitive data, as defined by policies. Extending these capabilities would be valuable to customers, providing more insight into AI interactions outside the browser and a more detailed AI risk analysis.
NHI threat management: Semantic Intelligence can identify human and nonhuman users and the data each user and group has access to. It also includes identity graphs that visually represent identities and access to sensitive information. The risk dashboard displays excessive permissions and automated remediation actions. There is an opportunity to build on this in areas such as integrating the code repository directly to detect leaks and adding blast radius information to provide insight into how a compromised NHI would impact an organization.
Automated data threat detection and response: Concentric AI identifies and autonomously remediates threats to data. Its risk dashboard provides actionable guidance on top threats to customer data, along with scoring to help security teams prioritize responses. There are opportunities for Concentric AI to develop this further by building more complex playbooks that are natively automated into the solution, although this can also be done via integration with external SOAR and other automation tools.
Purchase Considerations
Concentric AI offers subscription-based licensing with pricing based on data volume, billed per terabyte. The Semantic DLP module requires per-user pricing. The vendor does not publish its pricing publicly, but it is available directly or through its partner community. The minimum subscription commitment is one year. The vendor provides a data risk assessment with no ongoing commitment, which is useful for those evaluating the solution.
As a SaaS solution designed for simplicity and scale, deployment is not overly complex, and since the solution classifies data using its own semantic approach, only minimal setup is required to achieve initial discovery and evaluate potential risk. Each customer is assigned a customer success manager who coordinates a kickoff meeting to ensure seamless implementation.
The solution is suitable for businesses of all sizes and industries, serving customers from SMBs to enterprises.
Use Cases
Concentric AI meets a wide range of use cases. Data access governance enables organizations to implement a robust zero trust approach in which users have access only to what they need and every access attempt is verified, uncovering embedded data risks and facilitating rapid remediation. Semantic DLP delivers comprehensive protection across public GenAI tools through shadow AI detection and sensitive data blocking or masking. Data leakage prevention automatically discovers sensitive data across the organization and centralizes it in secure, governed locations with clear labels that integrate with DLP, Zero Trust Network Access (ZTNA), and cloud access security broker (CASB) tools, while data lineage capabilities provide full visibility into each file's journey, including who accessed it, where it was shared, and how it's being used.
Cyera: Cyera Data Security Platform
Solution Overview
Cyera focuses on data security, developing solutions that can discover and protect data across the enterprise data infrastructure.
The Cyera Data Security Platform is available as SaaS or, for organizations needing local processing, as an "outpost" deployment. It features agentless scanning with automated repository discovery and the ability to inventory IaaS and PaaS storage buckets, native databases, and databases running in VMs or container environments. It identifies folders and files in SaaS applications. The solution also extends to on-prem data stores, including file shares, NAS, and popular enterprise databases.
The solution maps the entire organization's sensitive data and detects issues across protected repositories. When risks are discovered, it can automate responses either directly or through integrations with SOAR and ticketing systems. It uses AI, ML, and NLP to drive data discovery and classification accuracy, with multimodal, AI-native classification that adapts without manual training. Cyera has also added its Cy AI chatbot to the product to support natural language queries and enhance productivity.
Cyera delivers security posture assessment along with reactive, real-time data detection and response (DDR) capabilities. Cyera has also added AI risk analysis for Microsoft Copilot and other AI tools, giving customers insight into potential risk exposure. The solution includes a data intelligence layer and a managed Snowflake instance of Cyera metadata that enables integration with customer data or security lakes and supports natural language conversation and report building.
Cyera has announced additional endpoint capabilities to be delivered in 2026, complementing its existing agentless architecture.
Cyera is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Cyera scored well on a number of decision criteria, including:
AI risk analysis: Cyera treats AI data interaction as a specific risk, combining telemetry from its full platform, including DSPM, Access Trail for data access management, and Omni DLP, which employs an orchestration model that brings intelligence from solutions across the organization. It gives context-rich visibility into how sensitive data interacts with AI, detecting, tracing, and controlling the flow of data into AI models, pipelines, and agentic frameworks. AI Guardian delivers AI-SPM, enriched with telemetry from Omni DLP and Access Trail, allowing Cyera to inspect prompts and outputs and understand the architecture of tools that interact with AI, including embedded agents, connected services, and downstream inference layers.
Incident response and impact analytics: Cyera quickly provides scope and impact insight when a data security incident occurs. For example, if a user’s account is suspected of leaking data, a responder can query Cyera for “everything Jane Doe accessed in the last week that was sensitive” and get results immediately. Cyera’s interface prioritizes incidents by risk level and provides a timeline of events. It also correlates related alerts, so a complex incident (like multiple service accounts being used by an attacker) is grouped and easier to analyze. All the evidence (files, users, and times) can be exported to provide to compliance teams or management.
Data mapping: Cyera continues to improve this capability, including the addition of its new lineage data flows. Cyera’s solution connects to a wide range of environments (including major cloud platforms, SaaS apps, on-prem databases, and file systems) to automatically discover and classify sensitive data. It inventories both structured data (databases and data lakes) and unstructured data (files in cloud storage and messages) and applies AI-driven classification labels (such as PII and secrets). The platform delivers additional value with its ability to identify not only these known classifications but also learned classifications that represent unique IP that would be unlikely to be captured by traditional methods. It highlights security issues in the data landscape and flags dormant data stores.
Opportunities
Cyera has room for improvement in a few decision criteria, including:
Data access intelligence: Cyera provides visibility into entitlements and usage (who can access data and who has accessed it) and integrates identity context to highlight overprivileged and dormant accounts. However, it lacks fully automated anomaly detection via behavioral analytics, relying on defined policies and known conditions. More dynamic behavioral analysis is on the short-term roadmap and expected to ship in 2026.
NHI threat management: Cyera provides strong visibility and analysis of machine identities (covering their access and actual usage and detecting anomalies or overprivilege). Currently, the solution provides policy recommendations and can trigger remediation workflows, including tightening service account scope. There are opportunities to further enhance capabilities, including the ability to ingest public threat intelligence, and the ability to present visual insights into the links between identities and credentials (although addressing this is part of its short-term roadmap).
Automated data threat detection and response: Cyera uses AI to detect threats such as large anomalous downloads, newly exposed sensitive data, or unsafe data transmissions. When a threat is detected, Cyera provides clear remediation guidance and can trigger workflows. The solution integrates with SOAR tools, and playbooks can be triggered directly from within the solution. Native automatic detection and response are more limited. Expanding these automated capabilities would increase appeal to organizations without mature automation tools to fill this gap. Some of this gap can be addressed by Cyera’s DataWatcher Service, which provides end-to-end management of Cyera Data Security Posture Management (DSPM) and Cyera Omni Data Loss Prevention (DLP) solutions.
Purchase Considerations
Cyera is licensed by data volume (for IaaS, DBaaS, and on-prem) and by user/seat (for SaaS, access governance, and DLP), with a 12-month minimum subscription term. DSPM and Omni DLP form the foundation of the solution. Additional feature add-ons are available. Pricing is environment-specific and shared through direct sales and partner networks.
As a SaaS offering with a fully agentless model leveraging secure API-based integrations, customers can deploy quickly, often surfacing results and risk insights within hours. Most customers deploy with in-house resources, though Cyera offers professional services for scaled onboarding, custom integrations, and policy orchestration. The vendor's DataWatcher service provides 24/7 managed data detection and response via a shared responsibility model.
Cyera is now officially listed as FedRAMP In Process, indicating that it is undergoing the necessary security assessments and approvals to achieve full FedRAMP authorization.
Cyera targets large enterprises, the public sector, and managed service partners, so it may not be suitable for smaller businesses.
Use Cases
Cyera delivers solutions for several use cases, including data risk assessments and threat reduction across cloud, SaaS, and hybrid environments. The solution helps security teams reduce high-risk conditions such as stale entitlements, overshared links, and excessive permissions. Cyera also helps customers enhance existing DLP tools by using its DSPM-derived classification context to enrich information in solutions such as Microsoft Purview, Zscaler, and Netskope, thereby improving accuracy and reducing false positives. It also helps organizations enable AI capabilities, including Microsoft Copilot, Salesforce AgentForce, and homegrown models, by governing sensitive data flows, detecting prompt injection, identifying unsafe agents, and eliminating model leakage.
Forcepoint: Forcepoint DSPM
Solution Overview
Forcepoint is a cybersecurity company that provides a Data Security Everywhere solution, protecting data across endpoints, cloud applications, email, web, and networks with unified policy and adaptive behavior-based enforcement.
Forcepoint's AI Native DSPM is a new addition to its portfolio. It uses an AI Mesh model, which is a networked architecture of small, efficient AI models that work together to classify data with high accuracy. This cooperative mesh identifies relationships between words, understands context, determines a file’s sensitivity, and continuously scans structured and unstructured data repositories, automatically identifying sensitive information without requiring predefined templates or manual configuration. The solution provides comprehensive visibility across SaaS applications, cloud storage (AWS S3, Azure Blob Storage, and Google Cloud Storage), databases, file shares, and on-prem repositories through API-based integrations and agentless scanning. Its AI-driven classification engine leverages NLP and ML to identify more than 1,600 data types spanning regulatory frameworks, including GDPR, HIPAA, PCI-DSS, and CCPA. It is available as SaaS and for on-prem and cloud self-hosted deployment.
The solution delivers a real-time data security posture assessment through risk scoring that evaluates exposure based on access permissions, data sensitivity, sharing configurations, and compliance gaps. Built-in remediation workflows enable direct action from the console, including permission adjustments, deleting or moving files, and access revocation, without requiring external ticketing systems.
Forcepoint integrates DSPM capabilities into its broader data security platform, providing unified policy management and incident response across DLP, CASB, DSPM, DDR, SWG, and email. The solution includes anomaly detection for unusual data access patterns and automated compliance reporting with prebuilt templates for major regulatory frameworks.
Forcepoint is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Forcepoint scored well on a number of decision criteria, including:
Data access intelligence: Forcepoint provides a centralized view of data and data access, helping customers enforce the principle of least privilege across cloud, SaaS, and on-prem systems. It provides good access integration with detailed identity context. It flags overprivileged roles and unused credentials and alerts on anomalous data access using risk-adaptive analytics, allowing customers to effectively remediate risk and improve access security posture.
Automated data threat detection and response: Native integration with Forcepoint’s DDR solution provides a comprehensive range of detection and response options. It provides continuous monitoring with dynamic incident alerts across on-prem repositories and the cloud. DDR tracks file access patterns, sharing behaviors, and data movements in real time, alerting security teams to activities that could signal insider threats or compromise attempts. It provides automated remediation with custom playbooks to help customers build a custom threat response.
Incident response and impact analytics: Forcepoint incident response provides accelerated response times, automated alerts, and workflows. When an incident is being investigated, it provides detailed context to security operations teams, offering insight into what data was accessed, which user was involved, and when activities occurred. It can also feed incident data into SIEM and SOAR tools and supports compliance reporting.
Opportunities
Forcepoint has room for improvement in a few decision criteria, including:
AI risk analysis: While the solution integrates with Microsoft Copilot and ChatGPT via API to provide some level of control and insight into their usage, much of the current control is delivered through existing features such as DLP. Increasingly, customers need deeper insight into AI-specific risks, including AI pipeline security and agentic AI behavior. Building this into the platform will help extend Forcepoint’s capabilities in this rapidly growing risk area.
NHI threat management: Currently, Forcepoint doesn’t differentiate NHIs from standard accounts in risk scoring. This means it also lacks a dedicated view for machine identities. NHIs are a growing risk for all organizations, especially as agentic AI grows. Adding more distinct NHI features will help its customers better tackle this risk.
Data lineage: Forcepoint AI Native DSPM focuses on risk remediation and real-time monitoring and less on formal data lineage visualization. It does provide a specific lineage view that can trace locations, changes, file movement, sharing, downloads, and other data interactions. However, it could build on this by adding more detailed insights, such as how elements are derived, calculated, and transformed, to provide more formal data lineage capability that would increase the platform's appeal.
Purchase Considerations
Forcepoint supports a flexible set of licensing options, from seat-based licensing to consumption-based licensing for enterprise use cases, with pricing tiers that scale with the total data estate size. The solution can also be packaged as part of Forcepoint's broader data security platform.
Implementation complexity will depend on the deployment model. Deployment is also likely to require initial data source configuration and policy tuning. Forcepoint offers professional services and dedicated customer success resources during onboarding. The vendor offers 24/7 technical support with tiered service levels and maintains a global support infrastructure.
Forcepoint primarily targets large enterprises and mid-market organizations with complex, distributed data environments spanning multiple cloud platforms and on-prem infrastructure. It may be less suitable for smaller businesses.
Use Cases
Forcepoint AI Native DSPM addresses critical data security scenarios for organizations managing distributed data estates. Primary use cases include continuous data discovery and classification across cloud, on-prem, and hybrid environments, enabling organizations to maintain a real-time inventory of sensitive data locations and types. The solution can also help customers address access governance concerns by analyzing permission structures to identify overexposed data, excessive privileges, and stale access rights that require remediation.
Fortra: Fortra Data Security Posture Management
Solution Overview
Fortra is a cybersecurity vendor providing comprehensive offensive and defensive security solutions.
Fortra’s Data Security Posture Management (DSPM) is a new addition to the Fortra platform. The solution can be consumed as SaaS or self-hosted and is available as a managed service. It provides complete data discovery, classification, risk analysis, and security posture management capabilities. The solution operates through a connector-based architecture that integrates with cloud, SaaS, and on-prem repositories without requiring intrusive installations.
Fortra DSPM is built on a single architecture rather than made up of several components. It employs contextual risk prioritization that weighs findings based on data sensitivity, exposure, access patterns, and business impact. Fortra uses AI-based data classification powered by ML models for context-aware detection, reducing false positives. Its unified data graph shows how data, users, permissions, and systems interconnect, enabling teams to quickly visualize the blast radius of potential incidents. The solution also includes automated remediation workflows with policy-driven actions for misconfigurations, permissions, and data movement risks. It offers multiple remediations, including allow/log, deny/block, step-up authentication, user coaching, masking, and redaction.
Fortra is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
Fortra scored well on a number of decision criteria, including:
Data access intelligence: Fortra DSPM provides detailed insight into permissions and data usage. It enumerates who can access files and folders and monitors every actual access via its agents. It clearly distinguishes service accounts from regular users and monitors both accordingly. Fortra’s solution also directly intervenes: if an unauthorized access attempt is detected (for example, a user tries to copy a sensitive file they aren’t allowed to), the agent can block it in real time.
Incident response and impact analytics: Fortra DSPM enables organizations to generate comprehensive incident response reports that meet regulatory, compliance, and internal audit requirements. It automates the collection and correlation of critical incident data, ensuring accuracy and speed during high-pressure situations. It automatically captures details such as the incident timeline, impacted data assets, sensitivity levels, exposure paths, and user access logs. It provides blast radius analysis and root-cause insights, including details on how the incident occurred, associated vulnerabilities, and calculated risk scores.
On-prem repository support: Fortra supports a wide range of on-prem repositories, including Windows file servers, NFS shares, NAS devices, SharePoint Server, and databases. The solution can be deployed fully on-prem (with management servers and databases onsite) for organizations that can’t use the cloud. All features, including discovery, classification, monitoring, and blocking, are available in this deployment model.
Opportunities
Fortra has room for improvement in a few decision criteria, including:
AI risk analysis: Fortra’s current AI controls are based on existing features (such as DLP) rather than on specific AI model controls. While this can still be effective, there is a large scope for Fortra to further improve its capabilities; for example, developing in areas such as identifying shadow AI tools, identifying agents accessing data, and understanding how tools like Copilot interact with data to build prompt responses.
Data lineage: Due to Fortra’s continuous activity monitoring, it can reconstruct a narrative lineage of sensitive data. For example, through its logs, you can trace that a file was created on an internal server, copied to a laptop, and then emailed to a partner, effectively showing the path of that data but not a true depiction of lineage. This provides significant scope for Fortra to develop capabilities such as showing granular data lineage, how elements are derived, calculated, or transformed, and providing clear graphical representations of data throughout its lifecycle.
Automated data threat detection and response: Fortra provides a number of threat detection and remediation capabilities but relies on external tools to deliver more complex automations. Natively automated capabilities are still mainly policy based and lack more sophisticated orchestration capabilities. Building these into the platform natively can help customers reduce reliance on additional automation tools and help those who lack mature SOAR or other orchestration tools.
Purchase Considerations
Fortra DSPM is licensed on a subscription basis, primarily following a per-user, per-year model that enables predictable costs and scalability. While per-user licensing is standard, capacity-based licensing options are available depending on product configuration or specific customer environments. The minimum subscription commitment is typically one year, with multiyear agreements available that provide pricing stability. Pricing is not publicly available and must be obtained through Fortra sales representatives or authorized partners, with quotes tailored to specific customer needs based on user count, deployment model, and required integrations.
The solution offers flexible deployment models to accommodate diverse organizational requirements. The primary offering is a fully hosted SaaS deployment managed by Fortra, which provides continuous updates, fastest time to value, and requires no customer infrastructure. The SaaS-based solution will offer the easiest deployment options. The vendor can offer professional services support if needed.
Fortra targets its solution to SMBs, large enterprises, and MSP partners.
Use Cases
Fortra DSPM primarily addresses sensitive data discovery and classification across cloud and hybrid environments, solving the critical business challenge of insufficient visibility into where sensitive data resides. Its automated discovery provides organizations with a complete inventory, helping reduce exposure and simplify audit processes. It also supports compliance and governance efforts by helping reduce data exposure and access risk. By correlating data sensitivity with access rights and configuration posture, the solution helps organizations identify and correct misconfigurations while continuously measuring their compliance posture. Fortra also helps address the complex challenge of insider risk by detecting unusual data access or movement.
IBM: IBM Guardium Data Security Center (GDSC)*
Solution Overview
IBM is a provider of a wide range of IT services, which includes an extensive portfolio of security products.
IBM Guardium Data Security Center (GDSC) serves as a centralized management solution for IBM's Guardium Data Protection portfolio, providing unified visibility and control across hybrid and multicloud data environments. The solution integrates multiple Guardium modules, including Guardium Data Protection, Guardium Insights, and Guardium Discover & Classify, to deliver comprehensive DSPM capabilities.
GDSC leverages containerized microservices, whether deployed on-prem, in private or public clouds, or consumed as SaaS. The solution provides automated data discovery and classification across structured and unstructured data stores. It uses ML and pattern matching to identify sensitive data across more than 80 data source types. The solution's risk-assessment engine analyzes vulnerabilities, access patterns, and policy violations to calculate data security risk scores.
IBM GDSC offers centralized policy management, allowing security teams to define and enforce consistent data security policies across distributed environments. The solution provides real-time monitoring and alerting for data access anomalies, policy violations, and potential threats. IBM GDSC’s unified dashboard aggregates risk metrics, compliance status, and security findings across all connected data sources. It includes workflow automation for remediation activities and integrates with SIEM and SOAR tools through APIs. The solution supports regulatory compliance reporting for frameworks such as GDPR, HIPAA, PCI DSS, and SOX.
IBM is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
IBM scored well on a number of decision criteria, including:
Data mapping: IBM provides comprehensive data discovery and classification. The solution automatically finds sensitive data across multicloud and SaaS environments, including shadow and hidden data, then tags it and tracks its location and movement. It can map data across structured and unstructured sources, then use AI and ML to train the system to identify which files contain sensitive data.
Data access intelligence: The solution continuously monitors user activity across databases, files, and cloud data, detecting overprivileged and dormant accounts and enabling proactive entitlement reviews. Its real‑time analytics and user behavior baselining identify anomalous access, while policies can block, quarantine, or mask risky sessions.
Automated data threat detection and response: IBM GDSC uses advanced analytics and GenAI to detect abnormal data activity, classify threats with full contextual insight, and accelerate incident handling. It correlates signals across cloud databases; enriches each event with the who, what, when, where, and how; and automatically creates response tickets or blocks risky behavior.
Opportunities
IBM has room for improvement in a few decision criteria, including:
NHI threat management: While IBM addresses machine and service identities as part of its access analytics, it does not have a separate NHI module. Offering more specific NHI visibility, as well as advanced capabilities such as secrets integration for NHI lifecycle management, would increase the solution’s appeal to those looking to address the complex problem NHI poses.
Data lineage: IBM offers comprehensive data lineage in conjunction with watsonx.data, tracking data from creation to deletion and including transforms as it moves through the system. However, this is not currently part of the DSPM solution. Bringing this into the DSPM product would be a valuable addition, extending its capabilities and addressing the lineage challenge many businesses face.
On-prem repository support: IBM GDSC integrates well with IBM’s on-prem Guardium tools to cover databases and file systems, but the DSPM module itself focuses on cloud sources. On-prem data protection is achieved via separate (albeit integrated) components. Bringing these components together into a single DSPM component would help simplify DSPM adoption for customers.
Purchase Considerations
IBM GDSC pricing is based on a modular approach. It can be licensed under either a subscription or a perpetual license model. Licenses are purchased using a resource unit, with consumption under an enterprise or usage-based model. There are several considerations for licensing Guardium and its modules. Customers should seek advice from IBM or its partners.
Depending on whether the solution is self-hosted or SaaS based, deployment complexity will vary. However, IBM offers a broad range of professional services to support those who need them.
Use Cases
IBM addresses several use cases with this solution, including flexible deployment options such as self-hosting and SaaS. These options help overcome challenges for those adopting DSPM, especially organizations that require self-hosting capabilities. The solution also supports compliance management with audit-ready reports and evidence for frameworks such as GDPR, HIPAA, PCI DSS, and SOX through automated policy enforcement and activity monitoring. IBM GDSC is a broad solution and part of a larger portfolio that can address multiple issues, making it an ideal consideration for those looking to consolidate vendors.
Lepide: Lepide Data Security Platform
Solution Overview
Lepide is a long-established data security company. Its initial focus on Active Directory security has expanded over time to include a variety of data security capabilities. Lepide Data Security Platform now provides auditing and reporting, access governance, threat detection, and data classification.
Lepide Data Security Platform has five core elements: Identify, Trust, Detect, Auditor, and Protect. It is modular, allowing customers to deploy components either individually or all together. Lepide Data Security Platform is available as both SaaS and self-hosted. It scans only unstructured datasets. The solution is managed through a central console that provides interactive dashboards and reports. Reports highlight risks, including data held in open shares, inactive users with high permissions, sensitive data shared externally, and overprovisioned user access. Risk reports show both the affected regulatory frameworks and the monetary value of affected files. The solution is particularly strong at protecting on-prem environments, including file shares, as well as storage solutions from various NAS and HCI vendors.
Detected data threats can be mitigated through automated script execution. Lepide also addresses AI risks through its audit capability for user interactions with Microsoft Copilot, including query auditing and detailed tracking of Copilot-driven actions.
Lepide is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the DSPM Radar chart.
Strengths
Lepide scored well on a number of decision criteria, including:
Data access intelligence: Lepide provides insights into how users access data and whether their permissions are appropriate. It can identify dormant identities that still have access to data assets and detect unusual activity, such as potential ransomware attacks and mass file downloads. It also offers automated response capabilities to mitigate such threats.
On-prem repository support: Lepide offers broad coverage of on-prem repositories, although it is primarily designed for unstructured data use cases. It covers repositories such as Windows file servers, NetApp, EMC Storage, Exchange Server, SharePoint Server, and SQL Server.
Automated data threat detection and response: Lepide continues to improve its capabilities in this area with the addition of services such as Lepide Protect, which automates remediation of overpermissive file access. This adds to its automated threat detection and response capabilities, centered on predefined threat models and its real-time alerting infrastructure. The UEBA engine learns normal behavior patterns and triggers alerts on anomalies.
Opportunities
Lepide has room for improvement in a few decision criteria, including:
Data lineage: Lepide does not provide a true data lineage visualization that shows how data flows through pipelines, transformations, or dependency mapping between systems. It tracks file creation, modification, copy, and deletion events with timestamps that record user identity, and it monitors data movement between on-prem and cloud locations. The solution does track the telemetry required to build a more robust lineage offering. Focusing here would further increase the platform's appeal.
AI risk analysis: Lepide has begun addressing AI risks by helping organizations understand what sensitive data AI assistants, especially Microsoft Copilot, can access and ensuring proper permissions governance before AI deployment. There is an opportunity for the vendor to improve its capabilities here, including detecting sensitive data shared with external AI services such as ChatGPT, prompt injection monitoring, training data governance, and inventorying AI models. The risk AI presents to businesses continues to grow, and helping its customers better tackle this issue should be an area of focus for Lepide.
NHI threat management: Lepide offers service account identification through Active Directory auditing. It tracks service account permissions and privilege changes. However, the solution lacks dedicated NHI threat management features, including secrets scanning across code repositories, CI/CD integration, detection of credential exposure from public sources, and automated secret rotation. Building additional capabilities here will be valuable to its customers and help tackle the complex challenges of NHI.
Purchase Considerations
Lepide Data Security Platform is licensed per enabled Active Directory user (not per device or target host) and offers tiered pricing based on customer size (SMB through enterprise). Licenses are available as subscriptions with 1-, 2-, or 3-year commitments, and discounts are offered for multiyear contracts. Lepide also retains perpetual licensing options for specific cases. Pricing can be obtained through direct sales and partner channels.
Deployment complexity varies depending on whether a customer chooses the SaaS or self-hosting option. The use of agents and APIs should not be complicated for most IT teams. Lepide’s support team provides assistance with initial setup and configuration at no additional cost.
While the solution could be attractive to both smaller customers and large enterprises, the vendor targets the mid-market (500-10,000 employees).
Use Cases
Lepide's solution is aimed at mid-market businesses operating in highly regulated sectors. It solves a number of use cases, including detailed auditing insights into Microsoft Copilot usage for AI adoption. It offers strong visibility into data access and usage, supporting data access governance projects. It also helps businesses drive compliance efforts with a good range of compliance reports.
LinkShadow: Data Security Posture Management (DSPM)
Solution Overview
LinkShadow is a cybersecurity vendor focused on providing integrated data security and threat detection capabilities through its next-generation platform architecture.
The company has three core offerings: Data Security Posture Management (DSPM), Identity Threat Detection and Response (ITDR), and Network Detection and Response (NDR). These solutions are unified through LinkShadow's Cybersecurity Mesh Architecture Platform (CMX), which correlates data across individual tools to provide a comprehensive view of data risk.
The LinkShadow solution is delivered primarily as a virtual appliance but can also be deployed in the cloud or consumed as SaaS. It provides data discovery, classification, access mapping, and risk detection across cloud and on-prem locations. Integrations are either via a specific app integration or plugin. The solution operates without requiring endpoint agents, instead relying on agentless, API-based data collection.
LinkShadow DSPM uses AI and ML for automated data classification and risk scoring. The solution includes automated remediation workflows that can flag or ticket critical misconfigurations directly into security and IT service management (ITSM) systems. It provides real-time data flow mapping, including an exposure graph that visualizes how sensitive data moves and is accessed by various identities across cloud boundaries.
The solution delivers automated governance validation by continuously mapping data risks against predefined regulatory frameworks and providing risk-weighted scores and actionable insights. The solution also correlates data sensitivity with IAM configurations to identify excessive access rights and misconfigurations that create high-risk data exposure scenarios.
LinkShadow is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
LinkShadow scored well on a number of decision criteria, including:
Data mapping: LinkShadow maps sensitive data across multicloud (including AWS, Azure, and Google Cloud) and on-prem environments, with real-time visibility into data locations and flows. It automatically classifies content and flags misconfigurations (such as open S3 buckets or overly permissive file shares). It also visualizes basic data flows between systems via an “exposure graph,” helping identify how sensitive data moves or is shared.
Data access intelligence: LinkShadow continuously monitors who accesses sensitive data and how they do so. It logs every access event agentlessly and correlates them with identity context, clearly distinguishing human users from service accounts. It uses AI-driven anomaly detection to flag unusual data access and identify overprivileged accounts. It can actively respond to threats in real time or recommend a response.
On-prem repository support: The solution includes connectors and agents for on-prem file servers (Windows and Linux), network shares, and on-site databases, with the same discovery, classification, and monitoring capabilities as cloud data. The solution can also be deployed in a hybrid or fully on-prem mode for organizations that require it, ensuring data does not leave the network.
Opportunities
LinkShadow has room for improvement in a few decision criteria, including:
Data lineage: LinkShadow tracks fundamental data activity, including file creation, access, sharing, deletion, renaming, and restoration, providing a logged sequence of events. However, it could build on this foundation to create more comprehensive lineage in areas such as full pipeline visualization, transformations, or dependencies, all in a single graph. Adding this would provide a comprehensive lineage module that automatically links and displays data flows across platforms.
AI risk analysis: Currently, the solution can use its API integrations to audit logs and gain visibility into the prompts and responses of GenAI tools (including shadow AI and enterprise Copilots). It also uses its deep classification engine to identify and flag attempts by users to paste, upload, or input sensitive data into these models in real time. There is an opportunity to build more robust features here to provide more comprehensive AI risk insight, including inventorying AI models and prompt-response filtering by analyzing AI tools and their behaviors.
NHI threat management: LinkShadow identifies and monitors service accounts and other nonhuman identities in its analysis. It flags service accounts with excessive permissions or unusual activity. This provides a solid basis for NHI threat management. However, the vendor could further enhance this by improving visualization of identities and credentials, better managing the NHI lifecycle with features including secret rotation, and providing native enforcement of NHI controls.
Purchase Considerations
LinkShadow licensing is based on two primary factors: the number of users and the number of data store or repository integrations. For deployments hosted on LinkShadow's SaaS platform, an additional 1 TB per application is included with the base license. The minimum purchase is a 1-year subscription for the DSPM virtual appliance base license, which includes integration with five data silos or applications and 100 users. All licensing is subscription based with a minimum commitment of one year. Pricing information is available from the vendor or its partner channel.
Deploying LinkShadow DSPM is relatively straightforward due to its agentless, API-based architecture. The solution is bundled as a virtual appliance that can be installed on any hypervisor environment without requiring separate infrastructure, database servers, or other supporting systems. For those needing professional services, these are currently offered directly by LinkShadow rather than through third-party implementation partners.
This solution is suitable for SMBs through to large enterprises, and multitenant offerings are available for MSPs.
Use Cases
LinkShadow DSPM helps organizations tackle several use cases. It helps eliminate data sprawl by providing complete visibility across multicloud and SaaS environments and automatically identifying and classifying sensitive information such as PII, PCI, and PHI. It supports organizations' attempts to reduce data exposure risk by revealing excessive access rights and misconfigurations, enabling teams to implement effective data access governance. It also streamlines compliance validation by continuously assessing data risks against regulatory frameworks, delivering actionable insights into violations such as data residency breaches or encryption gaps.
Netskope: Netskope One Data Security Posture Management (DSPM)
Solution Overview
Netskope is a cloud application security company that offers a comprehensive network and security platform, with DSPM as one of its key features.
Netskope One Data Security Posture Management (DSPM) is delivered as part of the vendor’s integrated Intelligent Security Service Edge (SSE) platform, combining DSPM capabilities with CASB, SWG, and ZTNA. The solution provides comprehensive data discovery across multicloud environments (including AWS, Azure, Google Cloud, and SaaS applications), PaaS (like Databricks and Snowflake), and on-prem databases, data lakes, and data warehouses, using agentless scanning to identify sensitive data at rest.
The solution employs ML-driven classification, with more than 3,000 prebuilt data identifiers that support global compliance frameworks, including GDPR, HIPAA, PCI DSS, and CCPA. It performs automated risk assessments by analyzing data exposure, access permissions, encryption status, and compliance posture across structured and unstructured data stores. Its built-in query analysis engine can predict the intent and behavior of queries, enabling customers to monitor SQL and SQL-like interactions in their data infrastructure. The solution integrates natively with the Netskope Security Cloud platform, enabling unified policy enforcement and automated remediation workflows.
DSPM capabilities include continuous monitoring of data repositories, shadow data discovery, data lineage tracking, and misconfiguration detection. The solution provides visibility into both sanctioned and unsanctioned applications through inline inspection and API-based discovery. It includes automated response capabilities, with policy-driven remediation options such as access revocation, encryption enforcement, and quarantine actions, as well as an automated deidentification capability that can Find-Flag-Fix noncompliant real data and replace it with deidentified data. The solution provides centralized dashboards that display risk scores, compliance status, and data flow visualization across the entire cloud environment.
While the solution is part of the larger Netskope One platform, the DSPM module can be purchased as a standalone capability.
Netskope is positioned as a Challenger and Outperformer in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Netskope scored well on a number of decision criteria, including:
Data mapping: Netskope automatically discovers and inventories sensitive data across a broad range of locations, including cloud services, on-prem databases, and file systems. It quickly finds sensitive records in structured and unstructured sources, including shadow data. It then classifies each dataset using advanced pattern recognition and AI, so security teams know exactly what types of data they hold and where they are located.
Data access intelligence: Netskope gives security teams a clear picture of who can access sensitive data and whether that access is appropriate. It continuously analyzes permissions and highlights potential overexposure, integrating with identity management and Netskope’s own CASB to track both internal users and third parties.
On-prem repository support: Netskope can scan on-prem data repositories, including on-prem databases and network file shares, and provides full DSPM feature capabilities regardless of whether data is housed in the cloud or on-prem. This ensures customers have full visibility of data security risks across their entire data estate.
Netskope was classified as an Outperformer given the continued development of its DSPM and broader data security capabilities. The vendor is making strong strides in areas such as risk correlations, quantification, and AI-specific threats.
Opportunities
Netskope has room for improvement in a couple of decision criteria, including:
NHI threat management: Netskope offers strong identity risk information. It examines all identities (users, service accounts, and bots) with access to sensitive data as part of its posture assessment. If a service account has excessive permissions on a confidential data store, it will appear in the risk findings just as a human user with too much access would. However, this is not a specific NHI capability, although it has the base telemetry to provide it. Adding specific NHI capabilities would help users more quickly identify risks.
AI risk analysis: Netskope provides strong AI-specific security. It can identify AI use across all managed and unmanaged SaaS applications. There is a specific AI dashboard that provides insights into the applications used, instance type, and actions taken. However, reliance on existing DLP-type controls to manage internal AI interactions is widespread. While this will address several problems, further investment here to address the specific risks posed by internal AI, such as the focus on AI agents and their dynamic nature, would help expand its AI security capabilities, providing an even more comprehensive solution.
Purchase Considerations
Licensing is not published on the Netskope website. Licensing is modular and user based, utilizing a per-user, per-year subscription model. DSPM is available as a standalone package. To fully experience enhanced security and posture management, additional modules must be licensed in the same manner. Multiple Netskope One modules may be needed to access all features.
The solution is SaaS based, which should reduce initial deployment complexity. The comprehensive platform may prove difficult for some, but help is available via Netskope’s professional service packages and extensive partner ecosystem.
Technically, this solution is suitable for SMBs to large enterprises. However, it is focused more on larger and more complex environments.
Use Cases
Netskope One DSPM addresses cloud data security and compliance use cases for organizations managing sensitive information across multicloud and SaaS environments, helping them identify exposure risks and compliance gaps. Its broader modular platform helps organizations address additional use cases, supplementing their DSPM efforts. This includes DLP policy enforcement, insider threat detection through anomalous access pattern analysis, and automated remediation of security misconfigurations in cloud environments.
Netwrix: DSPM
Solution Overview
Netwrix is a provider of security solutions that help customers meet data discovery, classification, protection, and compliance needs.
Netwrix DSPM is available through multiple deployment models: a multitenant SaaS offering via the 1Secure platform and a self-hosted on-prem deployment. The solution has more than 40 prebuilt connectors spanning on-prem file servers, NAS, databases, cloud object stores (AWS, Azure, and Google Cloud), and SaaS applications. Lightweight collectors or agents are deployed only where native APIs don't provide adequate visibility or in isolated network segments.
The solution provides visibility into sensitive data through content and context-aware classification. It provides access analysis by mapping direct and indirect permission paths, nested group memberships, and shared links to expose hidden access routes and overprivileged entitlements. Activity monitoring capabilities baseline normal user behavior and flag anomalous data access patterns.
Netwrix offers AI security capabilities, including monitoring user interactions with AI tools and tracking prompts and responses. The solution includes curated AI and copilot readiness assessments that identify configuration and entitlement weaknesses before AI adoption. Its DLP capabilities can integrate with common AI tools to enforce policies, preventing sensitive data from being shared with these platforms.
The solution includes built-in remediation capabilities with AI-guided automation, prebuilt scripts and playbooks, and the ability to execute actions directly from the UI. It also offers integration with SIEM, SOAR, and ITSM tools.
Netwrix is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Netwrix scored well on a number of decision criteria, including:
Data mapping: Netwrix DSPM maps cloud, on-prem, and SaaS repositories. It covers structured and unstructured data, shows flows via unified reporting, identifies misconfigurations and shadow or dormant repositories, overlays classification, and supports scheduled or continuous scans and interactive drill-down with exportable views to provide customers with a detailed assessment of their data estate and associated security risks.
Data access intelligence: Netwrix scans data repositories for activity. It reports effective access rights and uses behavior analytics to detect access anomalies and unauthorized access. It can enforce restrictions via integrations using its built-in remediation actions (such as modifying permissions and labeling). It integrates with Active Directory and cloud IAM services to assess effective permissions for files, folders, and data stores. This includes resolving nested group membership so users can see the real user list.
On-prem repository support: Netwrix has long been known for its on-prem data security (originating from file server auditing tools). It supports Windows file servers, NAS (including NetApp), SharePoint Server, on-prem email servers, and traditional relational databases. The solution can be deployed entirely on-prem if needed, meaning data analysis remains on site. The solution provides full feature consistency across on-prem and cloud repositories.
Opportunities
Netwrix has room for improvement in a few decision criteria, including:
Data lineage: Netwrix tracks certain events (such as file moves or copies) via file system audit logs, providing operations teams with information they can use to infer a file's lineage. However, it lacks a lineage module that automatically threads these events into a cohesive flow or graph. While improved lineage is on the vendor roadmap, there are currently gaps in its capabilities for those who wish to visualize the data lifecycle across their environment.
AI risk analysis: Netwrix monitors how sensitive data might be exposed to AI; for example, it looks at logs to see if users are exporting data likely for use in GenAI tools (like large text exports or unusual queries that match patterns of AI data gathering). “AI risk” has also been added as a factor in risk scoring. There is significant scope for improvement here, including inventorying and lifecycle tracking of AI models and robust model governance. Adding these capabilities would enhance the appeal of the solution for those adopting AI.
Incident response and impact analytics: Netwrix provides solid incident response insights. It identifies policy violations, maps affected assets and related data, prioritizes actions by risk, produces incident reports suitable for technical and business audiences, provides forensic details (who/what/when/where for accesses and permission changes), and allows reports to be shared and exported. The vendor could further enhance this by using AI tools to better summarize incidents and by evaluating the potential to automate incident investigation creation when incidents occur.
Purchase Considerations
Netwrix adopts a modular approach, offering a variety of product solution suites based on the customer's level of maturity. Solutions are primarily licensed by application suite package through a subscription model. Solution suites are licensed based on the number of governed identities, ensuring organizations can grow their deployments without incurring additional costs.
Deployment complexity varies depending on whether solutions are self-hosted or SaaS based. The solution can scale from SMBs to enterprises. Support and education are included with the solution purchase, and customers have access to extensive documentation, training, and support services to assist with adoption.
Netwrix primarily targets organizations from 500 to 10,000 users in the SMB and mid-market segments, though its architecture supports large enterprises.
Use Cases
Netwrix addresses several use cases for its customers. This includes data risk management, which helps prevent breaches by identifying where sensitive information is exposed. It helps customers tackle insider risk by detecting unusual employee behavior and maintaining comprehensive access records. Netwrix also assists customers with AI adoption, enabling them to confidently deploy GenAI tools without risking data leakage or compliance violations, accelerating digital transformation while maintaining security controls.
Palo Alto Networks: Cortex Cloud DSPM
Solution Overview
Palo Alto Networks is a global technology company with a comprehensive portfolio that covers networking, connectivity, endpoint security, and security services.
Cortex Cloud DSPM is a SaaS solution. It is agentless and does not use proxies to integrate with customer clouds. It supports a wide range of data repositories, both in the cloud and on-prem, for both classification and risk assessment. It can automatically discover data repositories within cloud environments to help organizations build an accurate view of their data landscape and locate, classify, and prioritize data risk. Its risk engine can be customized to create business-specific risk policies and apply data governance, using AI-powered data classification to improve accuracy and reduce false positives.
Cortex Cloud DSPM is part of the Cortex Platform, sharing the same data lake to enable unified security workflows.
The solution provides a risk overview with a score to help prioritize risks. It also offers a compliance dashboard that provides clear guidance on data security posture against major compliance frameworks. Cortex Cloud DSPM extends risk analysis to AI through AI-SPM capabilities, which provide detailed analysis of the threats AI models can pose, including AI model inventory, training data lineage tracking, and risk assessment for GenAI applications.
The solution is purchased as a standalone part of the Cortex Cloud base product. Elements include data discovery, classification, risk analysis, and compliance monitoring.
Palo Alto Networks is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Palo Alto Networks scored well on a number of decision criteria, including:
Data mapping: Palo Alto Networks provides a comprehensive visualization of the data environment, including data flows between locations. It can identify misconfigurations in repositories and missing security controls. It can also show shadow or dormant data repositories and analyze the risk associated with them.
AI risk analysis: Palo Alto Networks AI-SPM and DSPM tools provide a robust solution for discovering AI assets and identifying risks associated with misconfigured AI assets. They analyze data flowing through AI pipelines, display all data sources used for training and augmentation, and identify any risks or vulnerabilities they create. They analyze sensitive data flows and prioritize risks such as poisoned datasets, unsanctioned models, and misconfigurations, while enforcing governance guardrails.
Incident response and impact analytics: The solution’s attack path analysis enables organizations to prioritize actions by offering a clear understanding of the sequence of vulnerabilities or misconfigurations an attacker could exploit to reach sensitive assets. It provides a visualization of the attack path, highlights high-risk points, and contextualizes risks to focus on the most critical issues. It enables rapid remediation through the industry’s leading security automation platform with more than 1,000 enterprise integrations. Cortex Agentic Assistant further enhances response by allowing AI agents to investigate cases, plan remediation steps, and execute actions across the environment.
Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:
On-prem repository support: Palo Alto Networks’ support for on-prem repositories is currently focused on unstructured file shares and lacks capabilities for structured datasets and for some cloud functionality, such as misconfiguration analysis. Extending on-prem support and delivering better feature parity with its cloud capabilities will enhance the insights its customers have across their entire data estate.
Data lineage: Palo Alto Networks provides insights into risky data flows, such as data leaving production environments or crossing geographic boundaries. However, it lacks more detailed capabilities, such as identifying data transformations and presenting visual lineage, which are slated for future development.
NHI threat management: Cortex Cloud DSPM is deeply integrated with cloud infrastructure entitlement management (CIEM), recognizing the risk of data exposure and exfiltration in the event of an NHI takeover. Cortex Cloud DSPM proactively discovers and alerts on exposed machine identity credentials within data assets, such as access tokens, API keys, and passkeys. However, this does not currently extend to on-prem NHIs, leaving customers with a visibility gap.
Purchase Considerations
Cortex Cloud DSPM is available under two licensing models, offering customers flexible options. It can be licensed on a per-VM, per-instance, or per-asset basis, with the option to add modules as needed. It also offers flexible credits, which can be purchased under a single SKU and applied to any module for any cloud asset or VM.
As an agentless SaaS offering, deployment complexity is reduced, enabling quick onboarding. This is helped by AI-assisted configuration wizards and prebuilt policy templates for common use cases. The vendor claims that full discovery, classification, and risk assessment of an enterprise's entire cloud estate can be achieved within 24 to 48 hours. Professional services are available where needed.
Use Cases
Cortex Cloud DSPM supports a number of use cases, including comprehensive data visibility across departments and geographies, enforcement of compliance across teams, and the development of automated response playbooks to deal with data risks. It also helps customers with AI adoption with capabilities such as AI training, data governance, and shadow AI detection.
Privacera*
Solution Overview
Privacera offers unified data security and access governance, built by the creators of Apache Ranger and Atlas. It enables companies to enforce the secure use of data and ensure compliance with stringent regulations.
Privacera provides a comprehensive DSPM solution that unifies data discovery, classification, access governance, and security across hybrid and multicloud environments. It can be deployed as SaaS or self-hosted in cloud or data center environments.
The solution employs automated data discovery and classification capabilities (using ML and pattern matching) to identify sensitive data across structured and unstructured sources. It provides continuous monitoring of the data security posture, detecting misconfigurations, overpermissioned access, and policy violations in real time. The solution includes policy-based access controls with attribute- and role-based access mechanisms, enabling fine-grained permission management.
Privacera's architecture is built on Apache Ranger and extends it with cloud-native capabilities, offering centralized policy management and enforcement across distributed data environments. The solution integrates with existing identity providers and security tools via APIs and connectors, enabling seamless workflow integration. It provides detailed visibility into data lineage, usage analytics, and access patterns through dashboards and reporting interfaces. It offers automated remediation workflows for common security issues, along with risk scoring based on data sensitivity, access patterns, and exposure levels. It also provides compliance templates that support frameworks such as GDPR, CCPA, and HIPAA, with continuous compliance monitoring and reporting capabilities.
Privacera is positioned as a Challenger and Outperformer in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
Privacera scored well on a number of decision criteria, including:
Data access intelligence: Privacera offers a strong capability here, enabling its customers to build a single policy that it then transforms and enforces across all the platforms it protects. The solution provides native controls to enforce access restrictions, helping customers streamline policy implementation across multiple data platforms.
AI risk analysis: Privacera can deliver robust AI pipeline governance with its Trust3 AI solution, which ensures that policies protecting sensitive data in databases also safeguard it when it’s used in AI pipelines. It brings together data security and AI governance into a single solution.
Automated data threat detection and response: Privacera provides active threat detection and remediation. Its Posture Manager delivers real-time alerts on abnormal data access and the ability to auto-apply policy fixes via its Ranger control plane. Privacera doesn’t remediate on its own without approval but fully automates threat analysis and can enforce preset global policies to contain threats.
Privacera was classified as an Outperformer due to its rapid delivery of new capabilities. It is also strong in some key emerging technology areas, such as attack path analysis and AI-specific posture management.
Opportunities
Privacera has room for improvement in a few decision criteria, including:
Incident response and impact analytics: Privacera lacks a dedicated incident response module to provide more advanced analysis tools and insights into incidents. The solution does show exactly which sensitive data was accessed, by whom, and when, which is good telemetry for an analyst to review an incident. Privacera could further enhance this by adding specific incident response analysis, such as an automated incident summary and the ability to automatically create incident reports when a data security incident is identified.
Data lineage: Privacera doesn’t offer traditional extract, transform, and load (ETL) lineage graphs, but it addresses lineage from a security perspective by tracing sensitive data to its access points and usage. Posture Manager itself correlates sensitive data with who accesses it and where it is accessed, effectively showing the flow of sensitive data to consumers and systems. While this provides a solid base of lineage information, lineage is a complex area for organizations, and formalizing this into a full lineage capability that tracks data through its lifecycle would be a valuable addition.
Data mapping: Privacera provides native connectors to more than 50 data sources across AWS, Azure, and Google Cloud, as well as an open API for custom integrations. However, it currently lacks integrations with popular SaaS collaboration tools such as Microsoft 365 and Google Workspace. It also does not provide mapping of on-prem data stores. Extending support into these areas would allow customers to gain complete insight into their data estates through the Privacera solution.
Purchase Considerations
Privacera's licensing is subscription based, with contracts available for 12, 24, or 36 months. It offers public pricing on AWS Marketplace for its starter pack, although other pricing options are not publicly available on its website. Licensing is based on a platform license plus the number of connectors needed to protect an organization's data sources.
Privacera offers optional professional services for those who need support with advanced configurations. While Privacera does not require the use of its professional services, customers might need to engage with them, especially during the initial deployment phase. Implementing the solution can be complex when integrating with intricate data ecosystems, particularly for teams unfamiliar with open source frameworks like Apache Ranger. However, the SaaS option, PrivaceraCloud, and its SaaS connectors significantly reduce deployment complexity and minimize the need for professional services.
While technically this solution can be deployed in an SMB, it is likely best suited for those with more complex data estates and some operational maturity in data security.
Use Cases
Privacera addresses several enterprise DSPM use cases. It provides visibility into data lineage and usage patterns, identifies shadow data, and helps understand data flows across an ecosystem. It is well suited for enterprises with complex multicloud architectures, data lakes built on Databricks or Snowflake, and organizations requiring unified security controls across heterogeneous data platforms.
Proofpoint: Data Security Posture Management
Solution Overview
Proofpoint is a cybersecurity and compliance company that offers an integrated suite of cloud-based solutions to help companies safeguard their data.
Proofpoint Data Security Posture Management is a SaaS solution sold under a single all-in-one SKU that integrates data discovery, classification, risk assessment, prioritization, and remediation. It deploys scanners as containers in cloud or on-prem environments and can discover and classify data across a range of repositories, including public clouds, SaaS, PaaS, and on-prem data stores. It also has a native app for Snowflake environments, providing integration with Snowflake's cloud data platform.
Its one-pass scanner leverages AI to accurately identify and classify valuable and sensitive data at scale across different environments while maintaining data residency through in-place scanning and keeping data under IT control. The solution provides detailed visualizations, including attack paths and data access graphs. It quantifies risk by mapping identified vulnerabilities to the potential monetary impact on business operations, enabling organizations to assess data value and prioritize remediation efforts based on business consequences rather than technical assessments alone.
The DSPM solution integrates with Proofpoint Data Security, which offers unified protection against data loss, data exposure, and insider risks.
Proofpoint is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Proofpoint scored well on a number of decision criteria, including:
Incident response and impact analytics: Proofpoint maps attack paths that can lead to breaches or data loss and illustrates how people and resources access data. It can prioritize these risks in several ways, including assigning monetary values to data that could be lost to provide a commercial view of the risk. Results are presented through real-time visualizations. Actionable insights and guided remediations can be integrated with alerts in service management platforms, enabling efficient mitigation.
Data mapping: Proofpoint provides comprehensive data mapping, including the ability to identify shadow and dormant repositories. It provides a clear representation of the flow of all data, especially sensitive data, and where it moves. Its data-in-transit mapping gathers data flows between users, applications, resources, and data assets in the cloud. Its interactive data attack graphs visually highlight policy violations and unauthorized access to sensitive data.
Data lineage: Proofpoint enables users to understand how data originates and flows through their environment, including its movement to other applications. It provides a data-in-motion visualization that graphically represents the journey of data, illustrating where it starts and how it traverses through various stages within the customer environment. It also provides a similarity score index for comparing data, allowing users to identify changes and errors and gain deeper insights into data lineage. It helps identify potential data-handling issues or inaccuracies.
Opportunities
Proofpoint has room for improvement in a few decision criteria, including:
NHI threat management: Proofpoint currently detects AI models and their data pipelines to secure custom AI deployments on Azure ML, Google Vertex, and AWS Bedrock, proactively notifying security teams when custom models are trained on sensitive data. The vendor recognizes that, while this is a good starting point, further improvements are possible, including expanding human-centric security capabilities to encompass machine entities to enable the secure adoption of AI agents. Continuing to build on these capabilities will ensure Proofpoint provides robust NHI protection.
On-prem repository support: Proofpoint offers a strong range of on-prem support, including database and unstructured data support on file shares. However, for a solution with a strong enterprise customer base, it lacks support for NAS. The vendor plans to add this in 2026. Doing so will provide comprehensive data repository protection for its customers.
AI risk analysis: Proofpoint offers capabilities for custom AI deployments on Azure ML, Google Vertex, and AWS Bedrock that proactively notify security teams when custom models are trained on sensitive data. However, its more advanced insights and potential mitigation actions (such as encrypting data to block access by assistants like Microsoft Copilot) require manual intervention, such as applying Microsoft Information Protection (MIP) labels to restrict access rather than implementing dedicated AI security measures.
Purchase Considerations
Proofpoint Data Security Posture Management uses a SaaS pricing model that allows customers to scale their licensing up or down as needed. Pricing is based on the total volume of data secured, with no additional charges per scan, per user, or for the number of scans within the subscription period. The vendor requires a minimum of a 1-year contract.
The solution is straightforward, with deployment typically completed within one hour. Proofpoint provides professional services and ongoing support through its customer success team as needed. Detailed documentation and training are available through the customer success team.
Use Cases
Proofpoint Data Security Posture Management can address many use cases, including automated data discovery and classification across a wide range of data stores and AI pipelines. The solution ensures sensitive data isn't exposed by AI services like Microsoft Copilot, secures training data for custom AI deployments, and provides APIs for real-time data sensitivity analysis for retrieval-augmented generation (RAG) models, helping customers adopt AI solutions.
Rubrik: Rubrik DSPM*
Solution Overview
Rubrik is a well-known vendor in the data protection space, having built a reputation on its data backup platform. That platform evolved into Rubrik Security Cloud, a comprehensive data security solution that protects customer data through its security lifecycle, from proactive threat protection and damage mitigation to post-attack recovery.
Rubrik DSPM is a module within Rubrik Security Cloud, which provides a single console for policy creation, alerts, ticket creation, reports, investigations, and remediation. Its value to many customers, however, lies in its unique integration of cyber resilience and cyber posture, providing both insight into data security and enabling data recovery in the event of a breach, leveraging its data protection expertise.
Architecturally, the Rubrik DSPM solution uses a SaaS management plane combined with an outpost account deployed close to data repositories. For on-prem environments, it uses Rubrik Security Cloud's agentless deployment to integrate with existing storage repositories. Cloud integrations leverage serverless functions and APIs to provide seamless connectivity.
Rubrik can discover and classify structured and unstructured data across managed and self-hosted data assets. Its DDR capabilities enable real-time breach detection and threat containment, identifying anomalous data access, exfiltration attempts, suspicious third-party access, and insider threats. It enhances data security controls through integrations with Microsoft Purview, Microsoft Azure, Google Cloud, Snowflake, and S3.
Rubrik also offers a specific DSPM solution for Microsoft 365 Copilot, helping organizations reduce the risk of sensitive data exposure by identifying overexposed, mislabeled, and misplaced sensitive data.
Rubrik is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Rubrik scored well on a number of decision criteria, including:
Data mapping: Rubrik provides comprehensive mapping across the cloud, SaaS, and on-prem environments, supporting both structured and unstructured data. It can provide classification overlays via its MIP integration. It also provides detection of shadow or dormant data with associated risk analysis. Rubrik features misconfiguration detection, identifying excessive permissions and configuration exposure.
Incident response and impact analytics: Rubrik can precisely identify breached data and compromised identities, enabling security and IT teams to deliver incident response, conduct thorough forensics, and execute recovery. It identifies anomalous activity, impacted data, and the potential blast radius for compromised identities or objects. It can also list which users’ personal data was exposed to streamline compliance reporting. A unique feature of the Rubrik solution is its recovery capabilities, which allow customers to rapidly restore compromised data from clean backups.
On-prem repository support: Rubrik supports a broad matrix of on-prem environments, including Unix/Linux, VMware, SAP, and NAS. Since traditional on-prem systems lack API integration, Rubrik DSPM relies on a self-deployed, agentless architecture that pulls DSPM data from an existing Rubrik-managed backup platform.
Opportunities
Rubrik has room for improvement in a few decision criteria, including:
Data lineage: Rubrik provides several data lineage features, including identifying data asset sources and visualizing data. However, it lacks advanced capabilities like transformation insights and dependency details. There is an opportunity for the vendor to leverage the base telemetry it collects to extend its lineage capabilities, providing a more comprehensive view for its customers.
AI risk analysis: Rubrik DSPM for Microsoft 365 Copilot provides greater visibility and control over sensitive data, reduces the risk of exposure, and enables organizations to quickly and securely adopt Copilot. However, these capabilities are currently limited to Microsoft 365 Copilot. Extending this to other common AI tools would be a welcome step, as would expanding beyond GenAI use cases to look at areas such as AI agent and AI pipeline security.
Data access intelligence: Rubrik offers behavioral analysis via its DDR capabilities. It provides anomaly detection, identity platform integration to gather identity details, and clear tracking of human and NHI behaviors. It also integrates with external identity providers (such as Okta) and with SOAR tools. Extending the solution to offer a range of native remediation capabilities would also be valuable, removing the need for external integrations to automate access risk mitigation.
Purchase Considerations
Rubrik DSPM follows a subscription-based pricing model based on capacity, specifically the amount of protected data within the connected environment. For existing Rubrik customers, this service can be enabled with no additional configuration required.
If needed, Rubrik professional services, customer success, and customer experience manager teams are available to support customers.
This is not a product aimed at the SMB market. Rubrik targets large enterprises and heavily regulated industries.
Use Cases
Rubrik DSPM provides strong DSPM capabilities for large enterprises and those in highly regulated industries. It helps organizations looking to integrate data security and data protection into a single solution. It also supports customers adopting Microsoft 365 Copilot by reducing the risk of misplaced sensitive data and providing a dedicated Microsoft 365 Copilot DSPM module for those looking to enhance data access governance.
Securiti: Data Command Center
Solution Overview
Securiti Data Command Center provides a centralized solution that enables the safe use of data and GenAI for customers. The vendor has recently been acquired by Veeam Software.
The Securiti solution offers a range of capabilities, including DSPM. It can be deployed as SaaS, on-prem, or in a hybrid model. The solution uses SaaS for report rendering and insights while ensuring all data processing is performed in the customer environment. It has an agentless deployment model and eases adoption with hundreds of prebuilt integrations across popular cloud, SaaS, and on-prem data repositories.
Securiti's Data Command Graph provides insights into data discovery and classification; data access governance; configuration risk management; minimizing redundant, obsolete, and trivial (ROT) data; AI security; compliance automation; and breach management. It offers detailed classification insights, including shadow data repositories, and can classify video and audio data by analyzing full clips to detect sensitive information. It also includes a Classification Tuning Agent that automatically tunes classification models without rescanning data. It provides impact analysis reporting showing risk metrics such as framework infringement, impacted users, and potential breach costs and can detect toxic combination risks, identifying linked security weaknesses.
The solution includes advanced features, such as AI security firewalls and enhanced DLP. Its flexibility is highlighted by the ease with which Securiti has integrated its capabilities alongside Veeam’s data protection tools. Its Agent Studio also allows customers to quickly build new agents to carry out specific data-related tasks.
The Securiti DSPM module must be deployed alongside the Data Discovery & Classification module.
Securiti is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
Securiti scored well on a number of decision criteria, including:
Data lineage: Securiti provides comprehensive lineage through the Data Command Graph. It automatically captures how data flows and transforms across systems. For structured data, it parses query logs, ETL jobs, and database relationships. For unstructured data, it uses content fingerprinting to infer lineage (identifying whether the same document content appears in multiple locations). The interface presents an interactive graph showing upstream and downstream relationships for any piece of data, along with a timeline view of key events in a data object’s life.
Incident response and impact analytics: Securiti leverages the Data Command Graph to investigate and assess the extent of data exposure in a breach. This includes identifying other potentially compromised systems. It can provide incident details, including the breach cause, impact radius, regulatory obligations, financial penalties, and breach notifications. It also provides a wide range of automated remediations, such as reconfiguring data system settings, enforcing access entitlements, and executing data deletion, movement, or quarantine actions.
On-prem repository support: Securiti supports a wide range of on-prem repositories with full feature parity to its cloud scanning. It connects to on-prem file shares, enterprise content systems, and databases. If needed, it can be deployed entirely on-prem or in a customer’s private cloud. All core capabilities (including discovery, classification, and access analytics) operate on on-prem data, and many large Securiti deployments run in hybrid mode (covering legacy data centers and multicloud environments).
Opportunities
Securiti has room for improvement in a few decision criteria, including:
Risk quantification: Securiti assigns a risk score to each data asset and business process, and the solution can also estimate the financial impact using metrics such as the number of records exposed and the average cost per record in a breach. Executives can see a risk heatmap plotting data assets by “Likelihood of Breach” versus “Impact if Breached.” This is a strong capability that could be improved by further simplifying the ability to quantify risk. Currently, some manual interaction is needed to apply certain quantification metrics, which could be removed with additional automation.
Automated data threat detection and response: The solution uses AI/ML to continuously detect suspicious patterns, such as potential insider threats (downloading atypical datasets) or malware encryption activity, and generates real-time alerts mapped to MITRE ATT&CK tactics for clarity. When it finds an issue, it can take immediate action through its orchestration engine. Securiti has identified ways to improve this as it moves from security workflows designed around known threat vectors to autonomous security operations. This would enable enterprises to safely deploy sophisticated security-focused AI agents at scale, using agent-powered discovery and remediation through deep knowledge of their data estate. There is also the ability to add remediation simulation capabilities to ensure the most comprehensive response.
NHI threat management: Securiti tracks and manages machine identities tightly. Every service account, API key, and bot identity is represented in its Identity-Data Graph, and Securiti analyzes permissions and usage for risks. It flags dormant service accounts with access to sensitive data and can automatically recommend revoking that access. Securiti also integrates with DevOps pipelines to catch exposed secrets. Remediation can be automated via its workflows. Securiti provides robust capabilities, but there are opportunities to enhance them further, such as more comprehensive direct automation of secrets. These are minor improvements on what is a strong NHI threat management capability.
Purchase Considerations
The solution is modular and now offered through tiered packages: Data+AI Security Visibility & Insights (foundational) and Advanced Data+AI Security Visibility & Remediation (comprehensive). Each package is available as a 1- or 3-year subscription with term discounting. Pricing scales based on the volume of data under management and the selected package, not on user or device counts. For large enterprise agreements, modules can be sold à la carte as exceptions, though most organizations prefer the tiered packages.
The vendor does not consider the product complex to deploy, with most customers completing the initial setup quickly via agentless, API-based onboarding. Professional services are available but not typically required and are recommended primarily for customers lacking in-house expertise, requiring custom integrations, or preferring managed services.
While the solution can technically meet the needs of SMBs, it is designed for larger and more complex data infrastructures and scales naturally to mid-market organizations that value rapid onboarding and predictable pricing.
Use Cases
Securiti Data Command Center is ideal for larger and more complex environments due to its comprehensive nature. It can help address numerous use cases, including hardening data security and compliance through strong control enforcement and tackling ROT data. It can help customers looking to adopt AI through AI-SPM, providing unified visibility across sanctioned models, shadow AI tools, copilots, vector databases, and custom pipelines. It enables secure use of SaaS AI copilots through proactive, data-centric controls. Multilayered AI firewalls protect the prompt, retrieval, and response layers against threats such as prompt injection, jailbreaks, data leakage, and the generation of harmful content.
Sentra: Sentra Data Security Platform
Solution Overview
Sentra is an independent DSPM specialist that aims to help its customers reduce the complexity of managing sensitive information both on-prem and across multiple cloud platforms, automatically detecting and prioritizing risks.
Sentra Data Security Platform combines data discovery and classification, DSPM, data access governance, and DDR capabilities. It is a SaaS solution with optional lightweight on-prem connectors. The solution requires no agents and uses API-based integrations for rapid deployment.
Sentra provides broad coverage with a range of prebuilt integrations across well-known cloud services, including AWS, Azure, Google Cloud, Snowflake, Databricks, Microsoft 365, and Google Workspace. Once integrated, it performs automated data discovery, identifying known and shadow data repositories using AI-powered classifiers and smart metadata clustering. The solution analyzes more than 200 data types, including images, PDFs, CAD files, audio and video transcripts, and other complex, unstructured formats.
The solution provides analysis in its dashboard, including a security posture calculation that breaks down risks by cloud accounts, locations, and data class types. It also offers a view of compliance readiness across all data repositories. Sentra is recognized for its highly accurate data discovery and classification, leveraging contextual analysis and classifiers to identify data residing in unstructured data stores. It also learns customer-specific data types and landscapes through adaptive AI models, allowing it to classify unique data types without prior training. The vendor claims low operational costs using fewer compute resources thanks to its novel scanning capability, delivering cost-efficient classification at petabyte scale.
Sentra is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Sentra scored well on a number of decision criteria, including:
Data mapping: Sentra captures a full data catalog, showing data stores (asset types, locations, sensitivity, and so forth) and underlying data assets (objects with data type, data class, and context). The catalog contains the relationships between datasets, ownership, lineage, tags, and more. Sentra DataTreks identifies data similarity and movement between locations; alerts on shadow, dormant, and abandoned data; and provides risk scoring to help prioritize threats and mitigation actions.
Data access intelligence: Sentra's governance and access monitoring determine which critical data risky apps and users (identities) can access and help teams understand the business impact of unauthorized access. It monitors the read and write patterns in every data store that contains sensitive data. When threats are identified, it can enforce access restrictions via integration with IAM solutions such as Okta. It can also enforce data security controls, such as de-identification, logging, and encryption.
Automated data threat detection and response: Sentra continuously monitors for specific threat patterns and misconfigurations and can send real-time alerts (via email or Slack) when an issue is detected. It can create tickets automatically for high-severity findings. Its approach focuses on alerting the responsible team or data owner to the issue. It also provides clear remediation guidelines in its alert descriptions and can trigger external automations.
Opportunities
Sentra has room for improvement in a few decision criteria, including:
NHI threat management: Sentra can detect exposed secrets; identify service accounts, bots, and API-based identities; and show where they are used. However, there are several areas where additional value can be added. These include behavioral threat assessments of NHIs and automated threat remediation of NHI risks, such as tightening service account scopes, rotating exposed secrets, or enforcing least privilege.
AI risk analysis: Sentra for Copilot allows customers to build a strong understanding of Microsoft 365 Copilot behavior. It discovers sensitive data that Copilot can access and identifies redundant, outdated, or abandoned data. It can control AI output to prevent data leakage and identify overpermissions that can be exposed by Copilot use. However, the solution currently does not extend much beyond this, and there is an opportunity for the vendor to expand support beyond Microsoft 365 Copilot to other AI tools, as well as to more advanced areas such as recognizing and inventorying AI services and detecting prompt injection or model leakage.
Data lineage: Sentra provides sensitive data lineage, not full operational pipeline lineage. It gives security teams the insight they need to detect risky replication, drift, and propagation of sensitive data across environments. There is an opportunity to build a more comprehensive lineage offering that automatically maps out and displays how data flows across systems over time.
Purchase Considerations
Sentra Data Security Platform is licensed as a single product with all capabilities included, based on consumption measured by the volume of data scanned or protected. Component capabilities (such as DDR, classifiers, and policies) can be selectively enabled or disabled. Subscription commitments are annual or multiyear. Pricing quotations are available either directly from Sentra or through its developing channel and cloud partner ecosystem. Pricing is tailored to each environment's size and complexity and is not publicly listed.
Deployment is lightweight and typically completed in under an hour for initial cloud account connections. The process uses API-based integrations that require access credentials to connect data stores, with no agents, proxies, or infrastructure changes required. Professional services are available directly from Sentra or through its partner ecosystem and are particularly recommended for very large or fragmented hybrid environments, custom data classification policies, or governance framework development.
While the solution can technically operate across all sectors, its primary target market is Fortune 1000 and Forbes Global 2000 enterprises.
Use Cases
Sentra provides a comprehensive solution that can meet a range of use cases. These include ensuring continuous compliance for regulated data (including PCI, PHI, PII, GLBA, SOX, and GDPR) by continuously identifying regulated data, validating masking or encryption, detecting misconfigurations, and producing audit-ready reports. Sentra supports cloud and AI modernization initiatives by mapping data across environments, identifying high-risk assets, spotting shadow or abandoned datasets, and ensuring AI training data or cloud migration plans do not introduce security or compliance vulnerabilities. The solution also reduces shadow data by enforcing good data hygiene, ensuring stale or unused data is removed.
Skyhigh Security: DSPM
Solution Overview
Skyhigh Security is a cybersecurity company that offers a security service edge platform that includes DSPM as one of its key capabilities.
Skyhigh Security DSPM is delivered as SaaS. The solution integrates across cloud, SaaS, IaaS, and data stores primarily through API-based connectors in an agentless architecture. Where APIs are unavailable for specific cloud applications, data discovery can be achieved via web proxy enforcement. The solution can also interface via Internet Content Adaptation Protocol (ICAP) with third-party SWGs, allowing organizations to add DSPM capabilities without requiring network infrastructure changes.
Rather than running periodic scans, the solution acts as a continuous posture assurance layer, correlating content classification with environmental context (such as user access privileges, misconfigurations, and data lineage) to surface data at risk. Skyhigh Security DSPM utilizes a multilayered classification engine that combines AI/ML models, exact data matching, indexed document matching, and OCR.
Skyhigh Security's unified approach enables customers to leverage the full platform to discover data at rest and data in motion in real time, providing visibility across the enterprise data estate. It can also detect sensitive data in unmanaged or orphan buckets and long-tail shadow web applications. The solution provides built-in remediation capabilities that can automatically revert dangerous permissions and trigger workflows for policy violations.
While DSPM is part of Skyhigh Security’s broader SSE platform, it can be purchased as a standalone module.
Skyhigh Security is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Skyhigh Security scored well on a number of decision criteria, including:
Data mapping: Skyhigh Security offers broad mapping across a data infrastructure. It can also map shadow data by leveraging its SSE integration. The solution detects sensitive data uploaded to personal or unauthorized apps (for example, personal Dropbox), as well as WebSocket- and E2E-based traffic, which traditional DSPM tools often miss. It also extends this further with GenAI protection, mapping non-file content like clipboard-to-AI-prompt transfers. The solution tracks and visualizes data movement (east-west and cloud-to-cloud) and highlights risks through the Enterprise Data Explorer Dashboard.
Data access intelligence: Skyhigh Security includes strong access monitoring with UEBA integration. It also tracks differences between human and nonhuman identity interactions. It can provide native enforcement capabilities via its SSE integration. It also integrates with major IdPs to gather identity telemetry. Its Unified User Risk scoring combines DLP incidents, anomalies, and shadow SaaS usage to provide contextual risk analysis.
Automated data threat detection and response: Skyhigh Security’s native enforcement provides closed-loop remediation without external dependencies. It can automatically revoke sharing links, quarantine files, apply encryption or DRM, and block downloads. Automations can also include human-in-the-loop review for high-impact actions via workflow approvals.
Opportunities
Skyhigh Security has room for improvement in a few decision criteria, including:
On-prem repository support: While the solution supports a range of on-prem repositories, including NAS, Windows shares, and Unix file systems, it relies on technology from its sister company, Trellix. There is an opportunity to simplify this by consolidating the technology into a single solution, removing any confusion, both commercial and technical.
NHI threat management: Currently, the solution identifies service accounts, bots, and API keys. It can also detect exposed secrets in code. However, the current focus of the solution is on guidance and policy-based blocking rather than autonomous identity remediation. The vendor recognizes this and has autonomous remediation as part of its roadmap. Adding this functionality would help improve threat response and operational efficiency.
Data lineage: The solution currently focuses on data lifecycle visibility and flow mapping, tracking data origin, change, sharing, and proliferation. However, this is not the same as formal lineage. Adding more formal ETL-type capabilities to show how data transforms through its lifecycle would be a valuable addition, helping organizations gain full insight into data usage.
Purchase Considerations
Skyhigh Security offers both user-based and volume-based licensing models for DSPM. The user-based model includes fair use limits, with additional SKUs available for expanded data processing and extended retention. Licenses are available as annual subscriptions, with pricing accessible directly from Skyhigh Security or through partner channels.
The deployment process is well documented, allowing proficient IT teams to deploy and commission services independently. Skyhigh Security provides professional service hours for customers who require faster deployment with full configuration support.
The solution is designed to scale from SMB to large enterprise. The vendor has also recently received FedRAMP certification.
Use Cases
Skyhigh Security DSPM addresses critical challenges for organizations managing sensitive data across complex environments. It solves compliance blind spots by providing unified visibility into where regulated data (PII, PHI, PCI) resides across cloud, SaaS, and AI workflows, ensuring audit readiness through continuous monitoring. The solution eliminates alert fatigue by prioritizing actual breach risks and distinguishing between properly secured data and dangerous exposures such as publicly accessible PII. As a modular platform, it enables customers to take a measured approach to data security, with DSPM as a starting point and additional modules to deliver proactive threat detection and remediation.
Symmetry: DataGuard
Solution Overview
Symmetry provides a data and AI security platform. It is purpose-built for organizations operating across cloud, SaaS, and on-prem environments.
Symmetry’s Modern Data Security Platform brings together DSPM and DDR to provide visibility and control over sensitive data across cloud and hybrid environments. The solution can be deployed as self-hosted, which is the preferred model for many of its customers, as well as consumed as SaaS, connecting to data stores through APIs directly or via a self-hosted Outpost deployment. Symmetry can be deployed in an air-gapped environment with no internet access required.
Core capabilities include automated data discovery and classification, utilizing ML, NER models, transformers, and SLM and LLM-based classifiers to identify sensitive data across structured and unstructured data sources. It provides real-time visibility into data location, access patterns, and security posture through a centralized dashboard that maps data flows and identifies exposure risks. It uses a graph that links identities to data through permissions and operations. Its data classification engine includes prebuilt templates for common data types and supports the creation of custom patterns.
It offers identity-centric access analysis that maps data permissions to actual usage patterns, enabling the detection of overprivileged accounts and dormant access. The solution continuously assesses security posture, identifying misconfigurations, excessive permissions, and compliance violations. It provides automated remediation workflows via its DDR features and integrates with SIEM and ticketing systems, enabling security teams to address findings without manual intervention.
The solution includes anomaly detection capabilities that baseline normal data access patterns and alert on deviations, supporting threat detection scenarios.
Symmetry is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Symmetry scored well on a number of decision criteria, including:
Data mapping: Symmetry scans and indexes sensitive data across cloud, SaaS, and on-prem databases, data lakes, and file stores via prebuilt connectors. Both structured and unstructured data are covered. It identifies dormant data and maintains an up-to-date data catalog. As new data stores or files appear, they’re discovered and classified in near real time.
On-prem repository support: Symmetry offers broad on-prem support, including databases such as SQL and MongoDB, Hadoop clusters, and SMB and NFS file share access. There is also support for Linux data stores and NAS (for example, NetApp and Nasuni), as well as support for systems such as AS-400.
AI risk analysis: With the release of its new AI Guard capability, Symmetry has added a strong range of AI risk and security capabilities. It provides strong identity-centric visibility into which AI services and agents exist, including both known and shadow AI tools. It can assess what data they access and provide data flow intelligence of data moving into and out of AI systems. It enforces AI-specific policies and can remediate overprivileged agents, as well as enable adherence to governance and policy requirements by preventing sensitive data from entering AI workflows.
Opportunities
Symmetry has room for improvement in a couple of decision criteria, including:
Data lineage: Symmetry provides security-focused lineage tracing of file movement across infrastructure, showing how data flows through an organization to provide security insights into access and other file operations. This can be further developed to provide greater detail on data transformation throughout its lifecycle and to offer structured lineage visualizations to help customers tackle the complexity of data lineage.
NHI threat management: Symmetry currently lists all identities and their data interactions, which can help identify risky NHI behavior. There is an opportunity to develop this further by adding features such as NHI-specific risk identification and guidance on NHI remediation.
Purchase Considerations
Symmetry’s pricing is based on instance size, modules, and SaaS connectors, with subscription-based annual contracts. Licensing is managed through direct sales or its partner channel.
Implementation complexity is relatively low for cloud-native environments due to the vendor’s API-based integration approach. The vendor provides professional services and customer success resources during onboarding. Symmetry targets SMBs and large enterprises.
Use Cases
Symmetry addresses several primary use cases. Data discovery and classification enable organizations to locate and categorize sensitive information across cloud data stores, supporting compliance initiatives and risk assessment. The solution supports access governance projects by analyzing who has access to what data, identifying dormant accounts, excessive privileges, and lateral movement risks. DevSecOps teams leverage the solution to integrate data security checks into CI/CD pipelines, preventing insecure data configurations from reaching production.
Theom: Theom Secure
Solution Overview
Theom is a specialist data governance and security provider offering automatic data discovery, classification, cataloging, access governance, usage and lineage analysis, insider risk detection, breach detection, contract governance, and AI security.
Theom Secure offers flexible deployment via SaaS and self-hosted cloud images, with the latter available only under specific contracts. It is embedded directly in the data store, sitting close to the data and query layers, with no-touch deployment and no proxies or agents required. Customer data stays within their infrastructure. For stores that can't insert business logic, Theom uses APIs and snapshots. It provides full visibility by linking identity, data, and usage and detects risks like unprotected sensitive data, service account impersonation, and software vulnerabilities. Its risk dashboard highlights threats such as reconnaissance, living off the land (LOTL) attacks, and data leaks, using behavioral AI to learn normal patterns and identify anomalies.
Theom has invested in AI security and governance, now offered as Theom Secure AI, an add-on license that enhances chatbot and AI security with identity-aware task execution aligned with policies. It guards against prompt injection attacks to protect AI integrity. It can also inventory AI models in the environment and track usage by model, agent, user, and environment. It traces data lineage down to which rows and columns were accessed for each prompt, on whose behalf, and across which environments, feeding this into a real-time audit and enforcement engine.
For participants in data exchange contracts, Theom provides a feature that imports compliance details from contracts and normalizes them into data protection policies. It primarily focuses on safeguarding data in data lakes, databases, unstructured data in S3, data warehouses, and Microsoft 365 and Google Workspace data stores.
Theom is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Theom scored well on a number of decision criteria, including:
Data mapping: Theom provides comprehensive data mapping using an embedded approach, sitting directly within the data store and monitoring every access and query of the data. This positioning enables Theom to deliver unique insights and actions across the entire spectrum of modules, from data access governance to compliance and audit. It can perform a full data inventory, identify the logical data topology, and track data lineage at column-level granularity. It can also discover security gaps such as misconfigured access controls, missing security policies, and improper masking configurations.
Incident response and impact analytics: In the event of a data incident, Theom automatically compiles the critical details to aid responders. It identifies which data was affected, which users or accounts were involved, the sequence of events, and the sensitivity or regulatory status of the data (for example, tagging that personal data subject to GDPR was in the affected set). It presents this information in an incident report that can be exported for compliance or postmortem analysis. It also retains a forensic audit trail of the incident, which is valuable for investigations.
NHI threat management: Theom actively manages machine and service accounts. It automatically identifies NHIs with access to sensitive data and monitors their behavior for anomalies (for example, a service account suddenly accessing data outside its typical scope). It flags service accounts that are overprivileged or unused and suggests tightening their permissions. Theom also performs secret scanning via integrations. If an API key is found in code or chat that could access data, Theom will determine what data that key can reach and raise a risk alert. It integrates with DevOps workflows to ensure leaked credentials are rotated or disabled promptly.
Theom was classified as an Outperformer due to its rapid development and strong roadmap. The vendor is already performing well across all of our emerging technology areas, and we expect this to continue.
Opportunities
Theom has room for improvement in a couple of decision criteria, including:
Data lineage: Theom delivers end-to-end data lineage for sensitive information. It automatically links data objects across systems via its Data Graph. For unstructured data, it uses content matching to infer lineage. It also maintains a chronological log of data events (creation, copy, move) so teams can trace a file’s journey step by step. The vendor has identified opportunities to improve this further, such as identifying data movement between on-prem and cloud environments and providing a visualization of data usage over its lifecycle.
Automated data threat detection and response: Theom already provides strong capabilities here, continuously monitoring for suspicious data activity and responding in real time. It can automatically act to contain any incident, such as revoking a user’s access session, locking down a data store, or triggering an alert to the security team. There is an opportunity to further extend these capabilities with more advanced features, such as the ability to simulate remediation before execution. This would make the solution one of the most comprehensive.
Purchase Considerations
Theom offers three distinct packages for its solution: Theom Secure, Theom Secure AI, and Theom Data Governance for Data Meshes. Within Theom Secure, customers can turn individual components on or off. Theom offers two pricing models. The first is an "all you can eat" subscription model reserved for very large enterprises with a minimum entry point, available with 3- or 5-year options. The second is a consumption-based pricing model with discount tiers that can be metered by data store activity level or data volume. Pricing is available directly from Theom or through channel partners.
While the solution is not considered difficult to deploy, the vendor offers professional services as an option for those requiring custom integration with on-prem data stores. It also offers an outcome-based model that allows customers to buy a single service engagement that’s defined by a specific, predetermined criterion.
While the solution can meet the needs of SMBs, it is primarily aimed at larger enterprises.
Use Cases
Theom addresses a range of use cases for its target market. For data and access observability, it provides a comprehensive visualization of the data environment to ensure compliance with security guidelines and regulations. Theom also detects and drives workflows to manage ROT data, including orphaned, dark, and shadow data, while reporting access control divergence between source data and redundant copies. For those seeking real-time protection against human and nonhuman account risks, its continuous monitoring of data access and movement via data lineage tracking, abnormal data activity, and real-time blocking of unauthorized data movement will be an asset.
TrustLogix: TrustDSPM*
Solution Overview
TrustLogix provides a data security platform designed to address modern risks across cloud, hybrid, and regulated environments, with a focus on security, trust, and privacy for enterprise data.
TrustDSPM is part of the TrustLogix Data Security Platform. TrustLogix can be deployed as SaaS or via TrustLet Private Cloud in the customer’s private cloud. It is agentless and works via APIs. TrustDSPM provides automated data discovery and classification capabilities that scan structured and unstructured data across multiple cloud environments, including AWS, Azure, Google Cloud, and Snowflake.
The solution's core technical capabilities include real-time data classification using ML models, automated discovery of sensitive data across data lakes and warehouses, and continuous monitoring of data access patterns and permissions. TrustDSPM provides granular visibility into data lineage, tracking how sensitive data flows across systems and identifying potential exposure points. The solution includes policy enforcement capabilities that automatically remediate misconfigurations and overprivileged access through integration with native cloud security controls, ensuring the controls remain intact even if TrustLogix is removed.
TrustDSPM supports role-based access control (RBAC) policies and provides compliance mapping to frameworks such as GDPR, HIPAA, PCI-DSS, and SOC 2. It includes a centralized dashboard that aggregates security posture metrics, risk scoring, and actionable remediation recommendations.
TrustLogix is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the DSPM Radar chart.
Strengths
TrustLogix scored well on a number of decision criteria, including:
Data access intelligence: TrustLogix delivers intelligence through real-time monitoring across multicloud environments. The solution integrates with enterprise IAM systems to provide complete visibility into access patterns for both human users and NHI. AI-driven behavioral analysis automatically identifies anomalous access, privilege creep, and dormant accounts. The solution can enforce fine-grained RBAC and attribute-based access control (ABAC) policies natively within each data platform it protects.
AI risk analysis: TrustLogix TrustAI represents a sophisticated approach to AI data security, addressing the emerging challenge of protecting sensitive data in AI workflows. The solution monitors data flows to AI agents, models, and training pipelines while enforcing identity-aware access controls that ensure AI applications can only access data the requesting user is authorized to see. Automated data masking protects sensitive information before it enters AI context windows, preventing exposure of PII, PHI, and financial data. Real-time monitoring detects risky exposure and unauthorized data sharing in AI interactions. This comprehensive AI governance capability positions TrustLogix ahead of traditional DSPM vendors in securing the AI-native enterprise.
Automated data threat detection and response: The solution generates real-time alerts for suspicious activity, policy violations, and security risks, and provides AI-driven remediation recommendations. One-click remediation options enable rapid response to critical threats. Integration with SIEM and governance, risk, and compliance systems facilitates orchestrated incident response workflows. The solution's native policy enforcement architecture enables automated actions such as access revocation and data masking without external dependencies.
Opportunities
TrustLogix has room for improvement in a few decision criteria, including:
Data lineage: TrustLogix provides data flow visibility across multicloud and hybrid environments, tracking data movement across major platforms such as Snowflake, Databricks, and Power BI. However, the TrustLogix solution is more access focused than transformation focused in its lineage capabilities. Adding more lineage-specific insights, such as transformation logic, visual dependency graphs, and impact analysis, would further enhance the value of the lineage capabilities and make them more comprehensive for customers.
On-prem repository support: TrustLogix delivers robust on-prem repository support with native connectivity to SQL Server, PostgreSQL, MySQL, and Oracle databases. The solution provides complete feature parity between cloud and on-prem environments. However, it currently lacks support for unstructured data stores, such as file shares. The solution is strategically designed to focus on structured stores, and unstructured coverage may never be part of the solution. Customers should be aware of this.
Incident response and impact analytics: TrustLogix provides capabilities to identify policy violations and security incidents in real time across the data estate. The solution assesses which data repositories, users, and systems are affected and prioritizes remediation based on data sensitivity and business impact. There is an opportunity to further enhance this by offering features such as incident blast radius visualization and formalized incident response playbooks, providing additional value for enterprise security operations centers.
Purchase Considerations
TrustLogix presents some pricing guidance on its website for departmental deployments. It also offers a free POC tier for 30 days. Custom pricing is available for enterprise customers. TrustLogix uses an annual subscription model in which pricing is calculated per data source and is not impacted by the number of data users, policy users, or the amount of data stored in the data source.
The solution is agentless and proxyless, reducing deployment risk and complexity. It is unclear from publicly available information whether the vendor offers professional services to support implementation for those who want them.
This solution can be deployed to customers of all sizes, from SMBs to large enterprises.
Use Cases
The TrustLogix solution is ideal for those with structured data security requirements who want to monitor for misconfigurations, shadow access, exfiltration risk, and policy violations to reduce data threats. It also helps those looking to enhance data security on those platforms by proactively masking and anonymizing data to enable safe data sharing while preserving privacy.
Varonis: Unified Data Security Platform
Solution Overview
Varonis is a well-established data security vendor whose Unified Data Security Platform protects complex data ecosystems. It boasts a large global customer base across all industries.
Varonis offers its Unified Data Security Platform as SaaS. The solution is comprehensive, with a wide range of integrations across SaaS, on-prem, IaaS, PaaS, and databases. Integration is either via API or a local collector. Agents are only needed where native APIs don't provide adequate visibility and control (for example, Windows or Linux servers).
The solution provides detailed threat analysis, with dashboards that display data classifications, exposure, permissions, and usage. It assesses threat posture against global frameworks, highlighting issues such as misconfigurations that affect compliance. Built-in automated remediation repairs configurations such as permissions and stale access directly from the UI, avoiding tickets or third-party workflows. It includes more than 166 threat detection policies covering exfiltration, lateral movement, and intrusion.
Varonis details human and nonhuman interactions, including AI. It has strong AI security to detect AI interactions, monitor prompts and responses, and track files in AI tools like Microsoft 365 Copilot and ChatGPT, including the ability to show how Copilot has built responses to prompt queries. Its recent launch of Atlas extends these Copilot and ChatGPT monitoring capabilities to cover the full AI lifecycle across any LLM, agentic framework, or custom AI system.
The solution gives customers access to its incident response team, which monitors environments to identify and inform customers about risks. Varonis provides a managed data detection and response service that combines threat detection with threat hunters, forensics analysts, and responders who triage, investigate, and respond.
Varonis is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Varonis scored well on a number of decision criteria, including:
Incident response and impact analytics: Varonis provides dashboards and reporting options for investigations. These tools include a dedicated investigation screen featuring an embedded AI Security Operations Center (AI SOC) assistant, Athena AI. Risk dashboards display open alerts and investigations, top-alerted users, assets, devices, and threat mitigation recommendations. Alerts map to MITRE ATT&CK tactics and techniques where applicable, making it easier to inform investigations, responses, or security improvements. The vendor also provides a complimentary incident response service accessible to all customers.
NHI threat management: Varonis identifies and monitors service accounts and differentiates “normal” service account behavior from anomalies. For example, a backup service account suddenly accessing HR files would trigger an alert. Varonis also identifies stale or unmanaged accounts, which are flagged for review or removal. It can detect credentials or secrets that appear in places they shouldn’t. For example, if someone saved a database password in a file, it would be flagged as a potential exposure. Integration with directory services helps ensure that when accounts are disabled or roles change, data access is updated accordingly.
Data access intelligence: Varonis provides deep insight into permissions and data usage. It aggregates effective permissions for every file and data store. It monitors every access event through its sensors (file opens, emails sent, and so on). It then uses UEBA to identify anomalies. Varonis clearly identifies sensitive data that is overexposed and can even automatically revoke excessive permissions via its automation engine. It differentiates between normal user access and administrative or service account access, allowing more granular policy enforcement and detection.
Opportunities
Varonis has room for improvement in a couple of decision criteria, including:
Data lineage: Varonis offers capabilities such as tracking data movement and changes. However, it lacks some finer lineage features, such as the ability to view data dependencies and track data transformations. Adding these would help organizations address the complex challenge of data lineage tracking.
Automated data threat detection and response: The Athena AI SOC assistant helps to triage alerts, explain context, and recommend next steps. It offers automated response playbooks that can generate tailored remediation steps and summaries directly within the alert interface. Varonis also offers a Managed Detection and Response service that can automate actions for customers. However, there are still areas to improve. Some automation actions still require manual triggering or PowerShell scripts rather than addressing issues through integration, and adding a more intuitive workflow engine would help customers build more complex workflow orchestrations.
Purchase Considerations
Varonis is licensed per data store and its users, except for IaaS platforms, which are licensed based on dataset size. Licenses are available as an annual subscription that can be canceled at any time. Pricing is available directly or through the partner channel.
The solution is lightweight and easy to deploy, and the vendor offers dedicated resources to support customer adoption through standardized onboarding. Training options are available through the Varonis Customer Community. For those needing additional resources to manage DSPM, Varonis offers a managed data detection and response service.
This solution is designed for larger enterprises and is likely unsuitable for SMBs.
Use Cases
Varonis addresses a range of use cases for larger enterprises. This includes data protection and risk reduction by mapping and normalizing granular permissions to identify where sensitive data is overexposed, both internally and externally. A context-rich audit trail of events makes it easy to understand how data is being used and by whom, enabling the investigation of threats, including lateral movement across the environment, and providing organizations with detailed insight into data activity.
Wiz*
Solution Overview
Wiz is a cloud security company that offers a range of security capabilities across cloud development, cloud threat management, and security posture management, including DSPM. The company is expected to be acquired by Google in 2026.
The Wiz solution is modular, with core services supplemented by add-ons. The Wiz Cloud and Wiz Defend tools provide visibility into security risks, risk prioritization, and threat detection and response for cloud platforms, including the data they hold. Wiz has also expanded capabilities in areas such as enhanced AI security, expanded cloud support, and support for compliance frameworks. It is designed to protect IaaS and PaaS environments but lacks support for some common SaaS platforms, such as Microsoft 365, as well as for on-prem environments.
The solution's DSPM capability provides continuous discovery and classification of sensitive data, detects data risks and attack paths, and automates compliance assessment against data regulatory frameworks. Its Data Security Dashboard provides data security and governance, risk, and compliance teams with a centralized view of security posture, which includes a data security score, compliance posture, and data access governance insights. It can build detailed data risk assessments, identifying where sensitive data is exposed by underlying cloud architecture, poorly configured access rules, or configuration vulnerabilities.
The solution also offers detection and response capabilities, with real-time threat-detection rules that can trigger automated responses. Wiz has further improved this by integrating with SIEM tools and expanding security graph capabilities for better attack path analysis.
Wiz also offers AI security capabilities, including AI-SPM, which provides comprehensive insights into data risk across AI pipelines, model security, and AI infrastructure.
Wiz is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the DSPM Radar chart.
Strengths
Wiz scored well on a number of decision criteria, including:
AI risk analysis: Wiz’s AI-SPM capability can identify AI services running against data. It can provide detailed insights, identify risks in the AI pipeline, and offer remediation steps for analysts, including code to address challenges. It supplements this with attack path analysis, which can assess for vulnerabilities and misconfigurations in the AI pipeline.
Incident response and impact analytics: Wiz Defend provides detailed incident insights through an investigation timeline and a Security Graph. It offers automated capabilities via playbooks and AI-generated response steps. It also provides a broader context through blast radius calculation and attack path analysis, showing the impact of potential breaches. The Cloud Threat Landscape database and MITRE ATT&CK mapping provide additional comprehensive threat context.
Data access intelligence: Wiz provides strong data access intelligence with comprehensive visibility into who has access to what, effective permissions analysis, and anomaly detection through behavioral analytics. This has also increased its automation capabilities. It can automate some permission removal and provide remediation guidance.
Opportunities
Wiz has room for improvement in a few decision criteria, including:
On-prem repository support: Wiz now supports on-prem data repositories, though this is currently limited to Linux file shares. Windows file shares are on the roadmap. Adding more support for areas such as NAS and structured data repositories should be a consideration for the vendor to extend its appeal to many organizations that still have on-prem data infrastructure.
Data lineage: Wiz provides good security-focused lineage through the Security Graph, showing data flows, access relationships, and impact analysis. Currently, its focus is on who can access what data rather than on providing robust, detailed data lineage that shows the full data lifecycle. Extending this to show data transformation as data moves through its lifecycle would be a valuable addition.
Automated data threat detection and response: Wiz’s capabilities have improved with the introduction of Wiz Defend, which provides a robust automation platform. It identifies sophisticated risks in real time, automates complex responses (including runtime blocking, access revocation, and cloud-native containment), and maintains an audit trail with an investigation timeline. There is an opportunity to further develop these capabilities by providing a comprehensive orchestration solution that enables customers to build complex automated playbooks.
Purchase Considerations
Wiz Cloud licenses are subscription based and calculated on the number of cloud workloads in the customer environment. Workloads include compute workloads like VMs, containers, and serverless functions.
The solution is cloud based and requires little integration beyond connecting to existing cloud environments. However, professional services are available where needed. Wiz continues to expand its partner ecosystem to broaden its customer support.
The solution primarily focuses on securing IaaS and PaaS environments, with expanding support for SaaS security posture management. However, limited support for on-prem environments and common SaaS platforms could limit its appeal for smaller organizations.
Use Cases
Wiz can meet the needs of mid-market and larger organizations looking to secure their cloud workloads. It can help address cloud compliance with its real-time cloud reporting and, for those seeking automated cloud security, with its automated discovery, detection, and response capabilities. The solution is particularly well suited for organizations with complex multicloud environments, AI/ML workloads that require security oversight, and those that need comprehensive cloud-native application protection.
Zscaler: Data Security Posture Management (DSPM)*
Solution Overview
Zscaler’s Data Security Posture Management (DSPM) offering is part of the company's broader security portfolio and is available as an add-on for existing platform users. Its solutions are designed to provide enterprise-grade protection.
Zscaler DSPM is a cloud-native data security solution that provides visibility and protection across multicloud and SaaS environments. The solution operates within the broader Zscaler Zero Trust Exchange architecture, leveraging its global cloud infrastructure for inline data inspection and policy enforcement. Integration is API based for SaaS applications and uses agentless scanning for cloud storage resources, minimizing deployment overhead.
The solution delivers comprehensive data discovery capabilities across structured and unstructured data stores and a broad range of SaaS applications. It employs AI-powered classification engines with more than 300 prebuilt data identifiers covering global regulatory frameworks. The solution performs continuous scanning to identify sensitive data, track data movement, and assess exposure risks. It also provides comprehensive insight into AI services and models, including the ability to identify and remediate hidden risks.
Zscaler DSPM includes automated data classification, access rights analysis, data lineage tracking, and risk scoring based on sensitivity and exposure. The platform integrates with Zscaler's DLP engine to enable inline policy enforcement and remediation. It provides detailed visibility into data permissions, identifying overly permissive access and shadow data stores.
The solution includes native integration with SIEM and SOAR tools to automate security workflows. Zscaler DSPM offers centralized policy management through a unified console and provides preconfigured compliance templates to accelerate deployment and regulatory alignment.
Zscaler is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the DSPM Radar chart.
Strengths
Zscaler scored well on a number of decision criteria, including:
Data access intelligence: Zscaler DSPM ingests cloud IAM configurations (AWS IAM roles, Azure AD permissions, and Google Cloud IAM bindings) to determine which identities (human or machine) are entitled to each sensitive data store. It provides overprivilege detection, with the system automatically flagging cases of excessive or unnecessary access. Its Adaptive Access Intelligence capability provides a granular, user-centric view of all access paths to critical data. Integration with Zscaler’s SSE tools enables not only the discovery of access risks but also the enforcement of strong controls.
Data mapping: Zscaler DSPM automatically scans multicloud environments (AWS, Azure, and Google Cloud) to discover and classify sensitive data and builds a unified inventory. It continuously tracks new data stores as they appear, addressing shadow data gaps. The solution creates an accurate map and inventory of data assets, helping security teams locate sensitive data, see who has access to it, and understand how it is being used.
On-prem repository support: The solution provides strong support for on-prem data stores. It provides agentless scanning via its on-prem orchestrators and can scan structured data stores such as Oracle, SQL Server, MySQL, and PostgreSQL, as well as unstructured stores such as file servers.
Opportunities
Zscaler has room for improvement in a few decision criteria, including:
Automated data threat detection and response: The solution provides detailed exposure analysis, risk prioritization, threat correlation, and in-depth guided remediation. However, much of this is identifying risks and providing remediation guidance rather than identifying threats and fully automating the response. Adding native automated remediation for identified threats would speed risk mitigation and reduce operational overhead.
Data lineage: Zscaler focuses on tracking data exposure paths and usage patterns. DSPM identifies how data could flow to users or outside the organization (via misconfigurations or identity links) and correlates that into attack paths and access insights. However, the solution cannot provide more formal data lineage, such as a graphical view of data lineage through pipelines or how that data transforms during its lifecycle. Adding this would be a useful way for customers to tackle the complexities of data lineage.
NHI threat management: Zscaler DSPM secures NHI by visualizing access lineages to sensitive data. It detects hardcoded credentials and overprivileged service accounts, calculating the blast radius of potential leaks. This is a strong capability, but Zscaler can further enhance it by providing native auto-remediation of NHI risks, such as credential rotation, as well as more advanced NHI lifecycle capabilities.
Purchase Considerations
Zscaler DSPM is offered as a standalone add-on module to the Zscaler platform. It is a subscription service with pricing typically structured around the volume of data scanned and the number of protected data sources. Zscaler provides information about product bundles and features on its website.
As a SaaS solution, initial deployment and integration should be straightforward. It is a comprehensive offering, though customers may want to seek expert advice to fully leverage its capabilities. This support can be provided by the vendor or its extensive partner ecosystem.
Zscaler's solutions are suitable for smaller businesses, though it is positioned as an enterprise platform and primarily targets mid-market to large enterprise customers.
Use Cases
Zscaler DSPM addresses multiple use cases. It is especially strong for those with predominantly cloud-based infrastructure, offering discovery and classification of sensitive data across multicloud environments and providing visibility into shadow data repositories that bypass traditional security controls. For customers already using Zscaler, the integration with Zscaler DLP enables organizations to discover sensitive data through DSPM and automatically enforce inline protection policies, creating a comprehensive security workflow.
6. Analyst’s Outlook
The DSPM landscape is developing rapidly, with the widespread adoption of AI tools in enterprises serving as a catalyst for this growth. Since our last assessment, the market has continued to evolve, with increasingly comprehensive solutions that also include developments such as AI risk analysis, NHI security, and emerging areas such as risk correlation and attack analysis.
Market consolidation persists as vendors are acquired to fill security portfolio gaps and data security-adjacent providers (such as data protection companies) are merging to offer comprehensive data management that spans security and resilience. The market remains strong, with many vendors to consider.
There are a number of strong vendors in this space, but there are some common themes among the leaders. Data lineage is one such area. While many vendors can track basic data movement, only a few offer advanced insights into data dependencies and transformations throughout the data lifecycle. Support for on-prem data stores also remains a significant consideration. With some vendors primarily focused on cloud DSPM, coverage for on-prem repositories can be limited or nonexistent, although this applies to a relatively small number of vendors in this year's report.
Evolving areas such as AI and related fields have been key differentiators among vendors in this report. AI risk analysis is where top vendors offer more comprehensive coverage, developing modules for public GenAI models, agentic AI, and pipeline security. NHI security is also prominent, with leaders providing specialized capabilities that recognize the differences of NHI, especially in agentic AI. AI remains central to data security, making vendor solutions that provide relevant protections crucial to evaluate.
When considering DSPM solutions, organizations must ask themselves specific questions to identify potential vendors. While vendors we evaluated are capable of discovery and classification, there are areas of differentiation that an organization should consider.
DSPM goals: As with all data security-centric projects, customers must have a clear goal in mind before embarking on the venture. Goals may include meeting compliance needs, building a detailed view of data controls, or reducing security risks. Determining which objective applies is essential in finding the right solution.
AI adoption: Organizations increasingly treat data security as a core requirement of AI adoption. That means understanding what AI systems are being introduced, which tools are involved, and what controls are necessary to protect data and maintain compliance. Security posture should be evaluated both before deployment and continuously afterward, with monitoring capabilities that identify and manage risk across the full AI stack.
Data lineage: This is a significant differentiator. Lineage requirements vary by organization. Some teams need full visibility into the data lifecycle: how data is created, transformed, and propagated across systems. Others focus primarily on security lineage: who accessed the data, where it moved, and when. For many environments, that audit trail is sufficient. But organizations with formal ETL lineage requirements should evaluate whether a vendor can provide end-to-end transformation tracking, not just access and movement logs.
Roadmap: DSPM is an evolving space, and having vendors with a forward focus will be key to ensuring investments continue to deliver value. Risk correlation, risk quantification, and AI-SPM are areas companies may want to consider. Organizations should understand how vendors can help address these challenges and provide valuable insights that support proactive data security.
Understanding these areas will help companies quickly focus on the correct partners capable of meeting their needs.
This sector will continue to develop, perhaps most significantly in response to the growing adoption of AI by organizations. There is and will continue to be an increasing need for tools that help customers deploy AI securely and ensure only clean data is used to train models. DSPM providers recognize this and see themselves as valuable partners in these endeavors.
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Paul Stringfellow
Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.
Paul hosts his own enterprise technology webcast and writes regularly on his blog.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2026 "GigaOm Radar for Data Security Posture Management (DSPM)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.