Data Loss Prevention

Five DLPs in one. Single pass.

One engine protects data in one place across web, SaaS, IaaS, email and the endpoint, inspected once, governed by one policy, SASE-ready. Here is exactly how it fits together.

Advanced Cloud DLP

5-in-1, single-pass, SASE-ready.

Every device on the left reaches everything on the right through one engine in the middle. Hover or tap any capability to see what it does.

Endpoint deviceDLP CLOUD Managed deviceFORWARD PROXY Unmanaged deviceREVERSE PROXY NETSKOPE SECURITY CLOUD 3,000+ dataidentifiers,1,600+ file types ContextualPolicies 40+ComplianceTemplates SkopeAIML-enhancedClassification Exact Match,Fingerprinting,OCR Single-PassDLP Outbound emailSMTP Managed & unmanagedSAAS & IAAS WebsitesWEB TRAFFIC Data at restAPI INTEGRATION
SkopeAI · ML classification

Find the sensitive data others miss.

Machine-learning models recognise content by type, not pattern, classifying data in motion and at rest, inline and via API, with no OCR or regex limits.

15
97% precision84% recall

Document classifiers

Source code · 23+ langsTax formsM&A formsPatentsResumesOffer lettersNDAsBank statementsStock agreementsPower of attorneyMedical formsLoan agreements
12
98% precision

Image classifiers

Driver licencesPassportsSocial securityCredit cardsMedical cardsChequesScreenshotsWhiteboardsPhoto IDsPersonal IDsMedical images

27+ identifiers and growing

Inline & API coverage

Classifies data in motion and at rest, including UEBA alerts for encrypted data movement.

No OCR or regex limits

Recognises content by type, removing pattern-match accuracy and performance constraints.

R103 model

An 80% increase in parameters resolves prior false positives, mainly on screenshots and IDs.

The packages

Three tiers of capability.

Standard DLP

Proven detection across every channel

  • Data in motion and at rest for managed cloud, apps and email
  • 40+ regulatory compliance templates
  • 3,000+ data identifiers, 1,600+ file types
  • Custom regex, patterns and dictionaries
  • Pre-built document classifiers
  • Incident management and remediation
SkopeAI DLP

Machine learning finds what patterns miss

  • ML classification for patents, M&A, tax forms and source code
  • Image classifiers: screenshots, whiteboards, passports, IDs
  • Train your own classifiers on your data
  • UEBA alerts for encrypted data movement
Advanced DLP

Precision matching, false positives near zero

  • Exact data match against specific records
  • File fingerprinting with degree of similarity
  • Optical character recognition (OCR) inside images
Microsoft Purview + Netskope

Where Microsoft ends, Netskope extends.

Microsoft Purview DLP is strong inside the Microsoft estate. Netskope honours the same labels and carries enforcement everywhere Microsoft can’t reach. Here is who does what.

CapabilityMicrosoft Purview DLPNetskope
Exchange, SharePoint, OneDrive, TeamsCore Microsoft 365 workloads
Native
Built in from E3, the strongest place for Microsoft’s own DLP.
Complements
Adds out-of-band CASB API scanning and a second enforcement point.
Endpoint DLPUSB, copy/paste, print, local apps
E5 only
Requires E5 / E5 Compliance, on Microsoft-managed Windows and macOS.
Native
Endpoint DLP via the Netskope client, independent of Microsoft tier.
Web & browser uploadsAny site, any browser
Limited
Edge for Business only, via Endpoint DLP.
Extends
Full inline SWG inspection of all web traffic, any browser, on or off network.
Non-Microsoft SaaS70,000+ cloud apps
Via Defender
Partial, through Defender for Cloud Apps.
Extends
Inline and API DLP across sanctioned and shadow SaaS, with instance awareness.
IaaS & cloud storageAWS, GCP, Azure buckets
Minimal
Not a focus of Purview DLP.
Extends
CASB API and DSPM scan data at rest across multi-cloud.
Sensitivity labels (MIP)Classification & labelling
Native
Microsoft creates and classifies; the label travels with the file.
Reads & enforces
Consumes MIP labels and enforces them inline across every channel.
Classification engineFinding the sensitive data
SITs + trainable
Sensitive info types and trainable classifiers.
+ SkopeAI
Adds ML classifiers, exact match, fingerprinting and OCR for detection. Writing sensitivity labels automatically still relies on Microsoft Purview auto-labelling (E5).
OCR & image recognitionData hidden in pictures
Limited
Basic OCR on select paths.
Native
OCR and image classifiers for IDs, screenshots and scans.
Real-time inline controlBlock / coach in the moment
Mostly at rest
Policy tips in Office apps; enforcement largely at rest and on endpoint.
Inline
Real-time proxy enforcement with user coaching across all apps and web.
BYOD & unmanaged devicesContractors, personal devices
Limited
App protection policies, narrow scope.
Extends
Reverse proxy and Enterprise Browser bring DLP to any device, agentless.
Non-Microsoft file formatsBeyond Office
Office-centric
Strongest on Microsoft Office formats.
1,600+ types
DLP across 1,600+ file types, including non-Microsoft formats.

What Netskope does that Microsoft can’t alone

Inline control everywhere

Real-time block and coach across 70k+ apps and the open web, not just Microsoft 365.

One policy, every channel

A single engine and policy for web, SaaS, IaaS, email and endpoint in one pass.

Agentless BYOD DLP

Protect data on unmanaged devices via reverse proxy and the Enterprise Browser.

Advanced detection

SkopeAI ML, exact match, fingerprinting and OCR beyond pattern matching.

Endpoint DLP without E5

Device, USB and print control independent of the Microsoft licence tier.

Multi-cloud data at rest

CASB API and DSPM across AWS, GCP and Azure, not only Microsoft stores.

Microsoft licensing for Netskope DLP

Netskope DLP runs independently of Microsoft, it inspects, classifies and enforces with its own engine, so no Microsoft DLP licence is required for it to work. Microsoft licensing only matters for how the two integrate:

  • To read & enforce Microsoft sensitivity labels, you need Purview Information Protection: manual labels from Microsoft 365 E3 or Business Premium; automatic and default labelling from E5 or the E5 Compliance add-on.
  • Microsoft’s own DLP covers Exchange, SharePoint, OneDrive and Teams from E3; Endpoint DLP and on-premises require E5 / E5 Compliance.
  • Recommended pairing: E3 (or Business Premium) to create and apply labels, with Netskope enforcing them everywhere; step to E5 only where you want Microsoft auto-labelling at scale.

Indicative. A licensing review confirms the cheapest path for your tenant.

Microsoft & Netskope · better together

Microsoft classifies. Netskope enforces, everywhere.

Microsoft protects data well inside its own ecosystem. Netskope extends that protection to the other 70,000+ cloud apps and the open web, adds Endpoint DLP and full data-at-rest control via CASB API, and enforces every Microsoft label end to end.

Sources · where data lives & moves
Microsoft 365
Microsoft Azure
70,000+ cloud apps
Open web
Microsoft-native controls
Purview Information Protection
Labelling & classification
Entra ID
Identity & conditional access
Defender for Cloud Apps
Native M365 app security
Netskope · single enforcement plane
Zero Trust Data Protection
Threat Protection
NewEdge Network · NPA & SD-WAN
+Cloud apps
+Endpoint DLP
+Web
+OCR & image recognition
+Private apps
+Fingerprinting
+Non-Microsoft Office formats
+Data at rest, via CASB API
Reverse proxy Netskope client Forward proxy
The DLP journey · a phased approach

Switched on all at once, DLP breaks things.

We take a balanced approach that protects data without slowing the business: start simple, refine, then add complexity, favouring in-the-moment user coaching over blunt block-or-allow, and scaling each stage only once it is adopted.

In-line · data in motionOut of band · data at rest
Actionable user coaching

Coach in the moment, don’t just block.

Move beyond block-and-allow. Gain context into what users are doing and why, and steer them to sanctioned tools. Organisations typically cut shadow IT and duplicate app subscriptions by around 30% combining Netskope SWG and CASB with coaching.

Cornerstone Cyber · security notification

Use an approved AI assistant

You’re about to paste client content into a personal ChatGPT account. Your sanctioned AI is Microsoft Copilot and ChatGPT Enterprise, which keep matter data inside the tenancy.

Open CopilotRequest access
Cornerstone Cyber · security notification

High-risk storage detected

This file-sharing site is not approved for client data. OneDrive for Business gives every employee encrypted storage that meets our data-protection obligations.

Go to OneDriveProceed (logged)
Cornerstone Cyber · security notification

This file matches a protected matter

The document matches a fingerprinted client dataset. Tell us why you need to proceed; your reason is recorded against the matter file.

Business reason (required)…
ProceedCancel
The core of DLP

Six things every DLP programme balances.

Data

Accurately resolve and always protect your company’s data, everywhere it lives and moves.

Users

Gain descriptive intelligence while screening behaviour that would put data at risk.

Risk

Inform risk by isolating exposure and acting across the whole estate.

Comply

Meet compliance, and manage the cost of non-compliance and reputation.

Scoring

Risk-based scoring of activity and user behaviour to focus effort where it counts.

Control

Control the means and the final stage of remediation and response.

One DLP policy across every channel.

Netskope DLP

Stop sensitive data leaving via the web, SaaS and AI.

Inline DLP for every session, with Microsoft labels honoured.

What is data loss prevention (DLP)?

Controls that detect sensitive content (financial, health, personal info, intellectual property) and block or warn when it is shared inappropriately. See our data protection page for the wider picture.

What does Netskope DLP cover?

Inline DLP for every web, SaaS and AI session. It sees data leaving via web upload, SaaS sync, browser paste, or AI prompt, and applies your policy in the data path.

How is it different to Microsoft Purview DLP?

Purview covers data inside Microsoft 365; Netskope covers data leaving via the rest of the internet. They complement; we usually deploy both.

Can it catch shadow AI use?

Yes. Inline DLP on prompts and uploads to ChatGPT, Gemini, Claude and other public AI tools.

Does it use Microsoft sensitivity labels?

Yes. Netskope honours Microsoft Information Protection labels for unified policy across both engines.

How fast can we deploy it?

Most clients are inline within weeks. Full DLP rule design and tuning takes longer but goes live in stages.