Leveraging my 2 decades of experience as a cybersecurity practitioner, I selected the top DLP software for securing sensitive information & complying with regulatory standards. I tested 6 of these DLP solutions over a month, focusing on key features like channel coverage, ease of deployment, and classification accuracy. See the results below:
| Product | Existing features | Missing features |
|---|---|---|
| | 17 | 0 |
| | 16 | 1 |
| Teramind DLP | 14 | 3 |
| Sophos Intercept X | 12 | 5 |
| Trellix DLP | 10 | 7 |
| Acronis Cyber Protect | 6 | 11 |
The benchmark results below show which features are provided and which are missing:
Benchmark results: Feature comparison
We compared these products across four dimensions. You can see the descriptions of these dimensions or check our benchmark methodology. To assist businesses in selecting the right DLP product, we conducted a comprehensive benchmark review of six popular DLP solutions, all offering free trials.
Channel coverage
* Attachments that are assigned as sensitive data can be blocked or audited, and internal & external users can be blocked by software.
** Allowance for specific applications to open, edit, or screen capture sensitive data by software.
Administration
Data classification
Other capabilities
* Acronis is offering a web filtering option as an add-on, categorized as ‘cloud-based URL filtering’.
How to choose the right DLP for your business?
While all tested DLP tools effectively cover primary data channels such as peripherals, email, and applications, data classification remains a persistent challenge. Accurate classification is critical for preventing data loss while avoiding false positives. Based on our findings, we offer the following best practices for testing DLP solutions safely and effectively:
- Simulate realistic data: Generate test datasets to mimic confidential information. This minimizes risk while allowing you to evaluate the tool’s capabilities without exposing sensitive business data.
- Leverage masked employee data: If test data creation isn’t feasible, use anonymized or masked datasets with controlled access. Build a separate database for this purpose, ensuring data integrity and security.
- Limit data scope: Test solutions on a small, controlled group of employee data rather than complete production datasets to mitigate risks and maintain compliance.
- Avoid using production data in PoC environments: Proof-of-concept or trial systems can inadvertently expose sensitive information, so prioritize test environments free from live production data.
Our analysis also highlights that while off-the-shelf classifiers can provide basic functionality, their effectiveness is often limited. Customizing data classification policies to align with your organization’s unique needs is essential to achieve optimal protection and reduce false positives.
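One way to apply the first practice and measure a classification rule against it, shown as an added example that is not part of the original benchmark or any vendor's product. The sample texts, the rule names, and the choice of a Luhn checksum and a keyword hint as the tuning steps are assumptions made for illustration; every card and SSN value is generated, not real.

```python
import random
import re

CARD_RE = re.compile(r"\b\d{16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_HINT_RE = re.compile(r"\b(ssn|social security)\b", re.I)

def luhn_ok(digits):
    """True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def fake_card(rng, valid=True):
    """Constructed 16-digit value; valid=False shifts the check digit so Luhn fails."""
    body = "4" + "".join(str(rng.randrange(10)) for _ in range(14))
    check = next(c for c in range(10) if luhn_ok(body + str(c)))
    return body + str(check if valid else (check + 1) % 10)

def fake_ssn(rng):
    """Constructed SSN-shaped value in the 900-999 area range, which is never issued."""
    return f"9{rng.randrange(100):02d}-{rng.randrange(1, 100):02d}-{rng.randrange(1, 10000):04d}"

def build_corpus(seed=7, per_kind=25):
    """Return labelled (text, is_sensitive) pairs; all values are synthetic."""
    rng = random.Random(seed)
    docs = []
    for _ in range(per_kind):
        docs.append((f"Card on file: {fake_card(rng)} exp 01/30", True))
        docs.append((f"Employee SSN: {fake_ssn(rng)}", True))
        # Benign look-alikes: same shape as the sensitive values, different meaning.
        docs.append((f"Shipment tracking id {fake_card(rng, valid=False)}", False))
        docs.append((f"Part no. {fake_ssn(rng)} back in stock", False))
    return docs

# Each rule maps document text to True (flag as sensitive) or False.
RULES = {
    # Off-the-shelf style: anything with the right shape is flagged.
    "shape_only": lambda t: bool(CARD_RE.search(t) or SSN_RE.search(t)),
    # Tuned: card numbers must pass Luhn, SSN shapes need a nearby keyword.
    "validated": lambda t: any(luhn_ok(m) for m in CARD_RE.findall(t))
                 or bool(SSN_RE.search(t) and SSN_HINT_RE.search(t)),
}

def evaluate(rule, corpus):
    """Count hits, false positives and misses for one rule over a labelled corpus."""
    tp = sum(1 for text, label in corpus if label and rule(text))
    fp = sum(1 for text, label in corpus if not label and rule(text))
    fn = sum(1 for text, label in corpus if label and not rule(text))
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}

if __name__ == "__main__":
    corpus = build_corpus()
    for name, rule in RULES.items():
        print(name, evaluate(rule, corpus))
```

On this constructed corpus the shape-only rule flags every look-alike tracking id and part number, while the validated rule flags none of them and still catches every seeded value.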
Netwrix Endpoint Protector
We tested Netwrix Endpoint Protector and looked at its DLP capabilities. Our findings are summarized below:
Summary of findings:
- Effective features:
  - Granular control over 30+ devices.
  - Device monitoring through a control dashboard.
  - Deep Packet Inspection for network file transfers.
  - Predefined and custom policies.
  - Effective rights for policy creation.
  - eDiscovery for sensitive data detection.
  - USB encryption.
  - Notifications and alerts for blocked actions.
  - Customizable client notifications.
  - Audit trail.
  - Tamper protection.
- Ineffective features:
  - No device management.
1. Channel coverage
Endpoint Protector enables granular control over 30+ device types, including USB devices, Bluetooth devices, smartphones, and more.
Peripheral devices
Device control
Administrators can set up access control for defined devices such that devices can be allowed or blocked from connecting to the clients’ computers.

Applications
Deep Packet Inspection
Deep Packet Inspection (DPI) enables the administrator to manage network file transfers. Administrators can set up controls for webmail, drives, and third-party applications listed below. When enabled, Content Aware Protection (CAP) and device control settings work in compliance with DPI scans.
2. Data classification
Content Aware Protection (CAP)
Predefined policies
Predefined policies are available in 3 groups based on the client’s operating system: Windows, Mac, & Linux.
There are 86 predefined policies for Windows. Examples include:
- File transfers: File transfers based on their content (graphic, archive, or programming) can be blocked.
- HIPAA: File transfers based on their content must comply with HIPAA, or else they are blocked.
- GDPR: File transfers based on their content must comply with GDPR, or else they are blocked.

Custom policies
Custom policies can be defined based on policy exit points, users, and the policy action of choice.
3. Administration
Access rights
Effective rights enable policy creation (the proper access control rule) based on a specific user, device, or format (file type).
Global rights are device-control rights that apply in general. You can set different access rights for different devices.
Policy creation
To create a policy, the administrator can select from predefined or custom options.
The administrator can order policies by priority level, placing one policy ahead of another.
eDiscovery
Detects sensitive data at rest and enables encryption, decryption, and deletion at the target. You can create policies based on file types and file content. The policy defines the objects to be scanned.

The scan output helps the administrator see where sensitive data resides and take action.

Custom classes
Enables custom class creation and settings for devices such that administrators can assign “Trusted Device (TD)” based on device information, such as its serial number and type.

Deny & allow lists
Deny and allow lists help define sensitive content, which CAP and eDiscovery then aim to detect. You determine which file types, custom content, file locations, scan locations, regex, domains, URLs, and e-mail domains are allowed and which are disallowed.


USB encryption
Endpoint Protector enables USB device encryption. The administrator can automate the action.

Notifications & alerts
When we tried to attach an .xlsx file named “Confidential”, containing social security number information, in WhatsApp, Endpoint Protector blocked the action and notified the administrator as below:
The administrator can see event logs in the Content-Aware Report window. The event log includes details such as event, time, user, device, destination, and file.

Other features
- Microsoft AD and Microsoft Entra ID synchronization are supported by the program.
- Client notifications can be customized.
ManageEngine Endpoint DLP Plus
We leveraged ManageEngine Endpoint DLP Plus’ free trial. Enabling users to notify administrators about false positives was a helpful feature that not all other providers offer.
Summary of findings:
- Effective features:
  - Effective data classification.
  - Effective email and application protection.
  - Customizable data rules.
  - Users can notify administrators about false positives.
  - Option to report false positives.
  - Offers active inventory integration.
  - Offers tamper protection.
  - Comprehensive audit trail.
- Ineffective features:
  - No device management.
  - No cloud deployment.
  - No file search.
1. Channel coverage based on selected policy enforcement or audits
Printers, USB devices, applications, etc., can be added to a trusted devices or applications list. You can specify a device by entering the device instance path.
Network and USB printers are the two types available. Disk drivers and CD-ROMs are the two options available for removable storage devices.
If a device or application is not trusted, communication with it will be blocked. You may also choose to audit devices or applications.
ManageEngine Endpoint DLP Plus can be configured to protect assigned sensitive data by blocking its upload to the designated browser.
How does ManageEngine Endpoint DLP Plus block files?
Once sensitive data has been assigned in the data rules section, ManageEngine Endpoint DLP Plus applies the specified policies.
Users are given the option to report false positives to the administrator. This functionality is not provided in all DLP solutions.
2. Data discovery & classification
The solution enables users to choose from the rules library or create custom rules for sensitive data discovery.
Step-by-step guide on the configuration of data rules for sensitive data discovery:
Data classification is based on regular expressions. AIMultiple hasn’t come across any semantic classification capabilities.
Custom rule based on file extension: Files with a given extension (for example, PNG and JPEG) can be assigned to the sensitive data category.

Custom rule based on regex (regular expression): Files containing a match for a given expression (for example, the expression “ba”) can be assigned as sensitive data.
3. Administration experience
Users with different access levels:
After installing agents, custom agent groups can be used to associate policies based on agent group membership. Policy deployment asks the user to provide a custom group of agents, policy of choice, and data rules.
Data rules and policy associations work together. Data rules define what counts as sensitive data, and the associated policies are then expected to protect it.
The image below provides a summary of the program’s process units:
ManageEngine prepares audit reports according to agent audit requirements, at the desired frequency:
The program’s user interface keeps the administrator informed about events involving a policy breach in the home segment and in the reports segment.
False positive notifications
The program allows users to notify the admin about false positives. This allows the admin to adjust policies in light of false positives.
Deployment
The free version of ManageEngine Endpoint Control Plus is limited to 30 days of use and cannot be deployed in the cloud; it must be installed on the admin’s device.
Sophos DLP platform
In this section, we provide a summary of our findings, along with detailed findings categorized into channel coverage, data classification, and administration.
Summary of findings:
- Effective features:
  - Effective email, peripheral, and application protection.
  - Tamper protection works effectively.
  - Offers Active Directory integration.
  - Customizable data classification.
  - Offers file search/tags with hashes.
  - Comprehensive audit trail.
  - Supports peripherals.
- Ineffective features:
  - Some features, like peripheral protection, require custom policies.
  - No user behavior analytics.
  - No device management.
1. Channel coverage
For both peripherals and email, the default base policies did not stop file transfers, but we were able to block them with custom policies, as seen in the image below.
Custom policy:
- Application: The application control feature restricted file transfer to other platforms, such as Google Drive.
- Email/IP-based exceptions: Users can be directly included or excluded from the policies.
- Peripherals: 9 types of removable devices can be monitored and controlled, which is fewer than other competitors like Endpoint Protector.
2. Data classification
- Automated data classification was ineffective, as it classified risky emails as low-severity.
- Customized data classification: You can customize the data classification parameters. The following options are available for customization.
- Data classification verification: Our team could access a comprehensive list of files and their classification status.
3. Administration
- Tamper protection: Restricted devices from tampering with the agent software and required a password share to uninstall the agent file. This feature worked during our test (see image below).
- Audit trail: Sophos Central successfully recorded audit logs of user activities.
- Files search/tags with hashes: Sophos offers this through its discovery features to identify risky files.
Teramind DLP platform
In this section, we provide a summary of our findings, along with detailed findings categorized into channel coverage, data classification, and administration.
Summary of findings:
- Effective features:
  - Effective protection for peripherals, email, and applications.
  - Detailed data classification customization.
  - Comprehensive audit trail.
  - Offers Active Directory integration.
  - Offers file search.
- Ineffective features:
  - Ineffective data classification.
  - Custom policies are difficult to manage.
  - No tamper protection.
  - No OCR.
1. Channel coverage
- Peripherals: USB blocking policies were effective, but they also blocked non-confidential files from being copied to peripheral devices.
  - The types of devices were not mentioned in the removable devices policies.
- Email: Email policies are effective; however, they also prevent internal users from sending emails.
- Application: The application protection policy restricts all data from being transferred to applications such as Google Drive.
- Email/IP-based exceptions: You can exclude specific emails or domains from policies.
2. Data classification
- Data classification was ineffective because it could not distinguish between confidential and non-confidential data.
- Customized data classification: Detailed customization options are available for this feature. However, some familiarity with the platform is required to use them.
- Data classification verification: Our team verified the details of the classified data.
3. Administration
For behavior policies, see the image below:
- Tamper protection: It was ineffective, as the user could easily tamper with the agent file.
- Audit trail: We were able to monitor each user’s activity trail. Alerts were also sent to the admin’s email (see image below).

- OCR data identification: Teramind lacks web-based OCR support in the free trial.

Acronis Cyber Protect
In this section, we offer a summary of our findings and detailed findings categorized into channel coverage, data classification, and administration.
Summary of findings:
- Effective features:
  - Supports USB devices in its device control policy.
  - Effective data classification.
  - Effective application protection.
  - Comprehensive audit trail.
  - Offers Active Directory integration.
- Ineffective features:
  - Ineffective email protection policies (have problems with some file formats).
  - No data classification customization.
  - No tamper protection.
  - No files search/tags with hashes feature.
  - No comprehensive web filtering.
1. Channel coverage
- Peripherals & email: The base policy worked fine on blocking USBs for agents. However, emails with confidential data were not blocked. Email-specific policies were also not found. Ten types of removable devices are covered in its device control policy.


- Application: The data protection policy restricted confidential data from being transferred to cloud storage, such as Google Drive.

2. Data classification
- Effective data classification: The data classification feature worked on confidential data being copied to removable storage devices.

- Customized data classification: While the DLP features include data classification capabilities, the predetermined classifications cannot be edited.
- Data classification verification: Our team could not verify the data that was classified by the set policies.
3. Administration
- Tamper protection: Our team did not find any tamper protection options on Acronis Central.
- Audit trail: Each user’s activities are recorded, and there is a separate audit log for all devices.
- Files search/tags with hashes: Our team could not find any features to tag files with hashes.
Trellix DLP
In this section, we provide a summary of our findings, along with detailed findings categorized into channel coverage, data classification, and administration.
Summary of findings:
- Effective features:
  - Wide channel coverage.
  - Comprehensive email and application protection.
  - Customizable data rules.
  - Offers an audit trail.
  - Offers tamper protection.
  - Offers web filtering.
- Ineffective features:
  - No active directory integration.
  - No file search.
  - No user behavior analytics.
  - No OCR.
1. Channel coverage
Trellix DLP covers a wide range of endpoint and network channels but lacks uniformity across certain critical areas.
Email Protection
- Trellix can detect when a user configures Outlook to send sensitive files through personal email accounts and can quarantine emails containing sensitive information.
- However, the release of quarantined emails can be cumbersome, requiring manual approval from the sender, sender’s manager, or data owner through email notifications rather than a streamlined, automated process.
- Additionally, Trellix does not fully support filtering sensitive data from being synchronized to mobile devices via ActiveSync for certain user groups.

Device control / peripheral devices
- Monitoring and control of peripheral devices are possible.
- Trellix does not support a unified policy (single set of rules) for all channels, which limits flexibility in environments where multiple peripheral devices are used.
- Administrators can set up access controls for USB devices and other peripherals.
- Policy implementation can sometimes be inconsistent, especially across newer channels such as mobile devices.
- Advanced support, like encryption for USB devices, requires additional subscriptions.
Applications
- Trellix supports DLP policies for various applications.
- Chrome, for instance, is not fully supported, allowing users to bypass DLP policies in certain scenarios, like while uploading files from a public Wi-Fi.
2. Data classification
Predefined policies
Trellix’s predefined policies cover a range of common regulatory frameworks, such as PCI-DSS and GDPR.
- The policy templates are not as comprehensive or accurate as those of competitors, leading to potential gaps in detection.
Custom policies
- The administrator can create custom policies using keywords, regular expressions, and file fingerprinting.
- However, Trellix does not support more advanced features like machine learning or behavioral risk-based protection.
OCR data identification: Trellix lacks full OCR support for web detection and prevention, as it can only inspect graphical documents like PDFs with scanned content for discovery purposes, not for prevention.
3. Administration
Trellix DLP’s administration capabilities offer basic features, but some essential functionalities are missing or underdeveloped.
Access rights: Administrators can assign rights based on users or groups, but Trellix lacks role-based delegated administration, limiting the ability to assign specific roles for policy management and incident handling.
Other features: Trellix offers standard features such as USB encryption and endpoint DLP policy enforcement. However, advanced options like risk-adaptive protection and native behavioral analytics are either limited or require third-party integration, which adds complexity to deployment.

Notifications & alerts: Alerts are generated for incidents such as sensitive data transfers via email, but the lack of customization in reporting and limited incident management capabilities may require additional manual oversight by administrators.

Focus points of benchmark testing
1. Channel coverage
Data communication can take place across different channels, which need to be secured.
- Peripherals: DLP technology makes use of device control to prevent the unauthorized movement of data to removable storage devices like USBs or other peripherals like printers.
- USB Devices/drives/memory cards
- Printers (policy-based control)
- Webcams
- iPhone/Android phones
- Bluetooth Devices
- Communication channels like Discord, WhatsApp, etc.
- Email: Including message body and attachments
- Applications: Certain applications that may not involve communication (e.g., Word) may need to be blocked or allowed to operate on sensitive files with the help of data classification. Especially critical applications include Microsoft Office, Google Docs, Google Drive, Zoom, and Skype.
- Email/IP-based exceptions: Testing to see if users or agents are excluded from the policy through email or IP address.
- Active Directory (AD) integration: Active Directory integration in DLP software enables centralized management of user access and policies based on directory services.
- Device management: Device management and DLP are essential components of a comprehensive mobile security strategy. Device management focuses on device-level management and control, while DLP ensures data protection and prevents unauthorized disclosure.
All of the providers offer MDM as an add-on. The free trial versions didn’t offer device management.
2. Administration / other
Deployment: Some solutions offer only on-premises or SaaS options for administrators. With the SaaS option, DLP product companies must provide a fully isolated environment and a written guarantee to the customer about the safety of their data.
Audit trail: DLP solutions must record user actions to maintain an audit trail of sensitive information. All benchmarked solutions provide this, but the details vary from one to another.
For example, the detailed version contains detailed traces of administrative activities surrounding policies, users, and roles, service configurations, incident access, remediation, and structured and unstructured configuration profiles. The basic version includes only user logins and activities.
Tamper protection for agent files: This prevents the uninstallation or other tampering with the software on agent devices. Additionally, DLP agents should be protected with long, complex passwords to prevent unauthorized uninstallation or interruption of their services.
Agent/group rule assignment: We checked if policies and rules can be assigned to individual agents/users and agent/user groups.
Files search/tags with hashes: We checked whether the ‘search’ or ‘discovery’ features support tagging files with hashes.
Built-in data security policies: Many DLP tools include policy templates for common types of sensitive data, such as personally identifiable information, protected health information, and IBAN/crypto wallet ID detection.
Device monitoring through a control dashboard: The DLP Dashboard lets you view the data and content-related activity in your network based on the data control policies. The screen contains several widgets that provide visibility for the different data violation criteria. The screen also lets you filter according to a specific time frame to drill down and focus on the relevant data violations and events in your account.
Notifications and alerts for blocked actions: The DLP alerts provide detailed information about each alert, including the type of policy violated, the user involved, and the data that was attempted to be shared or leaked, allowing security teams to quickly identify potential data breaches and take action.
Option to report false positives: When a user performs an action that is restricted by the DLP policy, a block event triggers an alert message. Sometimes, the alert event is for an action that is legitimate but, for some reason, is considered forbidden by the DLP policy. Such incidents are false positives. To overcome this issue, the block can be marked as a false positive, allowing the user to then access the sensitive file.
Customizable data rules: DLP allows users to create custom data rules, offering flexibility for tailored data protection to meet specific needs.
3. Data classification
Automated data classification
Classifying data into designated sensitivity levels helps ensure that sensitive information is protected with appropriate measures. DLP products enable the automatic detection of sensitive data based on predefined data categories (data discovery).
These categories are determined by pre-established policies after identifying and defining the company’s data and critical data assets. Data classification can be coordinated with the predefined policies provided in the “Policies” section.
All benchmarked providers offer automated data classification capabilities.
Effective data classification
AIMultiple tested the correctness of auto data classification with a few files, including:
- Personal health record
- Confidential due diligence document, which included the statement “private and confidential” at the bottom of every page
- Trade secret (i.e., source code for a website function)
Customized data classification
Data classification can be customized with regex, file extensions, etc.
Data classification verification
Classified data needs to be verifiable by administrators and members of the GRC team to ensure that the classification works correctly. During the testing or proof-of-concept (PoC) phase, personnel from the GRC team should participate alongside administrators.
They can legally check and confirm the data classifications. Typically, solutions provide lists of files that are classified in a certain way (e.g., financial data, healthcare data).
OCR
We checked if the vendors offer OCR data identification from images or visuals.
The providers that don’t have the OCR feature in the free trial have it as an add-on.
Benchmark methodology
- Software installation: We installed the admin and agent modules on separate PCs.
- Policy addition: Additional policies were added to compare the effectiveness of basic policies with the custom ones.
- Data input: Various files containing different levels of confidential and financial data were shared through other channels, each with distinct security settings.
- Gather evidence: Screenshots were taken of relevant parts of the platform.
- Findings: The findings are presented and summarized in this benchmark.