BIPI

Why Your DLP Catches Nothing — and What Actually Works

Cybersecurity

Most DLP deployments produce thousands of false positives and zero real catches. Content-pattern matching is the wrong tool for modern exfiltration. Behaviour-based detection is.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 19, 2026 · 7 min read

#dlp #data-protection #insider-threat #detection

Across the dozen production DLP deployments we have audited in the last year, content-matching rules caught close to zero real exfiltration events. False positives ran into the millions, and so did the cost of the deployments. The economics are dire and they are not improving.

DLP fails because it bets on content patterns that exfiltration tools learned to evade a decade ago. Modern attackers do not paste credit card numbers in emails. They take screenshots, archive into encrypted ZIPs, fragment files into innocuous chunks, exfiltrate over DNS or via Slack uploads. The content-pattern match has nothing to find.

Why content-pattern matching fails

DLP was designed for a 2010 world where the threat was an employee accidentally pasting a Social Security number into a Gmail compose. The pattern works there because the data is in cleartext and the channel is monitored. In 2026 most exfiltration is intentional, not accidental, and the channels have moved.

We see three failure modes. First, encryption: an encrypted ZIP's payload is opaque bytes, so no content pattern matches. Second, fragmentation: the 10 MB customer database becomes 10,000 1 KB messages over Slack DMs, and no individual message crosses a threshold. Third, channel migration: the DLP sees email and endpoint web traffic; it does not see Slack, Notion, or the AI assistants the user pastes data into.

Behaviour-based detection is the upgrade

Forget the content. Watch the behaviour. The signals that work in our deployments:

  1. Volume anomalies. A user who normally sends 50 MB outbound per day suddenly sends 5 GB in two hours. Forget what is in those bytes. The volume itself is the alert.
  2. Destination anomalies. A user who has never connected to a personal Gmail address now uploads a large file to one. The destination domain is the signal.
  3. Time-of-day anomalies. The export job that runs at 2 AM on a weekend, by a user who has never been seen logging in outside business hours.
  4. Concurrent-action anomalies. A user who creates a sales report, downloads it, then immediately opens a personal email tab. The sequence is suspicious; either action alone is innocent.
  5. Privileged-data access patterns. Database queries that return more rows than the user has ever returned before, from an account that has been quiet for three months.

What to deploy in practice

Step one: turn off the DLP content-pattern rules that are producing more than 100 alerts per day. They are noise. Their alert volume is hiding real signals from human reviewers.

Step two: instrument egress. NetFlow on the office network. Cloud network logs (VPC Flow Logs in AWS, equivalent in GCP and Azure). Identity logs from your IDP. These three feeds are the substrate for behaviour detection.

Step three: build five behaviour-based rules from the list above. UEBA tools (Splunk, Elastic, Exabeam) ship with rule libraries; pick rules and tune them. Or write the SQL yourself if your data lives in a SIEM with a sane query language. The rules are not complex; the discipline is in tuning them down to high-signal alerts.
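To make the three steps concrete, here is an added example (not code from BIPI or from any of the UEBA products named above) that builds a per-user baseline from egress records and flags the volume, destination and time-of-day anomalies from the list above. The record layout, the thresholds and the sample data are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress records: (user, "YYYY-MM-DD HH:MM", destination, bytes out).
# The field layout is an assumption for this example, not a real flow-log format.
BASELINE = [("alice", f"2026-03-{d:02d} 10:00", "crm.example.com", 50_000_000) for d in range(1, 31)]
BASELINE += [("bob", f"2026-03-{d:02d} 21:00", "backup.example.com", 20_000_000) for d in range(1, 31)]
WINDOW = [  # a two-hour slice of the day under review
    ("alice", "2026-04-04 02:10", "mail.example-personal.com", 2_500_000_000),
    ("alice", "2026-04-04 02:40", "mail.example-personal.com", 2_500_000_000),
    ("bob", "2026-04-04 21:15", "backup.example.com", 18_000_000),
]

def off_hours(ts, business=(7, 19)):
    """True when the timestamp falls outside the assumed business-hours window."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    return not business[0] <= hour < business[1]

def build_baseline(records):
    """Per user: mean daily outbound bytes, destinations seen, whether off-hours activity was ever seen."""
    daily = defaultdict(lambda: defaultdict(int))
    dests, offh = defaultdict(set), defaultdict(bool)
    for user, ts, dst, nbytes in records:
        daily[user][ts[:10]] += nbytes
        dests[user].add(dst)
        offh[user] |= off_hours(ts)
    mean = {u: sum(days.values()) / len(days) for u, days in daily.items()}
    return {"mean_daily": mean, "dests": dests, "off_hours": offh}

def detect(window, base, volume_factor=10, new_dest_min_bytes=100_000_000):
    """Flag volume, new-destination and off-hours anomalies; never inspects content."""
    alerts, total = set(), defaultdict(int)
    for user, ts, dst, nbytes in window:
        total[user] += nbytes
        # Destination anomaly: a large upload to a domain this user has never used before.
        if dst not in base["dests"][user] and nbytes >= new_dest_min_bytes:
            alerts.add((user, "new-destination", dst))
        # Time-of-day anomaly: off-hours activity from a user never seen off-hours (bob is exempt).
        if off_hours(ts) and not base["off_hours"][user]:
            alerts.add((user, "off-hours", ts))
    # Volume anomaly: the window total against the user's own daily mean, not a global threshold.
    for user, nbytes in total.items():
        mean = base["mean_daily"].get(user)
        if mean and nbytes > volume_factor * mean:
            alerts.add((user, "volume", nbytes))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(WINDOW, build_baseline(BASELINE)):
        print(alert)
```

Every alert here is relative to the user's own history, which is what keeps bob's habitual 21:00 backup traffic quiet while alice's 5 GB night-time upload to an unfamiliar domain fires three rules at once.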

What good looks like

A defensible exfiltration program in 2026 has three properties. The DLP system is not the spine of detection — UEBA is. The DLP system is reduced to the narrow case it actually solves (accidental email send). The exfiltration alerts that fire are reviewed within four hours, not buried in a queue of 10,000 noise alerts.

Closing

The DLP industry sells a 2010 product into 2026 threats. Most teams buy it because procurement asked for 'a DLP' and the checklist needed a vendor. The teams catching real exfiltration are the ones who quietly invested in behaviour-based detection on top, kept the DLP for accidents, and stopped expecting content patterns to save them.
