Data Loss Prevention (DLP) is the discipline of detecting, classifying, and acting on sensitive data in motion as it crosses an enforcement boundary — endpoint, network egress, SaaS API, browser session, or, increasingly, the prompt-and-response surface of an AI runtime. The buyer noun is data flows — what is moving, of what classification, to where, via which channel — not people (IRM) or data at rest (DSPM). The architectural anchor is a classification engine paired with one or more enforcement primitives (block, encrypt, watermark, quarantine, alert-only), wired into channels the buyer cares about 12. The 2026 product narrative has shifted from regex-and-fingerprint pattern matching as the primary substrate toward AI-classifier substrates — LLM-driven semantic models, ML-trained file classifiers, vendor-proprietary "Large Lineage Model"-style engines, and computer-vision classifiers — and from "stop the file from leaving" toward "stop the sensitive content from being typed into a chatbot or pasted into an agent's tool call" 345. Incumbents are stacking AI-classifier modules onto their heritage classification pipelines 26; AI-native entrants ship AI-classifier substrates as the primary detection engine 34.
Where the categories overlap. DLP overlaps with IRM on user-context-aware enforcement, with DSPM on data classification, and with SSE on cloud-edge enforcement. Per the report's taxonomy 7, DLP owns the data movement primitive — channel coverage and enforcement primitives — while IRM owns the people primitive and DSPM owns the discovery primitive. The category test is which question a vendor's product actually answers: DLP answers what data is moving where, and should we stop it; IRM answers who is doing what, and why; DSPM answers what data exists, and who can reach it. When a vendor's hero page claims all three, the practical test is which question their channel coverage, policy library, and enforcement defaults are actually built around.
The DLP category sits in the data-flow / enforcement quadrant. IRM shares the people side; DSPM shares the data-classification substrate. SSE bundles DLP modules into the cloud-edge enforcement layer; AI Security entrants are extending DLP into the AI-runtime channel.
What DLP IS. A classification-and-enforcement workflow for data movement. Policies are content-driven (PII, PHI, source code, financial data, IP) and channel-aware (which egress paths are blocked outright, which alert, which are encrypted in-flight, which are watermarked). Enforcement is inline where the buyer has chosen to block (browser uploads, USB writes, SaaS API egress) and asynchronous where they have not (SaaS-API-discovered exposures, retrospective audit). The 2026 DLP product surfaces commonly include: endpoint agent, network/proxy egress inspection, SaaS API connectors, browser extension, email gateway integration, and (newly) AI-runtime hooks for prompt and output inspection 28.
What DLP IS NOT. Not an IRM (the workflow does not centrally orchestrate HR-and-Legal review of a person's risk trajectory; alerts are content-and-channel-centric, not person-centric), not a DSPM alone (DSPM maps data at rest and access paths; DLP enforces on the wire), not an AI Security platform (AI App Sec governs the runtime of AI applications — agents, tool calls, output filtering — while DLP governs data egress whether or not it traverses an AI runtime 7), and not an SSE (SSE bundles DLP as a module of a cloud-edge security platform; a standalone DLP vendor sells the primitive without the full SASE stack).
Three common buyer misconceptions. First: "DLP is a solved problem — we've had it for fifteen years." The Symantec and Forcepoint lineage products that defined the 2010s category were built on regex-and-fingerprint paradigms that, on the public evidence, struggle with semantic data — paraphrased source code, summarized contracts, screenshots of sensitive material. Both incumbents have layered ML and behavioral-analytics modules on top of the heritage classification pipeline 69, but as of 2026 neither has shipped a vendor-flagship AI-runtime-egress capability at the level the AI-native entrants are positioning around 345. Second: "SSE-bundled DLP from Netskope or Zscaler covers our needs — we don't need a standalone DLP." This is true for cloud-edge channels and increasingly true for browser, but materially less true for endpoint, USB, print, and AI-runtime channels where SSE platforms have shallower coverage than standalone DLP specialists. Third: "AI-runtime DLP is just prompt-inspection — any LLM gateway does it." Prompt inspection is the visible surface; the harder problem is output inspection (sensitive content generated by the LLM in response to non-sensitive prompts 10) and agent tool-call inspection (sensitive content moving through an agent's downstream calls 11). Vendor claims here are not yet stabilized; the 2026 RFP language is forming, with Operant AI currently the only named-outlet-sourced vendor publicly addressing the MCP-protocol-level tool-call inspection problem 1112.
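An added example, not part of the original report or any vendor's product: a minimal sketch of the content-driven, channel-aware decisioning described under "What DLP IS", applied to the three AI-runtime surfaces named in the third misconception (prompt, model output, agent tool call). The detectors, the policy table, the `redact` action and all function names are assumptions for illustration; the tool-call message follows MCP's JSON-RPC `tools/call` shape.

```python
import json
import re

# Constructed detectors; commercial engines layer EDM, fingerprinting and ML on top.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout
KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")        # AWS access key ID layout

SEVERITY = {"allow": 0, "alert": 1, "redact": 2, "block": 3}

# Hypothetical policy table: classification -> channel -> enforcement action.
POLICY = {
    "PCI":    {"prompt": "block",  "model_output": "redact", "tool_call": "block"},
    "PII":    {"prompt": "redact", "model_output": "redact", "tool_call": "redact"},
    "SECRET": {"prompt": "redact", "model_output": "redact", "tool_call": "block"},
}


def luhn_ok(digits):
    """Checksum that separates card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return non-overlapping (start, end, label) findings in position order."""
    found = [(m.start(), m.end(), "PCI") for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    found += [(m.start(), m.end(), "PII") for m in SSN_RE.finditer(text)]
    found += [(m.start(), m.end(), "SECRET") for m in KEY_RE.finditer(text)]
    kept, last_end = [], 0
    for start, end, label in sorted(found):
        if start >= last_end:
            kept.append((start, end, label))
            last_end = end
    return kept


def inspect_text(channel, text):
    """Return (action, labels, text_to_forward); text is None when blocked."""
    findings = classify(text)
    action = "allow"
    for _, _, label in findings:
        candidate = POLICY.get(label, {}).get(channel, "alert")  # unlisted: alert only
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    labels = sorted({label for _, _, label in findings})
    if action == "block":
        return action, labels, None
    if action == "redact":
        for start, end, label in reversed(findings):  # right to left keeps offsets valid
            text = text[:start] + f"[REDACTED:{label}]" + text[end:]
    return action, labels, text


def inspect_tool_call(raw):
    """Inspect each string argument of an MCP `tools/call`; return (action, message)."""
    msg = json.loads(raw)
    if msg.get("method") != "tools/call":
        return "allow", msg
    worst = "allow"

    def walk(value):
        nonlocal worst
        if isinstance(value, str):
            action, _, out = inspect_text("tool_call", value)
            if SEVERITY[action] > SEVERITY[worst]:
                worst = action
            return value if out is None else out
        if isinstance(value, dict):
            return {k: walk(v) for k, v in value.items()}
        if isinstance(value, list):
            return [walk(v) for v in value]
        return value

    params = msg.setdefault("params", {})
    params["arguments"] = walk(params.get("arguments", {}))
    if worst == "block":
        # Hand a JSON-RPC error back to the agent instead of forwarding the call.
        error = {"code": -32000, "message": "blocked by DLP policy"}
        return "block", {"jsonrpc": "2.0", "id": msg.get("id"), "error": error}
    return worst, msg


if __name__ == "__main__":
    # Constructed samples: a test card number, a made-up SSN, a documentation-style key.
    print(inspect_text("prompt", "Charge 4111 1111 1111 1111 for the renewal"))
    print(inspect_text("model_output", "The customer's SSN is 123-45-6789."))
    call = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
            "params": {"name": "send_email",
                       "arguments": {"body": "key AKIAIOSFODNN7EXAMPLE"}}}
    print(inspect_tool_call(json.dumps(call)))
```

The same card number triggers different actions on different channels, and only the tool-call path has to walk structured arguments rather than a single string.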
Market sizing — three estimates, NOT averaged. DLP market-size figures diverge by roughly an order of magnitude across named private forecasters depending on whether scope is "DLP software only" or "data loss prevention solutions and services." Fortune Business Insights places the 2026 market at USD 4.22B under a "solutions and services" definition, projecting USD 23.76B by 2034 at 24.10% CAGR 13. Mordor Intelligence places it at USD 42.87B under what it describes as "strictly DLP software solutions," projecting USD 111.98B by 2031 at 21.17% CAGR; cloud-based held 67.31% of 2025 revenue per the same report 14. P&S Market Research's USD 4.9B 2025 figure with 21.3% CAGR (2026–2032) 15 sits near the Fortune band. The takeaway is not a precise number — it is that DLP "market size" is a scope-definition question more than a measurement question, and any vendor or buyer citing a single DLP TAM should be asked which definition they are pricing against. Two of three named estimates project low-to-mid 20s CAGR, indicating a market that is structurally growing at AI-and-cloud rates regardless of which baseline is correct. Gartner discontinued the DLP Magic Quadrant in 2018 and now publishes a Market Guide only 16; IDC publishes a MarketScape Worldwide DLP Vendor Assessment (2025 edition cited by Forcepoint 17). Neither publishes a freely accessible TAM number; both shape vendor positioning narrative rather than the dollar-size number.
Buyer trends. Five shifts shape the 2026 DLP buyer. First, DLP-as-module-of-DSPM-platform consolidation: Forcepoint positions its 2026 offering as unifying "DSPM, DDR and DLP in an AI-native platform" 18; Cyberhaven's February 2026 unified platform bundles DSPM + DLP + IRM + AI Security 19; BigID announced "DSPM-Augmented DLP" on March 24, 2026 20; Microsoft Purview ships a productized DLP migration assistant for Symantec and Forcepoint customers 21. The buying motion has shifted from "buy DLP" to "buy a data-security platform whose DLP module replaces my legacy DLP." Second, the legacy-DLP rip-and-replace renewal cycle: a five-vendor consensus (BigID, CrowdStrike, Cyberhaven, GTB, Concentric) in 2026 published material frames Symantec/Forcepoint/McAfee-era DLP as structurally unable to handle cloud-first architectures and AI-driven access 2223242526. Third, identity-platform-led DLP: Palo Alto Networks closed its USD 25B acquisition of CyberArk on February 11, 2026 — the largest transaction in cybersecurity history — with the framing "secure every identity across the enterprise — human, machine, and agentic" 2728. Combined with Prisma Cloud DLP / Prisma SASE / Cortex XSIAM, this reframes DLP as an identity-controlled-access problem. Fourth, "secure enablement" replaces "block and deny": 2026 vendor messaging (Strac, BigID, Nightfall, Concentric, Cyberhaven) converges on language describing a shift from blocking to secure enablement of sanctioned AI usage with redaction at the exfil case 292230. Fifth, compliance-evidence-generation as a discrete RFP line item: Strac frames AI DLP as a compliance-evidence-generation tool for SOC 2, HIPAA, GDPR, and EU AI Act Article 10 29; Hyperproof's 2026 brief treats DLP as feeding audit-readiness rather than purely preventive control 31.
User trends. The end-user picture has bifurcated. The browser is the new dominant exfil surface — Strac cites that 80% of generative AI data leaks happen in the browser 29; the user is no longer attaching a file, the user is pasting a prompt. Employees average 66 GenAI applications per organization while only 17% of organizations have technical controls capable of preventing uploads to public AI tools, per IBM's Cost of a Data Breach 2025 cited in 2026 republication 3230. AI-generated content moves both ways across the perimeter: outputs returning to enterprise systems from external models are themselves a classification surface, because the model may have memorized or recombined sensitive material 2933. Vectra's 2026 benchmark places AI-related data-policy violations at 223 per enterprise per month; shadow AI added USD 670,000 to average breach costs in IBM's 2025 data, with 20% of organizations reporting breaches specifically caused by shadow AI 3432. The dominant structural failure mode at the reviewer tier is alert overload, not missed alerts 22 — mirroring the IRM reviewer-fatigue pattern that Microsoft Purview's Triage Agent and Cyberhaven's Linea AI Analyst Agent address in IRM.
Tech trends. Four shifts. DSPM-augments-DLP convergence is no longer optional — Forcepoint, Cyberhaven, BigID, Microsoft Purview, and Palo Alto Prisma Cloud all bundle DSPM with DLP in 2026 platform pitches 1819202127. Detection has moved from content-aware to content-and-context-aware via data lineage (where data originated, who touched it, how it moved); Cyberhaven claims 90%+ false-positive reduction via lineage-context versus pattern-match 30, a vendor claim, not independent validation. A four-surface AI DLP architecture has codified in 2026 buyer conversations: Browser DLP (extensions inspecting prompts to ChatGPT/Claude/Gemini), Endpoint DLP (OS-level monitoring of AI coding agents), SaaS DLP (governance of AI connectors), and MCP DLP (auditing Model Context Protocol connections) 2935. MCP itself transitioned "from zero to standard in under twelve months" per Strac's framing 29; AI agents autonomously connect to databases, source repos, and internal APIs via MCP, with legacy DLP/CASB/proxy controls holding zero visibility into the resulting machine-to-machine traffic 33. Identity-context has become a primary enforcement input post-Palo Alto/CyberArk close — machine identities outnumber human identities 80-to-1 per the Palo Alto closing release 27, a ratio that argues content-rule DLP cannot scale to machine-identity volume even in principle.
Regulatory trends. Five drivers. EU AI Act Article 10 high-risk-system obligations take effect August 2, 2026 with DLP as a primary control for the data-governance requirements 3637; high-risk categories span biometrics, critical infrastructure, education, employment/HR, essential services, law enforcement, migration, and justice — substantially overlapping regulated-industry DLP buyer profiles. GDPR enforcement has uplifted against AI-data flows, with TechGDPR and IAPP both flagging that GDPR already covers AI personal-data processing and the AI Act adds a second layer rather than a replacement 3839. The US state privacy law mosaic (CCPA/CPRA plus equivalents in CO, CT, UT, VA, plus 2024-2025 additions in TX, FL, OR, MT) now requires jurisdiction-aware policy enforcement in multi-state-operating enterprises 314041. Sectoral rules (HIPAA, PCI-DSS, SOX) have gained AI-specific overlays, creating a budget-bypass channel where AI-DLP gets bought under sectoral renewal even when AI-governance is unbudgeted 313042. And the EU Digital Markets Act Two-Year Review names AI and cloud as priority enforcement areas going into 2026–2027, with downstream-tenant inheritance effects through Microsoft 365 / Google Workspace / AWS / Azure defaults 43.
Nine vendors evaluated across three tiers: 3 Gravity (public or post-$100M private), 4 Attention (analyst-mentioned, growing into category visibility), and 2 Wildcard (named-outlet-sourced emerging entrants).
Reading the quadrants — upper-left: narrow channel + LLM-semantic detection (AI-runtime-first specialists). Upper-right: multi-channel + LLM-semantic detection (platform vendors with modern classification). Lower-left: narrow channel + regex/policy detection (legacy single-channel tools). Lower-right: multi-channel + regex/policy detection (heritage enterprise DLP suites). Tier colors mark Gravity (orange), Attention (green), and Wildcard (grey).
Author's read of public material, May 2026. Vendor positions are conceptual, not data-derived.
"In Microsoft Purview, you implement data loss prevention by defining and applying DLP policies. A DLP policy can help you identify, monitor, and automatically protect sensitive in Enterprise applications & devices and Inline web traffic data." — Microsoft Learn product docs, accessed 2026-05-13 44
Purview DLP is the volume leader by distribution reach. The buyer rarely makes a standalone DLP purchase decision — DLP activates as part of a broader Microsoft 365 E5 / E5 Compliance rollout. Stated USP is the breadth of Microsoft 365 signal coverage paired with a layered classification stack (policy templates, exact-data-match, fingerprinting, trainable classifiers, and ML-based adaptive protection scoring user risk into policy) 4445. Microsoft 365 Copilot integration extends classification to prompt-and-output for Microsoft-tenant Copilot specifically 46. Target buyer is the CISO at a Microsoft-standard enterprise, with purchase routed through the M365 enterprise contract. Pricing signal: bundled inside E5 + Microsoft Purview Suite add-on (user-based) or pay-as-you-go (data-estate-based); no standalone DLP price visible. Architectural classification: SaaS, Microsoft-tenant-bounded, endpoint agent for Windows/macOS/Linux, Edge browser hooks, no inline network proxy. Published-material tier: heavy — Microsoft Learn docs, Mechanics videos, FastTrack rollout playbooks, Gartner Peer Insights footprint, the productized Symantec/Forcepoint migration assistant 21.
Symantec DLP carries the Vontu (2007 Symantec acquisition) → Symantec → Broadcom (2019 acquisition) lineage 47 and is the architectural reference platform that defined the 2010s enterprise-DLP category. Stated USP is multi-channel enterprise DLP across endpoint, network, storage, cloud, and email — the broadest channel-count DLP suite by heritage, with Described Content Matching, Exact Data Matching, Indexed Document Matching, and Vector Machine Learning layered into the classification stack 48. The combined product naming ("DLP & Data Protection") signals that Broadcom positions Symantec as the DLP layer of a broader Information Protection portfolio, not a standalone hero product; the vendor's hero positioning has migrated up-stack to software-platform framing, with the Vontu lineage preserved in the product name rather than in active hero positioning. Target buyer: Global 2000 enterprise security architect standardized on the Symantec stack, dense in financial services, healthcare, and government. Pricing: enterprise contract, not public. Architectural classification: hybrid on-prem Enforce server (central policy + incident management) with cloud option; multi-channel detection servers (Endpoint, Network Prevent for Web/Email, Storage, Cloud); regex/EDM/IDM/VML detection stack. Material tier: vendor-controlled thin; named-outlet medium; a decade of Gartner MQ Leader history pre-Broadcom is the strongest external anchor. NASDAQ: AVGO public parent.
"Prevent Data Loss and Adapt to Risk in Real Time. Unify data security for AI, cloud, web, email and endpoint with real-time, intelligent enforcement and sweeping compliance coverage." — Forcepoint DLP product page, accessed 2026-05-13 49
Forcepoint is owned by Francisco Partners, with its commercial-side DLP business retained after the January 2024 Everfox carve-out of the federal G2CI business that TPG acquired for USD 2.45B 5051. Stated USP is risk-adaptive DLP — Forcepoint's "Adapt to Risk in Real Time" framing integrates user-behavior risk scoring from Forcepoint Behavioral Analytics into enforcement decisions, structurally differentiated from Symantec's static-policy heritage and Microsoft's bundled-template approach 4952. Lineage: Websense → Raytheon (2015 acquisition of Websense + Stonesoft) → Triton → Forcepoint (2016 rebrand) → Francisco Partners (2021); behavioral-analytics fusion comes from the Raytheon-acquired RedOwl heritage. Target buyer: organizations handling PII/PHI/PCI in hybrid-work environments under multi-jurisdictional regulatory exposure; the page calls out "AI, cloud, web, email and endpoint" as five coverage channels. Pricing: "Request Pricing" CTA only, enterprise contract motion. Architectural classification: hybrid endpoint + on-prem management server + Forcepoint ONE SSE cloud plane, with Risk-Adaptive Protection module cloud-hosted 4952. Material tier: vendor-controlled medium — body copy and analyst-recognition framing fully extractable, post-Everfox-carveout commercial Forcepoint surface healthier than expected.
"DLP Reimagined. We questioned every assumption and built a DLP solution from the ground up to protect data in a better way." — Cyberhaven DLP product page, accessed 2026-05-13 53
Cyberhaven's $100M Series D in April 2025 at $1B post-money valuation 54 crossed the post-$100M-private threshold, but the company's positioning and analyst footprint still sit in the Attention tier rather than Gravity — earnings visibility has not reached public-vendor-grade depth. The dedicated DLP page hero is materially more category-redefining than the corporate homepage ("AI & data security platform unifies DSPM, DLP, Insider Risk, and AI Security"), signaling Cyberhaven's product team positioning the DLP module to win standalone RFPs, not just as a row on a platform-bundle line item. Stated USP is data lineage — the "where did this data come from, who touched it, where is it going" graph — fed into the proprietary "Large Lineage Model" classifier substrate that the vendor markets as enabling "semantic understanding of data, people, and applications…without any rules, definitions, dictionaries, or policies" 53. Target buyer: AI-era CISO consolidating multiple data-security line items into one platform. Pricing: enterprise subscription, not public. Architectural classification: cloud-analytics plane with multi-source collection (endpoint agent + browser extensions + cloud SaaS apps) — the same architecture as Cyberhaven's IRM module in Front 1, sharing the data-lineage substrate. Material tier: medium — PR Newswire funding cycle, Latka revenue disclosures ($52.4M FY 2026), February 2026 unified platform launch press cycle. Cross-reference: Cyberhaven also appears in IRM Front 1 Attention tier — same vendor, primary DLP primitive evaluated here.
"Stop data leaks to AI — and everywhere else. Nightfall helps you put data loss prevention on autopilot across AI apps, endpoints, and SaaS." — Nightfall AI homepage, accessed 2026-05-13 55
Nightfall is the AI-native cloud DLP positioned from inception around ML-classifier detection rather than regex/fingerprint, with a multi-paradigm AI/ML stack the vendor describes as "100+ AI-based models, LLM based file classifiers and Computer Vision models" 55. Stated USP is breadth of pre-built classifiers for cloud-native content types (Slack, Microsoft 365, Google Workspace, GitHub, Salesforce, Jira, Confluence, OneDrive, SharePoint, Notion, Zendesk) plus generative-AI tools (ChatGPT, Copilot, Gemini, DeepSeek, Claude, Perplexity), endpoint via lightweight macOS/Windows agent, and browser plugin 55. Target buyer: "Startups to Fortune 500" — cloud-native mid-market and enterprise SecOps teams standardizing on SaaS-first DLP, often at SaaS-collaboration-heavy organizations. Pricing: /pricing page exists with "6x Average ROI" claim; no tier names on homepage. Architectural classification: cloud-SaaS API-first, deployable in minutes; lightweight endpoint agent + browser plugin for AI-tool coverage. Material tier: medium — TechCrunch, BusinessWire funding announcements, analyst-mentioned in cloud-DLP coverage. Funding staleness note: most recent public round is Series B ~$40M in September 2022; the press page shows active 2026 content cadence (2026 AI Agent Risk Report, current webinars) but no Series C announcement at access time 55. Positioning is current and AI-native; the staleness flag attaches to the war-chest signal, not the messaging substrate.
The digitalguardian.com domain now 301-redirects to fortra.com/platform/data-loss-prevention — the Digital Guardian sub-brand has been absorbed into the Fortra platform 56, parallel to the Code42 → Mimecast Incydr redirect documented in IRM Front 1 Pattern Claim 1. Stated USP is endpoint-led DLP with managed-service deployment option (Digital Guardian Managed Security Program), with deep endpoint agent telemetry across Windows, macOS, and Linux 57. Lineage: Verdasys (founded 2003, endpoint-DLP pioneer) → Digital Guardian (2014 rebrand) → Code Green Networks network-DLP acquisition (2014) → HelpSystems (2021) → Fortra (2022 portfolio rebrand). Target buyer: regulated-industry CISO with strong endpoint-control requirements; pharma, financial services, and defense-industrial-base customer base historically dense. Pricing: enterprise contract; managed-service tier disclosed in vendor case studies. Architectural classification: endpoint-led, hybrid analytics, content-aware + context-aware + DBRM fingerprinting (structured and unstructured) 57. Material tier: thin on vendor-controlled; medium on named-outlet (acquisition coverage 2021–2022).
"Stop Data Loss — Modernize your data loss prevention program. Prevent data loss from careless, compromised and malicious users." — Proofpoint Enterprise DLP product page, accessed 2026-05-13 58
Proofpoint is a Thoma Bravo take-private (August 2021, USD 12.3B transaction value 59) that reportedly crossed $2B ARR mid-2024 under Thoma Bravo ownership 60. The Enterprise DLP product is a distinct surface from Insider Threat Management (ITM, which lives in IRM Front 1 [^c4 in IRM chapter]) — same parent company, two distinct product lines. The DLP product family bundles email-DLP heritage with the Dathena AI-classification engine (2023 acquisition 61) and Tessian behavioral-AI email DLP (2024 acquisition 62) — a material architectural reshape across 2023–2024. Stated USP is adaptive, human-centric DLP combining unified-console oversight, Nexus AI classifiers, and cross-channel coverage (email + cloud + endpoint). Target buyer: email-security-led CISO who has standardized on Proofpoint and is rationalizing data-protection line items into the Proofpoint platform. Pricing: not disclosed; per-user bundled into Proofpoint platform pricing. Architectural classification: hybrid — primarily cloud-SaaS for email channel; endpoint agent for endpoint coverage; cloud-hosted management plane. Material tier: vendor-controlled heavy. Pillar surprise: less aggressive than expected — Proofpoint's DLP page does NOT lead with the unified-platform narrative that Cyberhaven, Cyera, and Microsoft Purview lead with. The unified-suite framing surfaces one level up at the Information Protection product family page; on the DLP product page itself Proofpoint sits one structural step behind the 2026 convergence narrative.
"One AI brain. Zero noise. DLP, finally working. Every alert pre-analyzed and ready to act on." — Cyera DLP product page, accessed 2026-05-13 63
Cyera closed a USD 400M Series F at $9B post-money in January 2026 — a triple-up from $3B in June 2025 — co-led by Lightspeed, Greenoaks, and Georgian, with Accel, Sapphire, Coatue, Sequoia, Redpoint, and new investor Blackstone participating; three independent named-outlet anchors (Fortune, Calcalist, BusinessWire) plus the company press release 6465. Stated USP per the verbatim DLP product page pillar: AI-native overlay that sits above existing DLP tooling rather than replacing it. Architectural reality per tech-credibility.md: Cyera is DSPM-primary at founding (2021); the DLP capability ("Omni DLP") is a derivative use of the core AI classification engine, positioned as the unified-decisioning layer consuming signals from upstream enforcement points (legacy Symantec/Forcepoint estates) and presenting prioritized DLP alert workflows 63. The marketing pillar is DLP-overlay-on-top-of-DSPM; the architectural truth is DSPM-primary with DLP as a layered enforcement module — agentless, cloud-native, no endpoint agent, "<1 day to value" per vendor framing 63. Cross-segment placement note: Cyera is DSPM-anchored, included in this DLP front because the 2026 vendor narrative explicitly bridges DSPM↔DLP and Cyera's funding visibility makes it the strongest-sourced emerging-tier vendor in the data-security-platform space. Pricing: /pricing link present, no tier names visible, enterprise motion.
"Operant AI has launched Operant Endpoint Protector, a new addition to its AI Defense Platform that enables enterprise IT and security teams to discover, detect, and defend against threats across every AI tool, coding agent, and Model Context Protocol (MCP)-connected workflow used by employees, directly at the endpoint where most consequential AI activity takes place." — Help Net Security, republishing Operant launch announcement, 2026-05-04 66
Operant AI's homepage leads with "Secure Your AI" and positions broadly as AI-runtime defense, not DLP-specifically; the DLP-relevant positioning is extractable only via named-outlet republication of the May 4, 2026 Endpoint Protector launch (Help Net Security + GlobeNewswire 6667). The product features include multi-dimensional PII/PCI/PHI policies enforced inline within prompts, agent loops, and MCP traffic, with auto-redaction for secrets and keys in motion. Architectural classification per tech-credibility.md: multi-component (endpoint agent + MCP Gateway + AI Gatekeeper inline runtime component + cloud management plane). Operant was founded as a Kubernetes/cloud-native runtime-security product before pivoting to AI-runtime egress in 2025–2026; the May 4 endpoint launch added the endpoint-agent leg. The CEO/founder quote names "the largest blind spot in the enterprise security stack" — the endpoint where AI agents actually meet enterprise data. Target buyer: enterprise IT and security teams at organizations where AI agents are actively in production. Pricing: not disclosed. The phrase "MCP DLP" is analyst-coined rather than vendor-claimed at the verbatim level — the chapter describes Operant as participating in an MCP-DLP-shaped category without attributing the literal phrase to Operant's own marketing. Material tier: named-outlet covered, no analyst inclusion yet, no public reference customers in the launch material — the typical early-stage signature.
Five strategic moves in motion across 2026.
Snapshot of recent funding events, valuations, strategic investors, and any documented distress signals across the DLP front. All figures trace to vendor-controlled surfaces, SEC filings, or named-outlet journalism (CNBC, Reuters, Bloomberg, Calcalist, BusinessWire, GlobeNewswire, PRNewswire, SecurityWeek, Fortune). Executive departures appear only when corroborated by two or more named outlets; LinkedIn-only signals are treated as positioning facts, not distress events.
A six-year compression of the DLP money story: Broadcom's $10.7B acquisition of Symantec Enterprise Security in 2019; Thoma Bravo's $12.3B take-private of Proofpoint in 2021; the Cyberhaven Series C-to-D ramp 2024–2025 crossing $1B valuation; TPG's $2.45B carve-out of Forcepoint G2CI to Everfox in October 2023; and the Cyera Series F at $9B in January 2026 — the largest DLP-adjacent mega-round of the period.
| Vendor | Most Recent Round | Valuation (if public) | Strategic Investor | Distress Signal |
|---|---|---|---|---|
| Microsoft (Purview Data Loss Prevention — module within Microsoft 365 E5 / E5 Compliance) 73 | n/a — bundled within M365 E5 licensing 74 | Public parent (NASDAQ: MSFT); Purview DLP revenue not broken out separately | n/a — incumbent platform | (empty — no public distress event) |
| Broadcom (Symantec Data Loss Prevention — within Broadcom's Enterprise Security Group) 75 | Public — Symantec Enterprise Security acquired by Broadcom in 2019 for ~$10.7B cash; Symantec DLP 25.1 released Oct 1, 2025 7677 | Public (NASDAQ: AVGO); Symantec DLP revenue not separately disclosed | n/a — public parent | (empty — no public distress event specific to the DLP product line; integration into Enterprise Security Group is positioning fact, not distress) |
| Proofpoint (private; DLP via Email DLP + Tessian acquisition + Information Protection suite) 78 | Take-private by Thoma Bravo closed Aug 31, 2021 at $176.00/share cash, ~$12.3B transaction value 7980; ARR crossed $2B mid-2024 under Thoma Bravo ownership 81 | | Thoma Bravo (PE sponsor) | (empty — no public distress event; see IRM front cross-reference for Jan 2024 enterprise-level layoff disclosure) |
| Cyberhaven (data lineage / content-aware DLP) 82 | Series D — $100M led by StepStone Group, with Schroders and Industry Ventures, announced Apr 2, 2025; total funding $250M 8384 | $1B post-money valuation (7× in 12 months from $488M Series C in Jun 2024) 85 | StepStone Group (NASDAQ: STEP); prior rounds: Adams Street, Khosla Ventures, Redpoint, Costanoa, Vertex, Wing | (empty — no public distress event) |
| Forcepoint (commercial; private; pure-play data security after Oct 2023 G2CI divestiture) 86 | Acquired by Francisco Partners from Raytheon Technologies in Jan 2021; G2CI government business divested to TPG for $2.45B closing Oct 2, 2023 (rebranded Everfox Jan 2024) 875051 | Private — not disclosed | Francisco Partners (PE sponsor) | (empty — no public distress event; planned CEO succession announced per company PR is positioning fact, not distress) 88 |
| Cyera (Wildcard — DSPM-led platform converging DSPM + DLP + identity) 89 | Series F — $400M co-led by Lightspeed, Greenoaks, Georgian, with Accel, Sapphire, Coatue, Sequoia, Redpoint, and new investor Blackstone, announced Jan 8, 2026; total funding $1.7B+ 6465 | $9B post-money valuation (triple-up from $3B in Jun 2025) 90 | Blackstone (NYSE: BX) — new strategic investor in Series F; prior rounds led by Sequoia, Accel, Coatue | (empty — no public distress event) |
The DLP war chest tilts toward the scaled incumbents and PE-owned consolidators more than IRM does. Microsoft Purview DLP, Broadcom-owned Symantec DLP, and Thoma-Bravo-owned Proofpoint together represent the three deepest balance sheets in the segment; none discloses DLP-specific revenue and none carries a same-paragraph distress anchor 737681. The VC-funded specialist tier is thinner than IRM's — Cyberhaven is the single $1B-tier pure-play with a 2025-fresh round 84; Forcepoint's commercial business is a private PE asset reshaped by the $2.45B G2CI divestiture to TPG 50. Zero public distress signals populate the DLP front at access time — a material structural difference from IRM, which carried Varonis's October 2025 re-rating, 5% layoff, and securities class action. The Wildcard is Cyera at $9B post-money (Jan 2026 Series F) with Blackstone joining the cap table, materially better-capitalized than the IRM Wildcard cohort 64. Watch signal: Nightfall AI has been funding-silent for over three years (last public round September 2022 Series B 91) — positioning is current and AI-native, but absent a 2026–2027 round announcement the staleness shifts from messaging to balance-sheet visibility.
Not investment advice. See front-matter disclosure.
Three themes shape what's winning and losing in DLP today. Each is anchored to public evidence, framed explicitly as opinion, and stated as a falsifiable prediction the next twelve months will either confirm or refute.
Winners.
forcepoint.com/blog/insights/best-dlp-software unifies DSPM + DDR + DLP 69) generates documented buyer-side platform displacement or remains positioning-tier only.
digitalguardian.com 301-redirect to fortra.com/platform/data-loss-prevention signals sub-brand absorption 56 parallel to Front 1's Code42 → Mimecast Incydr absorption. Watch signal: hero-pillar refresh on the Fortra platform page, any named-customer reference, or pricing surface changes through H2 2026.
No DLP Contender earns a Losers label in this chapter. A vendor reaches this section only when a cited public event — layoff, missed quarter, down-round, named executive departure, or customer-churn disclosure — is specific to that vendor's DLP business, not a parent-company-wide action. As of May 2026, no DLP Contender meets that bar in the public record reviewed for this chapter. Proofpoint's enterprise-level layoff disclosures cross-reference IRM Front 1's Watch treatment. The Forcepoint CEO succession is company-PR-only and reads as positioning, not distress; the Symantec sub-brand absorption into Broadcom is a positioning fact, not a casualty. Quarterly refreshes will populate this section if DLP-specific signals emerge.
Five watchlist items for H2 2026.
Three companion artefacts. Same research, three formats.
Disclosure: The author is Head of Product (Fractional) at AXIA, which competes in DLP. This chapter uses only publicly available material and reflects the author's personal view, not AXIA's position.
This report does not constitute investment, legal, tax, or accounting advice. No claim in this report should be relied upon as the basis for any investment decision. The author has no trading position in any named public security and is not compensated by any named vendor. Readers who use this report in investment contexts bear sole responsibility for their decisions.