Data Security Posture Management (DSPM) is the discipline of finding sensitive data wherever it lives across cloud, SaaS, on-prem, and AI-training surfaces; classifying it; mapping who and what can reach it; and recommending or executing posture changes to close exposure gaps. The buyer noun is data at rest — what exists, where it sits, who can touch it, and how exposed it is — not data flows (DLP) or people (IRM)12. The architectural anchor is a discovery-and-classification engine paired with an access-and-permissions graph, wired into the data estates the buyer cares about: object storage, managed databases, data warehouses and lakehouses, SaaS data tenants, AI training corpora, and (increasingly) the vector stores and embedding indexes feeding production LLM and agent workflows. The 2026 product narrative has shifted from regex-and-fingerprint classification toward AI-classifier substrates, and from cloud-storage-only coverage toward a multi-estate scope that explicitly includes AI training pipelines and unstructured SaaS data34.
Where the categories overlap. DSPM shares substrate with DLP on data classification, with IRM on access-pattern visibility, and with CNAPP on cloud asset discovery. Per the report's taxonomy5, DSPM owns the discovery primitive — finding data, classifying it at rest, mapping access paths — while DLP owns the enforcement primitive (stopping egress) and IRM owns the people primitive (who is doing what, and why). The category test is which question a vendor's product actually answers: DSPM answers what data exists and who can reach it; DLP answers what data is moving where, and should we stop it; IRM answers who is doing what, and why; CNAPP answers what is the security posture of this cloud workload. When a vendor's hero page claims more than one, the practical test is which question their discovery scope, classification engine, and remediation defaults are actually built around.
The DSPM category sits in the data-at-rest discovery quadrant. DLP shares the data-classification substrate; IRM shares the access-pattern visibility surface. CNAPP claims data security as a sub-feature of cloud-workload protection — a boundary the chapter dissects below. AI Security entrants are extending DSPM into AI-training-pipeline and vector-store coverage.
What DSPM IS. A discovery-and-posture workflow for data at rest. Coverage scope spans cloud object storage (S3, Azure Blob, GCS), managed databases and warehouses (RDS, Aurora, Snowflake, BigQuery, Databricks), SaaS data tenants (M365, Salesforce, Workday, ServiceNow), increasingly on-prem and hybrid file shares, and — newly — AI-training pipelines (training data corpora, vector embeddings, RAG indexes)613. Classification is AI-classifier-led in 2026 vendor narratives, with regex-and-fingerprint relegated to fallback paths. The action posture spans pure visibility (recommendation-only, leave remediation to DLP and IAM controls), guided remediation (the platform proposes posture changes that the buyer approves and applies through downstream tools), and automated remediation (the platform applies posture changes inline — IAM tightening, encryption-at-rest enforcement, sensitive-data quarantine, or — in the most aggressive vendor positioning — automated DLP-style inline blocking on egress). The 2026 DSPM product surfaces commonly include: cloud-data-store connectors, SaaS-tenant API connectors, IAM and permissions-graph ingestion, sensitivity-classification engines (LLM-based or trained ML), remediation workflows, and increasingly DDR (Data Detection and Response) for runtime data-access monitoring.
What DSPM IS NOT. Not a DLP alone (DLP enforces on egress; DSPM maps and recommends posture, with some vendors extending into enforcement primitives but most leaving that to DLP integration). Not a CNAPP (CNAPP secures the cloud workload — compute, network, identity, secrets — with data security as one feature among many; DSPM treats data-at-rest as the load-bearing primitive). Not a CSPM (CSPM checks cloud-configuration posture against benchmarks; DSPM checks data posture across cloud-stored data). Not an AI Security platform (AI App Sec governs the runtime of AI applications; DSPM governs the data feeding and produced by them — a separate scope5). And not a data catalog or data governance tool (Collibra, Alation, OneTrust DataDiscovery) — those products lead with metadata management and governance workflows; DSPM leads with security posture and exposure reduction.
The DSPM category is the muddiest of the data fronts in 2026 because four distinct vendor archetypes claim DSPM territory, each with different load-bearing primitives, and the term "DSPM" appears on product pages in ways that range from primary-category-anchor to feature-bullet-buried-in-CNAPP-taxonomy. The boundary commentary that follows uses verbatim pillars from each archetype's product surface to make the distinction concrete; the report's §3.2c scoping rule is that vendors whose primary product page leads with "DSPM" or "Data Security Posture Management" as the headline category are in §3.3 Contenders, while vendors that mention DSPM as a sub-feature of CNAPP or as one capability inside a broader platform appear in §3.4 Plays only.
Archetype 1: DSPM-native specialists. Cyera's dedicated DSPM product page leads with "Modern DSPM. Complete data clarity. Actionable intelligence. Built for the AI era."3. Sentra positions itself as a DSPM-led platform with adjacent Data Detection and Response7. Symmetry Systems self-identifies as a DSPM leader recognized in Gartner's Market Guide for DSPM (2025) and ships DataGuard as its core DSPM product8. Concentric AI similarly references its Gartner Market Guide recognition under the DSPM category and leads its homepage with data-security-governance framing9. These are the cleanest §3.3 placements — DSPM is the headline category, the product taxonomy is DSPM-anchored, and the rest of the platform is built outward from the DSPM primitive.
Archetype 2: Platform-incumbents-with-DSPM-module. Microsoft Purview ships DSPM as a dedicated module of the Purview compliance suite, with the documentation surface explicitly titled "Learn about Data Security Posture Management (classic)" and a successor "new DSPM" with expanded data-source coverage1. BigID leads its homepage with "The Only Platform Built for AI Risk at Every Layer"10 and presents DSPM as the first sub-pillar under its Data Security product line — a "platform-led, DSPM-first" framing distinct from Cyera's DSPM-as-headline approach. Varonis, by contrast, leads varonis.com with "Secure AI and the Data That Powers It" and positions DSPM as a use-case module of its Data Security Platform ("Improve your data security posture automatically")11 — DSPM is a feature surface, not the lead category. The report's §3.2c rule resolves these by surface evidence: Microsoft and BigID have dedicated DSPM product surfaces that lead with DSPM-as-category, so they are in §3.3; Varonis's hero leads with AI+Data Security Platform and DSPM lives in the use-case nav, so Varonis is a §3.4 Plays / §3.6 Pattern Claims reference.
Archetype 3: CNAPP-extensions claiming DSPM. Wiz leads wiz.io with "Protect Everything You Build and Run" and positions data security inside its code-cloud-runtime CNAPP taxonomy12; DSPM is not a primary pillar on the homepage. Orca leads orca.security with platform-positioning copy and self-describes as "industry-leading CNAPP" in its meta-description13; DSPM is not mentioned on the homepage. CrowdStrike Falcon Cloud Security leads crowdstrike.com/platform/cloud-security with "Stop cloud breaches from code to runtime" and is positioned in IDC's MarketScape for Worldwide CNAPP and Frost Radar™ for CNAPPs14; the page taxonomy includes CSPM, ASPM, and AI-SPM, but DSPM is absent — even though CrowdStrike acquired Flow Security in 2024 for its DSPM-adjacent capability, the marketing surface continues to lead with CNAPP. FortiCNAPP, the post-acquisition rebrand of Lacework, leads with "Cloud-Native Application Protection Platform (CNAPP)"15 and similarly does not surface DSPM as a primary pillar. These four are §3.4-only references in this chapter; the §3.6 candidate Pattern Claim "The CNAPP-Absorbs-DSPM Thesis" examines whether their structural pull eventually displaces standalone DSPM specialists.
Archetype 4: Data-governance-and-privacy pivots to DSPM. Securiti.ai leads securiti.ai with "Your Data Command Center™"16 — an umbrella positioning that includes DSPM as one capability alongside Gencore AI (safe enterprise AI) and Agent Commander (agentic AI risk). Securiti's heritage is PrivacyOps; the 2024-2026 pivot is to Data Command Center framing that explicitly bundles DSPM but does not lead with it. The §3.2c rule places Securiti in §3.4 Plays. BigID's pivot from data-governance heritage to DSPM-first product taxonomy makes it a §3.3 inclusion despite the platform-led hero — the structural primitive is data discovery and classification, and DSPM is named as a lead product surface even when the hero copy is platform-level. The two pivots are different vectors of the same underlying motion: legacy data-governance and privacy vendors are repositioning around DSPM language as the buyer term-of-art shifts.
The boundary problem is itself a load-bearing observation for §3.6 Pattern Claims. The §3.3 in-scope vendor list of eight names covers Archetypes 1 and 2; the §3.4 section covers Archetypes 3 and 4. Three candidate Pattern Claims emerge from this scope decision and are seeded for §3.6 authoring: The CNAPP-Absorbs-DSPM Thesis (Archetype 3 displaces Archetypes 1 and 2 on cloud workloads), The Data-Governance-Pivot Thesis (Archetype 4 — and BigID-style §3.3 vendors — reshape buyer expectations around DSPM as data-governance-with-security-teeth), and a third claim on AI-training-pipeline coverage as the emerging differentiator that separates Archetype 1 specialists from Archetype 3 CNAPP-extensions. This boundary discussion is methodological scaffolding the reader can interrogate; if the surface evidence shifts (a CNAPP vendor re-hero-positions DSPM, or a DSPM-native folds into a CNAPP suite), the §3.3-vs-§3.4 split reads differently and the Pattern Claims need to update with it.
Three common buyer misconceptions. First: "DSPM is just a fancier CSPM — if I have Wiz or CrowdStrike for cloud security, I have DSPM coverage." CSPM checks cloud-configuration posture against benchmarks; DSPM classifies the actual sensitive data sitting in those clouds and maps who can reach it. The two answer different questions, and 2026 vendor evidence shows that CNAPP-leading vendors materially de-prioritize DSPM on their hero surfaces (Wiz, Orca, CrowdStrike, FortiCNAPP all surface CNAPP/CSPM/CWPP first; DSPM appears as a sub-feature or not at all)12131415. Buyers who treat CNAPP-bundled DSPM as equivalent to a DSPM-native product are accepting a coverage-and-classification depth gap that surfaces during real-incident investigations. Second: "DSPM is a discovery tool — I'll buy it once, build the inventory, and the data won't change." The 2026 data estate changes weekly: SaaS connectors get added, AI training corpora grow, vector stores spin up for new agent workflows. Continuous discovery and re-classification is the actual job; one-time scans are the failure mode the 2018-era data-discovery products got wrong. Third: "DSPM and DLP are the same product with two names — vendors are just renaming legacy DLP." DLP enforces on egress; DSPM discovers and classifies at rest, with most §3.3 contenders surfacing remediation guidance rather than inline enforcement primitives. The convergence is real — Cyera, BigID, and Proofpoint DSPM all ship classify-and-protect bundles — but the buyer test is which primitive is load-bearing: a DSPM-led product makes posture-and-discovery decisions first and treats DLP as one of several enforcement options; a DLP-led product makes enforcement decisions first and treats discovery as setup. The §3.4 DSPM-augments-DLP Play (carried over from DLP Front 2 §2.2 Buyer Trends) is the structural motion that's blurring this line, but the buyer's evaluation question stays distinct.
DSPM is the youngest of the three data fronts and the one where "market size" is most clearly a category-boundary claim rather than a measurement. Three named forecasters reach 2026-vintage estimates that differ by approximately 80×. Frost & Sullivan places the 2024 baseline at USD 415M growing at 37.4% CAGR through 2029, under a narrow software-only "DSPM tool" definition1718. Sentra-cited material places the 2024 baseline at USD 1.86B growing to USD 22.5B by 2033 (~32% CAGR implied) under a multi-cloud DSPM platform definition19. Relyance AI's republication of InsightAce Analytic projects USD 34.2B by 2034 at 34.2% CAGR under a broader data-security-platform-including-AI-workloads definition20. The spread is itself the finding: any vendor or buyer citing a single DSPM TAM should be asked which scope (tool, platform, data-security-broad) they are pricing against. Palo Alto Networks' own DSPM Market Size Guide surfaces four additional named forecasters with seven-estimate range wider than 80×18. Gartner's only publicly-citable DSPM figure is not a dollar amount but a penetration trajectory — below 1% in 2022, projected past 20% by 20262122. That penetration framing may be the most defensible "size of the opportunity" claim in 2026 reporting.
Buyer trends. Three transactions in a six-month window reshape the DSPM buyer conversation from "buy a DSPM tool" to "evaluate the DSPM module of my cloud, identity, or data-resilience platform." Google closed its USD 32B Wiz acquisition on March 11, 2026 — the largest cloud-security deal in history; Wiz had previously absorbed DSPM into its CNAPP via the Gem Security acquisition, and the Google close embeds DSPM into the Google Cloud product surface2324. Veeam closed its USD 1.725B Securiti AI acquisition on December 11, 2025 — Securiti described in the press release as "the #1-ranked DSPM platform" by Veeam — and unveiled the DataAI Command Platform at VeeamON on May 13, 2026, mapping DSPM against 100+ regulatory frameworks including EU AI Act, DORA, GDPR, HIPAA, and NIST2526. Palo Alto Networks closed its USD 25B CyberArk acquisition on February 11, 2026, restructuring identity-led data security at scale with DSPM sitting adjacent to identity governance under the Prisma Cloud and Cortex XSIAM umbrellas27. Standalone DSPM as a procurement category may be approaching its renewal-cycle limit. The Palo Alto Networks 2026 DSPM Adoption Report cites 92% of enterprises using multi-cloud architectures and 83% of IT and cybersecurity leaders identifying lack of data visibility as a primary security-posture weakness28, and Sentra's 13-criteria 2026 CISO buying rubric codifies the procurement reframe: agentless-everywhere deployment, in-environment operation, >98% unstructured-data classification accuracy, petabyte-scale cost efficiency, full remediation-workflow automation, and usage-based pricing19.
User trends. DSPM has a buyer/user-split problem unlike DLP. DLP has a relatively clean buyer-user mapping — security team buys, security team operates. DSPM's day-two operator is ambiguous across security, data, and privacy teams. The Wiz academy piece names "security and IT teams" as the operating unit29; BigID's 2026 guide describes a "data security, privacy, and compliance teams" multi-stakeholder operating model30; Cyera's platform documentation references "data owners" as in-scope remediation actors31. The buyer is the CISO; the operator is increasingly outside the CISO's direct org. Modern DSPM platforms route alerts to the right operator with context — Sentra's "issues routed directly to data owners" framing19 is representative, and Forcepoint's February 2026 "Top 8 DSPM Trends" piece names trend #1 as "DSPM becomes an active security layer, not a reporting tool"32. A second user-side shift sits beneath this: as agentic AI moves from discovery (read-only) to action (read-write) on data, the operator question becomes "who approves the agent's read-write to sensitive data classes?" — historically a privacy / data-governance call, increasingly a security-team call when handled in real time28.
Tech trends. Four architectural shifts define the 2026 surface. First, AI training pipelines, model artifacts, vector databases, fine-tuning datasets, and RAG context stores are newly in-scope data classes. Thales, Zscaler, and Wiz all 2026-position AI-training-data as the primary new frontier for DSPM coverage333435; Zscaler explicitly markets "D(AI)-SPM" as the AI-extended DSPM category34. Second, discovery is splitting into two camps — manifest-based scanning (catalog-and-inventory-driven) and semantic-AI-driven classification (LLM-based content classification including unstructured text). Forcepoint's 2026 trends piece names "AI-powered classification becomes table stakes" as trend #532; Sentra's >98% unstructured-data classification accuracy threshold19 is the semantic-AI camp's marketed bar. Third, inline enforcement — historically rare in DSPM — is emerging as the active-security-layer pivot. Veeam's DataAI Governance framing ("enforces control at the data source, not at the agent, so known and unknown agents cannot access sensitive data if that data is governed at the source"25) is the strongest 2026 named-vendor articulation. Fourth, DSPM/CNAPP convergence at the platform layer is the structural pattern post-Wiz: Wiz/Google, Palo Alto Prisma Cloud, Microsoft Defender for Cloud, CrowdStrike Falcon Cloud Security, and SentinelOne Singularity Cloud all embed DSPM within CNAPP by 2026. The standalone-DSPM category survives only where data-coverage breadth or AI-data-specific positioning materially exceeds what cloud-native CNAPP can offer.
Regulatory trends. EU AI Act Article 10 high-risk-system obligations take effect August 2, 2026363738 and are the most-cited single 2026 regulatory deadline in DSPM buyer-facing material. Article 10 requires data-governance practices including "examination in view of possible biases," "appropriate data preparation processing operations," and traceability of training datasets — which maps directly onto DSPM's discovery + classification + lineage + access-governance surface. Thales, Zscaler, and Wiz all 2026-position DSPM as the compliance-evidence-generation layer for Article 10333435, and the Veeam DataAI Compliance product line maps explicitly against EU AI Act, DORA, GDPR, HIPAA, NIST, and AI RMF25. GDPR Article 30's records-of-processing requirement was historically a documentation exercise; in 2026, with AI training datasets as a new processing class, the burden is operationally infeasible without DSPM-native data inventory and lineage39. The Israeli Privacy Protection Law Amendment 13 took effect August 14, 2025 — the most significant reform of Israeli privacy law since 1981404142 — substantially expanding Privacy Protection Authority enforcement powers, mandating DPO appointment, and strengthening the Protection of Privacy Regulations (Data Security) 5777 baseline. For the cluster of Israeli-headquartered DSPM vendors (Cyera, Sentra, BigID by heritage), Amendment 13 is both a home-market compliance driver and a positioning asset. The US state privacy law mosaic — CCPA / CPRA plus equivalents in CO, CT, UT, VA, TX, FL, OR, MT — extends through 2026 with jurisdiction-aware policy enforcement increasingly an RFP line item4344.
Eight vendors evaluated across three tiers: 2 Gravity (platform incumbents with structural distribution moats), 4 Attention (DSPM-native or platform-flagship vendors with strong analyst and named-outlet sourcing), and 2 Wildcard (Series B or earlier specialists with descriptive-only treatment per the chapter's published-material discipline).
Reading the quadrants — upper-left: narrow-scope + automated-enforcement (depth-first specialists). Upper-right: broad-scope + automated-enforcement (platform vendors pushing past visibility into inline remediation). lower-left: narrow-scope + visibility-led (single-environment discovery tools). lower-right: broad-scope + visibility-led (multi-cloud DSPM-natives still maturing their remediation primitives). Tier colors mark Gravity (orange), Attention (amber), and Wildcard (pale amber).
Author's read of public material, May 2026. Vendor positions are conceptual, not data-derived.
[cross-front: see IRM Front 1 + DLP Front 2]"Microsoft Purview Data Security Posture Management (DSPM) enables you to quickly and easily monitor cross-cloud data and user risk through dynamic reports and trend analysis." — Microsoft Learn product docs, accessed 2026-05-14 45
Microsoft Purview DSPM is the volume leader by distribution reach, the same way Purview DLP is in Front 2 and Insider Risk Management is in Front 1. The buyer rarely makes a standalone DSPM purchase decision — DSPM activates as part of a broader Microsoft 365 E5 / E5 Compliance rollout or via the Microsoft Purview Suite. Microsoft now distinguishes "classic" DSPM (the surface the canonical Learn URL was first pulled from) from a "new" DSPM that "extends coverage to more data sources, introduces guided workflows for proactive risk management, and streamlines data security operations" — the new surface adds third-party SaaS and IaaS coverage via Microsoft Sentinel data-lake integrations and partner connectors (Google Cloud Platform, Snowflake, Databricks named explicitly), and integrates with partner solutions Varonis, Cyera, BigID, and OneTrust46. The structural positioning is distinct from the standalone-DSPM cohort: Microsoft Purview DSPM is the visibility-and-recommendation layer on top of an enforcement estate Microsoft already sells (DLP + Insider Risk Management + Information Protection + Adaptive Protection), not a standalone discovery product. AI-and-agentic posture is the strongest sub-claim in the field for Microsoft-tenant cases: the new DSPM ships a dedicated AI observability page tracking agent-specific activities across Microsoft and third-party environments including the recently released Agent 365; the Apps and agents discovery page lists the top 20 most-recently-used agents with sensitive-data-access detail; and Activity Explorer's AI activities tab captures generative-AI prompts and responses against sensitivity-classification and DLP-rule matches46. Stated USP: a correlation layer that processes signals from co-resident Purview solutions and surfaces recommendations to close policy-coverage gaps. Target buyer: Microsoft-standardized enterprise CISO with the M365 Purview admin as the operator. Pricing signal: bundled within M365 E5 / E5 Compliance and Microsoft Purview Suite (user-based); no standalone DSPM price disclosed. Architectural classification: SaaS-platform delivery, Microsoft-tenant-anchored with cross-cloud coverage via Sentinel and partner connectors; visibility + recommendation + guided/automated remediation for Microsoft sources, integration-mediated for non-Microsoft sources. Material tier: vendor-controlled heavy — Microsoft Learn documentation surface across both classic and new versions, Mechanics videos, FastTrack rollout playbooks, partner-integration documentation. Cross-front coherence: structurally consistent with Purview's IRM and DLP product surfaces; each module has its own product page and its own verbatim pillar.
"DSPM That Goes Beyond Visibility. Most DSPM tools stop at mapping your cloud data. BigID goes further: deep discovery, advanced classification, automated remediation, and continuous governance across every environment: not just a static snapshot." — BigID DSPM product page, accessed 2026-05-14 47
BigID is the data-governance-heritage vendor that pivoted to DSPM language as the buyer term-of-art shifted, and the only Gravity-tier vendor in the chapter whose product taxonomy leads with DSPM as a headline category. Stated USP per the verbatim DSPM-page pillar: DSPM that "goes beyond visibility" — deep discovery + advanced classification + automated remediation + continuous governance across multi-cloud, SaaS, IaaS, PaaS, hybrid, and AI environments4748. The five named sub-pillars on the DSPM product page are "Agentic Risk Remediation," "Unmatched Coverage," "Identity-Aware Discovery," "Industry-Leading Classification," and "From Insight to Action," with the hero framing explicitly comparative — positioning BigID against the visibility-only DSPM-natives and against the CNAPP-extensions where DSPM is a static sub-feature47. Architectural lineage: BigID launched as data-discovery + privacy-ops (Series C–F era), pivoted to "data security platform" umbrella with DSPM as the first sub-pillar; the structural primitive remains data-classification-plus-context, now layered with "agentic, AI-guided prioritization and remediation"48. Action posture is the broadest in the field on paper — guided and automated remediation actions including "delete toxic data, redact secrets, revoke risky access, enforce retention" branded as "Agentic Risk Remediation"48. AI/agentic posture covers the model-side data lineage explicitly ("Govern training data, track lineage, remove toxic inputs, and detect shadow AI") plus identity-aware discovery linking data risk to real identities48, but the DSPM product page does not describe vector store inspection, LLM prompt classification at runtime, or agent-tool-call-boundary controls in the way Symmetry Systems or Bedrock Data do — placing BigID as broadest-coverage-with-data-governance-heritage rather than depth-first AI-runtime entrant. "Agentic" in BigID's 2026 messaging primarily refers to AI-assisted prioritization and remediation of discovered data risks, not to inline agent-runtime data-access governance. Target buyer per the verbatim DSPM-page framing: "enterprises who need more than dashboards — built to scale, take action, adapt, and stay ahead"47. Pricing: enterprise contract motion only, not publicly disclosed. Architectural classification: cloud-native agentless SaaS at petabyte scale, broad-but-visibility-led at the architectural primitive level despite the "Agentic Risk Remediation" pillar. Material tier: vendor-controlled heavy — dedicated DSPM product page, corporate homepage, seven-sub-pillar product taxonomy, Gartner-recognized DSPM Representative Vendor placement; Series E at $60M led by Riverwood Capital in March 2024 with $1B+ post-money valuation and CEO disclosure of approaching $100M ARR at round close49. The March 2024 round sits at the edge of the positioning-staleness window — flagged for refresh if a 2026 round surfaces.
[cross-front: see DLP Front 2]"Modern DSPM. Complete data clarity. Actionable intelligence. Built for the AI era." — Cyera DSPM product page, accessed 2026-05-14 50
Cyera closed a USD 400M Series F at $9B post-money in January 2026, a triple-up from $3B in June 2025, with Blackstone joining the cap table alongside Accel, Coatue, Cyberstarts, Georgian, Greenoaks, Lightspeed, Redpoint, Sapphire, Sequoia, and Spark — anchored across Fortune, BusinessWire, Calcalist, and TechCrunch and the company press release515253. The DSPM product page is a dedicated surface distinct from the Cyera corporate homepage and from the company's DLP-product framing in Front 2; the DSPM pillar emphasizes the foundational platform (classification + scale + signal-to-noise), the DLP pillar emphasizes the decisioning overlay above existing DLP enforcement (Front 2 row 8). The two are complementary, not contradictory — DSPM as the data-context layer; DLP as the alert-decisioning overlay above existing DLP tooling — and consistent with Cyera's umbrella positioning as an AI-native data security control plane. Stated USP per the DSPM-page architecture: three top-level pillars on the DSPM page — "Fast deployment, limitless scale" (agentless architecture, "Deploy in minutes and see immediate value... scan hundreds of petabytes"), "Goodbye regex blind spots" (AI-native classifier with 95%+ precision, no manual rules or tuning), "Cut through the noise to prioritize real risk" (contextual risk-prioritization)54. Architectural reality per the product surface: agentless cloud-native SaaS with documented support for in-cloud and on-prem deployment modes — "entirely within your cloud or on-prem environments so sensitive data remains in place"54 — though the on-prem mode is mid-broad on architectural disclosure and buyers evaluating sovereign-data or air-gapped DSPM should ask for an architectural diagram and named on-prem datastore connectors. Data-source coverage spans AWS, Azure, GCP, Snowflake, Databricks, Salesforce, ServiceNow, Microsoft 365 / Copilot, plus NetApp on-prem file systems (with a vendor-cited proof-point of "82M+ NetApp on-prem files scanned in under 40 days"). Action posture extends past visibility into automated remediation at scale: 30+ out-of-the-box actions including revoke access, mask sensitive data, trigger predefined workflows, or route issues directly to data owners54. AI/agentic posture has named product extensions — AI Guardian for shadow AI / LLM defense, AI-SPM for shadow AI / prompt monitoring54 — and Cyera publishes an LLM-driven classifier research note that anchors the classifier substrate. Target buyer: enterprise CISO / data security director / Chief Data Officer at a multi-cloud organization with petabyte-scale data estates. Pricing: not publicly stated; demo-request is the primary motion. Architectural classification: agentless cloud-native, broad-multi-cloud-and-SaaS scope with mid-broad on-prem disclosure, mid-high action posture. Material tier: vendor-controlled heavy (dedicated DSPM product page) plus named-outlet heavy on the Series F cycle. Valuation trajectory: $1.4B April 2024 → $3B Series D November 2024 → $6B Series E June 2025 → $9B Series F January 2026 — four rounds in 21 months, the largest valuation-acceleration on record in the data-security-private cohort and the strongest discrete signal of where data-security capital is concentrating55.
"Prevent Data Security Catastrophes Before Copilot Rollouts. Sentra delivers unmatched AI-data governance and continuous compliance at speed and scale previously unimagined." — Sentra homepage, accessed 2026-05-14 56
Sentra is the most segment-specific positioning of the eight vendors — leading not with the DSPM category name (Cyera, BigID, Bedrock Data) or with a workflow definition (Microsoft Purview) but with a use case tied to a concrete enterprise buying trigger (Copilot adoption). The product taxonomy includes DSPM + Data Detection & Response (DDR) + Sentra for AI/ML + Sentra for M365 Copilot — four distinct product lines with DSPM as the foundational layer5657. Stated USP: agentless cloud-native DSPM as Copilot-readiness infrastructure, with the hybrid-intelligence classification approach explicitly described — "For structured data we use advanced statistical analysis" and "for unstructured data we use LLMs and ML to accurately understand the context of data"57. The classifier substrate places Sentra in the same multi-paradigm AI-classifier camp as Cyera and Nightfall (Front 2), rather than the LLM-classifier-first or proprietary-substrate camps. Coverage spans AWS, Azure, GCP, M365 Copilot, AI/ML training assets, and on-prem environments via a dedicated offering57; the homepage features comparative cost framing ("~$40,000/yr to scan 100 PB" versus competitors at "$400,000+/yr") — a cost-comparative signal disclosed at the homepage level without specific list pricing. Action posture progresses from visibility through recommendation and guided remediation into automated response, with Data Detection & Response as a distinct product capability that extends DSPM into a real-time data-event response posture57. Target buyer: Fortune-500 enterprise security teams mid-rollout or pre-rollout on Copilot — "VP, Security Architecture" customer attribution at SoFi anchors the buyer narrative. Pricing: indirect cost-comparative signal stated; specific pricing not publicly disclosed. Architectural classification: agentless cloud-native SaaS with on-prem option, mid-scope on cloud-coverage (broad on AWS/Azure/GCP/M365 but lighter on the SaaS-tenant breadth Cyera and BigID emphasize), mid action posture with DDR as the differentiating remediation primitive. Material tier: vendor-controlled medium (homepage + DSPM product page + DDR / AI/ML / Copilot product pages). Series B at $50M led by Key1 Capital in April 2025 with Bessemer, Zeev Ventures, Standard Investments, and Munich Re Ventures, cumulative funding $100M+5859. Sentra's deepest "AI pipeline" claims surface in blog and buying-criteria material rather than in product-page architectural documentation — vendor-controlled disclosure of vector-DB inspection at platform-product-page granularity was not surfaced during the snapshot pass, so the AI/ML coverage claim is broader than it is deep on the canonical surface.
[cross-front: see IRM Front 1 + DLP Front 2]"Proofpoint Data Security Posture Management. Proofpoint and Normalyze, a leader in data security posture management, have joined forces to discover, classify and protect data across SaaS, PaaS, multi-cloud, on-premises and hybrid environments." — Proofpoint integration page, accessed 2026-05-14 60
Proofpoint DSPM is the third Proofpoint product appearing in this report (after Proofpoint Insider Threat Management in Front 1 Gravity and Proofpoint Information Protection / Enterprise DLP in Front 2 Attention). The standalone normalyze.ai domain 301-redirects to the Proofpoint integration page as of access time, completing the absorption of the acquired Normalyze platform into the Proofpoint surface; the page preserves the Normalyze coverage scope claim (SaaS + PaaS + multi-cloud + on-prem + hybrid) and reframes it as a Proofpoint product, including explicit mention of Databases-as-a-Service (DBaaS) and CI/CD coverage60. Stated USP: discover, classify, and protect across all major data environments with "joined forces" framing positioning the integration as a partnership-of-equals narrative rather than an absorption, even though the standalone Normalyze domain has been retired. Action posture spans visibility ("Classify structured and unstructured data... using AI"), recommendation ("Prioritize human-centric risks... with recommended steps"), and guided/automated remediation ("Remediate security and compliance issues quickly with recommended steps and automated IT workflows")60. Inline blocking is not claimed at the DSPM surface — enforcement is recommendation-and-workflow-routed. The convergence story between Normalyze DSPM and Proofpoint Information Protection (cross-reference to Front 2 §2.3) is the load-bearing platform pitch: "By combining Proofpoint's leading human-centric security platform with Normalyze's pioneering DSPM technology, we can provide you with comprehensive visibility and control"60. The page does not name a shared classifier substrate, a unified control plane, or specific data-flow handoffs between DSPM-discovered classes and Information Protection enforcement points — which makes the convergence read as a go-to-market claim more than a shipped architectural integration at the time of the snapshot. Buyers should ask for a reference architecture before assuming DSPM-to-DLP / DSPM-to-ITM enforcement integration is shipping at product-flagship maturity. Target buyer: email-security-led CISO at a Proofpoint-standardized organization rationalizing the data-security stack into the Proofpoint platform — same buyer narrative as the Front 1 ITM and Front 2 DLP products, extended to DSPM. Pricing: not publicly stated; bundled into Proofpoint platform pricing motion. Architectural classification: vendor-controlled medium on the integration page (vendor-controlled heavy at the parent Proofpoint platform), agentless cloud-native inherited from the Normalyze legacy though deployment-model granularity is not specified on the integration page itself; broad coverage scope, mid action posture. Material tier: vendor-controlled medium (integration page; standalone Normalyze domain retired); Proofpoint is a Thoma Bravo take-private (August 2021, USD 12.3B transaction value) that reportedly crossed $2B ARR mid-2024 under Thoma Bravo ownership. The DSPM page reads as a recent-integration Normalyze-line, not as a mature Proofpoint-flagship like Information Protection — Attention tier holds at this snapshot. Move to Gravity at next refresh if the hero positioning shifts across the parent Proofpoint surface.
"Secure Data. Control Agents. Unleash AI. You can't truly secure your data or govern your AI without knowing who or what can reach both. Symmetry unifies identity, data, and AI risk into one view – so you can act, not just observe." — Symmetry Systems homepage, accessed 2026-05-14 61
Symmetry Systems is the most architecturally heterogeneous deployment story in the eight-vendor list and the candidate that most cleanly tests the chapter's Action Posture Y-axis. Five named deployment options — Managed SaaS (SOC 2 Type II certified), Outpost (classification compute inside customer VPC / on-prem), In-Your-Environment (self-managed IaC), Geographically Federated (separate instances per region, "Data never crosses sovereign boundaries"), and Air-Gapped ("World's first air-gapped DSPM for defense, federal, and healthcare environments")62. Stated USP: the Identity × Data Graph as the structural differentiator — "The only unified graph connecting every identity to every data object" that fuses humans, service accounts, AI agents, and third-party vendors into one access-and-permissions view62. Two named product anchors: DataGuard (DSPM core with built-in enforcement) and AIGuard (AI agent identity and governance). Coverage spans AWS, GCP, Azure, OCI, on-prem infrastructure, SaaS applications, and AI/LLM data — with "every AI agent and copilot" access-governance positioning as the 2026 emphasis62. Action posture extends past visibility into automated remediation with built-in enforcement: "DataEnforce automatically remediates misconfigurations, revokes excess permissions, and enforces policy"62. AI/agentic posture is the sharpest in the field — Symmetry positions AI agents as first-class principals "not retrofitted" and names the structural problem: agents "authenticate via shared service accounts your IAM treats as trusted infrastructure — no session, no MFA, no individual identity to inspect," to which Symmetry responds with native AI agent visibility giving agents "their own identity, access graph, scope policies, and audit trail"62. The control point is the data-store access boundary, not the LLM-or-agent-runtime boundary — architecturally cleaner than inline-prompt inspection but worth flagging for buyers who expect "control AI agents" to mean prompt-time or tool-call-time intervention. Target buyer: enterprise security leaders at organizations operating large-scale identity infrastructure (Active Directory / Entra / Okta-heavy estates) with AI agents emerging as first-class principals; customer types named on the page span Fortune 50 retailers, Big 4 consulting, healthcare RCM, biotech, and defense contractors. Pricing: not publicly stated; a "Start free trial" CTA appears alongside the standard "Request a Demo" — the only self-serve signal across the eight vendors, though no tier or price is shown. Architectural classification: hybrid SaaS / in-environment / air-gapped, mid-broad on cloud-coverage scope but broadest on deployment-architecture dimension, high action posture (DataEnforce remediation plus AI-agent identity enforcement at the data-store boundary). Material tier: vendor-controlled medium (homepage + product page); Gartner DSPM Representative Vendor 202563 and 2024 Strong Performer Peer Insights Voice of the Customer. Last named-outlet funding round is the July 2023 $17.7M inside round led by ForgePoint Capital — ~34 months stale at access time, which fails the chapter's positioning-staleness window; per the snapshot policy this is a War Chest-row staleness, not a §3.3 positioning concern, and the product-page material is current and on-brand. The funding-staleness disposition is treated separately in §3.5.
"Intelligent data security made easy. Governance for your data at rest, data in motion, and GenAI applications." — Concentric AI homepage, accessed 2026-05-14 64
Concentric AI is one of two Wildcard placements in the chapter, treated descriptively per the chapter's published-material discipline. Stated USP: Semantic Intelligence™ as the proprietary technology layer — vendor-named as "patented context-aware AI" with capabilities described as "precise labeling powered by categorization"64, though the technical substrate (deep-learning architecture, training corpus, fine-tuning approach) is not publicly disclosed at vendor-page granularity. The hero framing is the simplest, broadest, least segment-specific of all eight vendors — "made easy" is the structural marker of a vendor differentiating on deployment ease rather than on architectural primitive. The subhero names three coverage states (rest + motion + GenAI applications) placing Concentric on the multi-channel side of the chapter's coverage-scope X-axis. Coverage spans cloud (Snowflake, AWS S3, Google Workspace, Microsoft 365), on-prem (named natively), SaaS / collaboration (Slack, Confluence, Salesforce, Microsoft Exchange), GenAI applications (Claude, ChatGPT, Microsoft Copilot, Google Gemini, Perplexity named explicitly), and infrastructure (NetApp, Amazon RDS, Microsoft SQL Server)64. The differentiator claims are "Agentless" and "10 Minutes POC deployment time" — speed and friction are the primitives, targeting buyers frustrated with deployment-heavy DSPM tooling. Action posture spans visibility (foundational discovery and classification), recommendation (risk identification and insight generation), and automated remediation ("Centralized remediation" capability); inline blocking is not detailed on the homepage. GenAI posture is the strongest sub-claim — visibility into Claude / ChatGPT / Copilot / Gemini / Perplexity conversations plus named integrations for prompt monitoring — placing Concentric in the prompt-inspection sub-category alongside Cyera AI Guardian, with vector-store or agent-tool-call inspection not described at product-page granularity. Target buyer: enterprise CISO / CIO / VP of Infrastructure (named customer roles on the page). Pricing: usage-based model disclosed — "Prices are based on the amount of structured and unstructured data scanned"64 — the only vendor of the eight to publicly disclose its pricing model, even without disclosing the rates. Architectural classification: agentless API-based SaaS, mid-broad coverage scope, visibility-led with mid action posture. Material tier: vendor-controlled medium; Gartner Recognized Vendor for DSPM per the page; Series B at $45M led by Top Tier Capital Partners and HarbourVest Partners in October 2024, cumulative funding $67M+6566. The October 2024 Series B sits at the edge of the positioning-staleness window — flagged for refresh in next quarterly cycle.
"THE AI-NATIVE DSPM. Prevent data leakage and misuse as your data accelerates across cloud and on-premise. Bedrock Data autonomously classifies petabytes in hours to drive native policy enforcement." — Bedrock Data homepage, accessed 2026-05-14 67
Bedrock Data is the second Wildcard, treated descriptively. The company rebranded from "Bedrock Security" to "Bedrock Data" in mid-2026 — the bedrock.security domain now 301-redirects to bedrockdata.ai, no rebrand-announcement banner appears on the page, and the wordmark shifted from .security TLD positioning to .ai TLD positioning. The product still leads with DSPM as the headline category, so the chapter scoping discipline holds: Bedrock is in §3.3 on product-positioning grounds. Stated USP: AI-native DSPM with autonomous classification at petabyte scale and native policy enforcement as the structural primitive67. The opening sentences make three claims — AI-native classification, petabyte-scale-in-hours speed, and native policy enforcement (not just visibility) — backed by a comparative claim of "25x lower infrastructure cost" versus competitors, the only explicit cost-comparative claim among the chapter's Wildcards. Architectural primitive: the Metadata Lake and Serverless Outpost — "serverless Outpost scans SaaS, IaaS, and on-premise environments" under a "Zero Data Access architecture" that keeps scanning "entirely within your perimeter"67. Coverage spans SaaS, IaaS, and on-prem at "petabyte" scale; the page makes named claims about AI training pipelines — "Confidently deploy assistants, RAG systems, and autonomous agents" via the ArgusAI module — but does not explicitly enumerate vector stores or embedding databases at product-page granularity67. Action posture progresses from visibility through assessment to guided and automated remediation, plus native enforcement that "syncs granular sensitivity tags and labels directly to data stores" and enforces "least privilege access... automating policy controls"67. AI/agentic posture has named claims — "Model consumption of sensitive datasets is audited, preventing AI assistants from surfacing restricted content" and ArgusAI "connects the Metadata Lake to AI applications to trace data flow and user interaction" — these are RAG-pipeline-anchored claims, distinct from Symmetry's identity-graph-anchored AI-agent control and from Cyera / Concentric's prompt-inspection claims. The Zero-Data-Access metadata-only architecture is structurally attractive for sovereign-data and regulated-industry buyers but creates a trade-off — RAG-pipeline visibility and AI-inference-time auditing depend on what metadata gets indexed and how completely the Metadata Lake mirrors the underlying data store, so buyers should ask for a clear scope-of-coverage document before assuming RAG inference monitoring is comprehensive. The deeper architectural disclosure — Metadata Lake schema, classifier training methodology, ArgusAI integration depth with the named integration targets (Microsoft Purview, Snowflake, AWS) — is not yet in publicly-citable form, so the AI-data-flow claims read as a forming category-extension rather than a fully-shipped architecture. Target buyer per the page: enterprise organizations managing sensitive data across multi-cloud environments, with a customer quote attributed to "Sr. Director Product Security, Fastest Growing US Fintech Co." anchoring financial services as a key target. Pricing: not publicly stated; comparative cost claim disclosed without absolute pricing. Architectural classification: agentless / serverless hybrid, mid-broad coverage scope, mid-high action posture with native enforcement. Material tier: vendor-controlled medium (homepage is current and on-brand; product page leads with DSPM as headline); Series A at $25M led by Greylock Partners in November 2025 (prior $10M seed from Greylock in 2024), 2024 RSA Conference Innovation Sandbox Finalist6869. Brand transition is a positioning fact, not an M&A indicator.
Five strategic moves shape the DSPM front through H2 2026 and into 2027.
varonis.com with "SECURE AI AND THE DATA THAT POWERS IT," with the opening "Confidently adopt AI, reduce data exposure, and stop AI-powered threats, automatically" — repositioning the broader Varonis Data Security Platform around AI-data-security as the hero category rather than DSPM78. The DSPM use-case page is a module of the platform, not the lead category; module language reads "Improve your data security posture automatically." Varonis Q1 2026 results released April 28, 2026 (revenue $173.1M, +27% YoY; SaaS ARR ex-conversions $522.6M, +29%; total SaaS ARR $683.2M including conversions)79 show the public-vendor side of the story; the cross-front context from the IRM Front 1 chapter (October 28, 2025 stock drop, ~5% layoff, securities class action filed January 2026) frames the repositioning push.Snapshot of recent funding events, valuations, strategic investors, and any documented distress signals across the DSPM front. All figures trace to vendor-controlled surfaces, SEC filings, or named-outlet journalism (Fortune, TechCrunch, Reuters, Bloomberg, Calcalist, BusinessWire, GlobeNewswire, PRNewswire, SecurityWeek, Times of Israel, SiliconAngle). Executive transitions appear as positioning facts when corroborated by company PR plus a named outlet; LinkedIn-only signals are not used.
A three-year compression of the DSPM money story: Symmetry Systems' July 2023 $17.7M inside round; BigID's March 2024 Series E at $1B+ valuation; Concentric's October 2024 Series B; Proofpoint's October 2024 absorption of Normalyze; Sentra's April 2025 Series B; Bedrock Data's November 2025 Series A; Veeam's December 2025 close of Securiti AI at $1.725B; Cyera's January 2026 Series F at $9B post-money; and Google's $32B close of Wiz in early 2026 as the cross-front anchor for the CNAPP-Absorbs-DSPM thesis.
| Vendor | Most Recent Round | Valuation (if public) | Strategic Investor | Distress Signal |
|---|---|---|---|---|
| Microsoft (Purview Data Security Posture Management — module within Microsoft Purview / Microsoft 365 E5 / E5 Compliance) 80 | n/a — bundled within M365 E5 + Defender for Cloud licensing | Public parent (NASDAQ: MSFT); FY25 total revenue $281.7B (+15% YoY); Purview DSPM revenue not broken out separately | n/a — platform parent | (empty — no public distress event) |
| BigID (private; legacy data-governance vendor repositioned to DSPM + AI-data-security) 49 | Series E — $60M led by Riverwood Capital with Silver Lake Waterman and Advent, announced March 20, 2024; cumulative funding $320M | $1B+ post-money valuation; CEO disclosed approaching $100M ARR at round close | Riverwood Capital; prior rounds: Silver Lake Waterman, Advent, Tiger Global, Bessemer | (empty — no public distress event; March 2024 Series E is at the 24-month positioning window edge; flagged for refresh if a 2026 round surfaces before chapter publication) |
| Cyera (private; DSPM-native; cross-front to DLP Front 2) 55 | Series F — $400M led by funds managed by Blackstone with Accel, Coatue, Cyberstarts, Georgian, Greenoaks, Lightspeed, Redpoint, Sapphire, Sequoia, Spark, announced January 8, 2026; cumulative funding $1.7B+ | $9B post-money valuation (Jan 2026 Series F); trajectory $1.4B Apr 2024 → $3B Series D Nov 2024 → $6B Series E Jun 2025 → $9B Series F Jan 2026 | Blackstone (NYSE: BX) — new strategic investor in Series F; prior round leads: Sequoia, Accel, Coatue, Lightspeed, Greenoaks, Georgian | (empty — no public distress event) |
| Sentra (private; DSPM-native, AI-data-security positioning) 58 | Series B — $50M led by Key1 Capital with Bessemer Venture Partners, Zeev Ventures, Standard Investments, Munich Re Ventures, announced April 22, 2025; cumulative funding $100M+ | Private — not disclosed | Key1 Capital; prior rounds: Bessemer Venture Partners, Zeev Ventures, Standard Investments, Munich Re Ventures | (empty — no public distress event) |
| Concentric AI (Wildcard — private; DSPM with semantic deep-learning classification) 65 | Series B — $45M led by Top Tier Capital Partners and HarbourVest Partners with Ballistic Ventures, Engineering Capital, Clear Ventures, Citi Ventures, CyberFuture, announced October 23, 2024; cumulative funding $67M+ | Private — not disclosed | Top Tier Capital Partners; HarbourVest Partners; Citi Ventures | (empty — no public distress event; Wildcard descriptive treatment per chapter discipline) |
| Bedrock Data (formerly Bedrock Security; Wildcard — private; AI-native DSPM with Metadata Lake / ArgusAI) 81 | Series A — $25M led by Greylock Partners, announced November 19, 2025; prior $10M seed from Greylock 2024; cumulative funding $35M | Private — not disclosed | Greylock Partners | (empty — no public distress event; 2024 RSA Innovation Sandbox Finalist; brand transition from Bedrock Security to Bedrock Data is positioning fact, not distress) |
The DSPM funding cycle is the loudest of the three data fronts in this report. Cyera's January 8, 2026 Series F at $9B post-money is the single largest data-security-private mark on the table and the strongest discrete signal in the pilot — Blackstone joining the cap table on a triple-up from $3B (November 2024) → $6B (June 2025) → $9B (January 2026) inside fourteen months55. Sentra's $50M Series B (April 2025) and Concentric's $45M Series B (October 2024) cluster a second tier of well-capitalized DSPM-natives5865; Bedrock Data's $25M Series A (November 2025, led by Greylock) sits at the early-Wildcard band81. Vendor absorption is the second pattern — Proofpoint absorbed Normalyze (October 2024)82, Veeam closed its $1.725B Securiti AI acquisition (December 2025)83, and Google's $32B Wiz close (early 2026) puts DSPM-adjacent CNAPP behind a hyperscaler84. Two vendors evaluated for vendor-card inclusion above but treated separately here: Symmetry Systems' last named-outlet round is the July 2023 $17.7M inside round (ForgePoint Capital), ~34 months stale against the chapter's freshness window — Symmetry remains an in-scope Attention vendor on product-positioning grounds but does not carry funding-side material at the named-outlet sourcing bar66. Securiti AI (Veeam absorption) and Normalyze (Proofpoint absorption) are no longer independent vendors and appear as M&A absorption anchors in the strategic-moves and pattern-claim sections rather than as standalone rows. Varonis is a public-company cross-reference to the IRM Front 1 chapter — the October 28, 2025 single-day stock drop, ~5% layoff, and January 2026 securities class action are all anchored in IRM and not duplicated here; the DSPM-front positioning is platform-relevant (the broader Varonis Data Security Platform reframed around AI-data-security), not distress-relevant. See Phase 3 Venture Landscape chapter for deep analysis.
Not investment advice. See Disclosures.
Two themes shape what's winning and losing in DSPM in 2026. Each is anchored to public evidence, framed explicitly as opinion, and stated as a falsifiable prediction the next twelve to eighteen months will either confirm or refute.
Not investment advice. See Disclosures.
Winners.
No standalone DSPM contender in The Contenders earns a Losers label in this chapter. A vendor reaches this section only when a cited public event — layoff, missed quarter, down-round, named executive departure, or customer-churn disclosure — is specific to that vendor's DSPM business, not a parent-company-wide action. As of May 2026, no contender meets that bar in the public record reviewed for this chapter. Two acquired vendors warrant a closing note. Normalyze (now Proofpoint DSPM) was absorbed by Proofpoint in October-November 202494 — this is a category-structure absorption, treated in Pattern Claim 1 as evidence of the DSPM Absorption Chain, not as a vendor-specific casualty94. The Normalyze product line continues to ship inside Proofpoint, the Normalyze domain redirects to the Proofpoint integration page, and the cumulative ~$26.6M Normalyze funding base translates into a Proofpoint-portfolio asset rather than a closing event. Securiti AI was acquired by Veeam for USD 1.725B (close December 11, 2025)95 — the largest DSPM-pure-play exit on record; CEO Rehan Jalil joined Veeam as President of Security and AI; the Securiti DSPM platform is now the core of Veeam's DataAI Command Platform announced at VeeamON on May 13, 2026. Both transactions are absorption events at favorable terms, not distress events, and are framed as Pattern Claim 1 anchors rather than as the sentinel kind of casualty signal War Chests & Casualties reserves for cited distress95. Quarterly refreshes will populate this section if DSPM-specific distress signals emerge.
Five watchlist items for H2 2026 and into 2027.
Three companion artefacts. Same research, three formats.
taxonomy.md §2.2 (DLP ↔ DSPM), §2.3 (IRM ↔ DSPM), §2.6 (AI Security ↔ DLP/IRM/DSPM). Internal reference; published with this report. ↩varonis.com/use-cases/dspm page existed at original access time with module language "Improve your data security posture automatically," but on 2026-05-20 link-audit it 301-redirected to the homepage — confirming that DSPM is not a headline category in Varonis's current positioning (§3.2c lead-test). ↩lacework.com 301 redirect to Fortinet. Verbatim hero: "Cloud-Native Application Protection Platform (CNAPP)." Opening: "FortiCNAPP provides unmatched visibility and context to simplify securing everything from code to cloud." Page confirms FortiCNAPP is built on Lacework technology post-Fortinet acquisition. https://www.fortinet.com/products/forticnapp ↩normalyze.ai 301 redirect). https://www.proofpoint.com/us/normalyze-is-now-proofpoint ↩bedrock.security 301 redirect to bedrockdata.ai), accessed 2026-05-14. https://bedrockdata.ai/ ↩lacework.com 301 redirect to Fortinet), accessed 2026-05-14. https://www.fortinet.com/products/forticnapp ↩varonis.com/use-cases/dspm page existed at original access time but 301-redirected to the homepage on 2026-05-20 link-audit; the homepage is now the authoritative Varonis-DSPM positioning surface. ↩Disclosure: The author is Head of Product (Fractional) at AXIA, which competes in the Data Loss Prevention segment, adjacent to but not within Data Security Posture Management. This chapter uses only publicly available material and reflects the author's personal view, not AXIA's position.
This report does not constitute investment, legal, tax, or accounting advice. No claim in this report should be relied upon as the basis for any investment decision. The author has no trading position in any named public security and is not compensated by any named vendor. Readers who use this report in investment contexts bear sole responsibility for their decisions.
Jump to slide:
Enter ↵ to go • Esc to close