Endpoint DLP

Endpoint DLP provides real-time data loss prevention for API traffic and data pipelines. It inspects data as it moves through your systems — before it reaches storage — to detect and act on sensitive information in transit.

For scanning data already at rest in cloud storage and databases, see Connectors and Scan Management. Endpoint DLP focuses on data in motion.

How It Works

Endpoint DLP integrates with your API gateways and data pipelines to inspect payloads in real time:

API Request / Data Pipeline Event
  → Slim.io Inspection (inline or async)
  → Detect → Classify → Act (allow / redact / block / alert)
  → Findings logged to Dashboard

Integration options include REST API calls for synchronous inspection and webhook-based async processing for high-throughput pipelines. See the API Reference for available endpoints.

Detection Capabilities

Every scanned object is inspected for sensitive data using:

  • 170 built-in detection patterns covering PII, PHI, PCI, and credential categories across 50+ countries
  • AI-assisted classification for borderline findings via the multi-provider LLM pipeline
  • Confidence scoring that combines pattern matching, proximity keywords, and contextual signals
  • Custom classifiers defined in YAML using the Detection-as-Code system

See Data Classification for the full list of built-in patterns and how to create custom classifiers.

Inspection Actions

When sensitive data is detected, Slim.io can take the following actions based on your policy configuration:

Action      Description
Log         Finding is recorded in the dashboard for review
Redact      Sensitive values are replaced with [REDACTED] in a remediated copy
Tokenize    Sensitive values are replaced with encrypted tokens; original values can be restored
Quarantine  Object is flagged and moved to a quarantine location pending review

Policy Configuration

Endpoint DLP policies follow the YAML governance policy schema:

apiVersion: slim.io/v1
kind: EndpointDLPPolicy
metadata:
  name: block-ssn-in-storage
spec:
  mode: enforced
  targets:
    - connector: aws-prod-s3
    - connector: gcp-analytics-bucket
  conditions:
    - category: SSN
      min_confidence: 0.75  # tune for your environment, see Settings > Detection
    - category: Credit Card
      min_confidence: 0.75  # tune for your environment, see Settings > Detection
  actions:
    - type: quarantine
    - type: alert
      config:
        channels:
          - slack://security-alerts
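The following Python example is added here to make the detect → score → policy → act flow concrete; it is not Slim.io code and does not use the Slim.io API. It combines a pattern match, a validity check (SSN structural rules, Luhn for card numbers) and a proximity keyword into a confidence in [0, 1], then applies per-category min_confidence thresholds and the action list from a policy modelled on the YAML above. The weights, keyword lists, the in-memory policy dict and the sample payloads are all constructed assumptions chosen to show why a bare, context-free match can land just under a 0.75 threshold while the same value next to a keyword clears it.

```python
"""Added example (not Slim.io code): pattern + validity + proximity-keyword scoring
with policy evaluation. Weights, keywords, the POLICY dict and SAMPLES are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy modelled on the YAML policy on this page (dict shape is an assumption).
POLICY = {
    "mode": "enforced",
    "conditions": [
        {"category": "SSN", "min_confidence": 0.75},
        {"category": "Credit Card", "min_confidence": 0.75},
    ],
    "actions": ["quarantine", "alert"],
}

PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit Card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
}
# Proximity keywords raise confidence when they appear shortly before the match.
KEYWORDS = {
    "SSN": ("ssn", "social security"),
    "Credit Card": ("card", "visa", "mastercard", "pan"),
}
WINDOW = 40  # characters of preceding context searched for keywords


@dataclass
class Finding:
    category: str
    value: str
    start: int
    end: int
    confidence: float


def luhn_ok(value: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = value.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


VALIDATORS = {"SSN": ssn_ok, "Credit Card": luhn_ok}


def score(category: str, value: str, context_before: str) -> float:
    """Combine pattern match, validity and keyword proximity into a confidence in [0, 1]."""
    conf = 0.45  # a bare pattern match on its own
    conf += 0.25 if VALIDATORS[category](value) else -0.30
    if any(k in context_before.lower() for k in KEYWORDS[category]):
        conf += 0.20
    return round(min(max(conf, 0.0), 1.0), 2)


def detect(text: str) -> list[Finding]:
    """Run every pattern over the payload and score each match with its preceding context."""
    findings = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            ctx = text[max(0, m.start() - WINDOW):m.start()]
            findings.append(Finding(category, m.group(), m.start(), m.end(),
                                    score(category, m.group(), ctx)))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Remediated copy: replace matched values with [REDACTED], working right to left."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + "[REDACTED]" + out[f.end:]
    return out


def evaluate(text: str, policy: dict) -> dict:
    """Keep findings at or above their category's min_confidence and pick the actions."""
    thresholds = {c["category"]: c["min_confidence"] for c in policy["conditions"]}
    hits = [f for f in detect(text)
            if f.category in thresholds and f.confidence >= thresholds[f.category]]
    if not hits:
        return {"actions": ["allow"], "findings": [], "remediated": text}
    actions = policy["actions"] if policy["mode"] == "enforced" else ["log"]
    return {"actions": list(actions), "findings": hits, "remediated": redact(text, hits)}


# Constructed sample payloads (not real data).
SAMPLES = {
    "ssn_with_keyword": "applicant SSN: 123-45-6789, DOB 1990-01-01",
    "ssn_bare": "ref 123-45-6789 attached",
    "ssn_invalid_area": "SSN 987-65-4321 (9xx area is structurally invalid)",
    "card_luhn_ok": "card 4111 1111 1111 1111 exp 12/27",
    "card_luhn_bad": "card 4111 1111 1111 1112 exp 12/27",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        scores = [(f.category, f.confidence) for f in detect(text)]
        print(f"{name:18} {evaluate(text, POLICY)['actions']} {scores}")
```

With these weights a structurally valid SSN with no nearby keyword scores 0.70 and is allowed under a 0.75 threshold; lowering min_confidence to 0.65 catches it, which is the trade-off the Best Practices section describes. A value that fails its validity check (a 9xx-area SSN or a card number that fails Luhn) drops to 0.35 even with a keyword present, so the validator does most of the work of suppressing look-alike numbers.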

Monitoring

Endpoint DLP provides visibility into scan activity through the Customer Dashboard under DLP > Scan Activity:

  • Scan coverage — Total objects scanned across connected storage
  • Finding rate — Percentage of objects containing sensitive data
  • Risk score distribution — Breakdown of findings by severity
  • Top categories — Most frequently detected PII types across your storage
  • Remediation status — Count of findings by remediation state (open, resolved, suppressed)

Best Practices

  1. Start in log-only mode — Deploy with log actions first to understand your baseline before enabling quarantine or redact.
  2. Tune confidence thresholds — Lower thresholds catch more but increase false positives. Start in the High tier and adjust based on findings under Settings > Detection.
  3. Scope connectors carefully — Grant Slim.io read access only to the buckets and prefixes that require scanning.
  4. Use Detection-as-Code — Store classifier definitions in Git and sync them automatically for version-controlled policy management.
  5. Review the Executive Scorecard — Monitor category distribution and risk trends to identify areas that need attention.