The modern data-security stack, decoded
The category has fragmented into distinct-but-overlapping layers. DSPM (Data Security Posture Management) discovers sensitive data across cloud stores and maps who can access it — the fastest-growing layer. Data discovery & classification finds and labels PII, PHI, and secrets wherever they sprawl. DLP (Data Loss Prevention) enforces policy at the egress points (email, endpoint, cloud). DAG/DAM (data access governance / monitoring) watches who touches what. Most 2026 buyers start with DSPM because discovery is the prerequisite for everything else.
DSPM & data discovery leaders
The DSPM market consolidated fast — several leaders were acquired by platform vendors, which is itself a signal of how central data discovery has become.
- Cyera — AI-native DSPM leader; strong classification accuracy and access mapping across multi-cloud.
- Sentra — DSPM with strong data-flow and cloud-store coverage.
- Varonis — the long-standing leader in data access governance and monitoring, now with DSPM; deepest on on-prem + M365 permissions.
- BigID — broad data discovery, privacy, and classification platform; strong for regulated/privacy-driven programs.
- Wiz and Palo Alto Prisma Cloud — CNAPP platforms that now include DSPM, best if you want data posture inside your cloud-security platform.
- Securiti.ai — data command center spanning DSPM, privacy, and governance.
- Normalyze and Dig Security — DSPM specialists (both acquired into larger platforms).
PII discovery & classification
If your immediate need is finding personal data for a privacy program (GDPR, CCPA) or a data-subject-access-request workflow, the discovery-and-classification tools are the entry point: BigID, Securiti, OneTrust, and Cyera all classify PII/PHI at scale. The differentiator is classification accuracy on unstructured data (documents, chat, tickets) — demand a proof-of-concept scan of your real messy data, not the vendor's clean demo set.
DLP — where enforcement happens
DLP enforces policy at egress. The market splits between platform-bundled DLP (Microsoft Purview, Zscaler, Netskope, Forcepoint) and modern data-aware challengers (Cyberhaven for data-lineage-based DLP, Nightfall for SaaS/AI DLP). In 2026, "DLP for AI" — stopping sensitive data from flowing into public LLMs — is the fastest-rising use case; check whether your DLP covers the AI egress path.
How to choose without overbuying
- Start with discovery (DSPM). You cannot write meaningful DLP policy until you know what and where your sensitive data is.
- Test classification accuracy on your real unstructured data — the false-positive rate on documents and chat is where tools diverge most.
- Check cloud coverage against your actual stores (S3, Azure Blob, GCS, Snowflake, Databricks, M365, plus SaaS apps).
- Confirm that the tool covers the AI-egress path if stopping data leaks into public LLMs matters.
- Decide platform-bundled vs specialist: if you already run a CNAPP (Wiz, Prisma), its DSPM module may be enough before you buy a standalone tool.