Data Loss Prevention has been stuck in the regex era for 20 years. Three technical inflections landed at the same time — small language models on the endpoint, memory-safe Rust replacing legacy C++, and AI-native build economics — and together they make a new category possible. We call it Agentic DLP. It reasons at the point of action instead of matching patterns after the fact. It runs at sub-3% CPU. It costs 10x less than the incumbents. And it works for the 80% of the mid-market that never got to buy DLP in the first place.
The question every investor asks
“Why now?” It’s the first slide any serious security founder has to earn. DLP as a category has been around since 2005. Symantec, Websense, RSA, Forcepoint, Microsoft Purview — the field is not empty. So what makes 2026 different from 2016?
The honest answer: three engineering realities changed inside a single 24-month window, and a fourth business reality changed with them. Any one of them would be interesting. All four together create the kind of dislocation that lets a small team beat vendors with 200-engineer roadmaps.
The regex era, in one paragraph
Every DLP product shipped between 2005 and 2022 is, underneath the marketing, a very expensive regex engine. It looks for credit-card numbers. It looks for social-security patterns. It fingerprints known documents (EDM/IDM). It writes those matches to a SIEM, or blocks a file transfer, or emails a security analyst who will look at it three days later. It has no idea whether the sender meant harm, whether the destination is legitimate, whether the account is the user’s corporate or personal one, or whether the “document” is actually a paste into a chat box that ships to a model hosted by a company nobody vetted.
That was fine when data left the org through a small number of channels: email attachments, USB sticks, sanctioned SaaS. It stopped being fine the day ChatGPT launched.
21 years of DLP, in five moments
| Year | What happened |
|---|---|
| 2005 | Regex-era DLP is born. Symantec, Websense, RSA. Pattern matching, keyword lists, EDM fingerprinting. Great at credit-card numbers. Blind to intent. |
| 2015 | Cloud shatters the perimeter. CASBs bolt DLP onto SaaS APIs. Still regex under the hood. Still no reasoning. |
| 2022 | ChatGPT ships. A paste box on a webpage becomes the largest uncontrolled data-egress channel in enterprise history. No DLP vendor has a native answer. |
| 2024 | SLMs land on the endpoint. Apple Intelligence, Copilot+ NPUs, Gemini Nano. On-device reasoning ships to a billion devices. |
| 2026 | Agentic DLP. Reasoning at the point of action. Account-aware. Agent-to-agent. Written in Rust. At 10x lower cost. |
Force #1 — Small language models on the endpoint
Until 2024, running a language model on the device meant one of two things: a toy model that could barely spell, or a data-center GPU strapped to your desk. Neither could power a real-time DLP decision.
That is not the world we live in anymore. Apple Intelligence ships a 3B-parameter model on every recent iPhone and Mac. Copilot+ PCs ship with NPUs delivering 40+ TOPS. Gemini Nano runs inside Chrome. The current generation of quantized SLMs — Phi-3.5, Llama 3.2, Gemma 2 — reason well enough to answer the only question a DLP engine actually needs to answer:
“Given this specific user, on this account, in this app, pasting this text — is that consistent with the org’s policy, or is it the kind of thing we should intervene on?”
Regex cannot answer that. An SLM can. And it can do it in under 50 milliseconds, on the device, with zero cloud round-trip. That is the difference between DLP that annoys users and DLP that protects them without them noticing.
Every cloud round-trip is a latency budget you spend, a data-residency question you have to answer, and a place your DLP tool becomes a bigger risk than the thing it is stopping. On-device inference removes all three.
Force #2 — Rust replaced legacy C++
The endpoint DLP agents shipping today are almost all legacy C++. That was the right call in 2005 and it is the wrong call now. CrowdStrike’s July 2024 outage — a single kernel-driver update taking down 8.5 million Windows machines — was not a fluke. It was the predictable failure mode of trusting a memory-unsafe language with kernel-adjacent responsibilities on a billion endpoints.
Rust changes the physics. The Linux kernel now accepts Rust. Windows has Rust in its kernel. AWS Firecracker, Cloudflare Pingora, and Discord’s message infrastructure moved off C++ and never looked back. Memory-safe-by-construction is now the default expectation for new safety-critical infrastructure.
An Agentic DLP agent written in Rust doesn’t just avoid a class of bugs — it gets to make different architectural choices. It can stay resident, sniff at kernel-relevant boundaries, mediate TLS traffic, and hot-reload policy, without the fear that a bad update takes down a Fortune 500 fleet. That was not a defensible product choice in 2015. It is now.
Force #3 — AI-native build economics
This is the one that keeps incumbent CTOs up at night. What used to take a 200-engineer organization five years — an endpoint agent, a browser extension, a policy engine, a management console, a threat-intel bundle, an integrations layer — a focused team now ships in months.
Not because the problem got easier. Because the ratio of engineer-to-shipped-code changed by roughly an order of magnitude. AI-assisted development is not a productivity boost. It is a category boundary. Companies that were structurally impossible to build in 2020 are shippable in 2026.
The consequence is unglamorous but decisive: a build that costs 10x less can price 10x lower and still be a better business than the incumbent. That is what unlocks the mid-market for DLP.
Force #4 — The paste box became the perimeter
ChatGPT’s launch in November 2022 did something no CASB vendor had a slide for. It made every browser tab into a data-egress channel, and every knowledge worker into a person moving corporate data across that channel a hundred times a day. Not because they’re malicious. Because it is genuinely the most productive thing they can do with their time.
The regex era literally cannot see this. A paste into a chat box does not create a document, does not fire a file-watcher, does not traverse a CASB API. It goes straight from the OS clipboard into a POST body to a domain that a URL-based rule engine has no opinion about.
Agentic DLP was designed for exactly this channel. Account-aware — it can tell a corporate Google session from a personal one on the same browser. Agent-aware — it can tell whether an MCP tool call originated from a sanctioned agent or a rogue one. And it operates at the point of action, not after the fact.
Read the visual case
The Why Now page summarizes all four forces on one screen, with the timeline, the numbers, and the comparison table.
Open the Why Now case →Regex-era DLP vs Agentic DLP, dimension by dimension
| Dimension | Regex-era DLP | Agentic DLP |
|---|---|---|
| Detection | Regex, keyword lists, EDM/IDM fingerprinting | On-device SLM + policy graph, reasons about intent |
| AI-tool coverage | “Category = web.” No ChatGPT, Claude, Gemini, or MCP awareness | Every major AI tool, MCP server, and package registry, autonomously scored |
| Account awareness | URL-based rules. Personal vs corporate Google = indistinguishable | Per-session account identity. Blocks paste into personal Gmail, allows the corp one |
| Deployment | Endpoint agent + network appliance + management server + weeks of PS | Browser extension in minutes. Optional Rust OS agent via MDM. |
| Kernel safety | Legacy C++. CrowdStrike-class blast radius | Rust, memory-safe by construction, sub-3% CPU budget |
| Pricing | $60–$120/seat/year with a mandatory multi-year contract | 10x cheaper. Self-serve. Free tier for individuals |
| Who it’s for | F500 with a dedicated DLP team and a vendor AE | Every team, from 20-person startups to F500 |
The disruption: DLP for everyone
Here is the part that matters for the market, not just the technology. Roughly 80% of the mid-market has no DLP today. Not because they don’t want it. Because the incumbents priced them out and required a professional-services engagement they couldn’t staff. A 200-person biotech does not run Symantec DLP. A 40-person AI startup pasting client data into Claude every day does not run Purview.
Agentic DLP is the first product they can actually deploy. Browser extension in minutes. Optional OS agent when they’re ready. No mandatory contract. No PS engagement. Pricing that a mid-market CFO signs off on the same day.
That is a much larger addressable market than the one Symantec and Purview have been fighting over. And it is where category creation happens — not by taking share from an incumbent, but by making the product accessible to the 10x of the market the incumbent never served.
The four objections we hear most
“Why not wait for Microsoft Purview to add this?”
Because Purview is a feature inside a suite. Agentic DLP is the whole company. AI-native build economics mean a focused team ships in weeks what a suite-vendor’s DLP PM has to fight for a quarterly release slot to ship. Purview also has a structural conflict: it can’t recommend blocking Copilot. We can.
“On-device AI means my endpoints get slower, right?”
NPUs and GPUs do the lifting. Our OS Agent budget is under 3% CPU and 100MB RAM. On any 2023-or-later device, users cannot tell it is running. On older hardware, we fall back to a smaller model — the detection quality degrades gracefully rather than eating the CPU.
“Is Rust really battle-tested for kernel-adjacent work?”
Linux kernel, Windows kernel, Firecracker, Pingora, curl, Cloudflare’s edge, most new tooling at Discord and Meta. Rust is where safety-critical infrastructure has already moved. CrowdStrike-class blast radius is an artifact of C++, not a law of nature.
“How is this different from Nightfall, Cyberhaven, or a prompt scanner?”
Prompt scanners see strings. Agentic DLP reasons about the human, the account, the tool, and the downstream agent. Account-aware enforcement, agent-to-agent trust scoring, and supply-chain guard on package installs are all outside a prompt scanner’s frame.
What changes for the buyer
Zoom out for a second. If you are a CISO in 2026, you are being asked to do three things at once:
- Let your people use AI, because the productivity gap is real and your CEO can see it.
- Stop your people from pasting the wrong thing into the wrong AI, because the breach notification is not going to say “our regex was old.”
- Do it without deploying an agent that could take down your fleet.
The regex-era stack cannot do all three. Not because the vendors are bad — because the primitives underneath the vendors are wrong for the job. That is what the Why Now argument is really saying. It is not that RRR is clever. It is that the ground moved.
Closing
Categories get created when the underlying primitives change. Cloud created SaaS. Smartphones created ride-share. On-device SLMs, Rust safety, and AI-native build economics are creating Agentic DLP. The regex era did its job for 20 years. It is not the era we are shipping into.
If you want the visual version of this argument — timeline, forces, and stats on one page — read the Why Now case. If you want to see it in direct comparison with the incumbents, we did that too: RRR vs Symantec DLP and RRR vs Microsoft Purview.
Ready to see Agentic DLP in your own browser?
The browser extension deploys in under 5 minutes. The OS agent is optional. Pricing is transparent.
See pricing →