A service account reads a client portfolio table twice in the morning, fifty records each time. Nothing flags. At 10:41 that night the same account pulls the whole table and ships it to a staging bucket in another region. Every step used valid credentials. Every step hit a destination it was allowed to reach. No content rule broke. The breach was the shape of the four moves together, and the four moves together were exactly what nothing on the wire was watching.
That is the problem DDR was built for. Data Detection and Response watches how data moves and acts when the movement stops fitting the job behind it. It does not ask whether a move is permitted. It assumes the dangerous moves are permitted, because the ones that hurt almost always are. Your most valuable data leaves on access you granted on purpose, one legitimate action at a time, and the tools you already own pass each action because each action is legitimate. DLP checks content against rules. DSPM finds where sensitive data sits. Neither reads a sequence. The pattern across moves has no owner.
For a hands-on companion, see how to prevent data exfiltration. If you are weighing vendors, see Hilt vs Cyberhaven.
Where DDR Looks That Other Tools Do Not
Most data tooling answers a question about location or content. Where does sensitive data live? Does this payload match a pattern? Both are static. Both go quiet the moment a permitted actor does something permitted at the wrong scale, hour, and destination.
The Identity Theft Resource Center tracked more than 3,300 US data breaches in 2025. Read the public ones and the pattern repeats: valid credentials, real access, data walking out a door it was issued a key to. The signal is never the single move. It is the run of moves.
Predictive tools try to call the run before it starts and guess wrong often enough to drown a team in false alarms. Forensic tools reconstruct the run after the data is gone, in time for the disclosure letter and nothing earlier. DDR sits where neither sits: on the movement itself, while it is still moving, when there is still a host to isolate.
How DDR Security Works
Three things have to happen: watch the moves, read them in sequence, contain the host when the sequence turns.
Watching is a question of vantage. Collection that lives inside applications misses the transfers that route around application APIs, which is most of the ones that matter. Hilt watches data movement at the kernel, where a move is visible before application-layer obfuscation can dress it up, and it watches metadata only by default. It sees that data is moving, who is moving it, where it is headed, and at what scale, without reading the data. Content-aware inspection is there when you want it. It is never the thing that surfaces the pattern.
The collector stays off the path. It does not sit between your workloads and the network, and it never blocks, drops, or alters traffic. Footprint runs about 0.1% of one core and 4-8 MB of memory per host, single-tenant inside your own cloud, so events never leave your account. The same model covers cloud workloads and user endpoints.
Reading is where DDR earns its name. The engine resolves each move to an identity (probabilistic, because confidence depends on the telemetry source) and to the job that identity is doing, then weighs that move against the moves around it. Four actions that each look normal but line up into an exfiltration shape become one case, not four hundred alerts. When a move is dangerous, Hilt responds with host-level network isolation (quarantine) from the control plane. It contains the host at the network. It does not stand in line and choke traffic. Cases and enriched signal feed your SIEM (Splunk, Microsoft Sentinel) and SOAR.
DDR vs. DLP vs. DSPM vs. UEBA
These categories overlap but solve different problems at different layers of data security:
| Category | What It Does | Detection Method | Response | Key Limitation |
|---|---|---|---|---|
| DDR | Watch data movement and respond when the pattern turns anomalous | Behavioral analysis on runtime telemetry | Host-level network isolation | Requires a runtime collector |
| DLP | Enforce content policies on known channels | Content inspection + rules | Policy-based | Blind to novel paths, permitted moves |
| DSPM | Discover and classify data posture | Scanning + classification | Posture recommendations | No real-time detection |
| UEBA | Detect anomalous user behavior | User behavioral analytics | Alert-based | Limited to user-level signals |
| EDR/XDR | Detect endpoint/extended threats | Threat intelligence + heuristics | Process-level | Optimized for malware, not data movement; DDR can replace it as the endpoint data sensor but does not cover the malware layer |
DDR watches data move and surfaces the anomalous pattern across channels. It is the runtime layer that sits between DSPM discovery, DLP policy, and EDR threat detection. See the full feature comparison.
Coverage Is the Other Half of the Story
Vantage decides what you can see on one host. Coverage decides whether you can see the move at all, because exfiltration rarely stays in one place. A run that opens in the cloud often lands on an endpoint, or the reverse. A platform that watches one environment reads half a sequence and calls it normal, because half of a breach looks like a workday.
| DDR / Data Security Platform | Domains Covered |
|---|---|
| Hilt | Cloud workloads + user endpoints |
| Cyberhaven | Endpoint + SaaS |
| DTEX Systems | Endpoint |
| Varonis | File + Cloud + SaaS |
| Nightfall AI | SaaS + Email + AI tools |
| Microsoft Purview | Microsoft 365 ecosystem |
In Time to Act, or Just in Time to Document
A DDR platform either reaches the move while it is forming or reaches the analyst after the data is gone. The Sophos Active Adversary Report found exfiltration often completes within days of initial compromise, and automated scripts move large volumes in minutes. Tools built on alert-then-investigate land the alert well outside that window. Hilt reads the movement as it happens, so the case arrives while there is still a host to isolate.
Noise decides whether anyone reads the case at all. SANS reported 63% of SOC alerts are non-actionable and 67% of analysts say false positives hurt their ability to respond. Fire on isolated events and you bury the real run under a thousand harmless ones. The fix is to correlate the moves across environments, fold access, egress, and the identity behind each move into one assessment, and hand the analyst a case instead of another alert.
What the Sequence Looks Like
Here is the run from the top of this article, laid out the way DDR reads it:
| Time | Actor | Action | DDR Assessment |
|---|---|---|---|
| 10:05 | svc-analytics | Query /datasets/client-portfolios (50 records) | Normal, consistent with recent baseline |
| 10:22 | svc-analytics | Query /datasets/client-portfolios (50 records) | Normal |
| 22:41 | svc-analytics | Query /datasets/client-portfolios (large volume) | Anomalous, far above baseline volume, off-hours |
| 22:41 | svc-analytics | Bulk export to staging bucket (external region) | Exfiltration pattern, host isolated at the network |
Read any single row and there is nothing to do. Valid credentials. A legitimate bucket. No broken content policy. DLP clears every step, correctly. The thing that changed is behavior: a volume spike, off-hours, to an external region, on data this account rarely touches at scale. Resolve the four rows to one identity, read them in order, and the workday becomes a case worth containing. Hilt isolated the host at the network on row four, before the export finished.
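To make the reading step concrete, here is the sequence above run through a small correlation routine that groups moves per actor, scores each against a baseline, and promotes a spike-then-egress run to one case. This is an added illustration written for this page, serving both the three-step description under How DDR Security Works and the table above; it is not Hilt's engine or event format. The field names, the 10x volume ratio, the 07:00-19:59 business window, the 30-minute run window, the home-region set, the bucket name and the events themselves (a constructed two-week history of 50-record reads, then the four moves from the table) are all assumptions. Identity resolution is reduced to an `actor` field, and the kernel vantage is out of scope.

```python
"""Correlate data-movement events into one case instead of per-event alerts.

Added example for this page, not Hilt's code. Event layout, thresholds and
the events themselves are assumptions constructed to mirror the article's
sequence; the routine shows the reading step, not the kernel vantage.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

HOME_REGIONS = {"us-east-1"}          # assumed: regions where this data is meant to live
BUSINESS_HOURS = range(7, 20)         # assumed: 07:00-19:59 host local time
VOLUME_RATIO = 10                     # assumed: a read over 10x the median is a spike
RUN_WINDOW = timedelta(minutes=30)    # assumed: moves within 30 min form one run


def routine_read(day, hhmm):
    """Constructed telemetry record: a 50-record read by the service account."""
    return {"ts": f"2025-03-{day:02d}T{hhmm}", "actor": "svc-analytics", "host": "web-07",
            "action": "read", "resource": "/datasets/client-portfolios",
            "records": 50, "dest": None, "dest_region": None}


# Constructed history: two weeks of the same two morning reads, then today's four moves.
HISTORY = [routine_read(d, t) for d in range(3, 15) for t in ("10:05", "10:22")]
TODAY = [
    routine_read(17, "10:05"),
    routine_read(17, "10:22"),
    dict(routine_read(17, "22:41"), records=48_200),
    {"ts": "2025-03-17T22:41", "actor": "svc-analytics", "host": "web-07",
     "action": "export", "resource": "/datasets/client-portfolios", "records": 48_200,
     "dest": "s3://staging-tmp-9f2", "dest_region": "eu-west-3"},   # assumed bucket/region
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def baseline_for(history):
    """Median records per read, keyed by (actor, resource), over the history window."""
    reads = defaultdict(list)
    for e in history:
        if e["action"] == "read":
            reads[(e["actor"], e["resource"])].append(e["records"])
    return {key: statistics.median(vals) for key, vals in reads.items()}


def assess(event, baseline):
    """Flags one move earns on its own; an empty list means it looks routine."""
    flags = []
    if parse_ts(event["ts"]).hour not in BUSINESS_HOURS:
        flags.append("off-hours")
    median = baseline.get((event["actor"], event["resource"]))
    if event["action"] == "read" and median and event["records"] > VOLUME_RATIO * median:
        flags.append(f"volume {event['records'] / median:.0f}x baseline")
    if event["action"] == "export" and event["dest_region"] not in HOME_REGIONS:
        flags.append(f"external region {event['dest_region']}")
    return flags


def build_cases(events, baseline):
    """Read each actor's moves in order; a volume spike followed within the run
    window by egress to an external region becomes a single case. Anything
    else, including a lone flagged move, is recorded but raises no case."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO timestamps sort as text
        by_actor[e["actor"]].append((e, assess(e, baseline)))

    cases = []
    for actor, moves in by_actor.items():
        rows, spike_at, verdict, action = [], None, "normal", None
        for e, flags in moves:
            ts = parse_ts(e["ts"])
            note = "anomalous: " + ", ".join(flags) if flags else "normal, consistent with baseline"
            if any(f.startswith("volume") for f in flags):
                spike_at = ts
            egress = any(f.startswith("external region") for f in flags)
            if egress and spike_at is not None and ts - spike_at <= RUN_WINDOW:
                note = "exfiltration pattern: bulk read followed by external egress"
                verdict, action = "exfiltration", f"isolate host {e['host']} at the network"
            rows.append({"ts": e["ts"], "action": e["action"], "assessment": note})
        if verdict != "normal":
            cases.append({"actor": actor, "verdict": verdict, "action": action, "rows": rows})
    return cases


if __name__ == "__main__":
    for case in build_cases(TODAY, baseline_for(HISTORY)):
        print(case["actor"], case["verdict"], "->", case["action"])
        for row in case["rows"]:
            print(" ", row["ts"], row["action"], row["assessment"])
```

The design choice worth noticing is what does not become a case: an off-hours export to an external region with no preceding spike, or a spike followed by an export to a home region, is scored and kept on the actor's timeline but raises nothing, which is how the routine stays at one case rather than one alert per flagged row. The two morning reads travel with the case as context so the analyst sees the whole workday, not just the two rows that fired.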
Where DDR Sits in the Stack
DDR sits across the tools you already run. It reads the layer none of them read, data in motion, and hands the rest of the stack better signal:
- DSPM + DDR: DSPM (Cyera, Securiti) classifies sensitive data at rest. DDR watches that data in motion and surfaces unauthorized movement as it forms.
- DLP + DDR: DLP (Microsoft Purview, Zscaler) enforces known-good policies on known channels. DDR catches the permitted-but-anomalous move, novel paths, and shadow AI usage. IBM found shadow AI breaches cost $4.63 million on average, $670,000 more than standard breaches. DLP does not see data pasted into an AI assistant on a path it was never told to watch.
- EDR or DDR on the endpoint: EDR (CrowdStrike Falcon, SentinelOne) detects process-level threats. DDR watches the data movement behind a process: what was accessed, where it was going, and whether the run of moves was anomalous. On the endpoint Hilt can stand in for your sensor, and many clients retire their EDR once it is in place. Keep an EDR alongside if you still need the malware and intrusion layer, which Hilt does not cover; retiring it means giving that layer up.
- SIEM + DDR: DDR feeds high-fidelity, case-level data signal into your SIEM (Splunk, Microsoft Sentinel), reducing the non-actionable alert rate that SANS documented at 63%.
The average breach runs $4.88 million (IBM, 2024). The cost lands in the gap between when the run forms and when someone can act on it. DDR exists to close that gap, so the move is caught in motion rather than read about in a letter you mail to your customers.
How to Evaluate DDR Security Platforms
Most of the category markets on the same words. Sort the platforms on what you can actually measure:
| Evaluation Criteria | What to Measure | What Good Looks Like |
|---|---|---|
| Vantage point | Where the platform watches from | At the kernel, before obfuscation |
| Domain coverage | Cloud workloads + user endpoints | Both on one model |
| Time to first event | Minutes vs. weeks | Fast, low-friction onboarding |
| Response model | Inline vs. off the path | Off the path, host-level isolation |
| Performance overhead | CPU + RAM impact | About 0.1% of a core, 4-8 MB |
| Privacy model | Content-required vs. metadata-first | Metadata only by default |
| Deployment friction | Code changes required | None |
Map your blind spots first. Find the place a permitted-but-anomalous move would slip past your DLP, EDR, and CASB and surface to no one. That is the gap DDR fills.
Getting Started
Deploy where a move would cost the most: financial systems, IP repositories, customer databases, the AI and ML pipelines pulling from all three. Run in detection mode long enough to learn what normal movement looks like on your hosts, then turn on response once the baseline holds. Feed the cases into your SIEM and the playbooks into your SOAR. Track time to detect, time to respond, false-positive rate, and data at risk reduced. Raw alert volume measures noise, not progress. The FAQ covers deployment questions and the case studies show the rest.
If you want to see the sequence read in your own environment, single-tenant and metadata only, book a 30-minute technical call. We will walk a real move from kernel to case.
FAQ
What does DDR mean in cybersecurity? DDR stands for Data Detection and Response. It is a category of data security that continuously watches data movement across cloud workloads and user endpoints and responds when the pattern across moves becomes anomalous, surfacing the case and isolating the host at the network, rather than enforcing a static content rule.
How is DDR different from DLP? DLP enforces content-based policies on known data channels (email, USB, cloud storage). DDR watches data movement at runtime and surfaces an anomalous pattern across any channel, including the permitted-but-dangerous move that no content rule would catch. DLP is preventive and rule-based; DDR is behavioral and runtime, built for the move that is technically allowed.
Do I need DDR if I already have DLP and EDR? Yes. DLP misses the permitted move and novel paths. EDR is optimized for malware and process-level threats, not data movement. DDR fills the gap by watching how data actually flows and responding when that flow becomes anomalous, even when permissions are valid and no malware is present. On the endpoint, DDR can also stand in for your sensor, and many clients retire their EDR once Hilt is in place; keep an EDR alongside only if you want the malware and intrusion layer too.
What is the difference between DDR and DSPM? DSPM discovers and classifies sensitive data at rest; it tells you where your data lives and what exposure exists. DDR watches data in motion and responds to anomalous movement in real time. DSPM is posture; DDR is detection and response. They are complementary: DSPM informs DDR about what to watch, and DDR validates DSPM classifications with runtime evidence.
How does DDR respond without sitting inline? The strongest DDR model watches data movement off the path rather than standing inline between workloads and the network. Hilt watches at the kernel, metadata only by default, and when a move is dangerous it responds with host-level network isolation (quarantine) from the control plane. The collector never blocks, drops, or alters traffic in line; it contains the host at the network instead.