DDR Security: How Runtime Data Movement Governance Catches Exfiltration by Pattern (2026)

April 14, 2026 Alexandre Genest 9 min

Your most valuable data leaves on access you granted on purpose. DDR security watches data movement at runtime, resolves each move to an identity, and isolates the host before the pattern becomes a breach. How it fits vs DLP and DSPM.

A service account reads a client portfolio table twice in the morning, fifty records each time. Nothing flags. At 10:41 that night the same account pulls the whole table and ships it to a staging bucket in another region. Every step used valid credentials. Every step hit a destination it was allowed to reach. No content rule broke. The breach was the shape of the four moves together, and the four moves together were exactly what nothing on the wire was watching.

That is the problem DDR was built for. Data Detection and Response watches how data moves and acts when the movement stops fitting the job behind it. It does not ask whether a move is permitted. It assumes the dangerous moves are permitted, because the ones that hurt almost always are. Your most valuable data leaves on access you granted on purpose, one legitimate action at a time, and the tools you already own pass each action because each action is legitimate. DLP checks content against rules. DSPM finds where sensitive data sits. Neither reads a sequence. The pattern across moves has no owner.

For a hands-on companion, see how to prevent data exfiltration. If you are weighing vendors, see Hilt vs Cyberhaven.

Where DDR Looks That Other Tools Do Not

Most data tooling answers a question about location or content. Where does sensitive data live? Does this payload match a pattern? Both questions are static. Both go quiet the moment a permitted actor does something permitted at the wrong scale, hour, and destination.

The Identity Theft Resource Center tracked more than 3,300 US data breaches in 2025. Read the public ones and the pattern repeats: valid credentials, real access, data walking out a door it was issued a key to. The signal is never the single move. It is the run of moves.

Predictive tools try to call the run before it starts and guess wrong often enough to drown a team in false alarms. Forensic tools reconstruct the run after the data is gone, in time for the disclosure letter and nothing earlier. DDR sits where neither sits: on the movement itself, while it is still moving, when there is still a host to isolate.

How DDR Security Works

Three things have to happen: watch the moves, read them in sequence, contain the host when the sequence turns.

Watching is a question of vantage. Collection that lives inside applications misses the transfers that route around application APIs, which is most of the ones that matter. Hilt watches data movement at the kernel, where a move is visible before application-layer obfuscation can dress it up, and it watches metadata only by default. It sees that data is moving, who is moving it, where it is headed, and at what scale, without reading the data. Content-aware inspection is there when you want it. It is never the thing that surfaces the pattern.

The collector stays off the path. It does not sit between your workloads and the network, and it never blocks, drops, or alters traffic. Footprint runs about 0.1% of one core and 4-8 MB of memory per host, single-tenant inside your own cloud, so events never leave your account. The same model covers cloud workloads and user endpoints.

Reading is where DDR earns its name. The engine resolves each move to a probabilistic, source-dependent identity and the job behind it, then weighs that move against the moves around it. Four actions that each look normal but line up into an exfiltration shape become one case, not four hundred alerts. When a move is dangerous, Hilt responds with host-level network isolation (quarantine) from the control plane. It contains the host at the network. It does not stand in line and choke traffic. Cases and enriched signal feed your SIEM (Splunk, Microsoft Sentinel) and SOAR.

DDR vs. DLP vs. DSPM vs. UEBA

These categories overlap but solve different problems at different layers of data security:

| Category | What It Does | Detection Method | Response | Key Limitation |
|---|---|---|---|---|
| DDR | Watch data movement and respond when the pattern turns anomalous | Behavioral analysis on runtime telemetry | Host-level network isolation | Requires a runtime collector |
| DLP | Enforce content policies on known channels | Content inspection + rules | Policy-based | Blind to novel paths, permitted moves |
| DSPM | Discover and classify data posture | Scanning + classification | Posture recommendations | No real-time detection |
| UEBA | Detect anomalous user behavior | User behavioral analytics | Alert-based | Limited to user-level signals |
| EDR/XDR | Detect endpoint/extended threats | Threat intelligence + heuristics | Process-level | Optimized for malware, not data movement; on the endpoint DDR can stand in for it |

DDR watches data move and surfaces the anomalous pattern across channels, the runtime layer between DSPM discovery, DLP policy, and EDR threat detection. See the full feature comparison.

Coverage Is the Other Half of the Story

Vantage decides what you can see on one host. Coverage decides whether you can see the move at all, because exfiltration rarely stays in one place. A run that opens in the cloud often lands on an endpoint, or the reverse. A platform that watches one environment reads half a sequence and calls it normal, because half of a breach looks like a workday.

| DDR / Data Security Platform | Domains Covered |
|---|---|
| Hilt | Cloud workloads + user endpoints |
| Cyberhaven | Endpoint + SaaS |
| DTEX Systems | Endpoint |
| Varonis | File + Cloud + SaaS |
| Nightfall AI | SaaS + Email + AI tools |
| Microsoft Purview | Microsoft 365 ecosystem |

In Time to Act, or Just in Time to Document

A DDR platform either reaches the move while it is forming or reaches the analyst after the data is gone. The Sophos Active Adversary Report found exfiltration often completes within days of initial compromise, and automated scripts move large volumes in minutes. Tools built on alert-then-investigate land the alert well outside that window. Hilt reads the movement as it happens, so the case arrives while there is still a host to isolate.

Noise decides whether anyone reads the case at all. SANS reported 63% of SOC alerts are non-actionable and 67% of analysts say false positives hurt their ability to respond. Fire on isolated events and you bury the real run under a thousand harmless ones. The fix is to correlate the moves across environments, fold access, egress, and the identity behind each move into one assessment, and hand the analyst a case instead of another alert.

What the Sequence Looks Like

Here is the run from the top of this article, laid out the way DDR reads it:

| Time | Actor | Action | DDR Assessment |
|---|---|---|---|
| 10:05 | svc-analytics | Query /datasets/client-portfolios (50 records) | Normal, consistent with recent baseline |
| 10:22 | svc-analytics | Query /datasets/client-portfolios (50 records) | Normal |
| 22:41 | svc-analytics | Query /datasets/client-portfolios (large volume) | Anomalous, far above baseline volume, off-hours |
| 22:41 | svc-analytics | Bulk export to staging bucket (external region) | Exfiltration pattern, host isolated at the network |

Read any single row and there is nothing to do. Valid credentials. A legitimate bucket. No broken content policy. DLP clears every step, correctly. The thing that changed is behavior: a volume spike, off-hours, to an external region, on data this account rarely touches at scale. Resolve the four rows to one identity, read them in order, and the workday becomes a case worth containing. Hilt isolated the host at the network on row four, before the export finished.
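To make the "read them in order" step concrete, here is an added example of a sequence reader that scores each move against the actor's own baseline and folds anomalous moves into one case. It is illustrative code written for this article, not Hilt's engine: the identity is assumed to be already resolved, the home region, business hours, spike factor and case window are constructed constants, and the four sample moves are constructed to mirror the table above. The `mode` switch mirrors the detection-then-response rollout described later under Getting Started.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

HOME_REGION = "eu-west-1"          # assumed home region for this example
WORK_HOURS = (8, 19)               # assumed business hours, local time
SPIKE_FACTOR = 10.0                # more than 10x the actor's baseline mean counts as a spike
CASE_WINDOW = timedelta(hours=1)   # anomalous moves this close together belong to one case

@dataclass(frozen=True)
class Move:
    ts: datetime     # when the move happened
    actor: str       # identity the move was resolved to (resolution itself is out of scope here)
    action: str      # "read" or "export"
    dataset: str     # what was touched
    records: int     # scale of the move
    dest: str        # where it went, e.g. "app:portfolio-ui" or "bucket:us-west-2"

@dataclass
class Case:
    actor: str
    opened: datetime
    last: datetime
    moves: list = field(default_factory=list)   # (Move, reasons) pairs in order
    isolate: bool = False

class SequenceReader:
    """Scores each move against the actor's baseline and folds anomalous moves into cases."""

    def __init__(self, mode="detect"):
        self.mode = mode                        # "detect" scores only; "respond" also isolates
        self.baseline = defaultdict(list)       # (actor, dataset) -> record counts of normal moves
        self.cases = []
        self._open = {}                         # actor -> currently open Case

    def reasons(self, m):
        out = []
        hist = self.baseline[(m.actor, m.dataset)]
        if hist and m.records > SPIKE_FACTOR * mean(hist):
            out.append("volume far above baseline")
        if not (WORK_HOURS[0] <= m.ts.hour < WORK_HOURS[1]):
            out.append("off-hours")
        if m.action == "export" and not m.dest.endswith(HOME_REGION):
            out.append("export to external region")
        return out

    def assess(self, m):
        why = self.reasons(m)
        if len(why) < 2:                        # one odd attribute alone is a workday, not a case
            self.baseline[(m.actor, m.dataset)].append(m.records)
            return "normal"
        case = self._open.get(m.actor)
        if case is None or m.ts - case.last > CASE_WINDOW:
            case = Case(actor=m.actor, opened=m.ts, last=m.ts)
            self.cases.append(case)
            self._open[m.actor] = case
        case.moves.append((m, why))
        case.last = m.ts
        # The exfiltration shape: an anomalous access already in the case, now followed by
        # an anomalous export that leaves the home region.
        had_access = any(mv.action == "read" for mv, _ in case.moves[:-1])
        if m.action == "export" and "export to external region" in why and had_access:
            if self.mode == "respond":
                case.isolate = True
                return "exfiltration pattern: host isolated at the network"
            return "exfiltration pattern: case surfaced (detect mode, no isolation)"
        return "anomalous: " + ", ".join(why)

def replay(mode="respond"):
    """Constructed sample run mirroring the four rows in the table above."""
    t = lambda hh, mm: datetime(2026, 4, 14, hh, mm)
    run = [
        Move(t(10, 5),  "svc-analytics", "read",   "client-portfolios", 50,   "app:portfolio-ui"),
        Move(t(10, 22), "svc-analytics", "read",   "client-portfolios", 50,   "app:portfolio-ui"),
        Move(t(22, 41), "svc-analytics", "read",   "client-portfolios", 5000, "app:portfolio-ui"),
        Move(t(22, 41), "svc-analytics", "export", "client-portfolios", 5000, "bucket:us-west-2"),
    ]
    reader = SequenceReader(mode=mode)
    verdicts = [reader.assess(m) for m in run]
    return verdicts, reader.cases

if __name__ == "__main__":
    for verdict in replay()[0]:
        print(verdict)
```

The first two reads feed the baseline and return "normal"; the third trips both the volume and off-hours checks and opens a case; the fourth joins that case and, because an anomalous access already sits in it, becomes the exfiltration verdict. Running with `replay("detect")` surfaces the same case without setting the isolation flag, which is the posture the Getting Started section recommends while the baseline is still forming.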

Where DDR Sits in the Stack

DDR sits across what you run. It reads the layer the rest of your stack does not read, the data in motion, and hands that stack better signal. On the endpoint it can also stand in for your sensor, and many clients retire their EDR once Hilt is in place:

  • DSPM + DDR: DSPM (Cyera, Securiti) classifies sensitive data at rest. DDR watches that data in motion and surfaces unauthorized movement as it forms.
  • DLP + DDR: DLP (Microsoft Purview, Zscaler) enforces known-good policies on known channels. DDR catches the permitted-but-anomalous move, novel paths, and shadow AI usage. IBM found shadow AI breaches cost $4.63 million on average, $670,000 more than standard breaches. DLP does not see data pasted into an AI assistant on a path it was never told to watch.
  • EDR or DDR on the endpoint: EDR (CrowdStrike Falcon, SentinelOne) detects process-level threats. DDR watches the data movement behind a process: what was accessed, where it was going, and whether the run of moves was anomalous. On the endpoint Hilt can stand in for your sensor, and many clients retire their EDR once it is in place. Keep an EDR alongside only if you also want the malware and intrusion layer, which Hilt does not cover.
  • SIEM + DDR: DDR feeds high-fidelity, case-level data signal into your SIEM (Splunk, Microsoft Sentinel), reducing the non-actionable alert rate that SANS documented at 63%.

The average breach runs $4.88 million (IBM, 2024). The cost lands in the gap between when the run forms and when someone can act on it. DDR exists to close that gap, so the move is caught in motion rather than read about in a letter you mail to your customers.

How to Evaluate DDR Security Platforms

Most of the category markets on the same words. Sort the platforms on what you can actually measure:

| Evaluation Criteria | What to Measure | What Good Looks Like |
|---|---|---|
| Vantage point | Where the platform watches from | At the kernel, before obfuscation |
| Domain coverage | Cloud workloads + user endpoints | Both on one model |
| Time to first event | Minutes vs. weeks | Fast, low-friction onboarding |
| Response model | Inline vs. off the path | Off the path, host-level isolation |
| Performance overhead | CPU + RAM impact | About 0.1% of a core, 4-8 MB |
| Privacy model | Content-required vs. metadata-first | Metadata only by default |
| Deployment friction | Code changes required | None |

Map your blind spots first. Find the place a permitted-but-anomalous move would slip past your DLP, EDR, and CASB and surface to no one. That is the gap DDR fills.

Getting Started

Deploy where a move would cost the most: financial systems, IP repositories, customer databases, the AI and ML pipelines pulling from all three. Run in detection mode long enough to learn what normal movement looks like on your hosts, then turn on response once the baseline holds. Feed the cases into your SIEM and the playbooks into your SOAR. Track time to detect, time to respond, false-positive rate, and data at risk reduced. Raw alert volume measures noise, not progress. The FAQ covers deployment questions and the case studies show the rest.

If you want to see the sequence read in your own environment, single-tenant and metadata only, book a 30-minute technical call. We will walk a real move from kernel to case.

FAQ

What does DDR mean in cybersecurity? DDR stands for Data Detection and Response. It is a category of data security that continuously watches data movement across cloud workloads and user endpoints and responds when the pattern across moves becomes anomalous, surfacing the case and isolating the host at the network, rather than enforcing a static content rule.

How is DDR different from DLP? DLP enforces content-based policies on known data channels (email, USB, cloud storage). DDR watches data movement at runtime and surfaces an anomalous pattern across any channel, including the permitted-but-dangerous move that no content rule would catch. DLP is preventive and rule-based; DDR is behavioral and runtime, built for the move that is technically allowed.

Do I need DDR if I already have DLP and EDR? Yes. DLP misses the permitted move and novel paths. EDR is optimized for malware and process-level threats, not data movement. DDR fills the gap by watching how data actually flows and responding when that flow becomes anomalous, even when permissions are valid and no malware is present. On the endpoint, DDR can also stand in for your sensor, and many clients retire their EDR once Hilt is in place; keep an EDR alongside only if you want the malware and intrusion layer too.

What is the difference between DDR and DSPM? DSPM discovers and classifies sensitive data at rest; it tells you where your data lives and what exposure exists. DDR watches data in motion and responds to anomalous movement in real time. DSPM is posture; DDR is detection and response. They are complementary: DSPM informs DDR about what to watch, and DDR validates DSPM classifications with runtime evidence.

How does DDR respond without sitting inline? The strongest DDR model watches data movement off the path rather than standing inline between workloads and the network. Hilt watches at the kernel, metadata only by default, and when a move is dangerous it responds with host-level network isolation (quarantine) from the control plane. The collector never blocks, drops, or alters traffic in line; it contains the host at the network instead.