Image-Based Data Loss Prevention, Explained

The data that leaks isn't always text — it's a screenshot of a contract, a photo of a whiteboard. A 2020 Netskope grant covers detecting sensitive documents that arrive as images.

Early DLP had a blind spot any employee could exploit by accident: it read text, so a sensitive document pasted as a screenshot, or photographed and uploaded, sailed straight past the filters. As work moved to the cloud and to phones, image-borne leakage stopped being an edge case.

Netskope's US10867073B1, “Detecting organization image-borne sensitive documents and protecting against loss of the sensitive documents” (issued December 15, 2020; CPC G06F 21/6245 — protecting personal data, and G06N 20/00 — machine learning), describes recognizing that an image actually carries a sensitive organizational document and applying loss-prevention controls to it. Read it at US10867073B1.

Mechanically, the system has to look at an image and decide it is, say, a confidential contract or a filled-in form — a classification problem the CPC tag G06N 20/00 points straight at. Once the image is classified as sensitive, the same policy machinery that governs text can act on it: block the upload, quarantine it, alert.

Why this is a business story: Netskope built its valuation as a cloud-security pure-play on exactly this kind of cloud-channel coverage, and image-borne DLP is a recurring feature in the bake-offs against the network-DLP incumbents. The IP here is the classification step — turning an image into a policy decision — which is what lets a cloud-access security broker claim coverage the legacy text engines never had.

The grounded read: image-based DLP closes the screenshot loophole by classifying the picture, then enforcing the same data policy on it. Netskope's 2020 grant describes detecting the image-borne sensitive document as the precondition for protecting it.

How Image-Based Data Loss Prevention Works, Read Through a Netskope Patent