How it works

How Data Detection and Response works

Data Detection and Response transforms how enterprises protect their data with a unique technology called data lineage. Here’s how it works.


Collect all events for every piece of data

Cyberhaven records every event for every piece of data – every move, copy, edit, and share to fully understand how data moves throughout your company.

Three deployment modes that together give full visibility and control over data

We developed an architecture that achieves complete visibility of your data, including as it transits unmanaged cloud apps and unmanaged devices.

Cloud API connectors

Cyberhaven connects to your sanctioned applications like Office 365 and Google Workspace to get visibility into content created and shared natively in the cloud.

Modern, lightweight endpoint agent

No, seriously. Our agent is designed from scratch to utilize modern operating system APIs and securely perform processing in the cloud so it doesn’t slow down devices or crash them. We support Windows, macOS, and Linux.

Browser extension

Supports all major browsers and collects telemetry for web-based cloud applications not available from other sources.

A flight recorder for data

These are just a few examples of the events we record for every piece of data:

Export report from app

Upload file to cloud app

Copy/paste content 

Send via AirDrop

Attach file to email

Compress data in ZIP file

Convert file to other format

And more...


Trace data’s lineage to classify and track it

Cyberhaven Graph automatically builds a lineage for every piece of data and continuously updates it as new events happen to track data everywhere it goes.

We bring order to billions of events to calculate the lineage of every piece of data

As data moves throughout your company, from person to person and application to application, it fragments and gets combined with other data. We calculate the lineage for every piece of data starting with its origin through every step it takes.

Innovative graph technology

Data lineage isn’t possible with off-the-shelf graph databases. We developed a new kind of graph database technology that would make it possible to trace data across dozens or even hundreds of steps in its journey.

Data lineage reveals a lot about the data and its importance

We can infer a lot about a piece of data based on where it originated, how it was handled, and the people who added to it without ever looking at its content.

Learn more

Where it originated

Whether it’s the customer database in Snowflake, the source code repository in Github, or the product design board in Figma, specific types of data start their journey in specific places.

How it was handled

Data moves in recognizable ways, passing through the board meeting site in SharePoint, the client documents folder in Google Drive, or the employee offer letter account in DocuSign.

Who added to it

Different employees produce different work, from researchers who develop drug formulas, to designers working on new products, to accountants who compile financial results.

Content analysis adds to our understanding of the data

We extract text content present in the data and perform optical character recognition (OCR) on images to pull additional text content. Cyberhaven includes out-of-the-box content identifiers for common forms of PII, PCI, and PHI along with the ability to define your own patterns using regular expressions.

Staying ahead of the competition means guarding against insider threats. Cyberhaven gives us visibility into how data flows in our company and stops insider threats in real time.

Richard Rushing

Enforce your data security policies

Our product allows you to define what is risky for your organization, enforce actions to protect data, and educate your workforce in real time.

Define risk levels based on the type of data and the type of behavior

Cyberhaven data lineage makes it possible to define incredibly simple policies and get better results with fewer false positives than policies based on content analysis alone.

Enforce your data security policies and block exfiltration

Take action to protect data across all major exfiltration channels including web, sharing via corporate email and apps, personal email, personal apps, AirDrop, and USB devices.

Take real-time action to protect data and educate users on the right behavior

When data is at risk of being exfiltrated, instantly take action and surface a message to the user educating them on company policy and acceptable behavior. An educated employee base leads to 80% fewer incidents and reduced risk to data over time.

Block exfiltration of sensitive data

Educate users to improve behavior

Allow override with justification


Quickly investigate and understand user intent

Cyberhaven Incident Response provides a workflow to quickly investigate incidents with the full context of what happened to quickly understand user intent.

Cyberhaven provides analysts the complete data lineage showing how a piece of data moved throughout the organization and the events leading up to attempted exfiltration.

Analysts see the full history of a piece of data to understand the user’s intent

Everything else analysts need to quickly understand a potential incident

Forensic-level event collection without physical access to a device

Cyberhaven captures and displays events related to a user or a piece of data that until now has only been available with physical access to image a device.

Screen capture and forensic file capture

Optionally, you can capture screenshots of a user’s device in the 30 seconds before an incident to better understand what happened along with the file itself to review its contents.


Review Cyberhaven incidents in your SIEM/SOAR or any third-party tool

Cyberhaven has native integration to SIEMs such as Splunk and also exposes incidents through an API so you can pull Cyberhaven incidents into any third-party security tool for review using your existing incident response workflow.

Learn more
Workday logo mark
Google logo
Microsoft Azure logo
IBM Q Radar
Azure Active Directory logo
Exabeam logo mark
Microsoft Office logo
& more
Live demo

See our product in action

The best way to understand the magic of Cyberhaven is to see a live product demo.
Request a demo