Best Sensitive Data Discovery Tools

The rules around the treatment of Personally Identifiable Information (PII) are complicated, and failure to protect PII can be devastating for the business both financially and in terms of reputation. As it is so important to protect PII from accidental disclosure or inappropriate use, this information requires an extra security process in addition to the access controls imposed on all company data stores. Knowing where the stores of PII are is step one in controlling access, so sensitive data discovery tools are fundamental to the protection of PII.

Many business processes will require access to PII. For example, the sales department will need information about customer habits, the dispatch office will need address information and the financial office will be responsible for processing payments. This means that customer information can be spread over several storage locations. Distributed systems for global operations might have local data stores in each branch. So, there can be many places where PII is held.

Here is our list of the seven best sensitive data discovery tools:

  1. ManageEngine Endpoint DLP Plus EDITOR’S CHOICE A bundle of data protection services that include sensitive data discovery and categorization. The console offers templates to simplify data protection policy creation. Available for Windows Server.
  2. N-able Risk Intelligence This data breach vulnerability assessment tool includes PII data discovery along with other security tightening systems, such as a permissions analyzer. This is a cloud platform.
  3. ManageEngine DataSecurity Plus This package of data protection tools includes a Data Risk Assessment module that locates, protects, and tracks sensitive data. It is available for Windows Server.
  4. Spirion Sensitive Data Manager A tracker and manager for sensitive data that can locate sensitive data stores on the local network, remote sites, and on cloud systems. This is a cloud-based service with on-site agents for Windows, macOS, and Linux.
  5. Thales CipherTrust Data Discovery and Classification This cloud platform launches searches for sensitive data on your local and remote sites and also on the cloud.
  6. Azure Information Protection This service from the well-known cloud platform tracks your sensitive data no matter where it is – it doesn’t have to be on an Azure server.
  7. Mentis iDiscover An AI-based tracker for sensitive data that categorizes data for GDPR, CCPA, and HIPAA requirements, among other standards. This is a cloud platform.

You can read more about each of these options in the following sections.

Management of sensitive data

There is a strong business case for centralizing data stores. However, that is a separate issue to the protection of sensitive data. If you can centralize data you can eliminate redundancy. You can also control access better because you only need to have one instance of supervisory software running.

Whether you intend to move sensitive data or leave it in its many current locations, you first need to identify it. To find sensitive data, you need to locate all data and categorize it. Even “sensitive data” is not one category – there are many types of sensitive data. So, a sensitive data discovery tool needs to be able to categorize data as well as locate it.
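The locate-and-categorize step described above can be sketched as a small scanner. This is an added example, not code from any of the products reviewed here; the category names, patterns, and sample text are assumptions constructed for illustration. It shows why a checksum (Luhn) is needed to cut false positives on card numbers and why findings should be masked before they reach a report.

```python
import re
from collections import Counter

# Hypothetical categories and patterns, chosen for this example only.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value):
    """Keep the last four characters so the report is not itself a PII store."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text, source):
    """Return one finding per match: where it was found and which category."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group()
                if category == "payment_card":
                    value = re.sub(r"[ -]", "", value)
                    if not luhn_ok(value):
                        continue
                findings.append({"source": source, "line": lineno,
                                 "category": category, "match": mask(value)})
    return findings

def summarize(findings):
    """Count findings per category, the basis of a per-type risk report."""
    return Counter(f["category"] for f in findings)

# Constructed sample input; none of these values belong to real people.
SAMPLE = """\
order 1881 shipped to jane.doe@example.com
card on file: 4111 1111 1111 1111
tracking id 4111111111111112
employee SSN 123-45-6789, badge 000-12-3456
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE, "crm_export.txt")
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

The tracking id and the badge number are skipped: the first fails the Luhn check and the second uses an area number that is never issued, which is the kind of validation that separates classification from plain pattern matching.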

The best sensitive data discovery tools

A sensitive data discovery tool has a finite requirement. You would expect that the discovery process should be ongoing. Ordinarily, it can be expected that PII will always be stored in the same locations, so once several servers and folders have been identified, they will probably be the only places to continue to look. However, PII data needs to be tracked and sensitive data discovery tools can play a part in tracking the distribution – authorized or otherwise – of that data.

As the discovery of sensitive data is just one step in the process of protecting PII, the best tools for the job should be integrated into data management systems that perform a wide range of administration tasks, not just locating stores of sensitive data.

What should you look for in a sensitive data discovery tool? 

We reviewed the market for sensitive data discovery software and analyzed the options based on the following criteria:

  • A service that can search through multiple sites to locate stores of sensitive data
  • A service that will rescan all systems periodically
  • Nice to have integration with data security systems, such as backup and file integrity management
  • A classification process that can be adapted to specific data protection standards requirements
  • A reporting tool that can produce standards compliance documentation
  • A free trial or demo for a cost-free assessment
  • Value for money represented by worthwhile tools at a fair price

The best strategy to aim for when looking for sensitive data discovery tools is to get a system that forms part of a wider data security service. This will provide the best value for money and also reduce the number of interfaces that the system administrator needs to open to fully manage data.

1. ManageEngine Endpoint DLP Plus (FREE TRIAL)

ManageEngine Endpoint DLP Plus is a data protection system that includes sensitive data discovery. The package will also help you to formulate a data security policy that extends to user activity monitoring, device control, and data movement scrutiny. Endpoint DLP Plus installs on one device on your network and then reaches out to all other computers, centralizing controls.

The first step in managing sensitive data with this tool is to set up a security policy. This process is supported by a library of templates. After selecting a suitable match for your needs, you can adjust your chosen template to fine-tune the system’s data protection strategy. This dictates what constitutes “sensitive” data and it can be tailored to a data protection standard.

The system will then scour all of the endpoints on your network and identify data stores containing matches for your chosen data protection definition. The system is able to spot combinations of fields that represent PII even if they are not collected in a formal storage format, such as a database or spreadsheet. This technique is called “fingerprinting.”

Once a store of sensitive data has been identified, all access to it is tracked. It is also possible to nominate trusted applications that regularly originate or access sensitive data. Data exports from these tools can be blocked. The system will also watch over USB devices and data movements in emails and out to cloud platforms.

ManageEngine Endpoint DLP Plus has a free version, which is limited to monitoring 25 endpoints. The full package is called Professional and it can be extended to cover multiple sites from one console. The software package installs on Windows Server and the tool is available for a 30-day free trial.


ManageEngine Endpoint DLP Plus is our top pick for a sensitive data discovery tool because the package can be easily tailored to specific data protection standards. The system discovers sensitive data and then categorizes it to allow the creation of fine-grained access controls. The system is supported by a library of policy templates that speed up the definition of a data security strategy. After you have your security requirements defined, the tool will track user activity, data access, and file movements to protect the sensitive data that your system holds.

OS: Windows Server

2. N-able Risk Intelligence

N-able Risk Intelligence offers a good deal because it is more than just a sensitive data discovery tool. This service scans Windows and macOS devices connected to your network and identifies security weaknesses, such as out-of-date software. It also examines the security surrounding email systems.

The vulnerability scanner uses the Common Vulnerability Scoring System (CVSS) to identify the latest threats and attack strategies of hackers and then checks each device to close down the entry points those strategies exploit. This vulnerability sweep touches on all devices connected to your network.

The sensitive data discovery tool in the N-able Risk Intelligence package offers pre-formatted scans and also allows for customized scans. It searches for email addresses, license plate numbers, bank accounts, social security numbers, ACH data, and credit card numbers. The system produces a risk report for each type of PII that it discovers.

N-able offers a wider system administration service that includes security software. N-able Risk Intelligence can be integrated into an N-able remote monitoring and management plan. This system is hosted as a SaaS system.

3. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is a software package that includes three modules. You can buy just one of the modules as a standalone service or all three in a package. Those modules are File Server Auditing, Data Leak Prevention, and Data Risk Assessment. The sensitive data discovery tool of this package is contained in the Data Risk Assessment module.

The sensitive data discovery tool seeks out all stores of PII and Protected Health Information (PHI) and then categorizes all instances in terms of vulnerability. As well as looking for sensitive data, this service looks for obsolete files that have not been accessed for a long time. Being aware of this type of data gives you the option of either archiving it or deleting it. The service also examines file permissions and access rights to devices and folders, presenting them to you for analysis and decision making.

The full package of DataSecurity Plus includes File Integrity Management (FIM), which tracks all changes to files, including those that hold sensitive data. You don’t have to apply FIM to all files – you decide which directories should have this service enabled. The FIM is connected to an alert system so you will be notified whenever a protected file is changed or deletion is attempted.

The DataSecurity Plus system is also able to block USB devices or allow them but monitor which files are copied onto them, selectively blocking files that contain identified sensitive data. That graded control can also be applied to the email system – you can choose to block attachments or just block sensitive data files from being sent out by email.

ManageEngine DataSecurity Plus is a software package that installs on Windows Server. You can get it on a 30-day free trial to run it through its paces.

4. Spirion Sensitive Data Manager

Spirion Sensitive Data Manager is a cloud platform that installs agents on the devices on your site and can also implement agentless monitoring of cloud platforms. This data discovery tool gives you a data management strategy. The service is geared around reducing the attack vulnerabilities of sensitive data storage. This system looks for intellectual property, as well as PII, PHI, and credit card information.

The processes in the Spirion Sensitive Data Manager will help you with compliance with GDPR, CCPA, HIPAA, and PCI DSS. The data discovery module of the Sensitive Data Manager is called AnyFind. It can find sensitive data on all of your infrastructure – on all sites and all platforms. You can see where all of the data is stored through the dashboard of the system, which is hosted on Spirion servers and can be accessed through any web browser. That information gives you options over whether you are going to consolidate your data storage in one place or implement a distributed system.

The next phase in sensitive data management is classification and that task is carried out by the Watcher module. As well as identifying sensitive data, this examines vulnerability levels and recommends tightening access rights to specific files. A module called Spyglass helps you apply security procedures to your sensitive data stores. This includes FIM and data loss protection processes.

The Spirion system offers value for money because it provides all of the services you will need to protect sensitive data and comply with data protection standards. Spirion offers a demo of the Sensitive Data Manager.

5. Thales CipherTrust Data Discovery and Classification

Thales CipherTrust Data Discovery and Classification is a cloud-based service that can search through all of your data stores on all of your sites plus on the cloud. This tool is part of a suite of data security services that is called the CipherTrust Data Security Platform.

The sensitive data discovery tool provides a service needed by businesses that follow GDPR, CCPA, LGPD, PCI DSS, and HIPAA. The system can analyze all types of data storage, not just file stores. It is also able to examine databases and other big data storage systems. Unstructured data is also a target for the search facility. The search utility can explore all of your sites plus cloud storage services for sensitive data.

The categorization processes in the Data Discovery and Classification module assess the vulnerability of each piece of data and its importance in terms of data protection standards. This gives you a report on which data stores require heavier protection and suggests methods to improve security.

Categorizing data in terms of data protection standards gives you a better grounding on which pieces of information can be shared with other organizations, in which format, and by what methods.

The console for the service is hosted in the cloud and accessed through any standard Web browser. The screens within the dashboard include data visualizations that make it easy to create presentations to communicate security issues to stakeholders. It is also possible to generate compliance reports from the system.

Other modules in the CipherTrust Data Security Platform offer encryption solutions to protect sensitive data at rest and in transit and data storage control mechanisms that reduce the number of people who can access sensitive data.

6. Azure Information Protection

You probably know about the Azure platform and you might even use Azure servers for storage. However, you might not know that Azure offers a menu of services that can be applied to storage and processing virtual server accounts and are also available to businesses that don’t even use Azure servers.

One of those services is the Azure Information Protection system. This package can search for sensitive data on any of your sites or any of your cloud services. The system offers continuous monitoring for emails, document access, and data stores. So, once sensitive data has been located, it will be monitored.

You have to set up a policy for data protection before running a data search with this service. This enables you to specify the type of information that needs to be protected – a decision that will be dictated by the data protection standard that you are following. You can decide what level of control should be applied to sensitive data. For example, you can ban all transfers of the data or decide that only certain personnel should have access and the right to share the data – and who they can share it with.

Documents can be stamped and copies can be enumerated in the metadata to make disclosure tracking easier. It is possible to allow files to be viewed by others but not edited, downloaded, forwarded, or printed.

The Azure Information Protection service includes an encryption service that you can use to protect all sensitive data stores at rest and in transit. The system can be linked to Active Directory for access control and there is also a cloud-based version of Active Directory available within the Azure platform if you don’t already implement AD.

7. Mentis iDiscover

Mentis iDiscover can track down structured, unstructured, and BigData stores of sensitive data on-premises and on the cloud. This cloud-based service supports compliance with GDPR, CCPA, and HIPAA.

After tracking sensitive data, the service assesses the vulnerability of its location and analyzes file permissions. The system dashboard displays all stores of sensitive data so you get a visual record of storage. Sensitive data discovery can be set up as an incremental process, so it will notify you of any new instances that get saved. The system also scours log files and raises an alert if they contain sensitive data.

This system scours databases and unstructured data as well as files in its search for sensitive data. It also analyzes the users that have access permissions on data. It recommends changes to access rights. The service also back-chains through to the applications that store data, offering you the opportunity to change settings and alter storage locations for sensitive data.

This system uses artificial intelligence and natural language processing to spot instances of sensitive data. It implements automated workflows to save you time and take care of sensitive data protection for you.

Mentis iDiscover has built-in capabilities to interface with 35 data management systems, such as database management systems and cloud platforms. You can request a demo to assess the system for yourself.