
Can Slack admins read your DMs?

If you use Slack for work, chances are you’ve sent a message or two that you hoped only your teammate would get to see. It’s all right, we’ve all done it—expecting a bit of privacy in what feels like a one-on-one conversation. But is Slack privacy even a thing? Are your DMs just between you and the person you’re chatting with? Let’s find out.

Can your boss see your Slack messages?

It might not be what you want to hear, but yes—your manager could potentially read your private Slack messages. That said, it’s not as simple as them just opening up your chat history. Whether they can access your messages depends on the Slack plan your company is on, its Slack workspace settings, and the established internal privacy policies.

In other words, no one can just casually peek into your DMs. Your employer would either need your permission or have to go through a formal process—usually by submitting a request to Slack and providing a valid reason, like a legal or compliance investigation. So, they’d only be able to export messages from your private channels and DMs if Slack approved their request.

Should that ever happen, don’t bother editing or deleting your DMs—it won’t make any difference. Slack stores all the original versions of your messages on its servers. So, once you send something, it’s technically there for good.

Also worth noting: anything you post on public channels is automatically visible to everyone in the Slack workspace—no special permissions needed.

So, can Slack admins read user DMs?

As you can probably guess, the answer is still a “yes”—but with a few caveats.

Slack admins in your company are responsible for things like access permissions, legal compliance, and integrations. Basically, they’re the ones running the Slack show. This means that, in some situations, they can technically have access to your direct messages in Slack. But here’s the key part: they can’t do it by default. There are data privacy rules and Slack policies in place to prevent casual snooping. Access to private messages only happens under specific circumstances.

If your company uses Slack’s Enterprise Grid or Business+ plan, some admins—usually people working in IT, compliance, or HR—can be given the option to export data from Slack, including all private messages. It’s a feature mostly meant for large organizations that need to stay on top of compliance and legal requirements. But for this to happen, admins have to put in a request directly to Slack—and Slack won’t approve it unless they’ve got a really solid legal or compliance reason.

On Pro and Free plans, things are a lot more limited. Admins can only export messages from public channels. That said, in the case of a serious breach or legal investigation, even on these plans, a company can submit a formal request to Slack for access to private data. And if the situation is serious enough, Slack will likely grant it.

So, are your Slack messages private? Technically, yes—at least until something happens that prompts an investigation. If that day comes, Slack admins could gain access to your messages so they can be reviewed.

Types of data that can be exported from Slack

With all this talk about who can download what on which Slack plan, it’s totally fair if you’re feeling a bit dizzy and wondering what it means for the privacy of your messages. To help clear things up, check out the table below—it lays out exactly what kind of data admins can access, based on the company’s Slack plan.

| | Free | Pro | Business+ | Enterprise Grid |
|---|---|---|---|---|
| Exporting messages from public channels | Yes | Yes | Yes | Yes |
| Exporting messages from public channels, private channels, and direct messages* | No | No | Yes | Yes |
| Exporting messages by conversation type or member | No | No | No | Yes |
| Exporting a detailed list of channels* | No | No | Yes | Yes |
| Export Slack data for a single user* | No | No | No | Yes |

*Workspace owners and organization owners need to submit a request to enable these types of exports.

So if you’re still wondering, “Can Slack admins see private channels?”—the short answer is “technically, yes.” However, their access depends on which Slack plan the company is on, and whether Slack approves their request to check your private messages.

Is it similar with tools like Microsoft Teams?

Yes, very much so. Just like with Slack, your employer can get access to your messages on Microsoft Teams—provided they’re on the right subscription plan. The only difference (though it might feel like a big one) is that with MS Teams, admins do NOT need Microsoft’s approval to view private messages within the organization.

So, if your company is on the E3 or E5 Office 365 Enterprise plan, your admins can use features such as eDiscovery to search for and export data like:

  • One-on-one, group, and meeting chats

  • Private channel messages

  • Meeting chat logs

  • Recorded meetings and transcripts

  • Files that were shared as attachments

That said, it’s probably not like someone is sitting there reading your messages all day. These data monitoring tools are mainly in place for security, compliance, and legal reasons—for example, if there’s a data breach. In day-to-day operations, your messages are most likely just stored safely in the background.

But if you’re specifically asking: “Can Microsoft Teams be monitored by my boss?”, the answer is: “Yes, it sure can be.”

How to act responsibly on Slack

Since Slack is meant for work-related communication, it’s probably not the best place to overshare or drop sensitive info without a second thought. Here are a few handy tips to help you stay clear, professional, and safe while chatting with your team—without putting yourself (or anyone else) in a tough spot.

Be respectful—no matter who you’re chatting with

Everyone in your organization deserves to be treated with kindness and respect. As part of the team, you must always communicate in a professional manner—whether you are chatting in person or online. If someone’s giving you trouble, it’s best to talk to your supervisor about the situation, without letting your emotions take over and writing something on Slack that could negatively affect how others perceive you.

Be mindful about sharing personal stories

It’s perfectly normal for people to form friendships at the office—after all, many—if not most—of us spend more time with our coworkers than with our friends outside of work. That said, it doesn’t mean you should treat Slack like your personal messaging app and use it to have casual, buddy-buddy conversations with your teammates. Keep in mind you’re still at work, and some things are better saved for when you’re hanging out with the team outside of work hours.

Avoid sharing confidential business information

What’s really important is that you use Slack for things like collaborating with your team on your daily tasks, scheduling meetings, and sharing updates on marketing campaigns. This is to say that you should never put sensitive data—like client information, company secrets (such as proprietary designs), passwords to business accounts, or credit card details—in a post or message on Slack. If you need to share something sensitive, like corporate credentials or credit card information, it’s better to use a tool like NordPass, which keeps everything encrypted. And if you’re unsure about what’s safe to share on Slack, it’s a good idea to check with your IT department for guidance.

Stay informed about Slack’s privacy settings

Remember that your employer could potentially access your private messages and channels at any time. Right now, your messages are usually only reviewed by admins if there’s a serious investigation, like checking if you’ve crossed any lines or if your actions contributed to a legal issue or data breach. But these rules could change, so it’s a good idea to stay on top of any updates to your organization’s Slack privacy policy in the future.

Bottom line

If your company uses Slack, your employer might be able to see your messages in private chats and channels—but it depends on your company’s Slack plan and whether Slack agrees that your boss has a good reason to see your DMs.

That said, it’s always a good idea to keep things professional in your Slack messages and avoid sharing sensitive information like customer data or corporate passwords. If you do need to share business credentials with your teammate, make sure to do it using a secure password manager like NordPass to keep everything safe and sound.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Chapter 2: End-to-End Security & Zero Trust

Unlocking the Full Potential of Zero Trust with Thinfinity Workspace

In Part 1, we examined why traditional security models are no longer sufficient for today’s hybrid and multi-cloud enterprises. We explored the critical shortcomings of legacy VPNs and firewalls, highlighted the rise of Zero Trust Architecture, and demonstrated how Thinfinity Workspace provides a secure, streamlined alternative for remote access and application delivery. The key message is clear: end-to-end security, built on continuous verification and granular control, is now an operational imperative.

But understanding the need for Zero Trust is only the beginning. In this section, we shift from principles to practice—unpacking the advanced features and concrete outcomes that make Thinfinity Workspace a standout solution for security-conscious organizations.

In Part 2, we’ll dive deeper into:

  • Next-generation authentication, including MFA and passwordless access
  • Seamless integration with enterprise identity platforms
  • Just-in-time privileged access and granular session controls
  • Automated user management and powerful auditing capabilities
  • Real business value: from compliance to operational efficiency

Whether you’re a CIO, CISO, IT manager, sysadmin, or business owner, Part 2 will show you exactly how Thinfinity Workspace turns Zero Trust theory into secure, practical results for your organization.


Thinfinity Workspace: A Zero Trust Platform for Secure Remote Access

Strong Authentication: MFA and Passwordless Login

Even the best network architecture fails if an attacker can easily steal or guess a user’s password. That’s why multi-factor authentication (MFA) and passwordless login options are critical components of Thinfinity Workspace’s end-to-end security. Right out of the box, Thinfinity supports a range of MFA methods to ensure that only legitimate users gain access. Administrators can integrate Time-based One-Time Password (TOTP) apps like Google Authenticator, Microsoft Authenticator, Duo Mobile, or Okta Verify, adding a second verification step that changes every login. This means even if a password is compromised, an attacker cannot log in without the one-time code from the user’s device.

Thinfinity Workspace also integrates with enterprise Identity Providers (IdPs) via SAML 2.0 or OAuth2, including popular services like Microsoft Entra ID (Azure AD), Okta, Ping Identity, and Google Workspace. This allows companies to leverage single sign-on (SSO) and centralized identity management. Users can log in with their existing corporate credentials, and Thinfinity will honor group memberships or attributes from the IdP to determine access rights. This integration not only improves security (through centralized policy and, where configured, conditional access rules in the IdP), but also enhances user convenience – fewer passwords to remember and a seamless login experience.

In line with modern authentication trends, Thinfinity Workspace 8 introduced passwordless authentication via Passkeys. This feature supports FIDO2 security keys and biometrics (e.g. fingerprint or facial recognition) as login methods. Users can authenticate with a hardware key like YubiKey or with their device’s built-in biometric (Windows Hello) instead of a password, drastically reducing phishing risks. Under the hood, these methods use public-key cryptography and store credentials in secure hardware (such as the device’s TPM for Windows Hello). For organizations with high security requirements, Thinfinity even supports smart card authentication and PKI certificates for login – ensuring compliance with regulations that mandate certificate-based auth.

Another innovative capability is One-Time URL Authentication, which Thinfinity offers to streamline certain workflows. An admin or helpdesk agent can generate a time-limited, unique access link that a user can click to be automatically logged into a specific remote app or desktop. Each One-Time URL is valid for only one session and expires after use, preventing reuse or sharing. This is particularly useful for scenarios like support sessions or third-party vendor access: you can embed these one-click links in a portal or ticket, and the user gets in without needing a permanent username/password at all. It’s a controlled, ephemeral access method that enhances security by eliminating shared credentials and tightly limiting the access scope and duration.

By combining MFA, SSO integration, passwordless tech, and one-time links, Thinfinity Workspace addresses the identity side of security thoroughly. These measures significantly lower the risk of account compromise. According to industry studies, implementing MFA can block over 99% of automated attacks on accounts, and passwordless methods further neutralize phishing. Thinfinity’s approach ensures that identity is the new perimeter – only verified users can even begin to access the system.

Advanced Identity Security features: Multi-Factor Authentication, Passwordless Login, SSO, and One-Time URL Authentication.

Role-Based Access Control (RBAC) and Least-Privilege Governance

Once a user’s identity is verified, the next question is: what resources should they have access to? Thinfinity Workspace tackles this with robust Role-Based Access Control (RBAC) and granular permission management. Administrators can define roles (such as Regular Employee, Contractor, IT Administrator, etc.) and assign permissions to those roles regarding which desktops, applications, or data the role can access. Every user session is governed by these assigned roles, enforcing a least-privilege model. For example, a finance department user might only see accounting applications and not be allowed to launch engineering or HR systems. This containment dramatically limits the damage that can be done if an account is compromised – the attacker would only see a narrow slice of the environment.

Thinfinity makes RBAC easier to manage by integrating with external directory and identity systems. It supports mapping users and groups from Active Directory or SAML/OAuth2 IdPs (like Azure AD, Okta, etc.) to internal Thinfinity roles. This means you can tie Thinfinity’s access control to your existing organizational structure. If a user is part of the “Contractors” group in Okta, for instance, Thinfinity can automatically map them to a Contractor role which has restricted access. The platform even provides flexible rule-based mappings, where you can automatically assign roles based on user attributes (department, group membership, email domain, and so on).

A particularly powerful feature is Just-In-Time account provisioning and auto-deprovisioning. When Thinfinity is linked to an IdP, it can be configured such that if an authenticated user logs in and no local Thinfinity account exists yet, the system will auto-create an account on the fly and assign the appropriate role. This auto-provisioning means new employees or partners get access immediately based on their directory status, with no manual admin setup required. It also implies that if someone is removed from the corporate directory (e.g. upon leaving the company), they lose Thinfinity access too, maintaining a single source of truth. Thinfinity’s documentation highlights that this seamless onboarding/offboarding aligns with dynamic workforce needs and Zero Trust, by ensuring users only have access when they should, and get the right permissions at first login.

All these mappings and automatic role assignments feed into centralized policy management. Administrators can adjust a role’s permissions or the mapping rules in one place, and it instantly affects all users in that role. This makes it much simpler to enforce organizational changes (like a reorg or merger) without touching individual accounts.

The net effect is strong governance: every action through Thinfinity is tied back to an identity and a role, and no user can step outside their permitted boundaries. This greatly aids in implementing the principle of least privilege and separation of duties. If auditors ask “who can access Server X or sensitive App Y?”, Thinfinity’s RBAC makes it easy to answer and shows that only the appropriate role can, with all actions logged.


Defining user roles with Role-Based Access Control (RBAC), Just-in-time Account Provisioning, and Least-Privilege Access.

Session Recording and Auditing for Accountability

For sensitive operations and compliance requirements, being able to monitor and review what happens during a remote session is essential. Thinfinity Workspace includes a secure session recording capability for remote desktop sessions. Administrators can enable full video recording of user sessions on published desktops or applications. Every mouse movement, screen update, and keystroke can be captured in the recording, creating a comprehensive audit trail of user activity. This is invaluable for forensic analysis in case of an incident, or simply for routine compliance auditing in industries like finance and healthcare.

Thinfinity allows granular control over which sessions get recorded. You might not need to record every user’s activity (and indeed, privacy considerations mean you should only record what’s necessary). With Thinfinity, you could choose to record sessions for specific high-privilege roles or groups – for example, record all sessions of contractors, or IT administrators, or any user accessing a particularly sensitive system. This role-based activation ensures you capture the most critical interactions without overwhelming storage or invading privacy for regular tasks. The recordings themselves can be stored securely and accessed by authorized personnel for review.

From a business standpoint, session recording serves multiple purposes. It helps with compliance – many standards (PCI DSS, ISO 27001, SOC 2, etc.) require monitoring of administrative access or critical transactions, and having video logs meets those controls. It also acts as a deterrent against misuse: users aware that their session is being recorded are less likely to attempt malicious or unauthorized actions. In the event something does go wrong, the recorded footage provides an exact replay of events, which can speed up incident response and root cause analysis.

Thinfinity’s session recording is part of its broader auditing and logging framework. In addition to video, the system logs user logins, resource launches, file transfers, etc. This ties into the concept of end-to-end security by ensuring visibility and accountability at the final stage of the chain – after a user has been authenticated and authorized, their actions are not invisible. Everything is trackable if needed. Such capabilities usually require separate tools in a traditional RDP or VPN setup, but Thinfinity builds it into the platform for a one-stop solution.


Thinfinity Session Recording Cycle: Enable, Capture, Store, Review, and Analyze incidents for security and compliance.

Time-Based Access Controls and Privileged Access Management (RPAM)

A dynamic aspect of security that Thinfinity Workspace handles adeptly is time-based access control and Remote Privileged Access Management (RPAM). Not all users should have 24×7 access to resources, especially highly sensitive ones. Thinfinity lets administrators put very fine-grained schedules on when and for how long access is allowed. For example, you can define allowed access windows (say, weekdays 9am–6pm) for specific users, groups, or resources. If someone tries to connect outside their allowed hours, Thinfinity will block it. This is a simple but powerful mitigator of risk – even if an attacker obtained credentials, they cannot use them at an odd hour if policy disallows it. Thinfinity can even auto-terminate active sessions that run past the approved time window, preventing after-hours persistence.

For third-party vendors or support engineers, Thinfinity supports temporary access provisioning. You might only want to let an outside contractor onto a server during a scheduled maintenance window. With time-based rules, you can set that vendor’s account to be valid only during a specified period (e.g., access opens at 10:00 and closes at 14:00 on a certain day). After that, the access is automatically disabled. This significantly reduces the risk of forgetting to turn off a vendor account – a common oversight that can lead to unintended backdoors.

Thinfinity’s approach to Remote Privileged Access Management (RPAM) extends this concept specifically to privileged users (like admins). It enables Just-In-Time (JIT) privileged access, meaning administrators or high-privilege accounts do not have standing access by default; instead, they are granted elevated access only for the specific duration and task needed. For example, an IT admin might “check out” access to a production server for a 2-hour window to perform updates, after which that access automatically expires. This ties into a broader security best practice of eliminating permanent privileged accounts – you have zero standing privilege until it’s approved for a short time. Thinfinity facilitates this by allowing users to “book” access to sensitive resources for a pre-approved timeframe. Outside of that reservation, the system will not allow the connection, and once the window ends, access is deprovisioned immediately.

Crucially, Thinfinity includes approval workflows for such privileged access requests. An administrator’s request to access a critical server could be made to require a manager’s or security officer’s approval through the platform before it activates. This ensures oversight and that at least two people are aware of any highly privileged activity (a key component in mitigating insider threats).

Additionally, you can enforce per-resource access schedules. For instance, a particularly sensitive database server might only be made available via Thinfinity during business hours, regardless of who’s trying to access it. Thinfinity will enforce those resource-specific schedules automatically. It also supports a degree of self-service for users, where a user can request or schedule their own access within policy bounds, possibly getting automated approval if criteria are met. This reduces the administrative burden while still keeping tight control.

By implementing time-based restrictions and just-in-time access, Thinfinity Workspace ensures that even if credentials are stolen or misused, the window of opportunity for attackers is drastically narrowed. It also addresses compliance requirements found in standards like ISO 27001 or NIST guidelines, which recommend limiting the time frame of privileged access. Overall, these features add a temporal dimension to Zero Trust – not only do you verify who and what is accessing, but also when, making sure the timing aligns with expected patterns.
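The schedule, reservation and auto-termination logic described in this section, written out as an added example that is not Thinfinity code and does not reproduce its policy format; the time zone, schedules, resource names, users and timestamps are constructed:

```python
# Time-based access windows, just-in-time (JIT) privileged reservations and a
# session sweep. Constructed example: not Thinfinity code or its policy format;
# the zone, schedules, resources, users and timestamps are made up for the demo.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from typing import List

# Evaluate every schedule in one explicit zone (a fixed UTC+1 here) so neither
# the client's nor the server's local clock can shift a window.
TZ = timezone(timedelta(hours=1), "UTC+1")
WEEKDAYS = frozenset(range(5))            # Monday=0 ... Friday=4


@dataclass(frozen=True)
class WeeklyWindow:
    """Recurring window such as weekdays 09:00-18:00; the end is exclusive."""
    days: frozenset
    start: time
    end: time

    def allows(self, at: datetime) -> bool:
        local = at.astimezone(TZ)
        return local.weekday() in self.days and self.start <= local.time() < self.end


@dataclass(frozen=True)
class Reservation:
    """One-off JIT window; only an approved reservation grants anything."""
    user: str
    resource: str
    start: datetime
    end: datetime
    approved: bool = False

    def covers(self, user: str, resource: str, at: datetime) -> bool:
        return (self.approved and self.user == user and self.resource == resource
                and self.start <= at < self.end)


@dataclass
class Policy:
    user_windows: dict = field(default_factory=dict)      # user -> WeeklyWindow
    resource_windows: dict = field(default_factory=dict)  # resource -> WeeklyWindow
    privileged: frozenset = frozenset()                   # zero standing privilege
    reservations: List[Reservation] = field(default_factory=list)

    def decide(self, user: str, resource: str, at: datetime) -> str:
        """'allow' or a denial reason; every applicable restriction must pass."""
        rw = self.resource_windows.get(resource)
        if rw is not None and not rw.allows(at):
            return "deny: resource outside its schedule"
        if resource in self.privileged:
            # Privileged targets are reachable only inside an approved reservation.
            if any(r.covers(user, resource, at) for r in self.reservations):
                return "allow"
            return "deny: no approved reservation"
        uw = self.user_windows.get(user)
        if uw is None:
            return "deny: user has no access schedule"
        if not uw.allows(at):
            return "deny: user outside allowed hours"
        return "allow"


def sessions_to_terminate(policy: Policy, live: List[tuple], now: datetime) -> List[tuple]:
    """Periodic sweep: cut every live (user, resource) session the policy no longer admits."""
    return [s for s in live if policy.decide(s[0], s[1], now) != "allow"]


def build_demo_policy() -> Policy:
    office = WeeklyWindow(WEEKDAYS, time(9, 0), time(18, 0))
    mon = datetime(2024, 1, 15, tzinfo=TZ)                # 2024-01-15 is a Monday
    return Policy(
        user_windows={"alice": office},
        resource_windows={"payroll-db": office},          # per-resource schedule
        privileged=frozenset({"prod-web-01"}),
        reservations=[
            Reservation("alice", "prod-web-01", mon.replace(hour=10), mon.replace(hour=12), approved=True),
            Reservation("vendor", "prod-web-01", mon.replace(hour=10), mon.replace(hour=14)),  # never approved
        ],
    )


def run_demo() -> dict:
    p = build_demo_policy()
    mon_11 = datetime(2024, 1, 15, 11, 0, tzinfo=TZ)
    return {
        "alice_crm_weekday": p.decide("alice", "crm", mon_11),
        "alice_crm_saturday": p.decide("alice", "crm", datetime(2024, 1, 20, 11, 0, tzinfo=TZ)),
        # 08:30Z is 09:30 in the policy zone, so the office window already applies
        "alice_crm_0830_utc": p.decide("alice", "crm", datetime(2024, 1, 15, 8, 30, tzinfo=timezone.utc)),
        "alice_payroll_evening": p.decide("alice", "payroll-db", mon_11.replace(hour=19)),
        "alice_prod_in_window": p.decide("alice", "prod-web-01", mon_11),
        "alice_prod_after_window": p.decide("alice", "prod-web-01", mon_11.replace(hour=12, minute=30)),
        "vendor_prod_unapproved": p.decide("vendor", "prod-web-01", mon_11),
        # at 12:30 alice's reservation has lapsed: the live prod session is cut, crm survives
        "terminate_at_1230": [r for _, r in sessions_to_terminate(
            p, [("alice", "prod-web-01"), ("alice", "crm")], mon_11.replace(hour=12, minute=30))],
    }
```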


Time-based access control and Remote Privileged Access Management (RPAM) in Thinfinity Workspace for secure access.

Browser-Based Session Security and Device Redirection Controls

Thinfinity Workspace is a browser-based solution, which means users interact with their remote desktops or applications through an HTML5 web interface. This approach has security benefits on its own (no heavy client to keep patched, no direct network connectivity from the endpoint to the server), but Thinfinity goes further by giving administrators detailed controls over the in-session behavior and device integration. Essentially, it allows companies to fine-tune the balance between security and user convenience within the remote session.

Granular Session Policies: Admins can enable or disable various features like clipboard, file transfer, printing, audio, and USB device redirection on a per-user or per-resource basis. For example, you might disable clipboard copy-paste and file transfers for a highly sensitive finance application, preventing users from easily exfiltrating data. Alternatively, you could allow file transfers but then restrict specific file types (e.g., block .exe or .bat files to prevent moving executables). Thinfinity even offers an Intermediate Virtual Disk (“ThinDisk”) that can be toggled on, which serves as a controlled buffer for file exchange between the remote session and the local device. Policies can dictate whether files placed in this virtual disk auto-download to the user’s machine or not. By adjusting these knobs, organizations can enforce data loss prevention policies—like “no downloads from system X”—while still allowing legitimate use (e.g., maybe allow download of only PDF reports but not raw data files).

Device Redirection: In many remote desktop scenarios, users want to print documents or play audio from the remote system on their local device. Thinfinity supports these needs with control. Printer redirection can be enabled, which allows the remote application to print to the user’s local printer seamlessly. If allowed, Thinfinity’s virtual printer ensures an easy print experience without actually transferring raw print spool files insecurely. Similarly, audio redirection can be enabled or disabled depending on the use case. For instance, in a call center application you might enable two-way audio, while in a sensitive environment you might mute all remote audio to avoid someone using the channel to send out data via text-to-speech or audio cues. Even USB device or peripheral redirection can be managed – Thinfinity can block or permit certain device types if needed (for example, you might block USB storage devices but allow smart card readers).

These browser-based session controls are crucial for compliance and productivity. They ensure that even once a user is connected to an application, the organization still has guardrails on what the user can do with the data. If regulations demand that no data leaves a secure enclave, Thinfinity can enforce that by disabling downloads or clipboard copying from that session. On the other hand, for day-to-day work, you might allow most features to give users a near-local experience. Thinfinity essentially provides the same kinds of controls that traditional enterprise virtual desktop solutions (like Citrix) offer, but through an easier web-based interface.

From a security standpoint, this means browser-based access does not equate to unrestrained access. Every channel (clipboard, disk, print, audio) is a potential data egress or ingress path that Thinfinity lets you manage. And because these policies can be set per user/group or per application, they can be aligned with Zero Trust principles (for example, stricter controls for higher risk scenarios). The end result is a remote session environment that is tailored to your security needs without completely hampering user productivity. In summary, Thinfinity Workspace’s device redirection and session controls give organizations confidence that remote users can’t easily violate data handling policies, whether inadvertently or maliciously.


Enhancing security through session controls like authentication, policy enforcement, and device redirection control.

Business Benefits: Compliance, Operational Efficiency, and Risk Reduction

Deploying a secure end-to-end solution like Thinfinity Workspace isn’t just about checking technical boxes – it also brings tangible business benefits. One major advantage is simplified compliance. Many regulations (GDPR, HIPAA, PCI DSS, etc.) require strict control of data access, strong authentication, audit logs, and data protection in transit. Thinfinity’s integrated security features help fulfill these requirements out of the box. For instance, enforcing MFA and passwordless login helps meet compliance for secure authentication, session recording provides audit trails for regulators, and TLS encryption with no legacy protocols helps satisfy standards like PCI DSS which forbid outdated encryption. As noted in Thinfinity’s guidance, organizations across industries – from finance to healthcare – can use the platform to ensure regulatory compliance while still enabling secure remote access. Having these capabilities built into a single solution means less reliance on multiple point products and easier evidence gathering during audits.

Another key benefit is operational efficiency and cost savings. Traditional VPNs and remote desktop setups come with significant overhead: maintaining VPN hardware/appliances, managing client software on every endpoint, dealing with support tickets for VPN issues, and manually provisioning user accounts or access rules across systems. Thinfinity’s ZTNA model removes the need for VPN appliances and uses cloud-native gateways, often reducing infrastructure costs and complexity. In fact, a comparison of ZTNA vs legacy VPN showed that Thinfinity’s approach lowers infrastructure costs, minimizes maintenance, and reduces the burden on IT. Because it’s clientless, IT staff don’t have to troubleshoot installation on every user’s device – access is through the browser. Features like automatic account provisioning and user self-service for access requests further save administrative time. One could onboard a new remote employee in minutes instead of days, as the Zero Trust access policies and SSO integration handle the heavy lifting. A real-world outcome observed is up to 50% reduction in onboarding time when moving to a modern ZTNA model for remote access.

Risk reduction is, of course, the ultimate goal of these security enhancements, and it carries business value by preventing costly breaches and downtime. By eliminating open ports and reducing the exposed network surface, Thinfinity dramatically lowers the risk of common attacks like RDP brute-force intrusion or malware spread through VPN. Granular RBAC and time-based access mean that even if an account is compromised, the blast radius is limited – attackers cannot roam freely. All these factors contribute to reducing the likelihood and impact of security incidents, which protects the company’s finances and reputation. As an added bonus, a well-implemented Zero Trust remote access solution can actually improve user productivity and satisfaction (fast, seamless access from anywhere) while keeping security tight. This alignment of security and usability is a strategic win for the business: IT isn’t perceived as a roadblock, and users have the freedom to work remotely on any device without endangering the company.

In summary, Thinfinity Workspace’s end-to-end security doesn’t just guard IT assets – it also helps the organization be more agile, cost-effective, and compliant. It reduces the need for multiple disjointed tools (VPN, separate MFA tool, separate session recorder, etc.) by combining functions, which in turn streamlines operations. Enterprises can securely enable remote work while actually lowering IT complexity and overhead. This synergy of security and efficiency is a key reason many organizations are now looking beyond traditional solutions and embracing Zero Trust platforms like Thinfinity.

Thinfinity vs. Traditional VPN/RDP Solutions

It’s useful to compare how Thinfinity Workspace stacks up against the older paradigms of remote access – namely traditional VPN combined with RDP (Remote Desktop Protocol) or other remote desktop tools. The differences are significant:

| Dimension | Thinfinity Workspace (ZTNA, App Virtualization) | Traditional VPN + RDP Solutions | Key Takeaway |
|---|---|---|---|
| Access Model | Granular, Application-Level Access: Users are granted access only to specific apps or desktops for which they are authorized—nothing else. | Network Tunnel, Broad Access: Once connected, the device joins the entire corporate network, exposing all resources the user has network rights to. | VPNs expose the entire network to a single compromised device. Thinfinity grants access only to verified apps and users. |
| Zero Trust Posture | Continuous Zero Trust: Every session and action is authenticated and evaluated (user, device, time, role). No implicit trust is granted. | Implicit Trust on Connection: Access is granted simply by being “on the network,” and all traffic is assumed legitimate. | Thinfinity enforces “never trust, always verify.” VPNs assume trust after login. |
| Client Software Requirement | No Client Needed: 100% clientless browser access from any device. No installs, updates, or VPN key distribution. | Client Software Required: VPN and RDP clients must be installed and patched on every endpoint, increasing friction and IT workload. | Thinfinity lowers support costs and eliminates software distribution headaches. |
| Attack Surface | Reduced Surface: No inbound ports, RDP, or VPN appliances exposed; all connectivity is outbound. Uses HTTPS/WebSockets, obfuscates internal protocols. | High Surface: VPN gateways and RDP servers are frequent attack targets; open ports are exposed to the internet and susceptible to automated attacks. | Thinfinity removes obvious attack vectors. VPN/RDP are routinely exploited. |
| Integrated Security Features | Unified Security Stack: Built-in MFA, SSO, RBAC, session recording, device control, IP restrictions—all managed centrally for consistent policy enforcement. | Fragmented Security: Requires combining separate tools for MFA, PAM, monitoring, etc.; policies are siloed and hard to coordinate. | Thinfinity simplifies compliance and ensures all controls work together. |
| Performance & Scalability | Optimized for Cloud and Hybrid: Scales across cloud regions, supports load balancing, and uses modern protocols (WebSocket, compression) for efficient access. | Legacy Bottlenecks: VPNs can choke under load, force all traffic through a central point, and struggle to support distributed workforces. | Thinfinity ensures low-latency, high-performance access—reducing user frustration and shadow IT. |
| Monitoring & Visibility | Comprehensive Visibility: Centralized audit logs, real-time monitoring, session recording; see who accessed what and when. | Limited Monitoring: Requires additional tools for audit trails; once inside the network, activity may be invisible without extra agents. | Thinfinity accelerates detection and response; VPN/RDP visibility is often incomplete. |
| User Experience | Frictionless Access: Single sign-on, consistent experience via browser, supports BYOD securely. | Cumbersome Process: Multiple logins, inconsistent experiences across devices, risk of version mismatches. | Thinfinity provides modern, seamless access—no more juggling VPN/RDP clients. |

In essence, Thinfinity Workspace can replace traditional VPNs for remote access, providing a more secure and more controlled solution. Legacy VPN/RDP was suitable for an earlier era of IT, but today’s environment demands the kind of fine-grained, identity-centric security that Thinfinity offers. Organizations adopting Thinfinity have found they can decommission legacy remote access infrastructure, reducing costs and closing security gaps. Perhaps most importantly, by limiting access and removing implicit trust, Thinfinity significantly lowers the risk of a catastrophic breach originating from a single compromised remote user – which is a key advantage over the old way of doing things.

Conclusion

The shift to hybrid work and multi-cloud IT has made end-to-end security a top priority. Thinfinity Workspace exemplifies how a modern platform can address this need by weaving together Zero Trust principles, strong authentication, fine-grained access control, and session security into one solution. We’ve seen how Thinfinity’s features – from ZTNA architecture (no open ports, outbound-only connections) to MFA and passwordless logins, from RBAC and just-in-time privileged access to session recording and device control – collectively provide a 360-degree security blanket over remote access operations. This not only protects against external threats and insider misuse, but also helps businesses meet compliance requirements and operate more efficiently.

In comparison to traditional VPN and RDP setups, Thinfinity Workspace offers a clear strategic upgrade: more security, more control, and often less complexity in the long run. It enables companies to embrace cloud VDI and remote work with confidence that security won’t be sacrificed. By implementing an end-to-end security approach using Thinfinity Workspace, organizations in the US, Europe, and beyond can support their modern workforce and cloud-first initiatives while significantly reducing risk and maintaining an upper hand against cyber threats. In today’s threat landscape, that comprehensive, Zero Trust-driven defense is not just an IT improvement – it’s a business imperative for success and resilience.

About Cybele Software Inc.
We help organizations extend the life and value of their software. Whether they are looking to improve and empower remote work or turn their business-critical legacy apps into modern SaaS, our software enables customers to focus on what’s most important: expanding and evolving their business.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

What is an OTP bot? How it works, risks, and prevention

Summary: Learn how OTP bots steal one-time passwords, the growing risks for businesses, and practical steps to block attacks before they compromise your network.

One-Time Password (OTP) bots are automated scripts that trick users into delivering authentication codes to criminal actors.

The advent of inexpensive and readily available OTP bots has lowered the barrier for attackers to breach user accounts and access sensitive data. Unfortunately, many organizations still rely on SMS-based OTPs, which are vulnerable to social engineering and phishing attacks. Ironically, authentication tools designed to protect data may actually put it at risk.

This article will introduce the concepts behind OTP bots. We will explore types of bots and attack methods, discuss how OTP bots raise security risks, and suggest the next steps to secure your authentication portals.

What is an OTP bot?

A one-time password (OTP) is a single-use code commonly used in 2FA/MFA tools to grant user access. One-time passwords are unique and time-limited. This protects against credential theft attacks by requiring more than a simple username and password combination.

An OTP bot is an automated script used by malicious actors to steal one-time passwords and compromise two-factor authentication (2FA) or multi-factor authentication (MFA) security. These bots use phishing techniques to deceive users into providing one-time passwords and enabling network access.

Attackers use several techniques to launch OTP bot attacks, including emails, voice phishing (vishing), and social engineering tactics. Attackers often use Telegram to share, sell, and coordinate the use of off-the-shelf OTP bot scripts.

How do OTP bots work?

OTP bot attacks blend automated bots and social engineering – an approach that is hard to detect. A typical OTP bot life cycle plays out something like this.

1. Preparation

The first step in an OTP bot attack establishes a connection between attackers and victims. Attackers seek to gain trust before convincing targets to provide their one-time passwords. In this phase of the attack, targets could encounter a few types of OTP bots.

  • Voice bots. OTP bots commonly use vishing techniques to simulate voice calls. In vishing attacks, criminals program bots with the phone numbers of targets. Bots call the victim’s phone number posing as a legitimate bank, a trusted vendor, or even a LinkedIn contact. As artificial intelligence and voice synthesis evolve, voice-based OTP bot attacks are becoming more effective and harder to track. With sufficient data, criminals can synthesize voices that closely resemble real-world contacts.
  • Phishing emails. Alternatively, attackers may send phishing emails to their victims. Bots use urgent language to convince the victim to provide their one-time credentials. Attackers use social engineering to research their targets’ professional duties and contacts. Bots leverage this research to write more persuasive messages. They also employ spoofing techniques to make the emails look more convincing.
  • SMS OTP bots. Some attacks use fake SMS messages to convince their victims. These OTP bots send messages that mimic official alerts from legitimate companies. For instance, attackers might copy a text message from a security partner, requesting credentials for routine maintenance. Or they might pose as lenders seeking access to corporate bank accounts.
  • App-based OTP bots. Some OTP bots rely on fake authentication apps or web portals that closely imitate real ones. These aren’t real apps hacked by bots, but they’re convincing fakes built to steal one-time passwords.

2. Deception

The next stage in an OTP attack launches the password request process. The OTP bot triggers a password request on the service that criminals want to access. They generally use stolen credentials to ensure the target receives a one-time password request.

The authentication portal sends a one-time password to the victim’s account. At this point, attackers must act quickly. The OTP bot contacts the target and requests that they share the OTP. This could happen via phone calls, emails, or SMS messaging apps.

3. Infiltration

If the bot has developed sufficient trust and acted quickly enough, victims will share the one-time passcode, often without thinking of the consequences. Following OTP delivery, attackers gain unauthorized access and compromise the wider network. From there, it’s a short step to account takeovers and data breaches.

Remember: OTP bots are automated programs designed to act with minimal human input. Criminal collectives may use groups of bots to target an entire workforce. Advanced OTP bots can handle many stages of the attack automatically, significantly reducing the need for human intervention.

Common platforms and tools used in OTP bot attacks

While built as a legitimate messaging app, Telegram is frequently abused by attackers to host OTP bots, coordinate phishing campaigns, and share malware kits.

Telegram has been a popular base for attackers since at least 2021, when security experts uncovered the SMSRanger kit. This bot script impersonates PayPal and other payment apps. Entering a few scripting commands on Telegram allows criminals to direct bots to their targets. With scripts selling for under $50, OTP attacks are extremely cost-effective.

Other popular Telegram bots include SMS Buster, OTP Bot, Brainshot, and Apollo. These tools scan for SMS-based OTPs. Some of these tools are also integrated with CAPTCHA-solving filters or rely on social engineering to bypass CAPTCHA challenges.

Why OTP bots are a serious threat to businesses

OTP bots pose a threat to businesses because they target critical security infrastructure. Companies rely on 2FA/MFA to authenticate users before granting access. OTP bots bypass this measure, allowing threat actors to infiltrate network resources.

Another problem is that automated scripts drive down the cost of OTP attacks. Criminals can buy OTP bots and use Telegram’s API to manage attacks. Operating bots requires relatively little expertise and they can target many network users at the same time.

Bots also exploit human weaknesses. Skillful phishers create scripts that prompt targets to behave in ways they would not normally do. Manipulating human behavior allows criminals to bypass technical security measures.

Successful OTP bot attacks often have serious consequences, including account takeovers, exfiltration of sensitive data, and secondary ransomware attacks. A single employee’s mistake can lead to crippling financial losses due to ransom payments, customer compensation, lost business, and regulatory fines.

Red flags and indicators of an OTP bot attack

Given the consequences listed above, companies need ways to detect criminal activity and cut OTP bot risks. Common red flags that signify OTP bot attacks include:

  • Surges in OTP request numbers. Spikes in password requests may indicate criminal activity as bots target multiple accounts. Bot activity is more likely if requests come from similar device profiles or IP addresses.
  • Rapid OTP requests. Users may also make repeated password requests in shorter timeframes than normal.
  • Repeated login failures. A run of failed logins followed by an OTP request strongly indicates these techniques. OTP bots may use credential stuffing to start attacks and find legitimate login credentials.
  • Geolocation anomalies. Contacts may make calls, or send SMS messages or emails, from unusual locations. Mismatches between a contact’s usual location and the sender’s location should raise concerns.
  • Disposable phone or VoIP numbers. Vishers use temporary numbers to conceal their identities and work around verification processes.
  • Unusual changes in carrier networks. Employees may detect rapid changes in their mobile device carrier. This could indicate a SIM-swapping attack to enable OTP interception.
  • Abnormal timing. Sometimes, OTP bots operate more quickly (or slowly) than a legitimate site. Changes in the rhythm of interactions with authentication systems could indicate bot activity.
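To show how several of the red flags above can be checked mechanically, here is an added example (not code from the original article) that scans constructed authentication log lines for three of them: a surge of OTP requests for many accounts from one source IP, rapid repeated OTP requests for one account, and a burst of login failures just before an OTP request. The log format, field names and thresholds are assumptions.

```python
"""Scan authentication logs for OTP-bot red flags.

Added example, not code from the original article. The log format,
field names and thresholds are assumptions; the log lines below are
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<id> ip=<address>"
SAMPLE_LOG = """\
2025-03-01T09:00:01 OTP_REQUEST user=alice ip=203.0.113.10
2025-03-01T09:00:03 OTP_REQUEST user=bob ip=203.0.113.10
2025-03-01T09:00:05 OTP_REQUEST user=carol ip=203.0.113.10
2025-03-01T09:00:07 OTP_REQUEST user=dave ip=203.0.113.10
2025-03-01T09:00:09 OTP_REQUEST user=erin ip=203.0.113.10
2025-03-01T09:00:11 OTP_REQUEST user=frank ip=203.0.113.10
2025-03-01T09:05:00 LOGIN_FAIL user=grace ip=198.51.100.7
2025-03-01T09:05:02 LOGIN_FAIL user=grace ip=198.51.100.7
2025-03-01T09:05:04 LOGIN_FAIL user=grace ip=198.51.100.7
2025-03-01T09:05:20 OTP_REQUEST user=grace ip=198.51.100.7
2025-03-01T09:10:00 OTP_REQUEST user=heidi ip=192.0.2.44
2025-03-01T09:10:15 OTP_REQUEST user=heidi ip=192.0.2.44
2025-03-01T09:10:30 OTP_REQUEST user=heidi ip=192.0.2.44
2025-03-01T11:00:00 OTP_REQUEST user=ivan ip=192.0.2.9
"""

SURGE_WINDOW = timedelta(seconds=60)    # one IP, many accounts, inside this window
SURGE_MIN_USERS = 5
RAPID_WINDOW = timedelta(seconds=120)   # one account, repeated requests
RAPID_MIN_REQUESTS = 3
FAIL_WINDOW = timedelta(seconds=300)    # login failures preceding an OTP request
FAIL_MIN_COUNT = 3


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on a malformed line."""
    ts, event, user_kv, ip_kv = line.split()
    if not (user_kv.startswith("user=") and ip_kv.startswith("ip=")):
        raise ValueError(f"unexpected field layout: {line!r}")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user_kv[5:], "ip": ip_kv[3:]}


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_ip_surges(events):
    """One source IP requesting OTPs for many distinct accounts in a short window."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "OTP_REQUEST":
            by_ip[e["ip"]].append(e)
    for ip, reqs in by_ip.items():   # reqs are already time-ordered
        for i, start in enumerate(reqs):
            users = {r["user"] for r in reqs[i:] if r["ts"] - start["ts"] <= SURGE_WINDOW}
            if len(users) >= SURGE_MIN_USERS:
                alerts.append(("ip_surge", ip, sorted(users)))
                break                # one alert per IP is enough
    return alerts


def detect_rapid_requests(events):
    """The same account requesting several OTPs faster than a person normally would."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "OTP_REQUEST":
            by_user[e["user"]].append(e["ts"])
    for user, times in by_user.items():
        for i in range(len(times) - RAPID_MIN_REQUESTS + 1):
            if times[i + RAPID_MIN_REQUESTS - 1] - times[i] <= RAPID_WINDOW:
                alerts.append(("rapid_requests", user, RAPID_MIN_REQUESTS))
                break
    return alerts


def detect_fail_then_otp(events):
    """Repeated login failures (credential stuffing) right before an OTP request."""
    alerts = []
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
        elif e["event"] == "OTP_REQUEST":
            recent = [t for t in fails[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_MIN_COUNT:
                alerts.append(("fail_then_otp", e["user"], len(recent)))
    return alerts


def analyze(text):
    """Run all detectors; returns a list of (kind, subject, detail) alerts."""
    events = parse_log(text)
    return detect_ip_surges(events) + detect_rapid_requests(events) + detect_fail_then_otp(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the three detectors raise exactly one alert each; ivan's single request in a quiet hour raises none.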

How to prevent OTP bot attacks and protect your business

One-time passwords require rock-solid protection against malicious actors. Many businesses assume their OTPs are secure and focus their energy on other security measures. However, complacency is not an option.

Companies need strategies to detect and neutralize automated OTP bots. Let’s discuss a few best practices to achieve these aims.

Don’t rely on SMS messages for multi-factor authentication

MFA is essential when strengthening account security. However, SMS-only MFA is becoming less secure. Criminals can easily intercept SMS-based OTPs. Parsing text messages for evidence of phishing is also more difficult than checking email headers or sender addresses.

Token-based authentication is a more reliable method. Even better, you can combine OTPs with biometric verification factors. Criminals struggle to copy biometrics (provided you store factors securely).

Implement account protection measures

Put in place security measures to block suspicious requests. For example, captcha filters block many OTP bots by requiring more than an OTP alone. Rate limiting blocks access after a certain number of requests, while short expiry times help cut the risk of OTP theft.

Security teams can also monitor access requests in detail to verify user identities. Device posture security measures check that a user’s device is legitimate. Monitoring tools can also track user behavior and detect unusual patterns that indicate ongoing attacks.
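As an added example that is not part of the original article, the following OtpService puts the account-protection controls from this section into code: a per-account rate limit on OTP requests, a short expiry, single-use codes and a cap on verification attempts. The class name, thresholds, the FakeClock helper and the deliver callback are assumptions.

```python
"""OTP issuance and verification with rate limiting, short expiry, single
use and an attempt cap. Added example, not the article's own code;
thresholds, names and the delivery callback are illustrative assumptions."""
import hmac
import secrets
from datetime import datetime, timedelta

OTP_DIGITS = 6
OTP_TTL = timedelta(minutes=5)      # short expiry shrinks the window for a stolen code
MAX_REQUESTS_PER_HOUR = 3           # issuance rate limit per account
MAX_VERIFY_ATTEMPTS = 3             # wrong guesses allowed before the code is voided


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting (assumed helper)."""

    def __init__(self, start=datetime(2025, 3, 1, 9, 0, 0)):
        self.now_value = start

    def now(self):
        return self.now_value

    def advance_minutes(self, minutes):
        self.now_value += timedelta(minutes=minutes)


class OtpService:
    def __init__(self, deliver, clock=None):
        # deliver(user, code) sends the code out of band (authenticator app, push, ...);
        # the code is never returned to the web client that asked for it.
        self._deliver = deliver
        self._clock = clock or FakeClock()
        self._issued = {}     # user -> {"code", "expires", "attempts"}
        self._requests = {}   # user -> timestamps of recent issuance requests

    def request_otp(self, user):
        """Issue a fresh code; return False when the account is over its rate limit."""
        now = self._clock.now()
        recent = [t for t in self._requests.get(user, []) if now - t < timedelta(hours=1)]
        self._requests[user] = recent
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            return False  # log this as a red flag; an over-limit account gets no new code
        recent.append(now)
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        # Issuing a new code invalidates any earlier outstanding one for this user.
        self._issued[user] = {"code": code, "expires": now + OTP_TTL, "attempts": 0}
        self._deliver(user, code)
        return True

    def verify_otp(self, user, candidate):
        """Accept a code only if it is unexpired, unused and within the attempt cap."""
        now = self._clock.now()
        entry = self._issued.get(user)
        if entry is None:
            return False
        if now >= entry["expires"]:
            del self._issued[user]          # expired codes are discarded, never retried
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            del self._issued[user]          # too many guesses voids the code
            return False
        if hmac.compare_digest(entry["code"], str(candidate)):
            del self._issued[user]          # single use: a replayed code is rejected
            return True
        return False


def wrong_code(code):
    """Return a code that differs from `code` in its first digit (test helper)."""
    first = "1" if code[0] != "1" else "2"
    return first + code[1:]


if __name__ == "__main__":
    outbox = {}
    svc = OtpService(deliver=lambda user, code: outbox.__setitem__(user, code))
    svc.request_otp("alice")
    print("correct code accepted:", svc.verify_otp("alice", outbox["alice"]))
    print("replayed code accepted:", svc.verify_otp("alice", outbox["alice"]))
```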

Implement robust password security policies

Security policies should require long, complex passwords and make secure password management tools mandatory. Users should also verify any request to share an OTP with an external party before acting on it. Apply the principle of least privilege. All OTP requests are suspicious until proven otherwise.

Integrate OTP security into anti-phishing training

You probably already educate employees about phishing risks. Understanding OTP bot activity should be part of training exercises. Ensure staff understand how criminals use language to prompt unsafe behavior. Reinforce the need for verification and vigilance.

Tools that help defend against OTP bots

Today’s attackers use machine learning and automation to enhance OTP bots, making them harder to detect and more effective. Businesses should respond by updating their technical toolkit. The tools below enhance digital security and help block automated bots:

  • Behavioral analytics. These tools analyze user behavior to generate baseline data. They compare user signatures with real-time behavior patterns, helping detect anomalies and potentially prevent unauthorized account access.
  • Authentication apps. Apps like Google Authenticator and Authy store user account data and deliver secure OTPs for each login request. They do not rely on SMS messages, eliminating a critical vector for bot attacks.
  • IP allowlisting. Allowlisting tools keep registers of authorized IP addresses. This blocks access for attackers without the right digital address.
  • Device Posture Security (DPS). DPS tools go further than IP addresses, assessing the signatures of devices accessing the network. They keep logs of approved user devices and block access if device profiles don’t match.
  • Anti-fraud tools. These tools track network activity to detect evidence of fraud before a suspicious transaction occurs.
  • Adaptive authentication. Flexible tools apply step-up authentication in unsafe contexts. For example, employees may access central networks from public Wi-Fi services. Or they could request access to extremely sensitive information. In those circumstances, adaptive tools request additional login credentials like biometric factors or hardware tokens.
  • Dark Web monitoring. NordStellar’s platform monitors Dark Web forums, seeking mentions of companies. Meanwhile, data breach monitoring checks various types of exposed data, such as login credentials, email addresses, and personally identifiable information (PII). This way, security teams gain early insights into emerging OTP threats.

Should businesses still use OTP for authentication?

OTPs are not going away and companies need authentication systems to safeguard sensitive information. However, the spread of OTP bots is challenging the use of OTPs, especially those delivered via SMS.

One thing is certain: companies using SMS-based authentication should consider alternatives. Criminals are highly skilled at using text messages to trick users and steal OTPs, making SMS passwords extremely vulnerable.

Other forms of authentication (tokens, authentication apps, and biometrics) are safe, provided companies use secure OTP delivery systems.

To strengthen your defense against OTP bot attacks:

  • Monitor access requests for unusual or high-risk activity.
  • Train employees to recognize social engineering and OTP phishing.
  • Use encryption to protect OTPs at rest and in transit.
  • Apply threat intelligence to detect OTP bot patterns early.

The key takeaway is that authentication remains essential for network security. However, if you let your guard down, OTP bots will bypass weak authentication processes.

Protect your business before OTP threats strike—connect with the NordStellar team today.

About NordStellar
NordStellar is a threat exposure management platform that enables enterprises to detect and respond to network threats before they escalate. As a platform and API provider, NordStellar can provide insight into threat actors’ activities and their handling of compromised data. It was designed by Nord Security, the company renowned for its globally acclaimed digital privacy tool NordVPN.

The top 15 most infamous ransomware groups (2025 update)

Summary: Discover the most notorious ransomware groups. Learn about their operations and tactics, top targets, and proven defenses against ransomware threats.

Ransomware groups are responsible for some of the biggest cyber incidents in recent history. These cybercriminal groups target organizations of all sizes, from small companies to global corporations, to extort large amounts of money. This article explores the rise of ransomware organizations and their methods, provides a list of ransomware groups that are relevant today, and gives advice on how to protect your organization from falling victim to cyber extortion.

The rise of ransomware groups in recent years

Ransomware attacks are evolving at an alarming pace. What used to be isolated, small-scale incidents have now grown into highly organized, professional operations.

One major factor driving this surge is the way ransomware groups operate. Many active groups operate like businesses by offering ransomware-as-a-service (RaaS) to other criminal organizations.

These cybercriminals, who operate as ransomware-as-a-service groups, “rent” ransomware tools to other threat actors. Easy access to ransomware tools allows anyone, even individuals or groups with limited technical skills, to launch sophisticated attacks without needing to create malware themselves.

The numbers paint a clear picture. The Q1 2025 Global Cyber Attack Report by Check Point Software revealed that ransomware attacks jumped 126% compared to the same period in 2024, with 2,289 incidents reported worldwide. North America bore the brunt of these attacks, accounting for 62%, while Europe came in next at 21%.

Ransomware groups target industries that they know are most vulnerable. The report revealed that the consumer goods and services sector took the hardest hit, making up 13.2% of attacks globally, followed by business services (9.8%) and industrial manufacturing (9.1%).

There is a promising trend, though. Fewer victims are agreeing to pay the ransom. According to ransomware remediation firm Coveware, only 29% of victims paid the ransom in Q4 2023, compared to 46% in 2021 and 85% in 2019. This data shows that organizations are beginning to resist cyber extortion.

Still, refusing to pay doesn’t mean the problem goes away. Ransomware groups are launching more attacks than ever, and the financial damage keeps growing. Cybersecurity Ventures predicts that ransomware will cost victims around $275 billion annually by 2031.

So, while fewer victims are paying ransoms, ransomware attacks are growing more frequent and more sophisticated. This threat is not going away, and businesses of all sizes remain a target. To stay safe, organizations need to take action now.

Tactics and techniques used by top ransomware groups

The biggest ransomware groups are highly organized and use advanced tactics to breach networks, encrypt critical files, and extort money from businesses. Understanding how these threat actors operate is one of the most effective ways to defend against them. By recognizing their methods, organizations can strengthen defenses, address vulnerabilities, and respond more effectively to potential threats. Below are some of the key tactics and techniques these ransomware groups use to maximize their impact and profits:

  • Phishing emails. Phishing remains one of the most common ransomware attack vectors. Ransomware groups often send fake emails designed to trick employees into opening malicious attachments or clicking on harmful links.
  • Exploitation of unpatched systems. Ransomware groups regularly target vulnerabilities in outdated security software or unpatched operating systems. This method allows attackers to gain initial access to networks and deploy ransomware with minimal effort.
  • Data exfiltration. Ransomware attacks now go beyond simple file encryption. Threat actors steal sensitive data from ransomware victims and threaten to publicly release it unless their demands are met. This tactic amplifies the pressure on organizations because data breaches often lead to legal consequences, as well as financial and reputational damage.
  • Double and triple extortion. Some of the most aggressive and prolific ransomware groups, such as LockBit and Cl0p, use double or triple extortion techniques. Multi-extortion tactics involve encrypting files, stealing sensitive victim data, and threatening financial penalties or public exposure.

Top 15 ransomware groups to know about in 2025

The following list highlights some of the most notorious ransomware groups you might hear or read about in 2025 and the upcoming years. While not all of them are still active, their operations and tactics continue to shape the ransomware threat landscape and how new ransomware groups operate.

1. LockBit

LockBit is one of the most aggressive ransomware groups in the world. This organization is responsible for more attacks than any other ransomware group, with over 1,700 attacks in the US since 2020, and has collected an estimated $91 million in ransom payments.

In 2023, it crippled Royal Mail, demanding an $80 million ransom. Later that year, it hit Taiwan Semiconductor Manufacturing Company (TSMC) with a $70 million ransom demand.

Although LockBit’s website was taken over by law enforcement authorities in early 2024, the group managed to rebuild and resume operations after the takedown. LockBit remains a serious global threat in 2025.

2. BlackCat/ALPHV

BlackCat, also known as ALPHV, is one of the most advanced and dangerous ransomware groups operating today. It doesn’t just encrypt data — it steals it first, which puts extra pressure on victims to meet the group’s demands.

The group’s latest ransomware strain, “Sphynx,” includes advanced features designed to evade detection and bypass security measures. BlackCat constantly evolves and targets high-value sectors, which makes it a serious and ongoing global threat that organizations cannot afford to ignore.

3. Cl0p

Cl0p, also written as Clop, is a highly sophisticated ransomware group that has been active since 2019. It primarily targets large organizations with revenues exceeding $5 million, including critical industries like healthcare and public health. Known for its double extortion tactics, Cl0p encrypts data and exfiltrates sensitive files, then threatens to release them on its dark web leak site if victims refuse to pay.

Although Ukrainian authorities arrested six suspected members of the Cl0p ransomware gang in 2021, the group remains one of the most active ransomware operations and is still dangerous. It relentlessly steals data and uses advanced tactics, which makes it a constant danger to organizations worldwide.

4. Conti

Conti is one of the most notorious ransomware gangs that operated between 2020 and 2022. Known for its aggressive double extortion tactics, the group reportedly extorted $180 million at its peak in 2021, making it one of the most profitable ransomware operations in history.

In 2022, Conti faced global backlash after publicly supporting Russia’s invasion of Ukraine. This controversial stance led many victims to refuse ransom payments. Shortly after, an insider leaked tens of thousands of internal chats and source code, exposing the group’s internal operations.

While Conti officially shut down in 2022, cybersecurity experts believe its members are still active and operate under different aliases.

5. Royal/BlackSuit

Royal ransomware is a highly dangerous threat that has targeted healthcare organizations, private companies, and local governments since it emerged in 2022. Initially operating under the name Zeon, the Royal ransomware group is known for its personalized ransom demands, which range from $250,000 to over $2 million.

Security experts believe Royal is run by experienced hackers who split from other major ransomware gangs like Conti. The group employs advanced techniques to infiltrate networks and strongly focuses on double extortion tactics.

One of its most high-profile attacks occurred in May 2023, when it crippled the city of Dallas, Texas. This attack resulted in $8.5 million in mitigation costs and required thousands of hours of data recovery work. After June 2023, Royal ransomware evolved into what is now known as BlackSuit ransomware.

By late 2023, the group operating under its new name had extorted over $275 million from more than 350 victims worldwide. As of 2025, the BlackSuit variant continues the legacy of its predecessor.

6. REvil/Sodinokibi

REvil, also known as Sodinokibi, is one of the most infamous ransomware gangs in history. This Russian-linked group quickly gained notoriety for high-profile attacks on critical infrastructure and global corporations.

One of REvil’s most notable attacks targeted an Apple supplier. The hackers stole proprietary blueprints for new Apple devices and threatened to release them unless the supplier paid the ransom.

Although Russian authorities claimed to have dismantled the group in early 2022 and arrested several members, many experts believe remnants of REvil continue to operate under different aliases or contribute to other ransomware groups.

7. Hive

Hive ransomware, first found in June 2021, attacked industries like healthcare, finance, telecommunications, and governments. Major victims included CNA Insurance, Memorial Health System, the Bank of Zambia, and Costa Rica’s government.

In January 2023, the US Department of Justice, with help from Germany, the Netherlands, and Europol, shut down Hive’s operations. Investigators secretly infiltrated the group for months and blocked $130 million in ransom payments. Authorities seized Hive’s servers in California and Europe.

Despite this takedown, experts believe Hive’s hackers may have joined other ransomware groups or started working on a new ransomware strain. Unfortunately, law enforcement takedowns rarely put an end to these groups; they usually only pause their operations.

8. Ragnar Locker

Ragnar Locker, one of the most active ransomware groups since 2019, was notorious for targeting critical infrastructure, including energy providers, governments, airlines, and hospitals. The group employed double extortion, demanding massive ransom payments for both decryption tools and the non-release of stolen data.

Ragnar Locker used the “Wall of Shame” leak site on the dark web to pressure victims, explicitly threatening to publish stolen data if they contacted police. In 2023, a global law enforcement operation dismantled Ragnar Locker’s infrastructure, and the group stopped operating under that name.

9. DarkSide/BlackMatter

DarkSide, first discovered in August 2020, gained global attention in May 2021 when it launched the Colonial Pipeline attack. This attack forced the shutdown of a 5,500-mile fuel pipeline that supplies 45% of the East Coast’s fuel, causing widespread fuel shortages, a state of emergency, and a ransom payment of over $4 million.

DarkSide used double extortion tactics, encrypting data while also stealing sensitive information to pressure victims. Following increased law enforcement pressure after the Colonial Pipeline attack, DarkSide briefly disappeared, and its members later resurfaced under the name BlackMatter.

Even though DarkSide/BlackMatter itself may no longer operate, its methods, tools, and tactics, such as double extortion, inspired other ransomware groups. It remains a key case study in the fight against ransomware.

10. Vice Society

Vice Society is a ransomware group that emerged in 2021. It quickly gained infamy for targeting schools, hospitals, and other vulnerable sectors. The group, believed to be Russian-speaking, targets underfunded organizations that often lack strong cybersecurity defenses.

Vice Society uses double extortion, encrypting data and threatening to leak sensitive files unless victims pay up. Unlike many ransomware gangs, it doesn’t run a RaaS model. Instead, it builds its own custom ransomware and uses powerful hacking tools like Cobalt Strike, Zeppelin, and Hello Kitty/FiveHands to carry out its attacks.

11. Medusa

Medusa is a highly active and dangerous ransomware-as-a-service (RaaS) group that has been operating since late 2021. Known for targeting industries like education, healthcare, legal services, insurance, and manufacturing, Medusa has impacted over 430 victims worldwide as of May 2025.

Medusa, one of the most active ransomware groups, uses aggressive tactics, including large-scale file encryption, data theft, and double extortion. The group encrypts data and threatens to publicly release stolen information if victims refuse to pay the ransom.

Medusa’s attacks have mostly affected organizations in the United States, the United Kingdom, and Canada. This ransomware group remains a significant global threat in 2025.

12. BianLian

BianLian is a rapidly evolving ransomware group that has been active since late 2021. It targets critical industries such as healthcare, manufacturing, and professional services across the United States and Europe.

The group initially used a double-extortion model, encrypting and stealing data. However, in 2023, it shifted tactics and abandoned encryption in favor of data theft and extortion.

BianLian has quickly become one of the top three most active ransomware groups, ranking alongside LockBit and BlackCat/ALPHV. Its leak site displays a growing list of victims, with the healthcare and manufacturing sectors being hit the hardest.

As of 2025, the group continues to expand operations by actively recruiting developers and affiliates to refine its methods, making it an ongoing threat to global cybersecurity.

13. 8Base

8Base is a ransomware group that first appeared in 2022 and significantly increased its activity in 2023. Known for targeting small to medium-sized businesses (SMBs) across industries like finance, manufacturing, IT, and healthcare, the group primarily operates in the United States, Brazil, and the United Kingdom.

8Base uses a combination of data encryption and “name-and-shame” tactics to pressure victims into paying ransoms. Despite its rapid rise in activity and a growing list of victims, 8Base remains relatively mysterious. Cybersecurity researchers have very limited information about this group’s identities or motivations.

14. RansomHouse

RansomHouse is a unique ransomware group that emerged in 2022. It focuses solely on data theft and extortion without encrypting files. Its “extortion-only” approach allows it to steal sensitive data and demand ransom payments in Bitcoin, all while claiming to act as a “force for good” by exposing weak security practices.

This strategy makes this group’s attacks harder to detect because skipping encryption triggers fewer alarms and can lead to longer dwell times inside victim networks.

RansomHouse primarily targets companies with poor security measures and markets itself as a mix of bug bounty hunters and penetration testers. After stealing data, it offers to provide a full report on exploited vulnerabilities and promises to delete the stolen information — if the ransom is paid, of course.

15. NoEscape

NoEscape, a ransomware group that emerged in May 2023, has quickly built a reputation for its aggressive multi-extortion tactics. It primarily targets industries like healthcare, manufacturing, and education, focusing on small and mid-sized businesses in North America and Europe, which often lack the resources to defend against attacks.

The group uses multi-layered extortion. It encrypts data, steals it, and threatens to leak it to maximize pressure on victims. NoEscape operates a TOR-based leak site to display stolen data and victim lists, solidifying its reputation as a fast-moving and ruthless threat.

While it avoids attacking entities in the Commonwealth of Independent States (CIS), its focus on critical industries makes it a significant danger to businesses worldwide.

How to protect your organization from ransomware groups

Ransomware groups target businesses of all sizes — no organization is safe. To defend against these malicious actors, organizations need to act now by employing strategic, proactive cybersecurity measures. Below are key steps your organization can take to reduce the risk of becoming a ransomware victim.

Train employees

Your employees are your first line of defense against ransomware. Threat actors rely on mistakes, using phishing emails and fake links to breach your critical systems.

Teach your team to recognize suspicious emails, unexpected attachments, and untrusted links. Regular training and phishing tests will help them stay alert and protect your organization from known or emerging ransomware groups.

Protect your data with backups and segmentation

Regularly back up critical data and store those backups securely offline, away from your main network. This approach ensures your data stays safe even if an attack happens. Failing to follow this step has left many organizations unable to recover from ransomware attacks and has amplified the impact of some of the biggest data breaches in recent years.

Network segmentation adds another layer of protection by separating sensitive data and systems from the rest of your network. Segmenting your network limits the ransomware’s reach and gives you more time to respond during an attack.

Strengthen endpoint security

Ransomware attacks often start on endpoints like laptops, desktops, or servers. To block these attacks early, use advanced endpoint protection tools that detect and stop ransomware as soon as an employee downloads a malicious file or clicks on a phishing link.

Stay ahead with threat intelligence feeds

Keep ransomware actors at bay by tracking real-time threat intelligence feeds. These tools alert you to new ransomware variants, active attacks, and exploitable vulnerabilities. Services like NordStellar deliver timely updates, which can help you spot risks early and strengthen your defenses.

Prepare with an incident response plan

Develop a clear, step-by-step strategy that outlines how to detect, contain, and respond to an attack. Test the plan regularly through simulated scenarios so employees and IT staff understand their roles and can act quickly in an emergency.

A well-prepared plan minimizes chaos, accelerates recovery, and provides a structured approach to handling ransomware. The faster your response, the less impact the attack will have on your organization.

Use advanced cybersecurity solutions

Invest in advanced cybersecurity tools that provide multi-layered protection. NordStellar threat exposure management platform provides solutions that allow companies to detect and respond to cyber threats early, breaking the cyber kill chain before an attack escalates.

NordStellar includes solutions like vulnerability management and dark web monitoring, which can give you insight into emerging ransomware tactics and help you identify if your data has been exposed. By partnering with NordStellar, your business is equipped with the latest technology to face evolving threats and stay one step ahead of cybercriminals.

Your data deserves the highest level of security. Contact the NordStellar team today to protect your organization against ransomware attacks.

FAQ

What is ransomware-as-a-service?

Ransomware-as-a-service (RaaS) is a business model where ransomware creators rent out their malware to other criminals for profit. RaaS is part of a larger trend called malware-as-a-service (MaaS), where hackers sell or rent malicious tools on the dark web. Unlike general malware, RaaS focuses solely on ransomware, which makes it simple for criminals to encrypt files and demand payment.

How does ransomware spread?

Ransomware spreads through phishing emails, infected software downloads, unpatched vulnerabilities, and malicious websites.

How do ransomware groups choose their targets?

Ransomware groups typically target organizations with valuable data and weak cybersecurity defenses. Ransomware groups are highly likely to target businesses that have paid ransoms in the past because they may assume these organizations are more likely to pay again.

Can ransomware come back after removal?

Yes, ransomware can return after removal if the underlying cause of the malware infection isn’t resolved.

About NordStellar
NordStellar is a threat exposure management platform that enables enterprises to detect and respond to network threats before they escalate. As a platform and API provider, NordStellar can provide insight into threat actors’ activities and their handling of compromised data. It was designed by Nord Security, the company renowned for its globally acclaimed digital privacy tool NordVPN.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Getting OpenTelemetry Data Into Graylog

OpenTelemetry is emerging as the common framework for collecting observability data, and for good reason. It’s vendor-neutral, open source, and designed to collect traces, metrics, and logs in a consistent way. But while most of the buzz is around tracing and metrics, let’s not forget: logs are still the backbone of investigation and response.

That’s why Graylog now supports native collection of OpenTelemetry data over gRPC. If you’re already using OpenTelemetry in your stack—or you’re just curious how to consolidate structured telemetry logs with the rest of your event data—this new input makes things easier.

Let’s walk through what this feature does, why it matters, and how to get it working in your environment.

Why OpenTelemetry and Graylog Make Sense

OpenTelemetry isn’t a single protocol—it’s a toolkit. The OpenTelemetry Protocol (OTLP) supports multiple transport formats, but gRPC is the go-to for real-time, high-throughput use cases.

By adding a gRPC input for OTLP logs, Graylog becomes a central observability engine, capable of handling not just syslog and Beats traffic, but also telemetry streams from cloud-native apps, Kubernetes clusters, and distributed services.

This unlocks:

  • Structured, correlated log data enriched with trace context
  • Faster detection and root cause analysis using familiar Graylog tools
  • One less hop between your services and your SIEM or logging platform

What the gRPC Input Actually Does

The new input type allows Graylog to ingest OTLP-formatted logs over gRPC, a lightweight and efficient transport layer ideal for distributed systems.

Specifically, the input:

  • Listens for incoming telemetry using the OTLP log signal
  • Accepts data in protobuf format over gRPC (not HTTP)
  • Maps and parses log fields into Graylog’s First-Level Field Mapping
  • Supports TLS encryption, authentication, and service-level tagging

At this time, the input is optimized for log data, but future iterations could support metrics or trace signals as well.

First Level Field Mapping

OpenTelemetry Field        Graylog Field
-----------------------    ----------------------------
trace_id                   otel_trace_id
span_id                    otel_span_id
flags                      otel_trace_flags
severity_text              otel_severity_text
severity_number            otel_severity_number
time_unix_nano             otel_time_unix_nano
observed_time_unix_nano    otel_observed_time_unix_nano

Resource and Attributes Mapping

  • Resource Attributes: Prefixed with otel_resource_attributes_ and converted to Graylog fields.
  • Resource Schema URL: Mapped to otel_resource_schema_url.
  • Log Attributes: Prefixed with otel_attributes_.
  • Log Schema URL: Mapped to otel_schema_url.
  • Instrumentation Scope:
      • otel_scope_name
      • otel_scope_version
      • otel_scope_attributes_*

Who Supports OTLP/gRPC?

If you’re working in the cloud (and let’s be honest, who isn’t?), it’s helpful to know which providers offer support for OpenTelemetry—especially if you’re planning to send logs over gRPC. The good news: all major clouds support OpenTelemetry in some form, and most offer native or collector-based support for OTLP over gRPC.

Here’s a quick common list of cloud support:

Cloud    | OTEL Support | OTLP/gRPC Support   | Common Integration
---------|--------------|---------------------|---------------------
AWS      |              |                     | CloudWatch, X-Ray
Azure    |              |                     | Azure Monitor
GCP      |              |                     | Cloud Logging, Trace
IBM      |              |                     | Instana
Oracle   |              | ⚠️ (via Collector)  | OCI Logging

How To Set It Up in Graylog

Getting started is pretty straightforward.

  1. Go to System > Inputs, and choose OpenTelemetry (gRPC).
  2. Configure the Title, IP Bind Address, port (default is 4317), TLS certs (if needed), and optional service name.
  3. Start the input.

On the collector side, configure your OpenTelemetry Collector to send logs via gRPC. Make sure your pipeline includes a logs exporter using the OTLP target, and you’re good to go. You can find full setup instructions in the Graylog documentation.
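The collector-side configuration the setup steps above call for, as an added example that is not from the Graylog or OpenTelemetry documentation: it wires a logs pipeline to an OTLP/gRPC exporter pointed at the Graylog input on port 4317 with TLS verification, and sets the resource attributes that the mapping described earlier turns into otel_resource_attributes_* fields in Graylog. The hostname, certificate path, log path and service name are assumed placeholders, and the filelog receiver requires the contrib distribution of the Collector.

```yaml
# OpenTelemetry Collector configuration (added example, not from the Graylog
# or OpenTelemetry docs). Forwards application logs to a Graylog
# "OpenTelemetry (gRPC)" input. Hostnames, file paths and the service name
# are assumed placeholders; replace them with your own values.

receivers:
  # Local applications instrumented with an OTel SDK push OTLP logs here.
  otlp:
    protocols:
      grpc:
        endpoint: 127.0.0.1:4317   # loopback only; the collector is the egress point
  # Plain log files can be tailed and shipped through the same pipeline
  # (filelog receiver, contrib distribution).
  filelog:
    include:
      - /var/log/myapp/*.log       # assumed path

processors:
  # Resource attributes reach Graylog under the otel_resource_attributes_
  # prefix, so set service identity once here rather than in every log line.
  resource:
    attributes:
      - key: service.name
        value: payments-api        # assumed service name
        action: upsert
      - key: deployment.environment
        value: production
        action: upsert
  # Batch records before export to cut down on gRPC round trips.
  batch:
    send_batch_size: 512
    timeout: 5s

exporters:
  otlp:
    # Graylog input listening on the default OTLP/gRPC port.
    endpoint: graylog.example.internal:4317   # assumed hostname
    tls:
      # Verify the input's certificate against your own CA. The hostname in
      # `endpoint` must match a SAN in that certificate, otherwise the
      # connection fails during the TLS handshake.
      ca_file: /etc/otelcol/certs/graylog-ca.pem   # assumed path
      # Weak alternatives, shown only for comparison; do not ship these:
      # insecure: true               # plaintext gRPC, logs readable on the wire
      # insecure_skip_verify: true   # encrypted but the server is never authenticated
    # Retry and queue so a Graylog restart does not silently drop records.
    retry_on_failure:
      enabled: true
    sending_queue:
      enabled: true

service:
  pipelines:
    # Only the logs signal is wired to Graylog; the input does not accept
    # metrics or traces at this time.
    logs:
      receivers: [otlp, filelog]
      processors: [resource, batch]
      exporters: [otlp]
```

Once the input shows the connection, the service.name value above should appear on each message as an otel_resource_attributes_-prefixed field, which is a quick way to confirm the pipeline end to end.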

What You Can Do Once It’s Flowing

Once OpenTelemetry logs are hitting your Graylog instance, you can:

  • Create dashboards that combine infrastructure and app-level data
  • Use streams to isolate logs by service or environment
  • Enrich logs using the Graylog Information Model schema
  • Automate responses using alerts and pipelines

You can even correlate log events with traces—bringing observability and threat detection closer together. (Because let’s be honest: context is everything when you’re chasing down an incident.)

Common Pitfalls to Watch For

Getting gRPC right takes a little finesse. Here are a few gotchas:

  • Port issues: gRPC often uses 4317, but firewall rules or existing services can interfere.
  • TLS misconfigs: Certificates must match your endpoint and client trust setup.
  • Collector mismatches: The OpenTelemetry Collector config must match Graylog’s gRPC endpoint and expected signal type.

If you’re stuck, the input diagnostics tool in Graylog’s web UI can usually point you in the right direction.

From Buzzword to Better Logs

OpenTelemetry is no longer just a forward-looking framework; it’s fast becoming table stakes. And now, with native gRPC support in Graylog, it’s easier than ever to collect telemetry logs without duct-taping another tool into your stack.

If you’re ready to see how structured telemetry logs can strengthen your visibility, give the new OpenTelemetry (gRPC) input a try. It just might become your new favorite way to get logs into Graylog.

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

The French Tennis Federation chooses Keepit for independent backup of Microsoft data

Keepit protects critical Microsoft 365 and Microsoft Entra ID data of 2,515 users, to add Power BI in the near future

Paris, France – June 10, 2025 – Keepit, a global provider of a comprehensive cloud backup and recovery platform, today announced that it has been selected by the French Tennis Federation (FFT) to independently back up its Microsoft 365, Microsoft Entra ID and Power BI data.

Keen to strengthen the resilience of its digital environments, the French Tennis Federation chose a sovereign backup solution, independent of major global cloud providers. It chose Keepit, a Danish company that controls its entire hosting chain by operating its own cloud and data centers, across Europe, and in the UK, Canada, Australia and the US. Keepit’s architecture, which guarantees uninterrupted access to data even in the event of third-party provider failure, fully met the FFT’s requirements of security, independence and business continuity.

“Until three years ago, we had no backup solution for our cloud environments. My objective was clear: to identify a European service provider guaranteeing maximum independence”, says Franck Labat, Technical Director at FFT. “Beyond this initial requirement, Keepit was able to meet additional needs that we hadn’t anticipated: centralized, traceable archiving of PST files, unified management of all our data via a single platform, and more recently, seamless integration of our directory as part of our complete migration to Entra ID.”

The French Tennis Federation, headquartered at Roland-Garros stadium, organizes, coordinates and promotes tennis for over 8,000 clubs throughout France. The FFT’s operations also involve the management of a large number of seasonal employees as part of its event-driven activities, generating significant data flows to be processed and restored. To ensure consistent monitoring, it is essential to be able to recover data from people who have left, sometimes after short assignments, in order to pass it on to their managers. This need also led the FFT to choose Keepit: beyond backup, the solution enables targeted copying and restoration according to the needs of the teams. Keepit facilitates the management of these processes, while guaranteeing data security.

The collaboration began in 2022, alongside SCC France, a trusted partner of the FFT for over 15 years, with the initial aim of safeguarding Microsoft 365 environments. Since then, the partnership has gradually expanded to include Power BI and Microsoft Entra ID. FFT now plans to systematically integrate any new Microsoft solution it adopts into the Keepit ecosystem, ensuring continuity and consistency in the protection of its digital assets.

“We are particularly proud to have led this project alongside our partner SCC, to offer the FFT an independent cloud backup and recovery platform that is simple to deploy and administer,” says Cyril VanAgt, Vice President Channel EMEA at Keepit. “We remain fully committed to supporting the next steps in the evolution of its cloud and Microsoft environments.”

About the French Tennis Federation
The French Tennis Federation (French: Fédération française de tennis, FFT) is the governing body for tennis in the Hexagone and DROM-COM. It was founded in 1920, and is tasked with the organization, co-ordination and promotion of the sport. It is recognized by the International Tennis Federation and by the French Minister for Sports. Its headquarters are at the Roland-Garros stadium in France.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in cloud-to-cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Keepit continues momentum with 2025 TrustRadius Top Rated Award

Keepit has been recognized as a leader among SaaS Backup, Data Loss Prevention, Disaster Recovery, and Enterprise Backup categories.

Copenhagen, Denmark – June 10, 2025 – Keepit, a global leader in SaaS data backup and recovery, today announced that it has been recognized as TrustRadius Top Rated in four categories: SaaS Backup, Data Loss Prevention, Disaster Recovery, and Enterprise Backup. This recognition comes directly from customers, underscoring Keepit’s commitment to providing an intelligent and secure backup and recovery platform.

“Earning a Top Rated award on TrustRadius is a reflection of how well a product is meeting the needs of its customers,” says Allyson Havener, CMO, TrustRadius. “Keepit’s recognition is based entirely on customer feedback—real users who value the platform’s reliability, performance, and support.”

Since 2016, the TrustRadius Top Rated Awards have become the B2B industry standard for unbiased recognition of excellent technology products. Based entirely on customer feedback, they have never been influenced by analyst opinion or status as a TrustRadius customer. Here is a detailed criteria breakdown of the methodology and scoring that TrustRadius uses to determine Top Rated winners.

Keepit provides independent backup to over 18,000 customers worldwide

Keepit backup and recovery solutions are currently available for eight workloads, such as Microsoft 365, Microsoft Entra ID, Google Workspace and Salesforce. The company will expand its offering in 2025 to include applications such as Jira, Bamboo, Okta and Confluence. Keepit’s unique, intelligent, and cloud-native platform enables customers to safely secure their SaaS applications, ensuring full control of data regardless of unforeseen events such as outages, malicious attacks, or human error.

“SaaS backup has become an increasingly crucial part of risk management and business continuity planning. We are thrilled that our customers rely on Keepit to safeguard critical data and value their continued feedback and support. Accolades such as the Top Rated Award mean a lot to us as a company and further validate that our solutions meet our customers’ needs,” says Michele Hayes, CMO at Keepit.

Hear from verified users on how much they value Keepit: Keepit reviews on TrustRadius.

runZero Named to Rising in Cyber 2025 List of Top Cybersecurity Startups

Selected by CISOs and leading investors, the list recognizes the 30 startups shaping the future of security.

Austin, Texas — June 4, 2025 — runZero, the leader in total attack surface management, today announced its inclusion in Rising in Cyber 2025, an independent list launched by Notable Capital to spotlight the 30 most promising cybersecurity startups shaping the future of security.

Unlike traditional rankings, Rising in Cyber 2025 honorees were selected through a multi-stage process grounded in real-world validation. Leading cybersecurity venture firms submitted nominations, and nearly 150 Chief Information Security Officers (CISOs) and senior security executives voted on the final list, highlighting the companies solving the most urgent challenges facing today’s security teams.

runZero was selected for its innovative approach to exposure management and attack surface discovery, helping security teams navigate today’s complex threat landscape. Unlike traditional vulnerability management solutions, runZero delivers complete and accurate visibility into every asset and exposure across internal, external, IT, OT, IoT, mobile, and cloud environments, including uncovering unknown and unmanageable devices and broad classes of exposures that evade other tools.

The company joins a cohort that has collectively raised over $7.8 billion, according to Pitchbook as of May 2025, and is defining the next era of cybersecurity across key areas like identity, application security, agentic AI, and security operations.

“The demand for cybersecurity innovation has never been greater. As the underlying technologies evolve and agentic AI reshapes everything from threat detection to team workflows, we’re witnessing a shift from reactive defense to proactive, intelligence-driven operations,” said Oren Yunger, Managing Partner at Notable Capital. “What makes this list special is that it reflects real-world validation — honorees were chosen by CISOs who face these challenges every day. Congratulations to this year’s Rising in Cyber companies for building the solutions that modern security leaders truly want and need.”

In celebration, honorees will be recognized today at the New York Stock Exchange (NYSE) alongside top security leaders and investors.

“We’re honored to be recognized as a Rising in Cyber 2025 company. runZero is challenging the status quo with a novel approach to exposure management that can finally provide defenders with the attack surface visibility and comprehensive risk detection required to protect complex, dynamic environments,” said Julie Albright, Chief Operating Officer for runZero. “As a disruptor in our space, it’s great to be acknowledged by CISOs who are in the trenches every day and who have struggled with outdated approaches to vulnerability management that are fundamentally broken. This recognition is a testament to the innovative approach we’ve taken and the meaningful impact we are making for teams responsible for securing their organizations against an increasingly challenging threat landscape.”

A new approach to exposure management

Leveraging innovative technology and proprietary discovery techniques, runZero provides organizations with the most complete and accurate visibility across their total attack surface, including unknown and unmanageable assets. On average, runZero enterprise customers report finding 25% more assets than they were previously aware of, with some environments yielding 10x more assets than security teams expected, radically expanding their view of their attack surfaces and the exposures within. These previously unknown assets are often those at the most risk.

Starting with a foundation of comprehensive visibility enables runZero to provide full-spectrum exposure detection across internal and external attack surfaces. Advanced fingerprinting methodologies build detailed, accurate profiles of each asset in the environment using a library of almost 1,000 attributes. This unmatched depth of data enables the platform to identify much broader classes of exposures going well beyond CVEs to identify risks that evade traditional vulnerability and external attack surface management solutions. runZero recently released new risk findings and dashboards, providing a novel paradigm for organizing, addressing, and tracking exposures over time.

To learn more about Rising in Cyber 2025, visit https://www.risingincyber.com/.

About Rising in Cyber

Rising in Cyber is an annual list recognizing the most innovative startups in cybersecurity as determined by nearly 150 leading CISOs and cybersecurity executives. Nomination criteria included private, venture-backed companies with a primary product focus on cybersecurity and the U.S. as a primary market. For more information about the honorees, participating investors, and methodology, visit www.risingincyber.com.

About Notable Capital

Notable Capital is a global venture capital firm based in the U.S. focused on early-to-growth-stage companies in cloud infrastructure and business and consumer applications. The firm invests primarily in the U.S., Israel, Europe, and Latin America. Notable Capital portfolio companies include Affirm, Airbnb, Anthropic, Brightwheel, Drata, Fal.ai, Handshake, HashiCorp, Ibotta, Monte Carlo, Neon, Orca Security, Quince, Slack, Stori, Vercel, and more.

Notable Capital is a longtime investor in the global cybersecurity sector. Its investments include Bitsight, Descope, Drata, Gem Security (acquired by Wiz), HashiCorp ($HCP, acquired by IBM), Nozomi Networks, Orca Security, Torq, Tonic.io, Vdoo (acquired by JFrog), and more. More information can be found at www.notablecap.com and @notablecap.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often relied on benign probes that coax small information leaks out of devices, and pieced those leaks together to build device profiles. Eventually, this work led him to apply that research and the discovery techniques developed for security testing and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Portnox and CrowdStrike Integration Fortifies Customer Cybersecurity Posture with Enhanced Risk-Based Access Control

AUSTIN, TX – June 4, 2025 — Portnox, a leading provider of cloud-native, zero trust access control solutions, announced a new integration with CrowdStrike, a leader in endpoint protection and zero trust security. This strategic partnership enhances Portnox’s cloud-native Network Access Control (NAC) solution by incorporating CrowdStrike’s trusted device telemetry and Zero Trust Assessment (ZTA) scores, enabling organizations to enforce access policies based on real-time risk intelligence.

In today’s complex threat landscape, endpoint visibility and risk-based access control are cornerstones of effective cybersecurity. The integration between Portnox and CrowdStrike addresses this critical need by bridging the gap between endpoint intelligence and network enforcement.

“In an era where cybersecurity threats are constantly evolving, dynamic, real-time access control is paramount,” said Denny LeCompte, CEO of Portnox. “Our integration with CrowdStrike delivers on this need by empowering organizations to make informed, automated access decisions based on the most current device posture. This partnership significantly fortifies our customers’ security posture, enabling them to confidently embrace Zero Trust principles and adapt to an ever-changing risk landscape.”

CrowdStrike’s industry-leading Falcon® platform, an AI-powered, cloud-delivered solution, provides comprehensive protection for endpoints, workloads, and identities. Its real-time detection and response capabilities, threat intelligence, and behavior-based protection are instrumental in preventing breaches.

A key component of CrowdStrike’s offering is the Zero Trust Assessment (ZTA) score, an intelligent metric that dynamically evaluates a device’s risk posture based on telemetry inputs such as device health, vulnerabilities, threat detections, user behavior, and CrowdStrike agent status. These scores, ranging from 0 to 100, allow security teams to make informed decisions about access privileges and device remediation.

The Portnox cloud-native NAC platform empowers organizations to implement granular, risk-aware access controls without relying on on-prem hardware or complex configurations. With this new integration, Portnox can now:

  • Validate CrowdStrike Management: Automatically verify whether a device is managed by the CrowdStrike Falcon agent before granting network access.
  • Leverage ZTA Scores: Incorporate ZTA scores into policy decisions, allowing full access only to low-risk devices or enforcing guest VLANs or limited access for high-risk endpoints.
  • Strengthen Zero Trust Architectures: Utilize contextual, real-time risk signals from CrowdStrike to reinforce least-privilege access models across corporate and BYOD environments.
  • Automate Response: Define automated NAC policies that adapt to changes in device posture as reported by CrowdStrike, helping to contain threats before they escalate.
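The decision flow the bullets above describe, written out as an added example rather than Portnox or CrowdStrike code: a device must first be confirmed as managed by the Falcon agent, and its ZTA score then selects an access tier. The field names, the score thresholds, the tier-to-VLAN mapping and the assumption that a higher score means lower risk are all illustrative choices for this example, not anything the integration itself exposes.

```python
"""Risk-based access tiering from endpoint posture.

Added illustration, not Portnox or CrowdStrike code. The field names, the
thresholds, the VLAN mapping and the "higher score = lower risk" convention
are assumptions chosen to show the decision flow: confirm the device is
managed by the Falcon agent, then place it on a segment by its ZTA score.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed thresholds (assumption); tune to your own risk appetite.
FULL_ACCESS_MIN_SCORE = 70     # at or above: low risk, full access
LIMITED_ACCESS_MIN_SCORE = 40  # at or above: medium risk, restricted segment
                               # below: guest VLAN only

# Constructed VLAN assignments (assumption).
TIER_VLAN = {"full": 10, "limited": 20, "guest": 99}


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    falcon_managed: bool        # Falcon agent installed and reporting
    zta_score: Optional[int]    # 0-100, or None when no assessment exists yet


@dataclass(frozen=True)
class AccessDecision:
    tier: str    # "full", "limited" or "guest"
    vlan: int
    reason: str


def decide_access(posture: DevicePosture) -> AccessDecision:
    """Map one device's posture to an access tier. Fails closed."""
    if not posture.falcon_managed:
        return AccessDecision("guest", TIER_VLAN["guest"],
                              "not managed by the Falcon agent")
    if posture.zta_score is None:
        # Managed but no score yet: unknown risk, keep it off the corporate segment.
        return AccessDecision("guest", TIER_VLAN["guest"], "no ZTA score available")
    if not 0 <= posture.zta_score <= 100:
        raise ValueError(f"ZTA score out of range: {posture.zta_score}")
    if posture.zta_score >= FULL_ACCESS_MIN_SCORE:
        tier = "full"
    elif posture.zta_score >= LIMITED_ACCESS_MIN_SCORE:
        tier = "limited"
    else:
        tier = "guest"
    return AccessDecision(tier, TIER_VLAN[tier], f"ZTA score {posture.zta_score}")


def reevaluate(current: AccessDecision,
               posture: DevicePosture) -> Tuple[AccessDecision, bool]:
    """Automated response: recompute after a posture change and report whether
    the device has to be moved to a different segment."""
    new = decide_access(posture)
    return new, new.tier != current.tier


def demo() -> dict:
    """Constructed fleet; returns device_id -> tier."""
    fleet = [
        DevicePosture("laptop-01", True, 92),
        DevicePosture("laptop-02", True, 55),
        DevicePosture("laptop-03", True, 12),
        DevicePosture("byod-phone", False, None),   # no agent at all
        DevicePosture("new-build", True, None),     # agent present, no score yet
    ]
    return {d.device_id: decide_access(d).tier for d in fleet}


if __name__ == "__main__":
    for device, tier in demo().items():
        print(f"{device:12} -> {tier} (VLAN {TIER_VLAN[tier]})")
    # A device whose score drops from 92 to 30 is downgraded on the next evaluation.
    before = decide_access(DevicePosture("laptop-01", True, 92))
    after, moved = reevaluate(before, DevicePosture("laptop-01", True, 30))
    print(f"laptop-01 moved={moved} now={after.tier}")
```

Anything the agent cannot vouch for (an unmanaged device, a missing score) lands on the guest VLAN, so a telemetry outage degrades to restricted access rather than to open access. `reevaluate()` is the hook a posture-change notification would call; the tier comparison tells the enforcement point whether the session actually needs to be re-authorised.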

This integration is particularly impactful for hybrid workforces, BYOD programs, and any organization committed to implementing Zero Trust principles. It ensures that only trusted, compliant, and secure devices can connect to corporate networks, providing a continuous, adaptive security solution in the face of increasingly sophisticated attacks.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.


What is Data Loss Prevention (DLP)? An introduction to DLP security

Summary: DLP solutions protect sensitive data from leaks, loss, and misuse. With the right DLP strategy, you can prevent breaches and boost compliance.

Today, data is every organization’s most prized resource, and keeping it secure is more important than ever. Data Loss Prevention (DLP) security helps businesses prevent sensitive data from falling into the wrong hands. It detects and stops data breaches, leaks, or unauthorized transfers before they happen.

Whether it’s a misdirected email, an insider threat, or a ransomware attack, data loss can cripple operations and damage trust. Data Loss Prevention solutions help protect sensitive data and support compliance with HIPAA, GDPR, and other data protection regulations.

This article explores why DLP matters for your organization’s long-term resilience and compliance.

Key takeaways

  • DLP prevents sensitive data from falling into the wrong hands. Whether an accidental email or a targeted cyber-attack, DLP detects and blocks unauthorized data access or transfers before damage is done.
  • It helps you comply with data privacy laws. DLP supports GDPR, HIPAA, PCI DSS, and other regulations by enforcing consistent data handling policies and maintaining detailed activity logs.
  • Common threats such as phishing, ransomware, and human error are major causes of data loss. DLP solutions reduce these risks.
  • DLP protects key types of data your business relies on. From financial records and intellectual property to personally identifiable information (PII) and health data, DLP helps classify and secure what matters most.

What is data loss prevention (DLP)?

Data Loss Prevention (DLP) is a set of tools and strategies that help businesses keep critical information safe. It stops sensitive data from being shared, sent, or accessed by the wrong users, whether by accident or on purpose. It also helps organizations avoid serious consequences like financial loss, reputational damage, and legal trouble.

DLP helps keep data private and available while supporting compliance with strict data regulations, like HIPAA or GDPR. For example, if a team member attempted to copy confidential client data to a USB drive or share it through a personal messaging app, DLP tools can block the action automatically to prevent unauthorized data transfers.

Key Data Loss Prevention measures include encryption, which secures data for approved users only, and access controls, which define who can view or edit sensitive files. Backups and recovery tools help restore data if something goes wrong, while data masking hides confidential information when full access isn’t needed.

Difference between data loss and data leakage

Data loss and data leakage may sound similar, but they pose different threats. Data loss happens when information is accidentally deleted, corrupted, or made inaccessible, for example, in a ransomware attack, a hardware malfunction, or a system crash. The key point is that the data is permanently gone.

Data loss vs. data leakage

In contrast, data leakage occurs when sensitive data is exposed or stolen. It can happen when the data is sent outside the organization without authorization, often through misdirected emails or insider misuse. Data leakage means it’s still out there, but in the wrong hands.

Data loss and leakage require different prevention and response strategies. DLP solutions are designed to ensure data security in both cases.

Common causes of data loss incidents

Data loss can be caused by many things, from simple human mistakes to cyber-attacks. Some causes are more common than others, and each one requires a different approach to prevention. Data threats are here to stay, and knowing what can go wrong is the first step to keeping your critical information safe.

Insider threats

Insider threats come from people inside the organization, like employees or contractors, who have access to sensitive data. According to Verizon’s Data Breach Report, insider threats are responsible for nearly one in five data breaches.

Sometimes, insider threats are accidental, like sending an email to the wrong person. Other times, they’re intentional, like a disgruntled employee stealing or leaking information.

User error

User mistakes happen and are one of the top reasons companies lose data. Accidentally deleting files, sending information to unauthorized users, or mishandling sensitive records can quickly lead to serious issues. According to the World Economic Forum, over 80% of cyber incidents are linked to human error.

While double-checking work and limiting file access can help, these manual steps aren’t foolproof. To truly reduce the risk, businesses should turn to automated security tools that apply consistent rules across the board.

Cyber-attacks

The goal of most cyber-attackers is to steal, damage, or block access to sensitive data. Bad actors use phishing, malware, and ransomware to break into systems and compromise data security:

  • Ransomware: Locks or deletes data and demands payment. In 2024, ransomware made up 20% of cyber incidents.
  • Phishing: In 2025, the weekly volume of phishing emails that try to steal personal or login information rose by 84%. These attacks can target anyone and often lead to data exposure.
  • Malware: Malware remains one of the top methods threat actors use. Spyware, backdoors, and crypto miners steal or corrupt data silently.


Misconfigured cloud storage

In 2024, over 80% of data breaches involved data stored in the cloud, with misconfigurations being a primary contributor. Additionally, IBM’s Cost of a Data Breach Report indicates that cloud misconfigurations account for 15% of initial attack vectors in security breaches, ranking as the third most common entry point for attackers.

When cloud settings are improperly configured, such as leaving storage buckets publicly accessible or failing to enforce encryption, sensitive data becomes vulnerable to unauthorized access. These missteps can result in significant financial and reputational damage for organizations.

Shadow IT

Using unauthorized apps, devices, or services increases the risk of data loss. When employees bypass IT oversight, sensitive data can end up in unsecured locations, making it harder to monitor and protect.

Recent studies highlight the impact of shadow IT. The average cost of a breach involving shadow data reached $5.27 million, 16.2% higher than breaches that didn’t involve it.

Types of sensitive data DLP protects

With many organizations experiencing data loss in the past year, investing in DLP is no longer optional. It’s a must for protecting sensitive information and staying compliant.

Here’s what DLP helps safeguard:

  • Personally Identifiable Information (PII): Names, Social Security numbers, credit card details, emails, and phone numbers. DLP helps meet regulations like GDPR and CCPA.
  • Intellectual Property (IP): Trade secrets, product designs, source code, and proprietary algorithms. DLP blocks unauthorized access and data theft.
  • Protected Health Information (PHI): Patient records, medical histories, lab results, and billing data. Essential for HIPAA compliance in healthcare.
  • Financial data: Account numbers, transactions, reports, and investment details. DLP protects this data and supports regulatory requirements.

By applying DLP across devices, networks, and cloud services, companies can detect, monitor, and prevent leaks before they cause damage.

Why is DLP security important for data security?

Data Loss Prevention plays a key role in keeping sensitive information safe. It helps protect intellectual property and critical data from being exposed, stolen, or misused and supports compliance with standard data protection regulations.

Protecting intellectual property and sensitive data

DLP helps protect your most valuable assets—such as product designs, source code, and customer records—from unauthorized access. Whether it’s accidental sharing or intentional theft, DLP tools prevent sensitive data from leaving your network. This protects your competitive edge and builds customer trust.

Reducing data breaches and insider threats

Many data breaches start from within, whether through human error or malicious intent. DLP reduces this risk by monitoring user actions, blocking risky behavior, and flagging unusual activity. It’s a key layer of defense against both internal and external threats.

DLP also supports a Zero Trust approach, where no user or device is automatically trusted. This ensures that access to data is constantly verified and monitored.

Supporting regulatory compliance and audit readiness

With strict data privacy laws like GDPR, HIPAA, and CCPA, businesses must prove they’re protecting sensitive data. DLP helps meet these requirements by enforcing consistent policies and keeping detailed logs. That means fewer compliance gaps and smoother audits.


How DLP works

DLP solutions help ensure data security and create a strong defense against data leaks, misuse, and accidental loss. The best practices for Data Loss Prevention include a three-step approach.

Step 1: Identify and classify data

The first step is identifying your most valuable and sensitive data that attackers could target. DLP tools help identify sensitive data across cloud apps, email, and devices. Once you know where your data is, you can classify it based on its type, source, or content.

For example, a finance team might classify spreadsheets with revenue forecasts as confidential, while HR would tag employee records containing names and contact details as personally identifiable information (PII). A product team could label source code or design files as internal use only. Classifying data helps track its use and apply the right protection measures.

Step 2: Monitor data movement and access

Understanding how data is used and spotting behaviors that put it at risk is essential. Data is often most vulnerable on endpoints, especially when shared via email attachments or copied to external drives.

DLP solutions track data in motion, at rest, and in use to uncover suspicious activity, like transferring valuable files to unauthorized users or locations. By monitoring access patterns and user behavior, organizations gain clear visibility into data security risks and can act before issues escalate.

Step 3: Block unauthorized data transfers

Once threats are detected, data loss prevention tools take action. If someone tries to email confidential data outside the company, upload it to personal cloud storage, or print sensitive documents, DLP solutions step in.
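The three steps above run end to end, as an added example and not NordLayer's product code: content is classified by a few detectors (Step 1), the transfer's channel and destination decide whether the data is leaving the organization (Step 2), and a policy table maps the labels found to allow, alert or block (Step 3). The detectors, the example.com internal domain, the policy table and every sample message and event are constructed for illustration. Two details the article only mentions in passing are shown concretely: a Luhn check so that not every 16-digit number is flagged as a card, and data masking so that the audit log itself does not become a copy of the sensitive values.

```python
"""Three-step DLP check: classify content, judge where it is going, enforce.

Added example, not NordLayer's product code. The detectors, the policy table,
the internal domain and every sample document and event are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain

# Step 1 detectors. The SSN pattern rejects area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate PAN, confirmed by Luhn
CONFIDENTIAL_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)

# Step 3 policy: action when data carrying a label is about to leave the organisation.
POLICY = {"PII": "block", "FINANCIAL": "block", "CONFIDENTIAL": "alert"}
EXTERNAL_CHANNELS = {"usb", "cloud_upload", "print"}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that weeds out random digit runs (ticket numbers, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Data masking for logs and alerts: keep only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> List[Tuple[str, str]]:
    """Step 1: return (label, masked evidence) pairs found in the content."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("PII", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("FINANCIAL", mask(digits)))
    if CONFIDENTIAL_RE.search(text):
        findings.append(("CONFIDENTIAL", "keyword match"))
    return findings


@dataclass(frozen=True)
class TransferEvent:
    user: str
    channel: str       # "email", "usb", "cloud_upload", "print", "internal_share"
    destination: str   # recipient address, device or service name
    content: str


@dataclass(frozen=True)
class Verdict:
    action: str                       # "allow", "alert" or "block"
    labels: Set[str]
    findings: List[Tuple[str, str]]   # masked evidence for the audit log


def leaves_organisation(event: TransferEvent) -> bool:
    """Step 2: is this movement outbound? Email is judged by the recipient's domain."""
    if event.channel == "email":
        return not event.destination.lower().endswith("@" + INTERNAL_DOMAIN)
    return event.channel in EXTERNAL_CHANNELS


def enforce(event: TransferEvent) -> Verdict:
    """Step 3: apply the policy; the strictest action among the labels wins."""
    findings = classify(event.content)
    labels = {label for label, _ in findings}
    if not labels or not leaves_organisation(event):
        return Verdict("allow", labels, findings)
    actions = {POLICY.get(label, "allow") for label in labels}
    action = "block" if "block" in actions else "alert" if "alert" in actions else "allow"
    return Verdict(action, labels, findings)


def demo() -> List[Tuple[str, str, str]]:
    """Constructed events; returns (user, channel, action) for each."""
    events = [
        TransferEvent("alice", "email", "partner@outside.example",
                      "Hi, customer SSN is 123-45-6789, see attached."),
        TransferEvent("alice", "email", "bob@example.com",
                      "Hi, customer SSN is 123-45-6789, see attached."),
        TransferEvent("carol", "usb", "removable-drive",
                      "CONFIDENTIAL: Q3 product roadmap"),
        TransferEvent("dave", "cloud_upload", "personal-drive",
                      "Card on file 4111 1111 1111 1111"),
        TransferEvent("erin", "cloud_upload", "personal-drive",
                      "Ticket 1234 5678 9012 3456 opened"),   # fails Luhn: not a card
    ]
    return [(e.user, e.channel, enforce(e).action) for e in events]


if __name__ == "__main__":
    for user, channel, action in demo():
        print(f"{user:6} {channel:13} -> {action}")
```

The same content produces different verdicts depending on the destination: the SSN sent to a colleague at the internal domain is allowed, the identical message to an outside address is blocked. That is the point of Step 2; classification alone does not tell you whether an action is risky.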

Types of DLP solutions

Different types of data loss prevention solutions are designed to address specific data security risks across networks, devices, and cloud environments. Choosing the right mix helps protect your sensitive data.

Network DLP

Network DLP tools monitor all traffic flowing in and out of your organization. They inspect data packets for sensitive content and block unauthorized transfers in real time.

To boost data security, features like Network Access Control (NAC) help ensure that unauthorized users and devices are kept off your business network. Also, Identity and Access Management (IAM) adds another layer of security by verifying that every user accessing the network is properly authorized.

Together, these solutions create a robust defense for your business network, reducing the risk of data loss.

Endpoint DLP

Endpoint DLP protects data where it’s most vulnerable—on user devices like laptops, phones, and desktops. It prevents risky actions like copying files to USB drives, printing, or uploading data to personal storage.

For even stronger protection, solutions like NordLayer’s upcoming new-gen Enterprise Browser help limit what can be viewed, downloaded, or shared between the browser and the device. As a result, it reduces the risk of data leaks from both internal and external threats.

Paired with Device Posture Security, which checks if a device meets your company’s security standards before granting access, you get a reliable line of defense at the endpoint level.

Cloud DLP

Cloud DLP protects data stored in and moving through cloud platforms. It monitors activity in cloud apps, collaboration tools, and storage services and applies security policies to ensure safe usage.

With NordLayer’s Cloud Firewall, you can enforce access rules, detect anomalies, and secure traffic between users and cloud resources.

By combining these three DLP types, you can create a layered approach that fits your business needs, protects critical data, and supports compliance with evolving regulations.

Key components of DLP solutions

The best DLP tools combine innovative technology and clear policies to protect critical data across every environment—cloud, endpoint, and network. Here are the essential features to look for:

  • Data discovery and classification. Identifies and tags sensitive data such as PII, financial records, and intellectual property. It helps prioritize protection efforts and supports compliance requirements.
  • Policy enforcement. A set of customizable rules that control who can access data and what actions they can take. When sensitive data is mishandled, the system can block it, encrypt it, or alert your team.
  • Real-time monitoring and alerts. Continuous tracking of data activity across your systems. Suspicious behavior—like unusual file transfers or unauthorized access attempts—triggers alerts for rapid response.
  • Data encryption. Encryption protects data at rest and in motion. DLP can enforce policies that automatically secure data based on its sensitivity and destination.
  • Securing data in motion. DLP scans network traffic to detect and stop sensitive data from leaving your organization in violation of policy.
  • Securing endpoints. DLP solutions on user devices control data transfers between people, teams, and external parties. They can block unauthorized actions in real time and give users immediate feedback.
  • Securing data at rest. Access controls, encryption, and retention policies protect stored data in file servers, databases, or archives from accidental or intentional leaks.
  • Securing data in use. DLP monitors how users interact with data—copying, editing, printing—and flags or blocks risky actions on the spot.

Data loss prevention policy essentials

One of the most important elements of any data loss prevention strategy is a clear, well-defined DLP policy. It acts as your organization’s rulebook for handling and protecting your data.

A DLP policy outlines what data needs protection, how to manage it safely, and who’s responsible for keeping it secure. It ensures everyone follows the same standards and understands their role in data protection.

Here are eight reasons why every modern organization should have one in place:

  1. Protect your data. Set clear rules to prevent unauthorized access, sharing, or loss.
  2. Stay compliant. Align with GDPR, HIPAA, and PCI DSS, and avoid costly penalties.
  3. Promote accountability. Make employees aware of their role in data protection.
  4. Boost incident response. Detect and contain threats quickly with clear response steps.
  5. Safeguard intellectual property. Keep trade secrets, code, and ideas secure.
  6. Manage third-party risks. Ensure vendors follow your data protection standards.
  7. Mitigate insider threats. Monitor and flag risky user behavior internally.
  8. Build customer trust. Show you’re serious about privacy and protecting user data.

A DLP policy isn’t just a formality—it’s a key step toward building a secure, compliant, and resilient business.

How NordLayer can help your business with data loss prevention

Your data is one of your most valuable assets, and it’s constantly at risk. A simple human mistake, a phishing email, or a misconfigured cloud setting can lead to massive data loss, reputational damage, and legal trouble.

That’s where Data Loss Prevention (DLP) comes in. It helps you keep sensitive information from the wrong hands and comply with strict data privacy laws like GDPR, HIPAA, and PCI DSS.

At NordLayer, we make DLP effective with features like:

We’re also building the next generation of endpoint protection. NordLayer’s Enterprise Browser (coming soon) will give IT admins centralized control over how employees use the web, something consumer browsers can’t do. It’s a game-changer for companies operating in BYOD environments. Want early access? Join the waiting list to stay in the loop.

Have questions or need a tailored solution? Contact our sales team to learn how NordLayer can support your specific data protection goals.


About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.
