DSPM module#

The DSPM page lists every sensitive-data finding across your buckets, databases, volumes, and snapshots.

Columns#

Match count vs estimated total#

DSPM samples large resources rather than reading them whole. Each finding has:

• Matches: number of items in the sample that hit the pattern.
• Sample size: how many items were sampled.
• Total rows: how many items exist in the resource.
• Estimated total: extrapolated count if the sample is representative.

If a database has 250,000 rows and we sampled 5,000, of which 8,923 sampled phone numbers matched, the estimated total is ~446,000. The detail panel shows the math; the column shows the conservative match count.

Filters#

• Severity, Status.
• Data category: PII, PCI, PHI, Internal.
• File type: .csv, .json, .yml, .tsv, .sql, etc.
• Resource, narrow to one bucket or database.

Detail panel#

For DSPM the panel shows:

• A redacted sample of the matched content (e.g. 4242-****-****-1234 for a credit card pattern). The full value is never stored.
• Validator status, did the matched value pass Luhn (credit cards), checksum (IBAN), or format check (SSN, email)?
• The graph context: this resource's HAS_PII / HAS_PCI edge, plus any toxic combinations the resource sits on.

Tips#

• Public + PII = drop everything. Filter severity=CRITICAL and group by resource. Anything on a public bucket with DSPM hits is a same-day fix.
• Old buckets are the worst offenders. Run a Group by resource and look for bucket names starting with legacy-, old-, migration-. They are almost always the ones nobody owns.
• Database sample sizes matter. A 1,000-row sample on a 50M-row table has wide confidence intervals. The detail panel shows the math.

What's next#

• DSPM concept
• Secrets module, sibling detector for credentials
• Toxic combinations, why DSPM matters most