Protecting data in transit alone does not address the risk of sensitive files that
already reside on endpoint devices. Personal data, financial records, and
intellectual property can accumulate on laptops and desktops over time, creating
compliance gaps for regulations such as GDPR, HIPAA, and PCI-DSS. Data-at-rest
scanning closes this gap by giving you full visibility into what sensitive data
exists on your managed endpoints and enabling you to take action.
You can now scan managed endpoint devices for sensitive data at rest to identify
improperly stored or unsecured information that puts your organization at risk of
data breaches and regulatory noncompliance. Data-at-rest scanning for Endpoint DLP
uses a local detection engine on the Prisma Access Agent to discover sensitive
files across Windows and macOS devices without relying on centralized cloud
infrastructure for every scan.
You configure data-at-rest Endpoint DLP policy rules to define which data
profiles, file types, folder paths, and users the scan targets. The local
detection engine on each Prisma Access Agent performs the scan directly on the
device using regex-based and OCR-based pattern matching, which minimizes latency
and maintains protection even when the endpoint is offline. You control resource
consumption by setting CPU usage limits for scans, and the agent automatically
checks battery levels before scanning to avoid disrupting end-user productivity.
When the scan identifies sensitive data, Endpoint DLP generates an incident that
your security team can investigate and remediate through the centralized incident
management workflow in Strata Cloud Manager.
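As an added illustration, not code from the Prisma Access Agent or from this documentation, the following Python sketch shows the shape of a local, regex-based data-at-rest scan scoped the way a policy rule scopes it: a hypothetical folder path and set of file types, one data profile (payment card numbers) with a Luhn check to cut false positives, and a masked incident record per file. The scan root, file types, profile name and SAMPLE content are all constructed.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Hypothetical scope, standing in for what a data-at-rest policy rule defines:
SCAN_ROOT = Path("docs")                  # folder path to walk
FILE_TYPES = {".txt", ".csv", ".log"}     # file types in scope
# Data profile: 13-19 digit card numbers, digits optionally separated by a
# space or hyphen. The regex finds candidates; the Luhn check filters them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed sample file content: first number is Luhn-valid, second is not.
SAMPLE = "invoice 4111 1111 1111 1111 paid; ref 4111-1111-1111-1112; tel 5551234567"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Incident:
    path: str
    profile: str
    matches: int
    sample: str                           # masked; never carry the full PAN

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in text."""
    cands = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in cands if luhn_ok(d)]

def scan_text(path: str, text: str):
    """Apply the data profile to one file's content; returns None when clean."""
    pans = find_pans(text)
    if not pans:
        return None
    return Incident(path, "PCI-DSS/PAN", len(pans), "*" * (len(pans[0]) - 4) + pans[0][-4:])

def scan_tree(root: Path = SCAN_ROOT) -> list:
    # Walk only in-scope file types under the in-scope folder; one incident per file with hits.
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in FILE_TYPES:
            inc = scan_text(str(p), p.read_text(errors="ignore"))
            if inc: hits.append(inc)
    return hits
```

The real agent additionally applies OCR to images and enforces the CPU and battery limits described above; this sketch covers only the regex-matching and incident-shaping part.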