Data Security Posture Management was a niche category when Gartner named it three years ago. This month’s Forrester Wave ranks fourteen vendors across Leaders, Strong Performers and Challengers tiers. The category has done something rare for a cloud security segment: gone from emerging to table-stakes without a major consolidation event.
Why DSPM won
Classic DLP assumes a perimeter: endpoints, email gateways, CASBs. DSPM starts from the opposite assumption — your data is in dozens of cloud stores you didn’t inventory, copied into data lakes you didn’t govern, and referenced by pipelines you don’t fully own. The primary job of the tool is discovery and classification at rest and in motion, not blocking. The second job — risk scoring against regulatory and contractual frameworks — only becomes meaningful once the first is solved.
The pivot
Legacy DLP names (Forcepoint, Symantec’s DLP line now under Broadcom, Digital Guardian) are repositioning. The cleanest pivots have happened where the vendor already had a cloud scanning backend; the roughest where the core architecture assumes agent-on-endpoint. Two of the eight 2022 DLP leaders did not make the 2026 DSPM Wave at all.
Practical notes
Practitioners considering DSPM for the first time should budget for the discovery phase to surface an awkward truth: you almost certainly do not know where your regulated data actually is. The deployment is low-risk (read-mostly, API-first). The internal conversation that follows is where the real work starts.