You have Microsoft Purview or Google Workspace DLP running because it came with the license. An auditor asks if you have data loss prevention software. You say yes. Then you try to figure out what happens when an employee uploads a customer list to a random web form, and you realize the honest answer is “nothing.”

This post compares what free, bundled DLP actually covers, corrects three myths that keep teams on the wrong tier, and lists the four capabilities that separate a checkbox deployment from real protection.


What Does Free DLP Cover Compared to Real DLP?

Free DLP covers the files that already live inside the vendor’s ecosystem. Real DLP covers the paths data actually leaves through. The difference matters most on web uploads, GenAI, and anything outside Microsoft 365 or Google Workspace.

| Capability | Free / Bundled DLP | Real DLP |
| --- | --- | --- |
| Classify Office and Workspace files at rest | Yes | Yes |
| Block sharing on sanctioned cloud apps | Partial, vendor-only | Yes, across apps |
| Inspect web uploads to arbitrary sites | No | Yes |
| Cover ChatGPT, Claude, and other GenAI tools | No | Yes |
| Monitor external shares on Google Drive and OneDrive | Limited to one ecosystem | Both, continuously |
| Classify unstructured IP (roadmaps, contracts, code) | Regex only | Context-aware |
| Shadow IT and shadow AI discovery | No | Yes |
| One-click remediation of exposed files | Manual | Built into alerts |
| Cross-platform endpoint agent (Mac + Windows) | Windows-biased | Feature parity |
| Deployment time | Hours | Days to weeks |
| True cost | Bundled, but limited scope | Per-device, clear scope |

The table looks tidy. The real lesson is that free DLP is a feature of your productivity suite. Real DLP is a product that addresses exfiltration, not just filing.


What Are the Biggest Myths About Free DLP?

Three myths keep teams on bundled tooling longer than they should be. Each one costs you the same thing: visibility into the web upload path.

Myth: “If Purview or Workspace DLP is on, we are covered.”

They cover documents inside their own walls. A user copy-pasting a customer list into a web form, a contractor’s browser session, a Dropbox account created with a personal email — none of that is in scope. The moment the data leaves the sanctioned suite, the bundled tool stops seeing it.

Myth: “Regex is good enough for classification.”

Regex finds nine-digit numbers and card-shaped strings. It does not find your pricing strategy, your unreleased product doc, or a signed MSA. Those are the files that actually hurt when they leak, and they share no pattern a regex can match. Real protection uses context-aware classification that reads the file like a person would.
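The limit described above, as an added example that is not part of the original post or any vendor's product: a pattern classifier (nine-digit regex plus a card regex with a Luhn check) run over constructed sample documents. The file names, contents, and label names are assumptions made for illustration.

```python
import re

# Patterns of the kind the post describes: nine-digit numbers and card-shaped strings.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard card-shaped strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Return the pattern labels that fire on `text`."""
    labels = []
    if SSN_RE.search(text):
        labels.append("nine-digit-id")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.append("card-number")
            break
    return labels


# Constructed sample documents (not real data).
SAMPLES = {
    "billing_export.csv": "name,card\nA. Example,4111 1111 1111 1111\n",
    "shipping_note.txt": "Tracking reference 123456789 left the warehouse.",
    "pricing_strategy.txt": (
        "CONFIDENTIAL. FY pricing: undercut the incumbent by a fifth in the "
        "mid-market tier, hold enterprise list price, bundle support."
    ),
    "msa_signed.txt": "MASTER SERVICES AGREEMENT between Example Corp and Customer ...",
}

def run() -> dict[str, list[str]]:
    return {name: classify(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, labels in run().items():
        print(f"{name:22} -> {labels or 'no match'}")
```

The card export is flagged, the harmless tracking reference is flagged as a nine-digit ID, and the pricing memo and signed MSA produce no match at all.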

Myth: “Web uploads are an EDR problem.”

Your EDR watches processes and network connections. It does not read the document being uploaded, and it does not know whether the destination is a sanctioned file-share or a scraping site. A DLP gateway sits in the right place — between the browser and the destination — and inspects the content itself before it leaves the device.


What Does Real Data Loss Prevention Software Actually Do?

Real DLP covers four capabilities that bundled tools either skip or fake. Miss any of them and you are paying for theater.

Web Upload Inspection

The agent intercepts HTTP and HTTPS uploads from the browser and inspects the content before it leaves. It does not matter whether the destination is sanctioned, unsanctioned, or a site you have never heard of — content is classified, policy is applied, action is taken. This is the single biggest gap in bundled tools.

Continuous External Share Monitoring Across Clouds

The tool watches Google Drive and OneDrive at the same time, not just whichever one matches your productivity suite. Sharing state changes over time, so one-time scans miss most of the risk. Continuous monitoring catches the file that was private in March and “anyone with the link” by August.
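Why a one-time scan misses this, as an added example that is not from the original post: successive snapshots of sharing state are compared and any file whose exposure widened is reported. The snapshot format, the exposure labels, the dates, and the file names are constructed assumptions, not the Google Drive or OneDrive API's own values.

```python
from datetime import date

# Exposure levels ordered from least to most exposed (labels are assumptions,
# not values returned by the Google Drive or OneDrive APIs).
EXPOSURE = {"private": 0, "domain": 1, "external_user": 2, "anyone_with_link": 3}


def widened(prev: dict[str, str], curr: dict[str, str]) -> list[tuple[str, str, str]]:
    """Files whose exposure increased between two snapshots (unseen files count as 'private')."""
    out = []
    for file_id, state in curr.items():
        before = prev.get(file_id, "private")
        if EXPOSURE[state] > EXPOSURE[before]:
            out.append((file_id, before, state))
    return sorted(out)


def monitor(snapshots: list[tuple[date, dict[str, str]]]) -> list[tuple[date, str, str, str]]:
    """Continuous view: compare each snapshot with the one before it."""
    events = []
    for (_, prev), (when, curr) in zip(snapshots, snapshots[1:]):
        events += [(when, *change) for change in widened(prev, curr)]
    return events


def one_time_scan(snapshot: dict[str, str]) -> list[str]:
    """Single audit: only sees what is externally exposed on the day it runs."""
    return sorted(f for f, s in snapshot.items() if EXPOSURE[s] >= EXPOSURE["external_user"])


# Constructed snapshots of sharing state across both clouds.
SNAPSHOTS = [
    (date(2024, 3, 1), {"gdrive:customer_list.xlsx": "private", "onedrive:roadmap.pptx": "domain"}),
    (date(2024, 6, 1), {"gdrive:customer_list.xlsx": "domain", "onedrive:roadmap.pptx": "domain"}),
    (date(2024, 8, 1), {"gdrive:customer_list.xlsx": "anyone_with_link", "onedrive:roadmap.pptx": "external_user"}),
]

if __name__ == "__main__":
    print("March one-time scan:", one_time_scan(SNAPSHOTS[0][1]) or "nothing exposed")
    for when, file_id, before, after in monitor(SNAPSHOTS):
        print(f"{when}  {file_id}: {before} -> {after}")
```

The March scan reports nothing exposed, while the continuous comparison records the customer list moving to domain-wide in June and to "anyone with the link" in August.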

Shadow IT and Shadow AI Discovery

The agent sees what web apps and GenAI tools your users actually visit, even the ones IT does not know about. You cannot write policy for apps you cannot see. A strong AI endpoint security layer gives you a list, usage counts, and a one-click block per app.

Context-Aware Classification

Classification reads the file and decides what it is. A contract looks like a contract. A product roadmap looks like a roadmap. Credit card numbers still get caught, but so do the unstructured documents that matter most and that regex will never flag.


Frequently Asked Questions

Is Microsoft DLP free?

Microsoft includes basic DLP in Microsoft 365 E3 and expands it in E5, so it is bundled rather than truly free. Coverage is strongest inside the Microsoft ecosystem — Exchange, SharePoint, OneDrive, Teams — and weakest on web uploads, non-Microsoft clouds, and GenAI tools. It is a starting point, not a complete program.

Does Google have DLP?

Yes. Google Workspace includes DLP for Drive, Gmail, and Chat on Business Standard and above, with stronger controls on Enterprise tiers. It covers content inside Workspace well and does not cover endpoint uploads, non-Google SaaS, or browser activity. A platform like dope.security layers on top to cover the paths Google cannot see.

Is free data loss prevention software enough for compliance?

For narrow use cases inside Microsoft or Google, free DLP can satisfy specific control requirements. For SOC 2, HIPAA, or PCI programs that require coverage of all exfiltration channels, bundled tools almost always leave gaps your auditor will find. Plan for a paid layer the moment compliance is in scope.


The Cost of Staying on Bundled

Bundled DLP is cheap because it is narrow. Every day you stay on it, the blind spots — web uploads, GenAI pastes, non-suite clouds — grow in proportion to how much your team uses the web. The leak you eventually report will almost certainly happen through a path your free tool was never designed to see. Map your real exfiltration paths, compare them against what is actually covered today, and make the gap visible before it turns into an incident.

By admin
