R&D Division at a Leading Document Technology CompanyStopping Code Leakage That Rule-Based DLP Can't Catch
When a 350-person R&D division at a major document technology company discovered engineers uploading source code and pre-release designs to personal cloud accounts, their existing DLP tools showed nothing. PrivateDLP 's AI screen auditing changed that — with natural-language violation rules and screenshot evidence.
Executive Summary
A 350-person R&D division at one of the world's leading document technology companies develops the core technologies behind their flagship products — millions of lines of source code, proprietary rendering algorithms, and pre-release product hardware designs. When an engineer was caught uploading code to a personal GitHub repository through an unknown cloud service, the division director realized their traditional DLP had been blind the entire time.
Traditional DLP tools were configured to block uploads to a handful of known cloud services. But engineers are resourceful — they found a newly launched cloud IDE service that wasn't in any blacklist. The division self-funded the deployment of PrivateDLP across all ~350 Windows engineering workstations. The deciding factor: its AI could actually see what was on screen and understand when source code was being transferred outside the organization, not just match patterns against a database of known URLs.
Client Profile
The client is the R&D division of a leading document technology company, developing proprietary document management software, hardware reference designs, and pre-release product specifications. The division has approximately 350 engineers and designers who work with highly confidential source code and design files daily. This deployment was self-funded by the division rather than a company-wide purchase, covering all Windows R&D workstations within the division.
Client Type
Leading Document Technology Company · R&D Division
Deployment Scale
~350 Windows R&D workstations, division self-funded
User Base
~350 engineers, designers, and researchers
The Challenges
A 350-engineer R&D division realizing that USB locks and URL blocklists don't stop a technically skilled engineer with a cloud IDE
Engineers Can Route Around Rule-Based DLP in Minutes
Source code is the core competitive asset of a document technology company. The R&D division had DLP rules configured for a fixed list of known cloud services and file transfer websites. But engineers are technically sophisticated — one discovered a newly launched cloud IDE service and was using it to push code to a personal repository. It wasn't on any blocklist. It wasn't in any database. The DLP logged nothing.
USB Controls Alone Can't Stop Cloud-Based Exfiltration
The division had USB write restrictions in place, which blocked the obvious data theft route. But blocking USB doesn't stop an engineer from uploading code directly from their IDE to an external cloud service. The division head realized they were only blocking the least sophisticated exfiltration method.
GitHub and Personal Repositories Are Part of Developer Workflow
Unlike an accounting firm where personal cloud storage has no legitimate use, an R&D division's engineers legitimately use GitHub, GitLab, and corporate code repositories daily. Any solution had to understand the difference between a legitimate corporate GitHub push and an upload to a personal account or an unknown external service — context that rigid URL-based rules simply cannot distinguish.
The Solution: PrivateDLP
The R&D division director evaluated three products before choosing PrivateDLP . The deciding factor wasn't the price or the endpoint control features — it was that the AI could understand what's actually on screen, not just match a URL against a list
AI That Understands Code on Screen
Instead of maintaining a URL database, the division director wrote simple rules in plain English: "alert when code from an IDE is being pushed to an unknown external service" or "alert when design files from CAD software are uploaded to a non-corporate cloud." The AI analyzes what's actually displayed on the engineer's screen.
Screenshot Evidence When Code Leaves
When the AI detects a violation, it captures the screen at that moment and notifies the director. The Pro version stores these screenshots to the division's corporate S3 bucket — giving them actual evidence of code exfiltration, not just a timestamp log that says "something happened."
Deployment Details: ~350 Pro licenses deployed to all Windows engineering workstations in the division. The division already had USB write controls and website blocklists in place from a previous tool — PrivateDLP supplemented these with AI-powered screen auditing while maintaining the existing policy layers.
What the R&D Division Deployed
AI screen auditing on top of existing endpoint controls — built a layered defense where each layer catches what the others can't
Natural Language Rules — 'Alert When Code Goes to an Unknown External Service'
The feature that differentiated PrivateDLP from everything else the division evaluated. Rather than writing regex patterns or maintaining a database of cloud service URLs, the director wrote rules in plain English that described the actual behavior he cared about. The AI understands these rules and detects violations by analyzing what's on the engineer's screen.
- Rule examples: 'alert when code from Visual Studio or IntelliJ is being pushed to a non-corporate cloud service' or 'alert when hardware design files from the CAD application are uploaded to a personal account'
- The AI understands developer workflows — it knows the difference between a corporate GitHub push and an upload to a personal repository on an unknown service
- Rules can be scoped by time of day, user group, or project, so the same AI auditing engine works differently for different teams
- No regex, no URL database updates, no waiting for new cloud services to be added to a blocklist
Screenshot Evidence of Code Leaving — Stored to Corporate S3
When the AI detects that an engineer has violated a rule, it captures a screenshot at that exact moment and notifies the division director. For a document technology company, this isn't about productivity metrics — it's about having actual evidence when proprietary code walks out the door.
- Screenshot captured at the exact moment of violation, showing the actual code or design file on screen
- Pro version stores alert screenshots to the division's own S3 bucket — no proprietary data leaves the organization's infrastructure
- Evidence is organized by engineer, timestamp, and rule violated — making it immediately usable for internal investigations
- This closes the gap that rule-based DLP can't: knowing when code was actually uploaded, not just that some network traffic occurred
USB Controls + App Blacklists + Firewall — The Foundation Beneath AI
Before deploying PrivateDLP , the division already had USB write restrictions and basic website blocklists from a previous tool. The Pro deployment kept these existing policies while adding AI auditing on top — building a layered defense where AI catches what rules can't, and rules block what doesn't need AI to detect.
- USB write controls: prevents copying code files to unapproved USB drives, with whitelisting for company-issued encrypted drives
- Application blacklist: blocks non-approved code sync tools and unknown cloud IDEs from running, complementing AI detection
- Website blacklist: blocks known non-work sites and known exfiltration channels during work hours
- Firewall rules: controls which programs can access the network, adding a network-layer control beneath application-level restrictions
AI Model Flexibility — Data Stays Within the Division
For an R&D division, the source code being analyzed by the AI is the company's most sensitive intellectual property. The division needed confidence that the AI analysis wouldn't expose their code to unauthorized parties.
- The division configured the AI model to match their security and compliance requirements
- Screen analysis results and code content are handled according to the division's chosen AI model configuration
- The web console manages all policies, AI rules, and endpoint controls from a single pane of glass
- Flexible policy configuration by team, project, or time period — so the engineering team's AI rules differ from the hardware design team's
Business Results & Impact
From blind spots in code exfiltration to real investigation evidence — what the R&D division gained after deploying PrivateDLP
| Metric / Objective | Before Deployment | After Deployment |
|---|---|---|
Code Exfiltration Detection | Traditional DLP blocked a known list of cloud services — engineers bypassed it with an unknown cloud IDE | AI detects when code is actually on screen and being uploaded to any external service, known or unknown |
Investigation Evidence | Network logs showing outbound traffic — impossible to prove what file was actually uploaded | Screenshot at the moment of violation, stored to corporate S3, showing exactly what code was on screen |
Developer Workflow Discrimination | Binary rule: block all cloud services or block none — couldn't distinguish corporate GitHub from personal repos | AI understands context: legitimate corporate GitHub push vs. code uploaded to a personal account or unknown service |
Time to Full Coverage | Previous tool required weeks of URL database curation before achieving baseline coverage | ~350 engineering workstations fully covered in 5 weeks — AI works from day one with no URL database |
"Our engineers are smart — if you give them a blocklist, they'll find a way around it. What I needed wasn't a bigger blocklist. I needed a system that could actually see what was on the engineer's screen and understand when our code was leaving the building. PrivateDLP does that. When someone pushes code to a personal repository, I get the screenshot."
— R&D Division Director
For a document technology company, source code is not just intellectual property — it's the product itself. Unlike financial data that follows predictable patterns, code exfiltration doesn't announce itself through file name conventions or traffic to known servers. It happens through legitimate-looking uploads to legitimate-looking services, from legitimate-looking developer tools.
Traditional DLP is built for a world where threats look like threats. Engineers live in a world where everything looks like work. PrivateDLP 's AI auditing bridges this gap — analyzing what's actually on screen, understanding developer workflows, and capturing screenshot evidence when rules break. The R&D division deployed ~350 licenses across their engineering workstations in 5 weeks, giving their director the visibility into code exfiltration that no URL database could ever provide.