How do I test my DLP policies online?

ITSecTools lets you upload or generate test files (PDF, DOCX, XLSX, CSV) containing PII, PCI, or PHI data and attempt to transfer them over HTTP/HTTPS/FTP. If your DLP solution blocks the transfer, your policies are working correctly.

What is a DLP regex builder and why do I need one?

A DLP regex builder helps you create regular expression patterns that match sensitive data like credit card numbers, medical record numbers, or employee IDs. ITSecTools generates vendor-optimized regex for 10 DLP engines including Forcepoint, Symantec, Palo Alto, Zscaler, and Netskope — each with different syntax requirements.

Which DLP vendors are supported for regex generation?

ITSecTools supports Forcepoint DLP, Forcepoint DSPM, Symantec DLP (Broadcom), Palo Alto Networks, Zscaler, Netskope, Trellix DLP, Fortinet, Microsoft Purview, and Proofpoint. Each vendor uses a different regex engine (PCRE, RE2, Java, etc.), and the tool translates patterns accordingly.

How do I test if my DLP can inspect base64 encoded data or nested archives?

Use the Evasive Payload Download to create Base64-encoded data, renamed file extensions (e.g., .docx renamed to .jpg), password-protected ZIP archives, or nested archive files. If your DLP blocks these, it has strong evasion detection capabilities.

Can I check document classification labels and sensitivity markings with this tool?

Yes. The Label & Classification Check deep-scans uploaded DOCX and XLSX files by parsing their ZIP archive structure to extract Microsoft Information Protection (MIP) classification labels from docProps/custom.xml. For PDFs, it reads classification properties directly from the metadata dictionary. If no explicit label is found, it performs content-level DLP pattern matching for PII (SSN), PCI (credit card numbers), and keyword-based classification. Results are color-coded by sensitivity level with MD5 and SHA-256 hashes for verification.

Can ITSecTools detect Endpoint DLP agents blocking uploads?

Yes. ITSecTools is the only free DLP testing tool that can detect and report when an Endpoint DLP agent (such as Forcepoint or Symantec) blocks a file upload at the browser level — even in inline/proxy mode. When an endpoint agent intercepts the upload, ITSecTools displays: "BLOCKED: Upload intercepted by Endpoint DLP agent before data reached the browser." This clearly distinguishes endpoint-level blocks from network/proxy DLP blocks, helping security teams validate both layers independently.

Why does my DLP block CSV/XLSX downloads but not DOCX/PDF?

CSV files are plain text and XLSX files have XML-based content — both are easily parseable by DLP engines. DOCX files are OOXML ZIP archives requiring decompression and XML parsing, while PDF files store text inside compressed content stream objects. Many network-based proxy DLP solutions lack deep file parsing for these complex formats. If your DLP misses DOCX/PDF, check your DLP policy for file type inspection depth settings or consider using Endpoint DLP agents which typically handle these formats better.

What is Nested JSON Exfiltration testing and why does it matter for DLP?

Nested JSON Exfiltration tests whether your DLP can detect sensitive data (PII, PCI, PHI) buried inside deeply nested JSON structures at configurable depths (2, 4, or 6 levels). AI agents (MCP), REST APIs, and GraphQL mutations all transmit data in nested JSON. Many DLP engines only scan flat text — this test reveals whether they can parse structured payloads to find sensitive data hidden multiple levels deep.

Can I generate a DLP validation report?

Yes. After running your tests, click "Generate Report" to download a branded PDF with a score gauge, protocol coverage matrix, data category breakdown, identified gaps, and actionable recommendations. The report is generated client-side — no data leaves your browser.

Is ITSecTools free to use?

Yes, ITSecTools is completely free. All testing occurs locally in your browser or via stateless API functions. No data is stored, collected, or transmitted to external servers.

Home/DLP Validator

DLP Verification

Follow the steps below to test your DLP policy — start with step ① if you need test files, or jump to step ④ to test directly. Download a PDF report at step ⑥ to share gaps with your stakeholders.
ℹ️ While conducting the test, the report generation option will appear automatically — the Generate & Share Report step is not directly clickable and will activate once test results are available.

①Download Test Files→②Evasive Payload Download→③Label & Classification Check (optional)→④Data Leakage Simulator→⑤Advanced DLP Tests→⑥Generate & Share Report→⑦DLP Regex Builder

HTTP

HTTP Upload

Unencrypted web transfer (Port 80)

Drop file or click to upload

HTTPS

HTTPS Upload

Encrypted web transfer (Port 443)

Drop file or click to upload

FTP

FTP Upload

File Transfer Protocol (Port 21)

Drop file or click to upload

HTTP/S POST Simulation

Attempt to transmit data via an HTTP POST request to test egress filtering.

Protocol:HTTP (Port 80)HTTPS (Port 443)

Learn more about this tool

Free DLP Testing & Regex Builder Tool

ITSecTools provides a comprehensive Data Loss Prevention (DLP) testing suite that goes beyond simple file upload tests. Generate dynamic documents containing PII, PCI, or PHI data on the fly — preventing static hash fingerprinting that bypasses basic DLP solutions. Test multi-protocol transfers over HTTP, HTTPS, and FTP, inspect file metadata and classification labels, and simulate advanced evasion techniques including Base64 encoding, renamed file extensions, password-protected archives, and nested ZIP files.

Label & Classification Check

A unique capability not found in other free DLP testing tools. Upload any document and the engine deep-scans it to detect sensitivity labels and classification markings using multiple detection methods:

DOCX/XLSX Label Extraction — Parses the ZIP archive structure to read Microsoft Information Protection (MIP) classification labels from docProps/custom.xml (e.g., Confidential, Internal, Public, Top Secret).
PDF Metadata Scanning — Extracts Classification and Label properties directly from PDF metadata dictionaries using raw binary parsing.
Content-Level DLP Matching — When no explicit label exists, scans file content for PII patterns (SSN), PCI data (credit card numbers), and keyword-based classification markers.
File Integrity Hashing — Computes MD5 and SHA-256 hashes for verification and threat intelligence lookups.
Color-Coded Results — Sensitivity levels are visually coded: Red (Confidential/Secret), Blue (Internal), Green (Public) with classification tags.

Evasive Payload Download

Test whether your DLP solution can detect sensitive data hidden behind common evasion techniques used by insiders and attackers. The Evasive Payload Download creates real DLP test payloads for exfiltration simulation — not simulated traffic — that challenge your DLP engine's inspection capabilities:

Renamed File Extensions (True File Typing) — Generates valid DOCX documents containing sensitive data but saved with fake extensions like .jpg or .png. Tests whether your DLP inspects file magic numbers (file signatures) rather than trusting the extension.
Base64 Encoder/Decoder — Obfuscates any sensitive text (SSN, credit cards, passwords) into Base64 format. Tests if your DLP can natively decode and inspect Base64-encoded content in transit.
Password-Protected Archives (AES-256) — Generates encrypted ZIP files containing sensitive documents. Tests your DLP's fail-close vs. fail-open policy — does it block encrypted archives it cannot inspect, or does it let them through?
Nested Archives (Depth Limit Testing) — Wraps sensitive data inside multiple layers of ZIP compression (ZIP-in-ZIP-in-ZIP). Tests your DLP's maximum archive extraction depth — most solutions stop at 2-3 levels, leaving deeper payloads uninspected.

Vendor-Optimized Regex Builder

Build regex patterns optimized for your specific DLP vendor. Unlike generic regex tools, ITSecTools understands the differences between PCRE, RE2, Java, and cloud-native regex engines. Simply enter a compliance test data string, and the tool auto-detects its structure, letting you customize 27 match types and generate vendor-ready patterns with plain English explanations.

Supported DLP Vendors

Forcepoint DLPForcepoint DSPMSymantec DLP (Broadcom)Palo Alto NetworksZscalerNetskopeTrellix DLPFortinetMicrosoft PurviewProofpoint

What Makes This DLP Tool Different?

Dynamic payload generation — files are created on the fly, preventing signature/hash-based bypasses.
Vendor-specific regex creator and translator — patterns are translated for each vendor's regex engine, not generic one-size-fits-all.
Failure diagnostics — when a regex doesn't match, the tool pinpoints exactly which token failed and where.
Evasion testing — Base64 encoding, renamed extensions, encrypted archives, and nested ZIP depth testing.
Label & Classification Check — upload any document and the engine deep-scans it to detect sensitivity labels and classification markings.
Completely free — no sign-up, no installation, no agents required.

Related Guides

How to Test Your DLP Policy — Free Tool Guide
Your DLP Passes Every Test but Misses Real Exfiltration
Your DLP Regex Works in Testing but Breaks in Production
DLP Testing Tools Compared — DLPTest.com vs ITSecTools