Skip to content

Sensitive Data Discovery

Find sensitive data before an attacker or an auditor does.

PII PCI PHI Credentials Financial Remediation
5
Data types detected
4
Risk levels
6
Remediation actions
Policy-based
Scheduling

Sensitive Data Discovery scans your managed devices for files containing PII, payment card data, protected health information, stored credentials, and financial records. Pattern-based detection assigns a risk score and confidence level to every finding, and built-in remediation workflows let you encrypt, quarantine, or securely delete offending files from a single dashboard.

Five Data Classification Types

Every scan can target five categories of sensitive content: personally identifiable information such as government IDs and contact details, payment card data including card numbers and CVVs, protected health information like medical records and insurance IDs, stored credentials such as API keys and private keys, and financial records including bank and routing numbers. Each finding is tagged with the matching detection pattern and a match count.

Risk Scoring and Confidence

Findings are ranked across four risk levels (low, medium, high, and critical) based on match count, file location, and detection confidence. A plaintext credential or unprotected card data surfaces as critical and demands immediate action, while a low-confidence match in a non-sensitive location is flagged for review rather than alarm, so teams can triage by real exposure.

Policy-Based and On-Demand Scans

Scan policies define detection classes, file scope, and schedule per organization, running manually, on a fixed interval, or on a cron expression with configurable include and exclude paths, file types, size limits, and worker counts. Scans can also be triggered on demand for up to 200 specific devices at once, and idempotency keys prevent duplicate submissions within a 24-hour window.

Automated Remediation

Six remediation actions cover the full response lifecycle. Destructive actions (encrypt in place, quarantine, and secure delete) queue commands to the device agent and require explicit confirmation, while non-destructive actions let you accept the risk, mark a false positive, or manually flag a finding remediated. A dry-run mode previews exactly which files would be affected before anything changes.

Compliance Reporting and Dashboard

A centralized dashboard aggregates total findings, open and critical-open counts, recent remediations, and average finding age, with breakdowns by data type and risk level across your fleet. Findings can be queried and filtered by status, risk, data type, device, or scan, and remediation events are published to the event bus for integration with alerting and compliance tracking systems.

Built for MSP Scale

All sensitive data is scoped per organization and tied to device identities, so multi-tenant MSPs see exactly which clients carry the most exposure. Findings are deduplicated across repeated scans and track first-seen and last-seen timestamps, giving you a durable, audit-ready record of sensitive data across every endpoint you manage.

Deploy for Free Start Cloud Beta ← All Features

Ready to see Sensitive Data Discovery in action?

Book a 20-minute demo to see how Sensitive Data Discovery works in your environment, or compare plans and self-host today.

Book a Demo(opens in new tab) See Pricing Or self-host free →(opens in new tab)

Ready to try Breeze?

Self-host the open-source agent or join the managed cloud beta. No credit card required.

Start Cloud Beta Deploy for Free(opens in new tab)

Related features

All features →

Device Management

Know what is running, what is drifting, and what needs action.

Remote Access

Connect to endpoints securely from a single web interface.

First in RMM

AI Assistant

AI that can act safely across your fleet.

Patch Management

Run patching as a controlled lifecycle, not a one-off task.

Coming from another RMM? See how Breeze compares on price, features, and openness.

Compare Breeze
Book a Demo(opens in new tab) See Pricing