What's new in Forcepoint DSPM 4.0

This section lists the new features and enhancements for the Forcepoint DSPM solution included in the current release.

Release Summary

DSPM 4.0 ships several features across two themes: a comprehensive classification stack, updated to include Forcepoint DLP Classifiers, and a set of independent capabilities spanning infrastructure resilience, enterprise secrets management, a new data-source connector, and platform identity consolidation.

Customers get faster classification by default, can connect DLP classifiers to drive outcomes, and can trace every classification verdict back to the specific rule that produced it.

Additionally, there are independent features that extend DSPM into Databricks environments, bring enterprise credential vaulting through CyberArk, and consolidate Cloud DSPM identity onto the Forcepoint Platform IdP - which in turn enables role-based access control for the first time in Cloud DSPM.

The Classification Stack

Five features that work together to make DSPM classification faster, more transparent, and easier to explain to customers and auditors.

  1. Classifier Improvements

    What it does:

    DSPM 4.0 provides an improved out-of-the-box classification pipeline with a new lightweight service built on a proven DLP engine. The classification pipeline is fully parallelizable, runs with low CPU and memory overhead, and is observable as a dedicated microservice. The result is dramatically faster classification from day one, without requiring data-science-led tailoring.

    The existing AI Mesh path remains available for those who desire it. Customers can choose to upgrade to the new classification system by discussing with their Forcepoint customer service representative.

    The feature is enabled through the cluster configuration in Rancher (product code for On-Premises and add-on for SaaS). If not enabled, then the existing flow with AI Mesh and Detectors stays active.

  2. DLP Classification Flow

    What it does:

    The DLP Classification Flow connects customer-configured DLP policies directly to the per-file classification engine. When a scan runs, DSPM evaluates each file against the selected DLP policies using the optimized multi-threaded classifier. Pattern matching can override classification model outcomes when a pattern hit occurs, giving customers fine-grained control over how specific content types are classified. Content and path detectors continue to surface findings but no longer drive the top-level classification label.

    Customer benefits:
    • Customers can select the DLP policies that matter to their business and see classification outcomes driven by those policies, not by an opaque model.
    • Every classification outcome traces back to specific DLP rules and policies, giving customers a clear audit trail.
    • Pattern-match overrides allow security teams to ensure that high-priority content types are never misclassified, regardless of model confidence.
    • Eliminates the most common support escalation category: unexplained classification verdicts.

    Customers who have not enabled the DLP classification feature will continue to see AI Mesh-driven outcomes unchanged.

  3. New UX to Explain Classification Outcomes

    What it does:

    DSPM 4.0 introduces the Classification Model page, a redesigned surface that shows customers exactly why each file received its classification label. A Sankey-style visualization maps DLP policies / Detectors to classification outcomes, replacing the previous AI Mesh page with a transparent, traceable view. Terminology is aligned with the DLP policies, Detectors and Taxonomy pages, so customers work within a single vocabulary across the product.

    Customer benefits:
    • Customers can trace any classification outcome back to the specific DLP rule or pattern that produced it, turning a black box into an auditable process.
    • Support and security teams can resolve classification disputes in minutes rather than escalating to the support team.
    • Unified vocabulary across the Classification Model page and Detectors / DLP policies pages removes confusion between overlapping terms.

  4. Onboarding Flow Redesign

    What it does:

    The redesigned onboarding flow lets customers configure the connector and see classification results within a few minutes.

    Customer benefits:
    • Classification can be configured as part of the initial scan setup - no separate workflow, no hunting for the right menu.
    • The Quick Start guide is updated for 4.0, giving new customers a clear path from sign-in to their first classification results.
    • Eliminates the highest-frequency complaint from new customer onboarding feedback.

    Note: Existing tenants are not affected by the onboarding flow changes - the redesign applies to new tenant provisioning only. Existing users will see the updated dashboard auto-refresh behavior when they log in after the upgrade.

Additional Features

Three capabilities that independently extend DSPM's reach, resilience, and enterprise integration story.

  1. Scan Pipeline Hardening

    What it does:

    DSPM 4.0 includes a comprehensive scan pipeline hardening initiative targeting the root causes of the most common customer-reported scan reliability issues. Changes include right-sized memory and CPU defaults across all pipeline services, corrected timeout alignment between the scan orchestrator and downstream services, OCR and Content Extractor performance profiling, and proactive alerting for cataloging and classification throughput drops.

    Customer benefits:
    • Memory limit increases are no longer required in common cases.
    • Proactive throughput alerts give operations teams early warning of classification or cataloging drops.

    All hardening changes are applied automatically with the 4.0 upgrade - no additional configuration is required.

  2. CyberArk Password Manager Integration

    What it does:

    DSPM 4.0 introduces native integration with CyberArk's Credential Provider (CP) for just-in-time secret retrieval. Instead of storing credentials directly in DSPM, administrators reference a CyberArk AppID, Safe, and Object. DSPM retrieves the credential at scan time and never persists it. Secret rotation in CyberArk is fully transparent to DSPM - when a credential is rotated, the next scan automatically picks up the updated value without any reconfiguration.

    Customer benefits:
    • DSPM never stores connector credentials, eliminating a significant audit and compliance risk for security-conscious enterprise customers.
    • Customer security teams retain full ownership of all secrets in their existing CyberArk vault, with no credential duplication.
    • CyberArk's audit log captures every credential access by DSPM - which connector, which reference, and when - providing a complete access trail.
    • Secret rotation is seamless: credentials can be rotated in CyberArk at any time without updating DSPM configuration.
    • The Test Connection feature validates credential references with a masked preview before committing to a full scan configuration.
    • Warm credential retrieval targets under 100ms at the 95th percentile; cold retrieval targets under 700ms.

    CyberArk integration is opt-in. Existing connectors continue to use their current credential storage unless an administrator explicitly migrates them to CyberArk references. Migration requires a CyberArk CP deployment accessible from the DSPM host - the exact deployment topology (server-local vs sidecar) is being finalized before GA. Customers can choose to upgrade to the new classification system by discussing with their Forcepoint customer service representative.

    For detailed information, refer to the CyberArk Password Manager Integration section.

  3. Databricks Unstructured Connector

    What it does:

    DSPM 4.0 adds connectors for Databricks - a Unity Catalog connector covering catalogs, schemas, volumes, and files; and a Workspace connector covering notebooks, repositories, clusters, jobs, and SQL warehouses. File content within Databricks Volumes is scanned for sensitive data; Notebooks are scanned for sensitive content in source code. Authentication uses Personal Access Tokens (PAT) over TLS 1.2+. The connectors are validated against DSPM's Scan Progress, Enterprise Scan, Access Governance, Analytics, Incidents, and Live Events surfaces.

    Customer benefits:
    • Security and compliance teams gain visibility into sensitive data residing in Databricks - a high-priority enterprise data source for ML and analytics workloads.
    • Sensitive content in Databricks Volumes, previously invisible to DSPM, is now discoverable and classifiable.
    • Move-Selected-File remediation works between Databricks and other DSPM-connected repositories.
    • Metadata extraction covers all Databricks object types, enabling access governance reporting alongside data sensitivity findings.

    The Databricks connectors are new additions in 4.0 and are available to all tenants after upgrading. Administrators configure connections using a Databricks PAT and workspace URL. No changes are made to existing connectors or scan configurations during the upgrade.

    For detailed information, refer to the Setting up Unity Catalog Datasource Connector and Setting up Workspace Datasource Connector sections.