Home
Breach is inevitable.
Data theft isn't.
When perimeter security fails, ZORB prevents business-critical application data theft.
DLP protects email and web data.
So what's protecting your application data?
Data Loss Prevention is great for protecting email and web data.
But your business-critical data doesn't live in email anymore. It lives in your desktop applications — spreadsheets, documents, CRM systems, HR platforms, finance applications.
Application data flows are invisible to traditional security tools.
When attackers breach your perimeter, they're after the application data that DLP misses.
Without confidence that application data is protected during incidents, businesses shut down everything — customer-facing services, operations, revenue streams.
Panic shutdowns destroy more business value than a breach ever could
Modern cybersecurity must be built to assume breach. When attacks happen, not if, they show the same pattern: breach detected, immediate shutdown, weeks or months offline.
Without confidence about what data is at risk, shutdown is your only option. Customer-facing services stop. Operations halt. Revenue stops. Data exfiltration continues unchecked.
Two days offline? Recoverable. Two weeks? Customers start looking elsewhere. Two months? Your competitors have taken your market share.
Strategic incident response requires confidence about which systems need to be stopped, versus which can safely continue.
ZORB gives you that operational resilience confidence.
6 weeks
Average downtime after panic shutdown
40%
Revenue loss during prolonged incidents
Zero
Data theft with ZORB protection
See what's at risk.
Before you commit.
Our Proof-Of-Value assessment will show you all data flows from your applications — Word, Excel, CRM systems, desktop apps.
Not theoretical threats, but real evidence of the application data protection gap in your organisation.
You'll see which applications are transmitting data to vendor-specific destination IP addresses — and which aren't going direct to vendors at all.
Professional services, financial services, healthcare or government, see where your regulated data is really going.
With this knowledge, it's over to you: no obligation, either fill the gap or accept the risk.
10 devices. 10 days. Zero risk.
How application data protection works
By default, ZORB applies deny-all to outbound data flows.
Each outbound data flow is validated, in real time, against our 3-point verification check:
Trusted Source
Is the application known, trusted and authorised?
Destination Validation
Is data going to legitimate vendor infrastructure?
Transmission Security
Is the comms method appropriate and secure?
Only flows that pass all three validations are transmitted.
We don't allow any data to leave your devices unless we trust it completely.
Software applications query DNS to know where to send data. DLP, EDR, and EPP trust DNS, even when DNS poisoning has redirected applications to attacker-controlled IPs.
ZORB validates destination IP addresses directly against known vendor infrastructure, independently of DNS. If we see your DNS redirecting data to a non-vendor IP, the transmission is blocked.
Works with your existing security stack
ZORB doesn't replace DLP, EDR, or EPP. We complement them, to fill the gap they miss.
DLP protects email and web data. EDR defends devices from malware. But they leave a security hole: application data protection.
ZORB brings defence-in-depth by adding application data protection to your stack - Word, Excel, CRM systems, finance applications.
No rip-and-replace. No upheaval. Just one missing piece that completes your operational resilience.
POV Assessment
See What Data Is At Risk During Incidents
Real evidence of which applications transmit your sensitive data.
FREE Proof-Of-Value assessment
10 DEVICES, 10 DAYS
See the application data protection gap your current security misses.
This isn't a generic demo.
You see YOUR actual data flows in YOUR own environment.
Real evidence - not marketing claims.
WHAT YOU'LL DISCOVER
Complete visibility of your real data flows:
✓ Which applications are transmitting business-critical data
✓ Actual destinations - not just what DNS reports
✓ Third-party connections operating without approval
✓ Applications bypassing your current security monitoring
✓ Application data protection Gap analysis - what DLP misses in desktop applications
✓ Board-ready evidence for compliance and incident planning
Why this matters:
Most assessments discover applications transmitting data to unapproved destinations - completely invisible to traditional security that only validates DNS responses.
Your assessment maps where YOUR business-critical data actually goes.
On average, we find 80% of application updates don’t actually go directly to vendors
How it works
Simple process. Zero disruption.
Day1
Setup
Install our software on 10 critical Windows PCs. Completely invisible to users with zero performance impact.
Day 1-10
Watch in Real-Time
Every outbound data flow appears in your secure portal. See which applications send data and where it actually goes.
Day 10+
Full Analysis
We walk through your findings: applications transmitting data, destinations your security can't validate, and recommendations.
What we DON'T access:
We monitor WHERE data goes and WHICH applications send it. We never see the actual content of your business information.
Frequently asked questions
Will this disrupt our operations?No. The software runs silently in the background with zero impact on performance or user experience. No shutdowns, no DLP changes, no system access required.
What if we don't want to proceed after the assessment?
No obligation. The findings are yours to keep. Many organisations use the evidence to brief their existing security vendors about gaps.
What if I want to monitor more than 10 devices for longer than 10 days?
That's fine. Simply contact us directly at info@zorbsecurity.com, and we can extend your assessment to fit.
Will this help me if my business is in a heavily regulated sector?
Professional services, financial services, healthcare and government organisations need this more than others. You'll get to see exactly where your regulated data is really going to.
Technical GAP page
The Application Data Theft Gap
Your security stack misses business-critical data
Business-critical data lives outside of email and web monitoring
Financial models in Excel transmitted to cloud storage Client contracts in Word syncing to unauthorised endpoints CRM data (Salesforce, Dynamics) flowing via application APIs HR systems transmitting payroll and personnel records Design files (CAD, engineering software) uploading intellectual property Custom internal applications with zero monitoring visibility
Your current stack has a blind spot
Every tool in your stack monitors different layers independently—none correlate which application process is sending data to which destination IP address.
DLP
Monitors email content and web gateway uploads. Operates entirely outside desktop application data flows—no visibility when Salesforce syncs CRM data, Excel saves to OneDrive, or custom applications transmit to vendor APIs.
EDR/EPP
Protects devices from malware execution. Once an endpoint is compromised, EDR focuses on threat detection—not preventing data transmission from authorised applications being abused.
Network Firewall
Monitors IP traffic (OSI Layer 3), but can't identify which application is transmitting. When Word uploads to Microsoft infrastructure, the firewall sees "traffic to Microsoft IP". It permits it — unable to detect if the application is being abused.
Application Firewall
Inspects protocol compliance, but doesn't correlate source application (OSI Layer 7) to destination. Attacker exfiltration via HTTPS looks identical to legitimate application traffic.
Without correlating application Process ID to vendor-related destination IP address, you can't distinguish legitimate application behaviour from data theft during an active breach.
If your perimeter is compromised, application data walks out undetected.
Prevent application data theft with Process-to-Destination correlation
Your current security stack operates in silos. ZORB bridges this gap by operating simultaneously at OSI Layer 3 (network) and Layer 7 (application)—linking application process ID directly to destination IP address.
This correlation answers the question your current stack cannot: "Which application just transmitted data, and where did it actually go?"
Every outbound transmission must pass ZORB's 3-Point validation check:
Step 1: Source Application Verification
Is this specific application process authorised to transmit data? Validated against curated safelist of approved business applications.
Step 2: Destination Infrastructure Correlation
(The Critical Differentiator)
We verify the destination IP address belongs to the legitimate vendor's infrastructure using Autonomous System Number (ASN) validation—actual network ownership, not DNS responses that can be poisoned.
Step 3: Transmission Method Control
Communication method validated against security policy: approved ports, protocols, VPN requirements, geographic restrictions.
If any validation fails—wrong application, wrong destination, wrong method—transmission blocked INSTANTLY before it leaves the device.
Why this matters
Data theft can be eliminate when
Microsoft Word can only send data to Microsoft-owned IP ranges Salesforce can only transmit to Salesforce infrastructure. Excel blocked from uploading to attacker-controlled cloud storage. DNS-independent validation means even compromised vendor software cannot transmit data to unauthorised infrastructure.
Operational Advantage
✓ Real-time prevention without user intervention — data never leaves the device if validation fails.
✓ When incidents occur, you immediately know which application attempted what transmission to where, without forensic investigation.
✓ Strategic incident response, based on facts, not assumptions.
✓ Supply-chain attack immunity — even if DNS is compromised or a legitimate application is used maliciously, we detect the destination infrastructure mismatch and block transmission.
ZORB complements your existing endpoint protection and DLP.Filling the application data gap without replacing current security investments.
Understand the risk in your environment
Technical claims mean nothing without evidence from your own infrastructure.
Forensic visibility of applications transmitting data outside your awareness Destination IP addresses and infrastructure ownership validation Unauthorised cloud storage connections from desktop applications Application update requests routed through ISPs instead of direct to vendors Communication methods violating security policy
Most organisations discover 15-30% of application traffic going to unauthorised destinations. Not malicious—just unmonitored.
But during a breach, this unmonitored application traffic could be the path to data theft.
Blog
ZORB's Blog
Operational Resilience Through Data Theft Prevention
Application Data Theft Prevention
About
About ZORB
Preventing application data theft during an attack
Why ZORB exists
Most organisations discover the application data protection gap only after a breach—when it's too late. We built ZORB to give IT Directors and security teams the data protection confidence they need to make strategic operational decisions during incidents, not fear-based ones.
ZORB Security is a Cambridge-based cybersecurity company that fills the critical gap traditional DLP solutions miss: business-critical application data protection.
The problem we solve
When attackers breach your perimeter (and they will), traditional DLP protects email and web data but completely misses the 80% of business-critical information in desktop applications—Word, Excel, CRM, HR, and finance systems. This unprotected data walks out undetected, forcing panic shutdowns and extended recovery times.
ZORB's intelligent 3-point validation system software prevents theft of business-critical application data, enabling strategic incident response instead of panic shutdowns. Every piece of data leaving your devices is validated against trusted applications, legitimate vendor infrastructure, and approved communication methods. If any validation fails, transmission is blocked instantly.
We complement rather than compete with your existing security stack. ZORB works alongside your endpoint protection, DLP, and SIEM investments—filling the critical gap they all miss.
No rip-and-replace. No complex deployment.
Founded on research & experience
ZORB was founded by Dr Mark Graham in Cambridge, where he completed his PhD in cybersecurity and still has ties to the university.
With 40+ years of industry experience and teaching information security, cryptography, penetration testing, and networking, Mark built ZORB from academic research into malware detection and real-world understanding of how organisations actually respond to security incidents.
Mark regularly speaks at cybersecurity conferences and industry events, sharing insights on operational resilience and post-breach response strategies.
European, African & Middle Eastern Distribution
Partnered with Cyberwin for channel sales and support
NCSC for Startups Alumni
Recognised by the UK's National Cyber Security Centre
Cambridge Innovation
Based in one of Europe's leading technology clusters
See what's at risk
Try our free proof-of-value assessment: 10 devices, 10 days, real evidence of unauthorised data flows leaving your environment.
Contact Us
Contact ZORB
Got questions about your data protection gap?
Want to see what's at risk?
The fastest way to understand your application data protection gap is to see it in your own environment.
10 devices, 10 days, your data
Press enquiries:
press@zorbsecurity.com
Partner/Distributor enquiries:
partners@zorbsecurity.com
Everything else:
info@zorbsecurity.com
Cambridge, UK
Company registered in England: 10992329
Cookie Policy
Last Updated: March 2026
This Cookie Policy explains how ZORB Security Limited (“ZORB”, “we”, “our”) uses cookies and similar technologies on our website at https://zorbsecurity.com.
1. What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help websites remember your preferences and understand how you use the site.
2. What Cookies We Use
Strictly necessary cookies
These cookies are essential for the website to function. They cannot be disabled. They include session management and security tokens set by WordPress.
Analytics cookies (consent required)
We use Google Analytics 4 to understand how visitors use our website. GA4 sets the following cookies:
- _ga — distinguishes unique users. Duration: 2 years.
- _ga_HKJ8VPK65Y — tracks session state. Duration: 2 years.
These cookies are only set with your consent. Data is processed by Google LLC (US-based) under the EU-US Data Privacy Framework.
Session recording and heatmaps — planned (consent required)
We intend to implement Microsoft Clarity to record anonymised sessions and generate heatmaps to help us improve our website. When activated, Clarity will be opt-in only. We will update this policy before it is enabled.
3. What We Don’t Use
To be clear about what is not in use on this website:
- We do not use Google reCAPTCHA. Our contact forms use CF7 Honeypot, an invisible spam filter that requires no user interaction and sets no cookies.
- We do not use Cloudflare CDN. Any reference to Cloudflare in an earlier version of our cookie banner was an error and has been corrected.
- We do not use advertising or retargeting cookies.
4. Non-Cookie Tracking
We use Apollo.io, a B2B visitor intelligence tool that operates at server level — it does not use cookies. It identifies the company organisation associated with your IP address using publicly available business data. It does not identify you personally. You can find out more and opt out at https://www.apollo.io/privacy-policy.
5. Your Cookie Choices
When you first visit our website you will be shown a cookie banner where you can accept or decline non-essential cookies. You can change your preferences at any time by clicking “Cookie Settings” in the website footer.
You can also manage cookies through your browser settings. Most browsers allow you to refuse cookies and delete existing ones — please consult your browser’s help menu for instructions.
Disabling analytics cookies will not affect your ability to use this website.
6. Legal Basis
Under the Privacy and Electronic Communications Regulations 2003 (PECR), strictly necessary cookies do not require consent. All other cookies on this site require your prior informed consent before being set.
Under the Data (Use and Access) Act 2025, the Government has indicated that certain analytics cookies may in future be exempt from consent requirements. We will update our practices if and when such exemptions come into effect.
7. Changes to This Policy
We review this Cookie Policy periodically. Material changes will be notified by updating the date above and, where appropriate, by displaying a notice on our website.
8. Contact Us
ZORB Security Limited, 124 City Road, London, EC1V 2NX ICO registration: ZB567741
ICO complaints: https://ico.org.uk/concerns/
Privacy Policy
Last Updated: March 2026 | ICO Registration: ZB567741
ZORB Security Limited (“ZORB”, “we”, “our”, “us”) is a cybersecurity software company incorporated in England and Wales. We develop and operate DataShield, an endpoint security product for businesses.
This Privacy Policy covers two distinct contexts: (1) visitors to our website; and (2) customers and their employees who use our DataShield product. Different sections apply to different groups.
Registered address: 124 City Road, London, EC1V 2NX
Compliance: compliance@zorbsecurity.com
Data Protection Officer: dpo@zorbsecurity.com
1. What Information We Collect
Website visitors
When you visit our website we may collect: your IP address, browser type, pages visited, and interaction data. If you fill in a form we collect your name, job title, company, email address, and phone number.
We also use Apollo.io, a B2B visitor intelligence tool that identifies the company organisation associated with your IP address using publicly available business data. It does not identify you personally.
DataShield customers and their employees
The DataShield endpoint agent captures metadata about outbound data flows from devices it is installed on. This includes: timestamps, device name, logged-in username, application names, source and destination IP addresses, and port information. DataShield does not read the content of files, emails, or messages — no packet content is ever captured.
If you are an employee of a ZORB customer organisation, your employer is the data controller for this data. ZORB processes it only to provide the DataShield service on your employer’s behalf. Data subject rights requests should be directed to your employer in the first instance.
2. Why We Use It
- To respond to enquiries and provide our services
- To manage customer accounts and deliver the DataShield service
- To send relevant business communications (you can opt out at any time)
- To improve our website
- To detect and prevent fraud and security threats
- To comply with our legal obligations
3. Legal Basis for Processing
We rely on the following legal bases under UK GDPR: performance of contract; legitimate interests (including B2B marketing, service delivery, and security); consent (where specifically requested); and legal obligation.
4. Who We Share Data With
We work with carefully selected service providers:
- Google Analytics 4 / Google Tag Manager — website analytics and tag management (Google LLC, US-based, EU-US Data Privacy Framework)
- Apollo.io — B2B visitor intelligence (US-based, Standard Contractual Clauses)
- Akismet — spam filtering for contact forms (Automattic Inc., US-based)
- Google Fonts — font delivery (may transmit your IP to Google servers)
- AWS and Hetzner — cloud hosting for DataShield (UK/EEA regions only)
- Microsoft Clarity — session recording and heatmaps (planned, opt-in only — we will update this policy when activated)
We do not sell your personal data.
5. International Transfers
Some service providers are based in the United States. We use appropriate safeguards including the EU-US Data Privacy Framework and Standard Contractual Clauses. DataShield customer data is hosted in the UK/EEA only and does not leave those regions.
6. Cookies
For full details of the cookies we use and your choices, please see our Cookie Policy.
7. How Long We Keep Data
- Active customer relationships: duration of relationship plus up to 7 years
- Business prospects: up to 3 years from last meaningful contact
- Website analytics: up to 14 months
- DataShield event data: 30 days after contract ends (or as agreed in your Data Processing Agreement)
- Job applicants: up to 12 months after recruitment concludes
8. Your Rights
Under UK GDPR you have the right to: access your data; correct it; delete it in certain circumstances; restrict how we use it; receive it in a portable format; object to processing based on legitimate interests (including direct marketing); and withdraw consent at any time.
To exercise any of these rights, contact us at compliance@zorbsecurity.com. We will respond within one calendar month.
If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/.
9. Security
As a cybersecurity company we implement robust security measures including encryption in transit and at rest, customer data isolation, access controls, and regular security assessments. In the event of a personal data breach we will notify affected parties and the ICO as required by law.
10. Changes to This Policy
We review this policy periodically. Material changes will be notified via our website and by updating the date above.
11. Contact Us
ZORB Security Limited, 124 City Road, London, EC1V 2NX ICO registration: ZB567741
