Questions we often get asked

Even better than a trial, we will give you 10 FREE licenses to get you started.

So you can test our outbound data blocking functionality and data theft elimination software in your own environment.

Sign up for your 10 FREE licenses here

We would be delighted to provide enough licenses for your pilot.

Contact us at or call +44 1223 603029.

Please DON’T sign up for multiple free licenses in the hope of additional free licenses. Yes you will receive more licenses, but you won’t have a good UX as you won’t be able to correlate or manage all of your devices across the different licenses. We want to accommodate your pilot, so contact us instead.

ZORB stops every outbound data flow before it leaves the device. The integrity of each data flow is then checked against a “safe list” of trusted applications, trusted destinations the application should send the data to, and trusted application transmission channels. If the data flow meets these criteria, then the data is deemed as trusted and is allowed to be transmitted. “Deny until proven trusted” is a powerful security stance.

The safe list is your organisation’s list of trusted, allowed data sources. This list is configurable to any level of granularity to meet business requirements. Each data source on this list is assigned 1) the application it comes from, 2) the permitted destination domains or IP addresses, and 3) the expected transmission ports or protocols.

Defining this on a firewall would require a lot of rulesets and continual maintenance. ZORB’s safe list requires a minimum amount of set up and does not require technical knowledge. We do most of the setup work for you by providing a pre-built safe list which has a standard set of safe applications already configured. You just need to add your business specific applications to the list via ZORB’s online portal.

More details on how ZORB’s technologies works can be found here.

No! Think of ZORB as a reverse antivirus.

Antivirus checks incoming data against a list of known malicious signatures and quarantines anything it thinks is potentially dangerous. This prevents malware from entering your systems.

ZORB checks outbound data against a list of trusted criteria and blocks everything, only permitting data that meets the trust criteria. This prevents data from being maliciously exfiltrated from your systems.

More information on why blocking outbound data is important can be found here.

Most Microsoft devices run Window’s Defender Firewall. Typically, this used to protect against incoming threats.

By default, unless a rule is configured otherwise, a firewall blocks all incoming data and allows all outgoing traffic. When an application is installed, an incoming data rule is automatically applied to the firewall (and is not automatically removed upon uninstall). Application-specific outbound rules must be manually applied.

This is certainly possible in Defender Firewall. But would require large amounts of work to set this up and to maintain as business applications change. Neither is Defender Firewall very configurable. Malware can easily bypass a firewall by masquerading as a safe application.

Many data breaches occur due to a firewall misconfiguration. One slight miscalculation in a ruleset can leave a business wide open to attack.

More information about what can and cannot be done using Windows Defender firewall is available here.

Application traffic data is more exposed to threats than ever before, because more and more data is leaving the trusted business infrastructure to go over the public internet to cloud applications, data centres or mobile/hybrid workers.

ZORB protects sensitive data from theft on mobile worker’s devices in just the same way as on office-based devices – only allowing trusted data to be transmitted.

Remote workers should connect to the HQ or cloud applications via VPN. But this does not guarantee all data goes through the VPN. For added security, ZORB can be configured so that all outbound data is forced through the VPN, otherwise it does not get sent.

ZORB does not collect or store any user application data from the user’s device. ZORB simply interrogates the integrity of the data flow before it leaves the device to determine whether to block or allow the data to be transmitted.

Some data is collected for reporting purposes, but does not include any user-related data. When ZORB detects traffic that should not leave a device, first ZORB immediately blocks it. Then ZORB sends an alert about this exfiltration attempt. The standard configuration is for this alert to be sent to ZORB’s online portal, where it is stored for your review. This data is not used for anything other than for your reporting purposes.

However, if absolute confidentiality is required, ZORB can send the alert to your own SIEM or helpdesk instead.

Contact us to find out more on or call +44 1223 603029.

ZORB works on data flow, not data content, which means that ZORB does not care if data is encrypted or not.

Regardless, it is basic security hygiene that you ensure all outbound data is encrypted when passing over a public network such as wifi or the Internet. But take note, encryption does not stop data theft – encryption only makes data unreadable.

ZORB provides one administrator license to our online portal. (Additional licenses are available upon request.)

The online portal serves two functions, 1) it is the administration centre for all of your devices running ZORB and where you administer the safe lists, and 2) it is the reporting centre.

The reports provide a snapshot of data theft threat posture across your entire device estate, and each block attempt is geolocated and cross-referenced with VirusTotal to aid threat hunting and safe list optimisation.

Alternatively, reporting data can be sent to your business helpdesk or SIEM. The online portal is still required for safe list administration.


Network traffic is an invaluable threat hunting tool and ZORB can send a copy of all incoming and outgoing data from a device, to your SIEM.

However, this volume of duplicate traffic could put additional pressure on your internal network. Whilst we can send a copy of the entire packet, it might be better to only send certain fields from each packet to your SIEM. We can work with you to determine the most effective and efficient way to do this.

Contact us to find out more on or call +44 1223 603029.

Unfortunately, today, ZORB runs on Windows only. Our roadmap does include roleout to other platforms if demand is shown.

Why not let us know your other use case requirements, or sign up as a tester here

ZORB does not protect against data leakage

ZORB protects against data theft – the deliberate, intentional theft of sensitive data by hackers, malware or disgruntled employees.

A data leak as the accidental disclosure of sensitive information by human error, such as a user accidentally emailing Personally Identifiable Information to the wrong address. Mitigation of this involves inspecting the content of emails, web forums, social posts for sensitive data.

Data theft and data leakage each requires a different protection strategy, which is covered in more detail here.

ZORB does not protect against physical data theft

Physical data theft includes such things as

  • printing classified data and removing it from the building
  • copying sensitive data to external drives, such as USB stick

This is not on our roadmap because there are many good tools that already prevent this type of data theft.

Still got questions?

Contact us

NEW PDF Download!

Your 5 simple steps to eradicating data theft