Skip to content

DLP detectors

The DLP layer scans request bodies and response bodies for sensitive data. The detector ships with seventeen built-in kinds. You can’t add custom regex detectors from configuration on the opensource build (that’s a Rust-source change), but every built-in is enabled by default.

KindSeverity (default)What it matches
EmailMediumStandard email shape (local-part@domain.tld)
PhoneNumberMediumE.164 + common regional formats
SsnUsHighUS SSN (NNN-NN-NNNN, with checks for invalid area numbers)
CreditCardHighVisa / Mastercard / Amex / Discover (Luhn-validated)
IpAddressLowIPv4 + IPv6 literals
AwsAccessKeyIdHighAKIA… / ASIA… 20-char prefixes
AwsSecretAccessKeyCritical40-char base64-ish following an AWS-key heuristic
GithubTokenHighghp_…, gho_…, ghs_…, ghr_… 40-char tokens
SlackTokenHighxox[baprs]-… Slack token format
OpenAiKeyHighsk-… 48-char OpenAI API key
AnthropicKeyHighsk-ant-… Anthropic API key
GoogleApiKeyHighAIza… 39-char Google API key
JwtTokenMediumThree base64-url segments separated by .
BearerTokenMediumGeneric Bearer <opaque> in headers / bodies
PrivateKeyPemCritical-----BEGIN [RSA | EC | OPENSSH] PRIVATE KEY----- blocks
GenericHighEntropyMediumHigh-entropy strings (Shannon-entropy threshold) — catches “looks like a secret”

You don’t configure each detector individually. You set an action per severity:

Terminal window
# in .env
AGENTUM_DLP_ACTION_HIGH=block
AGENTUM_DLP_ACTION_CRITICAL=block

The four possible actions:

  • observe — log the hit, don’t block, don’t redact.
  • warn — log the hit, emit an alert, but let the call through.
  • redact — substitute the matched substring with a tag ([EMAIL], [SSN], [OPENAI_KEY], etc.) before the request leaves or the response arrives.
  • block — drop the request entirely; agent gets 403.

Defaults that ship in the example .env:

SeverityDefault action
Lowobserve
Mediumwarn
Highblock
Criticalblock
SurfaceDLP runs?
HTTPS-CONNECT gateway (proxy path)Yes — prompts, tool args, tool results, response bodies (streaming + non-streaming)
MCP gatewayYes — tool-call args + tool results
REST API direct calls (SDK path)No — the SDK delegates allow/deny to the central policy engine without local body inspection
{
"event_id": "...",
"event_type": "tool_call",
"outcome": "blocked",
"agent_id": "...",
"tool": "send_email",
"data_classes": ["OpenAiKey", "Email"],
"detail": {
"findings": [
{ "kind": "OpenAiKey", "severity": "High", "tag": "OPENAI_KEY", "redacted": false },
{ "kind": "Email", "severity": "Medium", "tag": "EMAIL", "redacted": true }
],
"outcome_reason": "dlp_block_high_severity"
}
}

The audit row records:

  • Which kinds fired (data_classes).
  • Per-finding severity and whether redaction was applied.
  • Why the outcome was what it was (outcome_reason).

Useful for auditor questions like “how many requests in the last 30 days had a PrivateKeyPem hit?” — that’s a single agentum audit query away.

The opensource build doesn’t expose a UI for per-detector severity overrides yet — the mapping in the table above is what ships. If you need to raise Email to High (e.g. you’re in a GDPR-strict environment), the cleanest path is a new migration that updates the classifications table; the application reads it at startup and applies the overrides.