Safetica content detection of sensitive data

Safetica 9.1 brings a more flexible configuration of sensitive data detection, which allows more accurate results and a lower rate of false-positive matches.

With the new content detection configuration you can:

  • create detection rules with custom AND/OR conditions
  • set various detection thresholds for different detection rules
  • import custom dictionaries of keywords

Detection rules

A detection rule is a set of conditions which, when they are met, evaluate the data as sensitive.

Detection example


The example configuration could be used to detect financial documents.

Detection rule #1 is matched when a credit card number AND the word "card" are found in a document within a range of 1,800 characters. Detection rule #2 is matched when the word "invoice" is found. Detection rule #3 is matched when the word "order" if found at least 5 times.

If detection rule #1 OR detection rule #2 OR detection rule #3 are matched anywhere in the file, the document will be evaluated as sensitive.

AND/OR conditions

If you specify several conditions within 1 detection rule, all of these must be matched. In other words, the relationship between conditions within 1 detection rule is "AND". For the example above, detection rule #1 is matched when both a credit card number AND the word "card" are found.


If you specify more detection rules within 1 data category, at least 1 of these must be matched. The relationship between several detection rules is "OR". For the example above, any of the three conditions must be matched to detect the configured data category.


Detection range

The detection range is in place in order to increase the accuracy of results and lower the number of false positive matches.

Detection range in practice means that "AND" rules must be matched within a range of 1,800 characters - roughly the amount of text which fits a single A4 page. This range is applied on a plain text version of files and does not consider actual document pages.

Detection threshold

The threshold setting specifies the number of occurrences of the detection rule which must be reached to evaluate the data as sensitive.

Setting the threshold to "1" will detect every occurrence of the detection rule - this is suitable for covering all files which contain at least a single occurrence of sensitive content. Setting the threshold to "100" will only detect data where the detection rule is found 100x times in a single file. This offers flexibility in such way that a threshold at "1" may generate more false positive results but detects every file which fulfills the condition. Threshold at "100", on the other hand, eliminates false positives and only detects files which contain a large amount of sensitive data.

The default threshold value is set to "5" to lower the number of false positive matches.

Backward compatibility

After updating to version 9.1, existing sensitive content configurations will be converted to the new system. Previously, sensitive data detection only used OR conditions, therefore, in order to maintain this logic, existing configurations will be converted into individual detection rules.

Sensitive content configuration
Safetica 9.0 or older credit card numbers OR "card" OR "invoice" OR "order"
Safetica 9.1+ Detection rule #1: credit card numbers
Detection rule #2: "card"
Detection rule #3: "invoice"

The new detection rules are backward compatible with clients of older version to a certain degree:

  • older endpoint clients will only recognize detection rules with a single condition
  • older endpoint clients will apply the highest set value of threshold, in case various threshold settings are used for individual detection rules

For example:

Detection rule #1 credit card numbers AND "card" 1
Detection rule #2 "invoice" 1
Detection rule #3 "order" 5

On older endpoint clients, detection rule #1 is ignored because it includes multiple conditions. Detection rules #2 and #3 are both applied with threshold at 5, since it is the highest set value. Consequently, this is the applied configuration:

"invoice" OR "order" 5

Custom dictionaries

Safetica 9.3+ supports importing custom keyword dictionaries. These can contain a list of customer names or identifiers, project names, technical terms or other keywords which often signify sensitive content (common words and phrases in contracts, personal CVs, etc.)

In order to preserve endpoint performance, certain limitations are imposed on using custom dictionaries:

  • custom dictionaries can be imported as .TXT files encoded as UTF-8 with BOM
  • the imported dictionaries can contain a combined total of up to 500,000 keywords
  • up to 50 individual dictionaries can be imported
  • dictionaries only support plain text keywords, regular expressions can be specified in a separate configuration section in the Safetica Management Console
  • keywords are delimited by line breaks, i.e. 1 line of the dictionary file = 1 keyword