Data Watch

Know where your site sends data — and when that changes

Data Watch monitors every destination your site sends data to and alerts you the moment a new one appears. If something starts exfiltrating data to a destination you didn't authorise, you'll know.

Why It Matters

Attackers don't just inject code. They need to get data out.

Catching a new script on your site matters. But for attacks like Magecart, the injection is only the first step. The real damage happens when stolen data gets sent to a server the attacker controls. The script that steals a card number is useless until that number reaches a destination the attacker owns.

Payment Data

Card skimming

A compromised third-party dependency starts sending form data to a drop server. The script itself may not be new — it was already on your page. What changed is where it sends data.

Session Tokens

Post-authentication exfiltration

A script quietly redirects XHRs to an unfamiliar endpoint, siphoning session tokens from authenticated users. The session is valid. The destination isn't.

Form Inputs

Unauthorised data destinations

A payment page begins exfiltrating card details to a week-old domain. The form looks normal to the user. The data is going somewhere you never authorised.

What Data Watch Does

Continuous data egress monitoring with instant alerting

Data Watch maintains a live inventory of every destination your site sends data to and monitors it continuously. When a new one appears, you know about it.

Destination Tracking

Every endpoint your site sends data to, catalogued automatically

Data Watch maintains a live inventory of every endpoint your site sends data to — XHRs, form submissions, and other outbound connections. Each destination is logged with when it first appeared, when it was last seen, and how frequently your site communicates with it. No manual cataloguing. No spreadsheets.

New Destination Alerts

Alerted the moment your site sends data somewhere new

The moment your site sends data to a destination Data Watch hasn't seen before, you're notified by email, webhook, or both. You set the alert threshold — notify on the first new destination, or wait until several accumulate. Either way, you see the change before it becomes a pattern.

Per-Site Granularity

Watch each part of your site independently

www.example.com and checkout.example.com are monitored separately. You choose which parts of your site to watch and receive alerts for each independently. High-sensitivity pages like payment flows can be monitored with tighter thresholds than the rest of the site.

Exclusions

Silence the noise, keep the signal

Known-noisy endpoints — ad trackers with rotating paths, A/B testing infrastructure, CDN assets with build hashes — can be excluded per watcher so they don't trigger false alerts. Up to 50 exclusions per watcher, each matched by URL prefix.

How It Works

Works with your existing CSP. Or without one.

If you already have a CSP deployed — in enforce or report-only mode — Data Watch starts analysing your reports immediately. Add a site to monitor, and every inbound CSP report for that site is checked for new data egress destinations.

No full CSP yet? You can still use Data Watch. A minimal report-only header is enough to start tracking where your site sends data without blocking anything:

Minimal setup — no existing CSP
Content-Security-Policy-Report-Only:
  default-src * 'unsafe-inline' 'unsafe-eval';
  connect-src 'self'; form-action 'self';
  report-uri https://your-subdomain.report-uri.com/r/d/csp/reportOnly

This generates reports for any data sent to destinations outside your own domain. No enforcement, no risk to site functionality, and Data Watch begins monitoring immediately. As you identify expected endpoints, add them to the policy to reduce report volume — the monitoring stays just as effective.

No full CSP required to get started

Works with an enforced or report-only policy

No enforcement, no risk to your site's functionality

Monitoring begins from your very first report

Data comes from real browser sessions, not a crawler

What This Covers

A live inventory of where your data goes

Data Watch monitors where data goes after it leaves the page. It doesn't inspect the contents of that data, and it doesn't block outbound connections. What it does is make unauthorised data flows visible — immediately — so you can act before data reaches a destination it shouldn't.

Data Watch does Doesn't replace
Track every data egress destination across your site DLP tools for internal data classification
Alert on new or unexpected outbound connections Network-level traffic inspection
Log destination history with timestamps and frequency SIEM event correlation
Support PCI DSS 11.6.1 behavioural monitoring Full PCI DSS compliance (see PCI DSS Compliance →)

Data Watch maps to Requirement 11.6.1 — the behavioural exfiltration monitoring PCI DSS 4.0.1 asks for. The full compliance story lives on the PCI DSS Compliance page.

Get Started

See where your data goes before an attacker decides for you

Data Watch is included on Business plans and higher. No full CSP required to get started.

30-day free trial  ·  No full CSP required  ·  Alerts on every new destination

Related Capabilities

Data Watch catches the exfiltration. These catch the rest.

Data Watch tells you where your data goes and when a new destination appears. These capabilities build on the same browser-native data to complete the picture.

Capability What it adds
Script Watch Monitors what code is on your site. Script Watch catches the injection; Data Watch catches the exfiltration.
Threat Intelligence Enriches Data Watch destinations with threat context — flagging when data flows to a domain that's a known IoC, recently registered, or low-reputation.
Policy Watch Monitors your deployed CSP for changes. If your policy is modified to allow a new data destination, Policy Watch flags the change.

Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.