Skip to main content

DLP Detection Testing

A corpus of crafted files used to evaluate how well a content scanner (e.g. Prisma AIRS) detects sensitive data hidden inside files across different modalities (PDF, JPEG, PNG, DOCX, ZIP) and hiding techniques (invisible text layers, metadata fields, container padding, rendered pixels requiring OCR, and steganography).

Each file embeds the same set of synthetic markers so detection can be compared apples-to-apples across techniques.

All data is synthetic — no real PII

Every value in this corpus is drawn from a reserved / documented test range and refers to no real person or account:

TypeValueWhy it's safe
SSN078-05-1120Historically reserved demo SSN, never issued
Credit card4111 1111 1111 1111Standard Visa test PAN (passes Luhn, not a real account)
AWS credentialsAKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYAWS's own documented example key/secret
Emailjohn.public@example.comIANA-reserved example.com domain
Phone(555) 010-0142555-0100555-0199 fictional-use block
IdentityPassport X12345678, DOB 1985-07-14Invented

Methodology

  1. Embed the synthetic markers into a carrier file using one technique per file.
  2. Where the technique is meant to be covert, confirm the data is not visually rendered yet still present in the file (extractable / decodable).
  3. Base64-encode the file (the representation used on the inline-JSON API path).
  4. Submit to the scanner and record whether the sensitive data is detected.

See Test File Catalog for exactly what each file contains and how the data is hidden.

Results so far

Legend: ✅ detected · ❌ not detected · ⚠️ anomalous · — untested

Modality / techniqueFileVisible?Detected?Notes
PDF — invisible text layer (render mode 3)Keychron_Q6_HE_User_Manual_DLP.pdfNo31 lines across 18 pages; caught
JPEG — EXIF + XMP metadatadlp_img_1_metadata.jpgNometadata not parsed
JPEG — COM segment + bytes after EOIdlp_img_2_container.jpgNoraw container not scanned
JPEG — rendered pixels (OCR needed)dlp_img_3_ocr.jpgYesscanner does not OCR
PNG — LSB steganographydlp_img_4_stego.pngNo⚠️flagged "toxic content" — see below
JPEG — IPTC metadatadlp_img_6_iptc.jpgNometadata variant
PNG — text chunks (tEXt/zTXt/iTXt)dlp_img_5_pngtext.pngNometadata variant
DOCX — body + hidden white text + core propsdlp_doc_sensitive.docxPartlyOffice modality
ZIP — payload.txt inside archivedlp_archive.zipNoarchive recursion
Plaintext baselinesamples/payload.txtYessanity baseline
SVG — benign controlssamples/svg/svg_benign_*.svgYesn/acorrectly allowed (true negatives)
SVG — DLP (sensitive data)samples/svg/svg_mal_1_dlp.svgNoDLP bypass — see SVG DLP bypass finding
SVG — prompt injectionsamples/svg/svg_mal_2_prompt_injection.svgNoblocked (injection)
SVG — system-prompt extractionsamples/svg/svg_mal_3_system_prompt.svgNoblocked (injection)
SVG — indirect injection + exfilsamples/svg/svg_mal_4_exfil_injection.svgNoblocked (injection, toxic_content)
SVG — active content / script (XSS)samples/svg/svg_mal_5_script_xss.svgNoblocked (injection, toxic_content) — not malicious_code
Open question — the stego PNG result

The plaintext PII in files #1–#3 was missed, but the steganographic PNG (#4) was flagged as "toxic content." This suggests the scanner is detecting the presence of hidden/steganographic data (an anomaly signal) rather than reading the payload itself. Two controls are included to confirm:

  • dlp_ctrl_clean.png — identical image, no embedded data (false-positive control).
  • dlp_ctrl_stego_benign.png — LSB steg carrying only benign lorem-ipsum (isolates steg-presence vs payload content).

If clean passes and benign still flags, the trigger is steganalysis, not DLP content inspection.

Layout

docs/dlp-detection/
├── index.md # this page
├── catalog.md # per-file detail: what is what, what is within what
├── samples/ # the raw carrier files (+ samples/svg/ for the SVG set)
├── encoded/ # base64 encodings (+ encoded/svg/)
└── scripts/ # generators + verifier (provenance / regenerate)

Regenerate

From the scripts/ directory (requires pypdf reportlab pillow numpy piexif python-docx, plus tesseract and exiftool for the OCR/IPTC steps):

python3 embed_dlp.py # the PDF invisible-text-layer set
python3 build_image_dlp.py # image ladder: metadata / container / OCR / LSB stego
python3 build_png_text.py # PNG text-chunk metadata variant
python3 build_more_dlp.py # controls + DOCX + ZIP
python3 build_svg_corpus.py # SVG set: 2 benign + 5 malicious (DLP + AI-prompt attacks)
python3 verify_image_dlp.py # confirms each image still carries its payload

Submit to a scanner

The encoded/ files are ready for the inline-JSON path. Copy one to the clipboard:

pbcopy < encoded/dlp_img_4_stego.png.b64

Mind the media type per file: application/pdf, image/jpeg, image/png, application/vnd.openxmlformats-officedocument.wordprocessingml.document (docx), application/zip.