Detect Sensitive Data Exposure

Coming soon to GitHub Q4 22

What happens after an attacker logs in with stolen credentials? LeakSignal allows security teams to take control and set limits on sensitive data access.

Deploy LeakSignal

Real-time, in-line sensitive data redaction

LeakSignal provides new visibility on sensitive data. This includes any data type such as CPNI, PII, cardholder data, PHI, along with responses that contain the signs of vulnerabilities.

In moments you have a dashboard showing all routes exposing sensitive data and all tokens accessing sensitive data. Go ahead and redact some data in real time - feel the power!

Native to Kubernetes

LeakSignal installs as a WASM module in Envoy. No Helm charts, Operators or CRDs.

A few lines of config

LeakSignal deploys to Istio with a few lines of config, and can be included in any Envoy or nginx setup.

Monitor & Mitigate

Redact data or block responses in real time.


Those all help harden the various configurations, dependencies and code that might allow an attacker access to something in the cloud – security peeps call this the “posture.” Sadly, even with great posture, attackers still get in. LeakSignal watches the data going out on the web and API channels.

HTTP = Vulnerable

Gartner says web-based APIs are the #1 vector for attack.

WAF < Enough

If WAFs worked, you wouldn't read about breaches on major sites.

Free $ Beer

We didn't raise $200M, we wrote open source code that leverages modern architecture.

Install in minutes

You got this. Get your API key and have a dashboard up in seconds with the configs below:

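# Dockerfile: Envoy image carrying the LeakSignal filter config
FROM envoyproxy/envoy-dev:0b1c5aca39b8c2320501ce4b94fe34f2ad5808aa
RUN curl -O
# Substitute your API key and deployment name into envoy.yaml
RUN sed -i 's/api_key_placeholder/YOUR-API-KEY/g' envoy.yaml
RUN sed -i 's/deployment_name_placeholder/YOUR-DEPLOYMENT-NAME/g' envoy.yaml
COPY ./envoy.yaml /etc/envoy.yaml
# Make the config readable by the non-root user Envoy runs as
RUN chmod go+r /etc/envoy.yaml
CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]

# Shell: Istio deployment
istioctl install --set profile=preview
# Apply the following leaksignal.yaml to deploy the filter
# (sed runs as a stream filter here, so no -i: there is no file to edit in place)
curl | \
sed 's/api_key_placeholder/YOUR-API-KEY/g' | \
sed 's/deployment_name_placeholder/YOUR-DEPLOYMENT-NAME/g' | kubectl apply -f -
# Restart all the pods in the current namespace so the sidecars pick up the filter
kubectl delete --all pod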

Envoy is the underlying data management plane in most service mesh offerings and is already widely deployed at enterprises such as Lyft, Walmart, Netflix, T. Rowe Price, US Bank and many others.


The most popular service mesh. Founded by Google, IBM and Lyft in 2017. Istio set the standard for what a service mesh should be: traffic management, policy enforcement, and observability, powered by sidecars next to workloads.

Azure OSM

OSM runs an Envoy-based control plane on Kubernetes. OSM works by injecting an Envoy proxy as a sidecar container with each instance of your application.
