TTechclick ⚡ XP 0% All lessons
Netskope · CASB · Inline + API Data ProtectionInteractive · L1 / L2 / L3

Netskope CASB — Inline + API Data Protection & Shadow IT

Your staff are using cloud apps you never approved, and copying company data into personal accounts that look identical to the corporate ones. This lesson shows how Netskope CASB finds those apps, scores their risk, tells your corporate Google Drive from someone’s personal one, and then stops the leak two ways — live (inline) and after the fact (API).

📅 2026-06-05 · ⏱ 12 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Netskope CASB explained: Shadow IT discovery, Cloud Confidence Index (CCI/CCL) risk scoring, sanctioned vs unsanctioned, app instances (corporate vs personal), and when to use inline forward-proxy control versus out-of-band API Data Protection.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Shadow IT & CCI

Discover unsanctioned apps and score their risk 1–100.

 2

App instances

Tell your corporate SaaS from a personal one of the same app.

 3

Inline vs API

Stop a leak live, or clean up what is already inside.

 4

Build the policy

Block personal-instance uploads, keep corporate working.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A “sanctioned” app is one that…

Answered in Shadow IT & CCI.

2. Which protection mode could block a file the instant a user uploads it?

Answered in Inline vs API.

3. What does an app “instance” identify?

Answered in App instances.

Most engineers think…

Most engineers assume that once they mark an app “Sanctioned”, Netskope can do everything to it — including API DLP scans of files already inside it.

Wrong, and it’s the classic interview trap. Sanctioned (approved by policy) and Managed (your org owns the tenant and can OAuth its API) are two independent axes. API Data Protection needs a managed app — an admin OAuth grant into the tenant. A sanctioned-but-unmanaged app (say a team’s own Trello they got approved) can only be covered inline. Tagging it Sanctioned does not give Netskope a key to its API.

① Shadow IT, the CCI score, and what “sanctioned” really means

Walk into any Indian IT shop and ask “how many cloud apps do your staff use?” The honest answer is “far more than we approved.” A team signs up for a free file-share to send a client a large video; someone uses a personal Notion for meeting notes; a developer pushes a snippet to a personal GitHub. None of it went through IT. That sprawl is Shadow IT, and the first job of CASB is simply to see it.

Netskope discovers apps two ways. From inline traffic it sees apps live as users touch them; from imported firewall/proxy logs it discovers apps even before steering is fully rolled out. Every discovered app is matched against the Cloud Confidence Index (CCI) — a database of 85,000+ cloud apps (plus hundreds of GenAI tools) each scored from 1 to 100 across 50-plus enterprise-readiness attributes adapted from the Cloud Security Alliance.

That 1–100 number rolls up into a Cloud Confidence Level (CCL) band. Think of it like a restaurant hygiene rating posted before you eat there: Excellent (90–100), High (75–89), Medium (60–74), Low (50–59), Poor (below 50). An L1 analyst uses the band to triage — a Poor app handling client PII gets escalated; an Excellent one used by a few people might just get sanctioned.

👉 So far: Shadow IT is the cloud apps you never approved; CASB discovers them from inline traffic and logs, then CCI scores each 1–100 into a CCL band. Next: the picture of discover → score → tag → enforce.
Figure 1 — The CASB loop: see, score, tag, then control two ways
CASB does two jobs at once: see every cloud app, then control it inline or by API Left: user traffic generates logs that CASB discovery turns into a Cloud Confidence Index score, which an admin tags Sanctioned or Unsanctioned. Right: enforcement splits into two lanes — inline forward proxy that acts in real time on live traffic, and API connectors that scan data already at rest inside managed SaaS. Discover & score → tag → then enforce two ways SEE — discovery + risk user traffic logs CCI score 1–10085,000+ apps catalogued Sanctioned Unsanctioned admin app tag CONTROL — two enforcement modes Inline CASBforward proxy · real timeacts on LIVE trafficblock the upload now API Data ProtectionOAuth connector · out-of-bandscans data AT RESTquarantine what is already there live SaaS request(upload / download / share) files already in OneDrive/Box(shared last week) unsanctionedsanctioned / inspectedpolicy / scan pointkey ideaallowed
Left half is visibility (logs → CCI score → admin tags it Sanctioned/Unsanctioned). Right half is the two enforcement modes — inline acts on live traffic, API scans data at rest.

Now the word that trips up every newcomer. Sanctioned just means “approved by your organisation’s policy” — it is an admin tag you apply in the catalog. It is not the same as Managed, which means your org owns the tenant and can grant Netskope OAuth access to its API. The two are independent axes: you can have a sanctioned-but-unmanaged app (a team’s approved-but-self-signed-up Trello) and even an unsanctioned-but-managed corner case. Mixing these up is the single most common CASB confusion.

Four CASB words to never mix up

Tap each — these four decide which control you can actually apply.

🕵️
Shadow IT
tap to flip

Cloud apps used without IT approval. CASB discovery surfaces them so you can decide: sanction, coach, or block.

Sanctioned
tap to flip

An admin tag meaning “approved by policy”. Says nothing about whether you own the tenant or can reach its API.

🔑
Managed
tap to flip

You own the tenant and can OAuth its API. This — not Sanctioned — is what API Data Protection requires.

📊
CCI / CCL
tap to flip

A 1–100 risk score and its band (Excellent→Poor). Triage tool: high risk + sensitive data = escalate first.

Quick check · Q1 of 10

Aditya marks a team’s self-signed-up Trello as “Sanctioned”, then tries to enable API DLP to scan cards already in it. It won’t turn on. Why?

Correct: c. Sanctioned is just an approval tag. API Data Protection needs a managed app — an OAuth grant into a tenant the org controls. A team’s own Trello isn’t managed, so it can only be covered inline. This is the classic Sanctioned-vs-Managed trap.

Pause & Predict

Predict: a CCI score of 62 — which CCL band does it fall into, and what does that tell an L1 analyst at a glance? Type your guess.

Answer: Score 62 is in the Medium band (60–74). It signals “proceed with caution” — not auto-trusted like Excellent/High, not an instant red flag like Poor. The analyst checks what data it handles before deciding to sanction, coach, or restrict.

② App instances — your corporate Drive vs someone’s personal one

Here is the problem a plain web filter cannot solve. Priya at ICICI is told: “let staff use our corporate Google Drive, but stop them copying client data into their personal Google Drive.” Both are drive.google.com. Block the domain and you kill the business; allow it and the leak is wide open. You need to tell the two tenants apart.

Netskope does this with an app instance. Think of “Google Drive” as a bank brand; your corporate Drive and an employee’s personal Drive are two branches (instances) of that brand. Each instance has an Instance ID. Once you tag the corporate instance Sanctioned and personal as Unsanctioned, your policy can target just the personal one.

Figure 2 — Why instance tagging makes or breaks the policy
Inline catches a live leak only if the instance was tagged — untagged means it slips A step flow: Sneha uploads a PII file to personal OneDrive. The Netskope client steers it inline to the forward proxy, which identifies app and instance. If the corporate instance is tagged Sanctioned and personal is Untagged, the policy that targets personal instance blocks it; if no instance tag exists, the upload is allowed because the destination never matched. A live upload, inline — and what the instance tag decides Sneha 10.50.7.22uploads PII.xlsx Inline forward proxySSL-decrypt + identify app app = OneDriveinstance = ? (look up tag) CASE A — instance tagged corp instance = Sanctionedpersonal = Unsanctioned policy matches personal → BLOCKuser-coach page shown CASE B — instance NOT tagged instance = Untaggedno tag to match personal-instance rule never firesupload ALLOWED — silent leak key ideaNo instance tag =your "block personal"rule matches nothing. unsanctionedsanctioned / inspectedpolicy / scan pointkey ideaallowed
Case A: instances are tagged, so the “block personal” rule matches and blocks. Case B: nobody tagged the instance, so traffic is Untagged, the rule matches nothing, and the upload silently succeeds.

There are two ways to tag an instance, and both need an Inline CASB licence. Method 1 (from a discovered app): go to Skope IT → Applications, pick the app Netskope has already seen in traffic, and choose New App Instance. Method 2 (define it up front): go to Policies → Profiles → App Instance → New Custom App Instance → New App Instance and fill in the fields manually. Either way you set the Instance ID, Instance Name, and Tag, then Save.

🖥️ This is where you define an instance up front — Netskope tenant → Policies → Profiles → App Instance → New Custom App Instance. The Instance ID is the tenant identifier; the Instance Tag is what your policy will match on. (Recreated for clarity — your tenant matches this.)
tenant.in.goskope.com · Policies → Profiles → App Instance
1
Application
Google Drive
2
Instance ID
icicicorp.com (corporate tenant)
Instance Name
ICICI-Corp-GDrive
3
Instance Tag
Sanctioned
Save

One catch to remember for the exam and the lab: the App Instance Tag is only selectable as a policy destination when the destination is Any Web Traffic, a Category, or a Cloud App — and it needs the Inline CASB licence. Also, some traffic has no real tenant (a public share link, an unauthenticated request, a service account): Netskope gives these a placeholder Instance ID, so don’t write a per-tenant rule expecting a real corporate ID there.

Priya at ICICI Securities faces this

Priya wrote a policy: app = Google Drive, instance = personal → Block upload. In testing, staff still upload client files to their personal Drive and nothing is blocked. Skope IT → Events → Application Events shows the test uploads with Instance = Untagged.

Likely cause

She never created an App Instance Profile, so Netskope has no Instance ID to match. With instances Untagged, the “instance = personal” destination matches nothing and the rule is dead.

Diagnosis

She opens Skope IT → Events → Application Events, filters on her own test upload, and finds the Instance field blank / Untagged.

Policies → Profiles → App Instance → New Custom App Instance
Fix

Create the corporate instance (Instance ID = icicicorp.com tenant, Tag = Sanctioned). Then write a catch rule on instance = Unsanctioned/Untagged → Block, so anything that isn’t the tagged corporate tenant is stopped.

Verify

Re-test from a personal Drive tab → Skope IT → Application Events shows Action = block with the rule name Block-Personal-GDrive-PII; the corporate Drive tab (instance = corporate) still uploads normally.

Quick check · Q2 of 10

You need to write a Real-time Protection rule whose destination is the App Instance Tag “Unsanctioned”. Which two conditions must be true?

Correct: a. The App-Instance-Tag destination field is exposed only for Any Web Traffic / Category / Cloud App destinations, and reading it requires the Inline CASB licence. API/managed status and CCI score are irrelevant to whether the tag field appears.

Pause & Predict

Predict: a developer pushes code to a public GitHub gist with no login. What Instance ID will Netskope show, and can you write a per-tenant rule on it? Type your guess.

Answer: It gets a placeholder Instance ID (public-link / unauthenticated / service-account), not a real corporate tenant ID. You can’t pin a per-tenant rule to it — instead handle it with an activity/DLP rule (e.g. block source-code uploads to unsanctioned/instance-less destinations).

③ Inline vs API — stop it live, or clean what’s already inside

CASB enforces in two completely different ways, and knowing which to reach for is the heart of this lesson. Inline CASB is in-band: traffic is steered through Netskope’s forward proxy, so it sees activity as it happens and can block, coach or allow in real time. API Data Protection is out-of-band: Netskope holds a delegated OAuth grant into a managed SaaS tenant and inspects data at rest already inside the app.

The cleanest analogy: inline is the security guard at the office door, checking every person and parcel in real time as they enter and leave. API is the night auditor who walks the filing room after hours, reviewing documents already stored inside. The guard can stop you mid-step; the auditor can’t — but the auditor finds what’s already there. You want both.

Figure 3 — Inline vs API — same DLP, opposite timing
Inline stops a leak as it happens; API finds a leak that already happened A two-column comparison of Inline CASB versus API Data Protection across six attributes plus a best-job panel: position in path, timing, what it sees, what it can do, requirement, and blind spot. Inline is in-band real-time on live traffic and can block live activity but needs steering; API is out-of-band near-real-time on data at rest and can quarantine but cannot stop a live transfer and needs a managed OAuth grant. Inline vs API — same DLP brain, opposite timing Inline CASB (forward proxy) API Data Protection Positionin-band, on the pathout-of-band, beside the appTimingreal time (now)near real time (after event)Seeslive traffic in motiondata at rest in the SaaSCan doblock / coach / allow livescan, quarantine, fix sharingNeedssteering + Inline CASB licencemanaged app + admin OAuth grantBlind tofiles already sitting in the appa transfer happening right now Best jobINLINE → stop theupload before it landsAPI → sweep + cleanwhat is already inside key ideaNot either/or.Inline to PREVENT,API to REMEDIATE.Run both.
Read row by row: inline is in-band/real-time on live traffic and can block now but needs steering; API is out-of-band/near-real-time on data at rest and can quarantine but needs a managed OAuth grant.

▶ One leak, two timings: Karthik shares a PII file in OneDrive

Watch how inline and API see the same file at different moments — and why you need both. Press Play for the healthy path, then Break it to see the failure.

① Live uploadKarthik (10.50.9.14) uploads salaries.xlsx → corporate OneDrive
② Inline verdictInline DLP scans in motion; PII match → block + user-coach in real time
③ Later — at restA file shared last week sits in OneDrive with a public link
④ API sweepAPI DLP finds it at rest → quarantine + revoke the public share
Press Play to step through the healthy path. Then press Break it.

A second, sharper rule: API needs a managed app. Because it works through the SaaS provider’s API with an admin OAuth grant, it only works where your org owns the tenant — Microsoft 365, Google Workspace, Salesforce, Box and similar. A sanctioned-but-unmanaged app can’t be API-scanned at all; inline is your only lever there. (Heads-up if you administer M365: Microsoft apps sometimes need an OAuth re-grant after permission changes, or the connector quietly stops scanning.)

Heads-up — Classic API is being retired

Netskope’s Classic API Data Protection reaches End-of-Service on 1 June 2027. New builds should use Next-Gen API Data Protection, which lets one policy span multiple apps and carry multiple DLP profiles, with a unified inventory page for threat hunting. If a doc or course mentions “Classic API”, note the migration deadline.

Quick check · Q3 of 10

A user is uploading a PII file to personal Dropbox right now and you must stop it before it lands. Which mode does the job?

Correct: b. Stopping a live transfer needs in-band, real-time inspection — the inline forward proxy. API is out-of-band and near-real-time: the file would land first and only be quarantined afterward, which is too late to “stop it before it lands”.

Pause & Predict

Predict: your manager asks “can API DLP block a file a user is downloading at this very moment?” What do you say, and why? Type your guess.

Answer: No. API Data Protection is out-of-band — it scans data already at rest inside the SaaS via the app’s API, not live network traffic. To act on a download happening right now you need inline Real-time Protection. Use API for the at-rest sweep, inline for the live activity.

④ Build it: block personal-instance uploads, keep corporate working

Now we put the three ideas together into one real Real-time Protection policy — the exact screen you’ll touch on day one. The goal: staff can use the corporate instance freely, but uploading client data to a personal instance of the same app is blocked with a coaching page. The build order matches the console fields top to bottom.

🖥️ The policy you’ll actually build — Netskope tenant → Policies → Real-time Protection → New Policy. Source = who, Destination = which app + instance tag, then Activity, Profile and Action. (Recreated for clarity — your tenant matches this.)
tenant.in.goskope.com · Policies → Real-time Protection → New Policy
1
Source (Users/Groups/OU)
All Users
2
Destination
Cloud App: Google Drive
3
App Instance
Tag = Unsanctioned (personal)
4
Activities & Constraints
Upload · File Type: any
Profile
DLP: PII-India
5
Action
Block + User Alert (coach)
Save & Apply Changes

Read the fields like a sentence: who (Source — Users / Groups / OUs, with optional Exclusions), to where (Destination — a Cloud App, Category, App Instance tag, or Private App Segment), doing what (Activities & Constraints — Upload, Download, Edit, Share, Post, with constraints like File Size / File Type), checked by which profile (a DLP or threat profile), with what governed activity action (Alert, Block, Quarantine, User Alert/Coach, Allow). Name it, optionally add Email + a Policy Schedule, and Save.

Verify the policy fired — Skope IT → Events (Application Events) filter
Skope IT > Events > Application Events
Filter:  user = karthik.r@icici  AND  app = "Google Drive"
         AND  instance = personal  AND  activity = Upload
Expected output
timestamp           user        app           instance   activity  action  policy
2026-06-05 14:22:07  karthik.r   Google Drive  personal   Upload    block   Block-Personal-GDrive-PII
2026-06-05 14:25:51  karthik.r   Google Drive  corporate  Upload    allow   —

The personal-instance upload shows action=block with your policy name; the corporate upload is allowed. If the personal row shows instance=Untagged, your App Instance Profile is missing — fix the tag first.
👉 So far: you tag the corporate instance, target the personal/Unsanctioned instance in a Real-time Protection rule, attach a DLP profile, set Block + coach, and verify in Skope IT. Next: the cheat card and the traps that catch L1s.
Figure 4 — The CASB cheat card
The CASB cheat card — CCL bands, the two axes, and inline-vs-API in one glance A cheat sheet with three panels: the five Cloud Confidence Level bands (Excellent 90-100, High 75-89, Medium 60-74, Low 50-59, Poor under 50); the two independent axes Sanctioned-vs-Unsanctioned and Managed-vs-Unmanaged; and a quick decision rule for choosing inline versus API protection plus a reminder to tag the instance. CASB exam card — memorise this one figure CCL bands (CCI score) Excellent90–100High75–89Medium60–74Low50–59Poorbelow 50 Two axes (don't confuse them) Sanctioned ↔ Unsanctioned= is it APPROVED by policy?(an admin tag) Managed ↔ Unmanaged= do we OWN the tenant +can OAuth its API? (API needs this) Sanctioned ≠ Manageda sanctioned app can be unmanaged Inline or API? Stop it LIVE? → Inlineupload / download / share happening nowneeds steering + Inline CASB licence Clean what's INSIDE? → APIfiles at rest, exposed sharesneeds managed app + OAuth grant Tag the INSTANCE, not just the appPolicies → Profiles → App Instancecorp = Sanctioned · personal = Unsanctioned
Three panels to memorise: the five CCL bands, the two independent axes (Sanctioned/Unsanctioned vs Managed/Unmanaged), and the one-line rule for choosing inline vs API.
Common mistake — “block personal, allow corporate” lets everything through

Symptom: your personal-instance block rule does nothing; every upload succeeds and Skope IT shows the events as Untagged. Cause: you never created an App Instance Profile, so there’s no Instance ID to match — the destination matches nothing. Fix: Policies → Profiles → App Instance, tag the corporate Instance ID as Sanctioned, then catch Unsanctioned/Untagged with a Block rule.

Prove you own the CASB model

Take any real ask — “stop staff uploading source code to personal GitHub, keep corporate GitHub working” — and name: the axis (instance tag, not domain block), the licence (Inline CASB), the screen (Policies → Profiles → App Instance, then Real-time Protection), the mode (inline to stop live; API later to sweep the corporate org), and where you’d verify (Skope IT). If you can, you’re ready for the DLP deep-dive.

Next: DLP Deep-DiveRelated: Next Gen SWG
Quick check · Q4 of 10

Final integration: which sequence correctly stops personal-instance leaks of client PII while keeping the corporate app usable?

Correct: c. You must tag the instance first (or the rule matches nothing), target the Unsanctioned/Untagged instance with a DLP profile and a Block action inline, then verify in Skope IT. Domain blocks kill the corporate app; disabling the Client removes all control; API-only is out-of-band and won’t stop the live upload.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Netskope docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

A CCI score of 78 maps to which Cloud Confidence Level band?

Correct: a. The bands are Excellent 90–100, High 75–89, Medium 60–74, Low 50–59, Poor below 50. 78 lands in High. Memorise the five bands — it’s a guaranteed exam point.
Q6 · Apply

Sneha must stop staff copying client data into personal OneDrive while keeping corporate OneDrive fully usable. What’s the right approach?

Correct: d. Instance-aware blocking (personal vs corporate) is the only approach that protects without killing the corporate app. A domain block kills both tenants; disabling the Client removes all control; API-only won’t stop the live upload.
Q7 · Apply

You’re building a rule whose destination is the App Instance Tag “Unsanctioned”, but that field isn’t selectable. What’s the most likely fix?

Correct: b. The App-Instance-Tag destination is only exposed for Any Web Traffic / Category / Cloud App and requires the Inline CASB licence. CCI score, action type, and managed status don’t control whether the field appears.
Q8 · Analyze

A “block personal Dropbox, allow corporate” policy silently allows every upload. Skope IT shows the test events as instance = Untagged. Root cause?

Correct: d. Untagged events mean no instance was ever tagged, so the “instance = personal” destination matches nothing and the rule is dead. Create an App Instance Profile (tag corporate = Sanctioned), then catch Unsanctioned/Untagged. SSL/DLP/exclusions would show different symptoms.
Q9 · Analyze

Your team needs to find and quarantine sensitive files that were shared via public links in the corporate Google Workspace last month. Which capability fits, and what does it require?

Correct: a. Files already at rest with exposed shares are an out-of-band, data-at-rest problem → API Data Protection, which needs a managed app (OAuth grant). Inline only sees live traffic; CCI is scoring, not remediation; Cloud Firewall handles non-web ports.
Q10 · Evaluate

A CISO says “we’ll just turn on API DLP for everything and skip inline.” Evaluate this plan for stopping live data leaks.

Correct: c. API is out-of-band: it catches data after it lands, not the live transfer, and only on managed apps. Live leaks and sanctioned-but-unmanaged Shadow IT need inline. The right design runs both — inline to prevent, API to remediate. Cost isn’t the core flaw.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why can a “Sanctioned” app still be impossible to protect with API DLP? Then compare to the expert version.

Expert version: Because Sanctioned only means “approved by policy”; API DLP needs a Managed app — one whose tenant your org owns and can OAuth — and a sanctioned-but-unmanaged app gives Netskope no API key, so inline is your only control.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

CASB
Cloud Access Security Broker — the enforcement point between your users and SaaS apps; gives visibility and control.
Shadow IT
Cloud apps employees use without IT approval — the apps CASB discovery surfaces so you can act on them.
Sanctioned vs Unsanctioned
An admin tag for whether an app is approved by policy. Says nothing about ownership or API access.
Managed vs Unmanaged
Whether your org owns the tenant and can OAuth its API. API Data Protection requires a managed app.
CCI
Cloud Confidence Index — Netskope’s catalog of 85,000+ apps scored 1–100 on 50+ CSA-adapted attributes.
CCL
Cloud Confidence Level — the band a CCI score falls in: Excellent 90–100, High 75–89, Medium 60–74, Low 50–59, Poor below 50.
App Instance
A unique tenant of a SaaS app (corporate vs personal of the same app). Identified by an Instance ID.
Inline CASB
In-band control via the forward proxy — sees and acts on live traffic in real time (block/coach/allow).
Forward Proxy
A proxy in the live path of steered traffic that can act on it in real time as it flows.
API Data Protection
Out-of-band control via an OAuth connector that scans data already at rest inside a managed SaaS.
Next-Gen API Data Protection
Newer API engine: multi-app/all-app policies, multiple DLP profiles per policy (Classic API EoS 1 Jun 2027).
Governed Activity
The verb a policy controls — Upload, Download, Edit, Share, Post — chosen from what the app supports.

📚 Sources

  1. Netskope Docs — “Cloud Inline Protection” (forward/reverse proxy, GRE, real-time). docs.netskope.com/en/cloud-inline-protection
  2. Netskope Docs — “Classic API Data Protection” (out-of-band OAuth, data at rest; Classic EoS 1 Jun 2027) & “Next Generation API Data Protection Platform”. docs.netskope.com/en/api-data-protection
  3. Netskope Docs — “Understand the risk … by leveraging CCI”, “Evaluate Apps” & “App Instance Profile” (CCI/CCL bands, instance fields/path). docs.netskope.com
  4. Netskope Community — “How to Tag Application Instances” (two methods, requires Inline CASB licence) & “Sanctioned vs Unsanctioned” thread. community.netskope.com
  5. Netskope — SkopeAI / CASB product pages (GenAI-powered SaaS categorisation, inline LLM inspection). netskope.com/products/casb
  6. Netskope NSK100 (NCCSA) & NSK200 exam blueprints — in-band proxy (real-time policies) vs out-of-band API (near-real-time) contrast. itexams.com / pass4success.com

What's next?

Next we go deeper into DLP Deep-Dive.

Next · Netskope DLP Deep-Dive → Practice on exam.techclick.in →