TTechclick ⚡ XP 0% All lessons
Netskope · Posture · CSPM · SSPM · DSPMInteractive · L1 / L2 / L3

Netskope CSPM, SSPM & DSPM — Cloud & SaaS Posture

Your inline policies block bad traffic in real time. But who checks whether your S3 bucket is wide open, your Salesforce tenant leaks reports, or a forgotten database is stuffed with Aadhaar numbers? That is the job of Netskope’s out-of-band posture engines — CSPM, SSPM and DSPM. This lesson is the map of all of them.

📅 2026-06-05 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn Netskope CSPM, SSPM, DSPM and CIEM: API-driven, out-of-band posture. CSPM scans AWS/Azure/GCP misconfig vs CIS/NIST/PCI, SSPM checks M365/Salesforce settings, DSPM finds data at rest, CIEM flags over-permissioned identities. Real console paths + gotchas.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why posture exists

Out-of-band scanning vs inline blocking.

 2

The four engines

CSPM, SSPM, DSPM, CIEM — who scans what.

 3

Onboard it

AWS for CSPM, Salesforce for SSPM, the real paths.

 4

Gotchas & DSPM/AI

Event Grid, no auto-fix, scan lag, SkopeAI.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does CSPM sit inline in the traffic path like SWG?

Answered in Why posture exists.

2. A perfectly-configured, encrypted S3 bucket — can it still be a data risk?

Answered in Onboard it.

3. Which engine finds over-permissioned IAM identities?

Answered in The four engines.

Most engineers think…

Most engineers assume that once their inline DLP and threat policies are live, their cloud is “secured” — the policies are watching everything.

Wrong, and it is the gap that causes most cloud breaches. Inline policy only sees traffic that is steered through Netskope. It cannot see that someone left an S3 bucket public last Tuesday, that a Salesforce admin disabled MFA, or that a shadow database holds 40,000 card numbers. Those are posture problems — config and data sitting still — and they need the out-of-band CSPM/SSPM/DSPM engines that read your providers’ APIs directly.

① Why posture exists — out-of-band, not inline

Everything in this series so far has been inline: traffic is steered to Netskope, the engine decrypts it, a policy decides allow or block, all in real time. Inline is brilliant at one thing — stopping a bad action as it happens. But it has a blind spot the size of your whole cloud estate.

Think about what inline can never see. A developer at TCS leaves an S3 bucket public on Tuesday. Nobody uploads anything through Netskope — the bucket just sits there, exposed, until a scanner finds it on Friday. A Salesforce admin at Flipkart switches off a security setting. A team spins up a database full of customer PII that IT never knew existed. None of this is traffic. It is configuration and data at rest — and that is what posture management watches.

CSPM, SSPM and DSPM are out-of-band and API-driven. They do not sit in the traffic path. Instead they connect to your cloud and SaaS providers’ APIs on a schedule, read the configuration (and, for DSPM, the data), score it against compliance frameworks, and raise findings for you to fix. Same Netskope One console, completely different engine.

👉 So far: inline blocks traffic in real time; posture audits config and data out-of-band via API. Next: see the two engines side by side.
Figure 1 — Inline vs out-of-band posture
Posture (CSPM/SSPM/DSPM) is out-of-band — it scans config and data via API, it never sits in the traffic path Top half shows the inline path: a user goes through the Netskope SSE engine in real time to apps. Bottom half shows the out-of-band posture engine connecting by API on a schedule to AWS, M365 and data stores, reading configuration and raising findings — a separate engine in the same console. Two engines, one console: inline blocks traffic — posture audits config & data INLINE — real-time, in the path user SSE engineSWG·CASB·ZTNA app blocks/allows each request as it happens OUT-OF-BAND — scheduled API scan, NOT in the path Posture engineCSPM·SSPM·DSPM·CIEM(Netskope One) AWS / Azure / GCP M365 · Salesforce S3 · RDS · data store read config + data by API raises FINDINGS → you remediate untrusted / misconfiguredtrusted / inspectedscan / policykey ideacompliant
Top: the inline SSE engine in the path. Bottom: the posture engine reaching cloud/SaaS/data by API on a schedule, raising findings — never touching live traffic.
The one-line mental model

Inline answers “should I allow this request?” Posture answers “is anything standing still in my cloud that a checklist would flag?” Inline is the guard at the door; posture is the building inspector who walks the floors on a schedule with a CIS/NIST checklist.

Four terms before we go deeper

Tap each — these recur through the whole lesson.

🏗️
CSPM
tap to flip

Cloud Security Posture Management. Scans AWS/Azure/GCP config for misconfigurations against CIS/NIST/PCI. Finds the open door.

🧩
SSPM
tap to flip

SaaS Security Posture Management. Checks M365, Salesforce, Workspace tenant settings against benchmarks. Catches the disabled MFA.

🗂️
DSPM
tap to flip

Data Security Posture Management. Opens the stores and finds + classifies the actual sensitive data at rest. Tells you what is in the room.

🔑
CIEM
tap to flip

Cloud Infrastructure Entitlement Management. Audits identities — who can open which door — and flags over-permissioned access. So: least privilege.

Quick check · Q1 of 10

Sneha says “our inline DLP policy is live, so a public S3 bucket would be caught automatically.” Why is she wrong?

Correct: b. Inline policy only inspects traffic that is steered through Netskope. A bucket sitting public generates no steered request, so only an out-of-band CSPM scan of the AWS API would surface it. This is the core inline-vs-posture gap.

Pause & Predict

Predict: if posture engines never sit in the traffic path, how do they ever “see” your AWS account or Salesforce tenant? Type your guess.

Answer: By calling the provider’s management API with read permissions you grant during onboarding. CSPM reads the AWS/Azure/GCP config APIs; SSPM authenticates to the SaaS admin API; DSPM deploys scanners that read the data stores. It is pull-based and scheduled — not a packet ever leaves the inline path.

② The four engines — CSPM, SSPM, DSPM, CIEM

People lump “posture” into one word, but there are really four engines, and the interview-grade distinction is what each one scans.

CSPM scans your public-cloud configuration — AWS, Azure, GCP — looking for misconfigurations: a public bucket, an open security group, an unencrypted volume, an over-broad IAM policy. It scores everything against frameworks like CIS, NIST and PCI. Netskope calls the scan loop Continuous Security Assessment (CSA), and you can even write custom rules in a DSL.

SSPM does the same idea but for SaaS tenant settings — the M365 stack (Entra ID, Defender, Exchange, SharePoint, Teams, Intune), plus Salesforce, Google Workspace, GitHub, Okta, Box, Slack, ServiceNow, Workday and more. It checks against benchmarks like CIS, CISA SCuBA, GDPR, HIPAA, ISO 27002 and PCI-DSS 4.0, and offers Guided Remediation to walk you through the fix.

DSPM is the different one. It does not check settings — it goes inside the stores and finds the actual sensitive data at rest. It discovers data stores, schemas, tables, fields and files (including shadow data stores nobody knew existed), classifies the data, and even profiles which users have over-privileged access to it. CIEM is the identity angle: it walks your cloud entitlements and flags over-permissioned identities so you can enforce least privilege.

Figure 2 — The four posture engines
CSPM scans cloud config, SSPM scans SaaS config, DSPM finds the data itself, CIEM audits identities Four labelled lanes. CSPM points at AWS/Azure/GCP misconfiguration. SSPM points at M365/Salesforce/Workspace settings. DSPM points at the actual sensitive data inside stores. CIEM points at over-permissioned identities. A note clarifies CSPM/SSPM check settings while DSPM checks the data and CIEM checks who can reach it. Four posture engines — config, SaaS config, the data, and the identities CSPM— Cloud configscans: AWS · Azure · GCPchecks: misconfig vs CIS/NIST/PCIout-of-band · API · scan-interval drivenSSPM— SaaS configscans: M365 · Salesforce · Workspacechecks: tenant settings vs benchmarksout-of-band · API · scan-interval drivenDSPM— The data itselfscans: S3 · RDS · file shareschecks: find + classify data at restout-of-band · API · scan-interval drivenCIEM— Identitiesscans: IAM users · roles · keyschecks: over-permissioned accessout-of-band · API · scan-interval driven CSPM/SSPM check SETTINGS · DSPM checks the DATA · CIEM checks WHO can reach it
CSPM=cloud config, SSPM=SaaS config, DSPM=the data itself, CIEM=identities. Note the bottom band: settings vs data vs who-can-reach-it.
Figure 3 — Config-posture vs data-posture
The trap: a bucket can be perfectly configured (CSPM green) and still hold un-classified PII (DSPM red) Left column: CSPM checks the S3 bucket settings — encryption on, not public — and passes it green. Right column: DSPM opens the same bucket and discovers it is full of unclassified Aadhaar and card numbers, raising a red data-risk finding. The thesis is that config-posture and data-posture answer different questions. Same bucket, two questions — "is it configured right?" vs "what is inside it?" CSPM — checks the SETTINGS s3://payroll-export-prod ✓ encryption: AES-256 ON ✓ public access: BLOCKED ✓ versioning: ON CSPM verdict: COMPLIANT DSPM — opens it and reads the DATA s3://payroll-export-prod ⚠ 42,000 Aadhaar numbers ⚠ 11,500 card PANs ⚠ tag: none · owner: unknown DSPM verdict: HIGH DATA RISK A bucket can pass CSPM and still be a breach waiting to happen. CSPM finds the open door; DSPM tells you the room is full of cash. Run both. untrusted / misconfiguredtrusted / inspectedscan / policykey ideacompliant
The trap that separates juniors from seniors: a bucket can be perfectly configured (CSPM green) and still hold un-classified PII (DSPM red). Run both.

That comparison is the single most important idea in this lesson. CSPM and SSPM check the settings; DSPM checks the data. A bucket can be encrypted, private and versioned — CSPM gives it a green tick — and still be stuffed with 42,000 unclassified Aadhaar numbers that DSPM flags as high risk. Run config-posture and data-posture; neither alone is the full picture.

Aditya at Wipro faces this

Aditya, an L2 cloud-sec analyst, is told “CSPM says the production account is 96% compliant, so we’re fine for the audit.” The auditor then asks where the customer PII actually lives — and nobody can answer.

Likely cause

CSPM only graded the configuration. It never opened a single object to see what data was inside. The 96% says “settings are mostly correct,” not “we know where our regulated data is.”

Diagnosis

He checks which engine discovers and classifies data at rest, versus the one that scores config.

Posture: CSPM = config score · DSPM = data discovery + classification
Fix

In the Netskope One DSPM app, onboard the same accounts under Administration → Infrastructure Connections → Add Infrastructure and deploy a sidecar (Platform Settings → Sidecar) so DSPM can discover data stores, classify PII/PCI, and surface shadow stores. CSPM stays for config; DSPM answers “where is the regulated data.”

Verify

After the DSPM scan, the data catalog lists each store with a sensitivity classification and owner — the auditor’s “where is the PII” question now has a concrete answer.

Quick check · Q2 of 10

Priya needs to find a forgotten database full of customer card numbers that no one documented. Which engine is built for this?

Correct: c. Finding and classifying data at rest, and surfacing unknown (shadow) data stores, is exactly DSPM. CSPM/SSPM only evaluate configuration; CIEM looks at identities, not the data itself.

Pause & Predict

Predict: a junior says “DSPM and CIEM do the same thing — both are about access.” Where does that break down? Type your guess.

Answer: DSPM is about the data — what sensitive data exists and where. CIEM is about the identities — who is over-permissioned. They meet in the middle (DSPM can profile who has over-privileged access to data), but DSPM answers “what data” and CIEM answers “which identity has too much.” Different starting questions.

③ Onboarding — AWS for CSPM, Salesforce for SSPM

Posture engines see nothing until you onboard the target. Onboarding = granting Netskope read access to the provider’s API. The exact console path differs by engine, and mixing them up is the most common newbie mistake — so learn both paths precisely.

CSPM — onboard an AWS account

For public-cloud CSPM the path is Settings → Configure App Access → Classic → IaaS → Setup. Note the words Classic and IaaS — this is the CSPM lane. The onboarding flow is Continuous Security Assessment (CSA) and runs in two phases the console literally labels “Step 1/2: Configure AWS Accounts & Services for CSA” and “Step 2/2: Configure AWS Permissions for CSA.” Before you start, prep a list of AWS Account numbers, Account names and optional email addresses; in step 2 you download Netskope’s CloudFormation Template (CFT, aws-instance-setup.yml) and run it in the AWS console (CloudFormation → Create stack) to create a cross-account IAM role Netskope assumes to read the config. Finish with Add Accounts to land them on the Classic → IaaS page.

🖥️ This is the CSPM onboarding screen — Settings → Configure App Access → Classic → IaaS → Setup. The two-step CSA flow. (Recreated for clarity — your tenant matches this.)
tenant.goskope.com · Configure App Access → Classic → IaaS
1
Onboarding flow
Continuous Security Assessment (CSA)
2
Step 1/2
Configure AWS Accounts & Services for CSA
Account number
482915736204
Account name
wipro-prod-payments
Email (optional)
cloudsec@wipro.example
3
Step 2/2
Configure AWS Permissions for CSA — run CFT aws-instance-setup.yml
Save

▶ Follow a CSPM scan: onboarding an AWS account through to a finding

Watch one AWS account go from onboarded to a remediated finding. Press Play for the healthy path, then Break it to see the failure.

① OnboardSettings → Classic → IaaS → Setup: CSA Step 1/2 + Step 2/2 grant a cross-account IAM role
② ScanOn the next cycle, CSA reads the AWS config API for acct 482915736204
③ ScoreRule “S3 must block public access” fails → FINDING raised vs CIS AWS Foundations
④ RemediateAdmin blocks public access; next scan clears the finding → compliant
Press Play to step through the healthy path. Then press Break it.

SSPM — onboard a Salesforce tenant

For SaaS SSPM the path is different: Settings → Configure App Access → Next Gen → Security Posture. Note Next Gen and Security Posture — this is the SSPM/DSPM lane, not Classic/IaaS. Click the Salesforce icon → Setup Security Posture Instance and fill the form: Site Domain (e.g. sample.my.salesforce.com), Administrator Email, Security Scan Interval, and optional Instance Name. Then Grant Access → authenticate → AllowClose, and refresh the browser.

🖥️ This is the SSPM Salesforce onboarding form — Settings → Configure App Access → Next Gen → Security Posture → Salesforce → Setup Security Posture Instance. (Recreated for clarity.)
tenant.goskope.com · Configure App Access → Next Gen → Security Posture
1
Site Domain
flipkart-it.my.salesforce.com
2
Administrator Email
sf-admin@flipkart.example
3
Security Scan Interval
Every 6 hours
Instance Name (optional)
(blank → auto-named)
4
Authorize
Grant Access → Allow
Grant Access
Common mistake — CSPM in the wrong menu

Symptom: you go to onboard AWS, land in Next Gen → Security Posture, and there is no IaaS / CSA option anywhere. Cause: that menu is the SSPM/DSPM lane. Fix: CSPM lives under Classic → IaaS → Setup; SSPM/DSPM live under Next Gen → Security Posture. Do not mix the two paths — this is a favourite exam distractor.

👉 So far: CSPM onboards under Classic → IaaS (CSA, two steps); SSPM onboards under Next Gen → Security Posture (Salesforce form fields). Next: DSPM scanners, plus the three gotchas that bite in production.
Quick check · Q3 of 10

You need to onboard an AWS account for cloud misconfiguration scanning. Which console path is correct?

Correct: a. CSPM for public cloud is under Classic → IaaS → Setup (the CSA flow). “Next Gen → Security Posture” is the SSPM/DSPM path — the classic distractor. Policies and Skope IT are inline/analytics, not posture onboarding.

Pause & Predict

Predict: the Salesforce SSPM form has a “Security Scan Interval” field. What does that single field tell you about how SSPM works? Type your guess.

Answer: That posture is scan-interval driven — out-of-band, not real-time. A setting changed right after a scan won’t be flagged until the next cycle. SSPM (like CSPM) lags config changes by up to one scan interval; tighten the interval if you need fresher results.

④ DSPM scanners, the three gotchas & SkopeAI

DSPM onboards differently because it has its own Netskope One DSPM application (separate from the SSE console’s Configure App Access menus) and has to reach inside the stores. The flow is: Administration → Infrastructure Connections → Add Infrastructure (select AWS / Azure / GCP / OCI → Add Account/Organization — typically via a CloudFormation, Terraform or Helm deploy that grants discovery IAM roles), enable Auto-Discover New Data Stores, then deploy a scanner (sidecar) — administered under Platform Settings → Sidecar — so sensitive data never leaves your environment to be classified. From there the left-nav gives you Data Stores (inventory), Classification & Tagging, Policies & Alerts, and Risk / User Assessment dashboards & reports.

Gotcha 1 — Azure multi-subscription needs per-subscription Event Grid

When you onboard a whole Azure Management Group for CSPM, you create one Azure AD App (recording its Directory ID, Application ID and Authentication Key) and assign a custom role at the group level. But teams hit a wall: data only shows for some subscriptions. The cause is that Microsoft Event Grid registration is per-subscription and cannot be done group-wide in one shot. Register Event Grid on every subscription individually, and reuse the same Azure AD App — do not mint a new Authentication Key per sub, which breaks the existing binding.

Common mistake — “I onboarded the Management Group, why only half my subs report?”

Symptom: you onboard 50 Azure subscriptions via a Management Group but DLP/event-driven data appears for only a few. Cause: Event Grid registration is per-subscription; it cannot be done at the group level all at once. Fix: register Event Grid on each subscription individually, reusing the SAME Azure AD App (same Authentication Key).

Gotcha 2 — CSPM does not auto-remediate

New engineers expect CSPM to fix what it finds. It does not. Netskope CSPM surfaces findings; remediation is manual — or a framework you build. The community pattern for AWS auto-remediation is a Lambda + CloudFormation StackSets setup that polls the Netskope API, deployed per region in the delegated security account (not the Org management account), with cross-account IAM roles. The function re-checks compliance before acting, so it does not “fix” a false positive.

CSPM finding pulled from the Netskope REST API (what the auto-remediation Lambda reads)
GET /api/v2/posture/findings?status=open&severity=high
Host: tenant.goskope.com
Authorization: Bearer
Expected output
{
  "finding_id": "csa-aws-1182",
  "account": "482915736204",
  "rule": "S3 bucket must block public access",
  "framework": "CIS AWS Foundations",
  "resource": "s3://payroll-export-prod",
  "status": "open",
  "auto_remediated": false   <-- CSPM never sets this; your StackSets Lambda must
}

Gotcha 3 — posture is scan-interval driven, not instant

Because posture is out-of-band, a finding lags the change that caused it by up to one scan cycle. “The compliance score looks stale / a new misconfig isn’t flagged yet” almost always means the scan hasn’t run since the change. Tighten the Security Scan Interval if you need fresher data — but never expect inline-DLP immediacy from a posture engine. They answer different questions.

Figure 4 — Posture cheat sheet
Netskope posture cheat sheet — which engine, what it scans, the console path A six-tile cheat sheet pairing each posture engine and key term with its scan target and the real Netskope console path: CSPM via Classic IaaS, SSPM via Next Gen Security Posture, DSPM via the Netskope One DSPM app under Administration Infrastructure Connections, plus CSA, findings, and DSL custom rules. Posture in one card — engine · scans · where you click CSPMpublic cloud misconfigConfigure App Access → Classic → IaaSSSPMSaaS tenant settingsConfigure App Access → Next Gen → Security PostureDSPMsensitive data at restOne DSPM app: Administration → Infrastructure ConnectionsCSAthe CSPM scan loopContinuous Security Assessment (2 steps)Findinga failed check vs a ruleno native auto-fix — remediate / StackSetsDSLcustom CSPM rule languageDomain Specific Language (AWS/Azure/GCP)
Your one-card map: each engine/term, what it scans, and the real console path. Screenshot this before any posture interview.

The 2025 angle — DSPM meets AI (SkopeAI)

The newest reason posture matters: AI. In April 2025 Netskope shipped Netskope One DSPM innovations under the SkopeAI brand that use DSPM’s data classification to stop sensitive or regulated data feeding LLMs — whether by direct input, RAG, or fine-tuning — with policy-driven AI governance. This ties DSPM to AI-SPM: you cannot govern what an AI is allowed to ingest unless you first know where your sensitive data is. That is DSPM’s job.

Prove you’ve got the posture model

Take any real ask — “the auditor wants proof our PII is encrypted, accounted for, and not feeding our chatbot.” You should name: CSPM (is the store encrypted? config check), DSPM (where is the PII, and is it classified?), and the SkopeAI/DSPM link (is that classified data blocked from the LLM path?). If you can wire those three together, you’re posture-ready.

Related: Netskope Threat ProtectionNext: SkopeIT, Analytics & Incidents
Quick check · Q4 of 10

A team asks “why isn’t Netskope CSPM auto-fixing our public-bucket findings?” What is the correct answer + fix?

Correct: d. Netskope CSPM surfaces findings but does not auto-remediate out of the box. The documented community pattern is a customer-deployed Lambda + StackSets framework, per region, in the delegated security account, that polls the Netskope API and re-checks before acting.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Netskope docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Are CSPM, SSPM and DSPM inline or out-of-band?

Correct: a. Posture engines are out-of-band and API-driven: they read cloud/SaaS/data APIs on a schedule and raise findings. The inline path is SWG/CASB-inline/ZTNA. This inline-vs-posture split is the foundation of the lesson.
Q6 · Apply

Karthik must onboard a Salesforce tenant for SaaS posture scanning. Which console path is correct?

Correct: c. SSPM (and DSPM) live under Next Gen → Security Posture. Classic → IaaS → Setup is the CSPM/public-cloud path — the common distractor. Policies and Skope IT are inline/analytics, not posture onboarding.
Q7 · Apply

A team onboards 50 Azure subscriptions via a Management Group, but DLP/event data appears for only a handful. What is the fix?

Correct: d. Event Grid registration is per-subscription and cannot be done group-wide at once. Register it on every sub individually and reuse the SAME Azure AD App — minting a new Authentication Key per sub breaks the existing binding.
Q8 · Analyze

CSPM reports a production S3 bucket as fully compliant, yet a breach later exposes Aadhaar numbers from that exact bucket. What did CSPM miss, and which engine would have caught it?

Correct: b. CSPM checks configuration, not contents. A bucket can be encrypted and private (CSPM green) while holding unclassified PII. DSPM opens the store, discovers and classifies the data, and flags the data risk. Config-posture and data-posture answer different questions.
Q9 · Analyze

An admin asks why a misconfiguration they fixed an hour ago still shows as a finding, while another change made yesterday is already cleared. What explains the difference?

Correct: c. Out-of-band posture lags changes by up to one scan cycle. The hour-old fix simply hasn’t been re-scanned; yesterday’s change had a full cycle to be re-evaluated. Tighten the Security Scan Interval for fresher results — but it is never instant like inline.
Q10 · Evaluate

Two proposals for cloud security: (A) rely on inline DLP/threat policy alone; (B) add out-of-band CSPM + DSPM on top of inline. Which is the stronger default and why?

Correct: a. Inline only sees steered traffic, so it is blind to a public bucket, a disabled SaaS setting, or a shadow database full of PII — all config/data at rest. CSPM/SSPM/DSPM cover exactly those gaps. The two layers are complementary; inline alone leaves the cloud-estate blind spot open.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why can a bucket pass CSPM and still be a serious data risk? Then compare to the expert version.

Expert version: Because CSPM only grades the configuration (encryption, public-access block, versioning) — it never opens the objects, so a perfectly-configured bucket can still hold un-classified PII that only a DSPM data scan would flag.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

CSPM
Cloud Security Posture Management — API scan of AWS/Azure/GCP config for misconfigurations against CIS/NIST/PCI.
SSPM
SaaS Security Posture Management — config posture of M365, Salesforce, Google Workspace and more.
DSPM
Data Security Posture Management — finds and classifies sensitive data at rest, including shadow stores.
CIEM
Cloud Infrastructure Entitlement Management — discovers over-permissioned identities to enforce least privilege.
CSA
Continuous Security Assessment — Netskope’s name for the recurring CSPM scan loop (two-step AWS onboarding).
Finding / Violation
A failed check against a rule — CSPM also calls these security assessment violations.
Security assessment policy
The rule set CSPM evaluates cloud resources against.
DSL
Domain Specific Language — the language for writing custom CSPM rules across AWS/Azure/GCP.
Scanner / Sidecar
A DSPM deployment unit that scans a data store from inside your environment.
Data store
A scannable repository — S3, RDS, Azure SQL, GCP, OCI, on-prem or SaaS — that DSPM inspects.
Shadow data store
An unknown, unmanaged data store nobody registered — DSPM surfaces it.
Guided Remediation
Netskope SSPM’s step-by-step workflow for fixing a SaaS posture finding.
SkopeAI
Netskope’s platform-wide AI brand powering DSPM AI-risk features (block sensitive data feeding LLMs).
RAG
Retrieval-Augmented Generation — an LLM data path (docs fed at query time) that DSPM governs.

📚 Sources

  1. Netskope Docs — “Getting Started with CSPM for Public Cloud” (security assessment framework, violations, DSL custom rules, CIS frameworks). docs.netskope.com/en/getting-started-with-cspm-for-public-cloud
  2. Netskope Docs — “Enabling Security Posture Management for AWS” (Settings → Configure App Access → Classic → IaaS → Setup; CSA two-step flow). docs.netskope.com/en/enabling-security-posture-management-for-aws
  3. Netskope Docs — “SaaS Security Posture Management” & “Configure Salesforce for Next-Gen SSPM” (Next Gen → Security Posture; Site Domain, Administrator Email, Security Scan Interval, Instance Name). docs.netskope.com/en/saas-security-posture-management
  4. Netskope Docs — “Netskope One DSPM Architecture Overview”, “Onboard AWS Infrastructure via CloudFormation” (Administration → Infrastructure Connections → Add Infrastructure; Auto-Discover New Data Stores) & “DSPM Sidecar Administration Overview” (Platform Settings → Sidecar; shadow stores, classification). docs.netskope.com/en/netskope-one-dspm-architecture-overview
  5. Netskope Community — “Onboarding multiple subscriptions for Azure CSPM” (Management Groups, reuse one Azure AD App, per-subscription Event Grid) & “CSPM auto-remediation for AWS” (Lambda + CloudFormation StackSets, delegated security account). community.netskope.com
  6. Netskope Press / PR Newswire — “Netskope Advances AI Security with new DSPM innovations” (Apr 28, 2025: Netskope One DSPM + SkopeAI, prevent sensitive data feeding LLMs via input/RAG/fine-tuning). netskope.com/press-releases
  7. Pearson VUE — Netskope certification (NSK300 Certified Cloud Security Architect / NSK101); posture management, CSPM custom rules using DSL, API-based misconfiguration scanning are examinable. pearsonvue.com/us/en/netskope

What's next?

You can now see config and data sitting still. Next we go deeper into the live view — SkopeIT, Analytics & Incidents — where every event, alert and investigation lands.

Next · Netskope SkopeIT, Analytics & Incidents → Practice on exam.techclick.in →