Datawall is not yet available. It will require an Enterprise plan. This page describes planned functionality.
When to use Datawall
Use Datawall when you want stronger protections around code, credentials, tickets, prompts, or other sensitive material that enters an environment and should not leave it unchecked. Typical use cases:
- environments handling confidential repositories or internal documentation
- agents reading tickets, MCP responses, or secrets that should not be copied out
- teams that need an explicit exfiltration control in addition to identity, policy, and audit logs
How Datawall works
When confidential data enters the environment, Ona registers that material for monitoring. The kernel fingerprints it and compares outbound network traffic against those fingerprints. This is designed to catch transfers across common network paths, including:
- HTTP and HTTPS
- SSH-based traffic such as `git push` and `scp`
- common encoding transforms such as base64, hex, and URL encoding
What Datawall detects well
| Scenario | Detected |
|---|---|
| Agent sends data verbatim over HTTP or HTTPS | Yes |
| Agent encodes data before sending | Yes |
| Agent relays data through a child process | Yes |
| Agent writes data to disk and another process sends it | Yes |
| Agent sends data over SSH | Yes |
| Agent encrypts data at the application layer before sending | Yes |
| Agent splits data across multiple requests | Partial |
| Agent paraphrases or rewrites the data | No |
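The fingerprint comparison described under "How Datawall works", and the verbatim, encoded and paraphrased rows of the table above, can be illustrated in user space. This is an added example, not Ona's code and not Datawall's kernel mechanism: the window length `K`, the hashing scheme and the function names are assumptions, and the sample secret is constructed.

```python
import base64
import binascii
import hashlib
from urllib.parse import quote, unquote_to_bytes

K = 16  # window length in bytes (assumed value)

def fingerprints(data: bytes) -> set:
    """Hash every K-byte window so any verbatim K-byte run can be recognised."""
    return {hashlib.sha256(data[i:i + K]).digest()[:8]
            for i in range(len(data) - K + 1)}

def decoded_views(payload: bytes) -> list:
    """Return the raw payload plus each base64, hex and URL decoding that succeeds."""
    views = [payload, unquote_to_bytes(payload)]
    compact = b"".join(payload.split())  # tolerate line-wrapped encodings
    try:
        views.append(base64.b64decode(compact, validate=True))
    except (binascii.Error, ValueError):
        pass
    try:
        views.append(bytes.fromhex(compact.decode("ascii")))
    except ValueError:  # also covers UnicodeDecodeError
        pass
    return views

def match_ratio(registered: set, payload: bytes) -> float:
    """Largest fraction of registered fingerprints found in any view of the payload."""
    if not registered:
        return 0.0
    return max(len(registered & fingerprints(view)) / len(registered)
               for view in decoded_views(payload))

# Constructed sample data, not a real credential.
SECRET = b"db_password=constructed-example-value-0123456789; region=eu-test-1"
REGISTERED = fingerprints(SECRET)

SAMPLES = {
    "verbatim": b"POST /upload HTTP/1.1\r\n\r\n" + SECRET,
    "base64": base64.b64encode(SECRET),
    "hex": SECRET.hex().encode(),
    "url": b"q=" + quote(SECRET).encode(),
    "paraphrase": b"the database password is the constructed example value, region eu test",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10s} {match_ratio(REGISTERED, payload):.2f}")
```

The verbatim and encoded samples match every registered fingerprint, while the paraphrase shares no 16-byte run with the registered material and matches none.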
Operating and investigating
Every detection produces a structured event that is written to environment logs and reported to the management plane. Review the event to understand:
- which action triggered the match
- where the traffic was going
- which process attempted the transfer
- when the detection occurred