This disclosure describes techniques that enable a security monitoring application to detect the use of plaintext sensitive data by a user application on a user device. The security monitoring application may reside on a user device or may reside on a standalone device, such as a security monitoring controller, within an enterprise network. The security monitoring application may be configured to intercept a computing operation executed by a user application that includes user-plane data. In doing so, the security monitoring application may determine whether the user-plane data includes plaintext sensitive data and if so, quarantine the user-plane data.