Techniques are disclosed herein for scanning encrypted data sent to and from applications executing in user space of a computer system. A traffic monitoring tool of a network intrusion prevention system detects a secure session being established between an application executing on a client and a server. The traffic monitoring tool retrieves, from the client application, a symmetric key generated by the client application. The traffic monitoring tool intercepts encrypted data transmitted between the client application and the server as part of the secure session. The traffic monitoring tool decrypts the encrypted data using the retrieved symmetric key. Upon determining that the decrypted data indicates a threat to the client, transmission of the encrypted data is blocked.