Watching the exits
Exfiltration is the moment the theft completes. Everything before it was preparation; this is the part that cannot be undone. Data leaves via DNS tunnelling, HTTPS to cloud storage, email, or purpose-built tools designed to blend into normal traffic. Volume and destination are the two levers defenders have: unusual amounts of data going somewhere unexpected, or expected destinations carrying unexpected volumes. Neither is easy to tune in a noisy environment, which is why exfiltration remains one of the hardest phases to catch in real time.
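The two levers as detection logic, in an added Python example that is not part of the original page: it flags a destination a host has never sent to once the volume is meaningful, and a known destination whose daily volume exceeds the median plus k times the MAD of its history. The flow records, hostnames, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flows: (day, source host, destination, outbound bytes).
FLOWS = [
    (1, "ws-17", "backup.corp.example", 480_000_000),
    (2, "ws-17", "backup.corp.example", 510_000_000),
    (3, "ws-17", "backup.corp.example", 495_000_000),
    (1, "ws-17", "mail.corp.example", 4_000_000),
    (2, "ws-17", "mail.corp.example", 6_000_000),
    (3, "ws-17", "mail.corp.example", 5_000_000),
    (4, "ws-17", "backup.corp.example", 505_000_000),    # normal day
    (4, "ws-17", "mail.corp.example", 90_000_000),       # known destination, odd volume
    (4, "ws-17", "files.storage.example", 750_000_000),  # destination never seen before
    (4, "ws-17", "cdn.vendor.example", 200_000),         # new but tiny: ignored
]

def daily_totals(flows):
    """Sum outbound bytes per (source, destination) per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, sent in flows:
        totals[(src, dst)][day] += sent
    return totals

def score_day(flows, day, new_dst_min=50_000_000, k=6.0, mad_floor=1_000_000):
    """Return sorted (source, destination, reason) alerts for one day."""
    alerts = []
    for (src, dst), per_day in daily_totals(flows).items():
        today = per_day.get(day, 0)
        if today == 0:
            continue
        history = [v for d, v in per_day.items() if d < day]
        if not history:
            # Lever 1: unexpected destination carrying a meaningful volume.
            if today >= new_dst_min:
                alerts.append((src, dst, "new-destination"))
            continue
        # Lever 2: expected destination, unexpected volume (median + k * MAD).
        med = median(history)
        mad = max(median([abs(v - med) for v in history]), mad_floor)
        if today > med + k * mad:
            alerts.append((src, dst, "volume-spike"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in score_day(FLOWS, 4):
        print(alert)
```

The values of `k`, `mad_floor` and `new_dst_min` are illustrative; in a noisy environment they are the tuning problem the paragraph describes, and a host with no history at all will alert on its first large transfer.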