What is Exfiltration?
Data exfiltration is the unauthorized transfer of sensitive data from a victim environment to attacker-controlled infrastructure, the stage where intellectual property, credentials, customer data, or other valuable information is stolen.
How Exfiltration Works
Exfiltration typically occurs after the attacker has sufficient access. Before exfiltrating, attackers stage data: collecting files from across the network, compressing them, and sometimes encrypting them to avoid content inspection.
Exfiltration channels: HTTPS to cloud storage (Dropbox, OneDrive, Google Drive) is common because these services are usually allow-listed at the firewall and the traffic blends in with legitimate use. DNS exfiltration encodes data in query names (base64 as subdomains), which works because outbound DNS is rarely blocked. Physical exfiltration uses USB drives. Email exfiltration sends data to personal accounts.
DLP systems inspect outbound content for sensitive data patterns and can block the transfer. Network monitoring looks for large outbound transfers, connections to cloud storage from unusual processes, and anomalous outbound DNS traffic volume. UEBA tracks data access patterns and alerts when users access far more data than their baseline.
Exfiltration in SOC Operations
Detecting exfiltration in progress, before the transfer completes, can prevent the most damaging outcome of a breach. Watch for large outbound transfers to cloud services, DNS anomalies (high query volumes to single external domains), and DLP alerts on sensitive data categories. When exfiltration is confirmed or suspected, immediate containment (blocking the connection, isolating the host) is critical.
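The two network indicators named above, many unique query names under one external zone and unusually large outbound byte totals to one destination, as an added example that is not part of this glossary or of SOCSimulator's own tooling; the log formats, hostnames and thresholds are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample logs (not real traffic); fields are space separated.
# DNS log: <client_ip> <query_name>
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 61.2f7a.tunnel.example.net
10.0.0.7 62.9c1b.tunnel.example.net
10.0.0.7 63.e04d.tunnel.example.net
10.0.0.7 64.5a88.tunnel.example.net
10.0.0.7 65.b3c1.tunnel.example.net
"""
# Proxy log: <client_ip> <destination_host> <bytes_out>
PROXY_LOG = """\
10.0.0.5 www.example.com 1200
10.0.0.5 www.example.com 3400
10.0.0.9 storage.example-cloud.test 52428800
10.0.0.9 storage.example-cloud.test 73400320
"""

def zone_of(name, labels=2):
    # Collapse to the last `labels` labels; a real detector would use a public-suffix list.
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def dns_anomalies(log_text, min_queries=5, min_unique_ratio=0.8):
    """Flag (client, zone) pairs with many queries where nearly every name is
    distinct: the shape of data being encoded into subdomains."""
    seen, total = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        client, qname = line.split()
        key = (client, zone_of(qname))
        total[key] += 1
        seen[key].add(qname)
    return {key: {"queries": n, "unique_ratio": len(seen[key]) / n}
            for key, n in total.items()
            if n >= min_queries and len(seen[key]) / n >= min_unique_ratio}

def large_outbound(log_text, threshold_bytes=100 * 1024 * 1024):
    """Sum bytes sent per (client, destination) and flag totals over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        client, dest, nbytes = line.split()
        totals[(client, dest)] += int(nbytes)
    return {k: v for k, v in totals.items() if v >= threshold_bytes}
```

The normal client 10.0.0.5 sends five queries but only two distinct names, so the unique-name ratio keeps it below the alerting bar; thresholds should be tuned against each environment's baseline before use.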
Practice Exfiltration in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating exfiltration scenarios with zero consequences — free forever.