Code Room
On-call | Hard | oc-g357
Subject: Data exfiltration
Level: Senior–Staff
~45 min
Common in: Reliability & on-call interviews
Industries: Software development, Technology

Question

Your egress DLP alerts on any host exceeding 5GB/day outbound to non-allowlisted destinations — it's been quiet for months. A threat-intel tip names a destination domain. You check and find a reporting host has been sending ~2–3GB/day to it for 6 weeks — always **just under** the 5GB threshold, only during business hours, chunked over HTTPS to what looks like a legit CDN, and the volume rides *alongside* normal traffic so the daily total never spiked enough to alarm. Cumulatively that's ~100GB. How do you triage what was taken, contain it, and fix a detection that an attacker clearly tuned around?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
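The detection gap in the question is a per-host, per-day threshold that a steady stream to one destination slides under. The added example below (not part of the original question or answer key) contrasts that rule with a trailing-window rule keyed on host and destination, run over constructed daily egress summaries; the 7-day window, 10 GB cap, host name and domains are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

GB = 1024 ** 3
DAILY_THRESHOLD = 5 * GB       # the per-host/day rule from the question
WINDOW_DAYS = 7                # assumed trailing window for the added rule
WINDOW_THRESHOLD = 10 * GB     # assumed cumulative cap per (host, destination)
ALLOWLIST = {"backup.internal.example"}   # constructed allowlisted destination

def gb(x):
    return int(x * GB)

# Constructed daily egress summaries: (day, host, destination, bytes).
# rpt-01 sends 2.5 GB/day to one non-allowlisted domain for two weeks, so its
# non-allowlisted daily total (2.5 + 0.8 GB) never crosses the 5 GB rule.
START = date(2024, 1, 1)
EVENTS = []
for i in range(14):
    day = START + timedelta(days=i)
    EVENTS += [(day, "rpt-01", "cdn-assets.example.net", gb(2.5)),
               (day, "rpt-01", "updates.example.org", gb(0.8)),
               (day, "rpt-01", "backup.internal.example", gb(1.5))]

def daily_rule(records):
    """Existing detection: alert when a host's daily non-allowlisted egress > 5 GB."""
    totals = defaultdict(int)
    for day, host, dest, nbytes in records:
        if dest not in ALLOWLIST:
            totals[(day, host)] += nbytes
    return sorted(k for k, b in totals.items() if b > DAILY_THRESHOLD)

def rolling_rule(records):
    """Added detection: sum bytes per (host, destination) over a trailing window,
    so a steady low-volume stream to one destination accumulates into an alert."""
    per_day = defaultdict(int)
    for day, host, dest, nbytes in records:
        if dest not in ALLOWLIST:
            per_day[(host, dest, day)] += nbytes
    alerts = []
    for host, dest in {(h, d) for h, d, _ in per_day}:
        for day in sorted({d for _, _, d in per_day}):
            window = sum(per_day.get((host, dest, day - timedelta(days=k)), 0)
                         for k in range(WINDOW_DAYS))
            if window > WINDOW_THRESHOLD:
                alerts.append((host, dest, day))
    return sorted(alerts)

def total_to(records, host, dest):
    """Triage helper: cumulative bytes a host sent to one destination (scope of loss)."""
    return sum(b for _, h, d, b in records if h == host and d == dest)
```

The daily rule returns nothing on this data, while the rolling rule first fires on the fifth day once the per-destination window exceeds the cap; the total helper gives the figure you need when scoping what left.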
