Question
Your egress DLP alerts on any host exceeding 5GB/day outbound to non-allowlisted destinations — it's been quiet for months. A threat-intel tip names a destination domain. You check and find a reporting host has been sending ~2–3GB/day to it for 6 weeks — always **just under** the 5GB threshold, only during business hours, chunked over HTTPS to what looks like a legit CDN, and the volume rides *alongside* normal traffic so the daily total never spiked enough to alarm. Cumulatively that's ~100GB. How do you triage what was taken, contain it, and fix a detection that an attacker clearly tuned around?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
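As an added example that is not part of the original post: the existing per-host daily threshold beside two rolling rules (a multi-day window per host and destination, and a sustained-volume check) run over constructed daily egress summaries. Host names, destinations, the allowlist and the limits are assumptions; the point is that a rule summing one day at a time stays silent while a window over several days does not.

```python
from collections import defaultdict
from datetime import date, timedelta

GiB = 1024 ** 3
DAILY_LIMIT = 5 * GiB       # the existing rule: per host, per day, all non-allowlisted destinations
ROLLING_DAYS = 7            # added rule: rolling window per host+destination (assumed value)
ROLLING_LIMIT = 10 * GiB    # total over the window that triggers (assumed value)
SUSTAIN_DAYS = 5            # added rule: consecutive days a destination stays above MIN_DAILY
MIN_DAILY = GiB // 2
ALLOWLIST = {"updates.example-vendor.com"}   # assumed allowlist entry

# Constructed daily egress summaries (day, host, destination, bytes); not real data.
RECORDS = []
for i in range(14):
    d = date(2024, 3, 4) + timedelta(days=i)
    RECORDS.append((d, "rpt-01", "updates.example-vendor.com", GiB))          # legitimate
    RECORDS.append((d, "rpt-01", "cdn-edge.example-bad.net", 5 * GiB // 2))   # 2.5 GiB/day, under limit
    RECORDS.append((d, "ws-17", "cdn-edge.example-bad.net", 50 * 1024 ** 2))  # small, incidental

def per_host_dest_day(records):
    """Aggregate bytes to non-allowlisted destinations keyed by (host, dest, day)."""
    agg = defaultdict(int)
    for d, host, dest, nbytes in records:
        if dest not in ALLOWLIST:
            agg[(host, dest, d)] += nbytes
    return agg

def daily_threshold_alerts(records):
    """Existing rule: any host over DAILY_LIMIT on a single day (all destinations summed)."""
    totals = defaultdict(int)
    for (host, dest, d), v in per_host_dest_day(records).items():
        totals[(host, d)] += v
    return sorted({host for (host, d), v in totals.items() if v > DAILY_LIMIT})

def rolling_alerts(records):
    """Added rule: more than ROLLING_LIMIT to one destination within any ROLLING_DAYS window."""
    agg, hits = per_host_dest_day(records), set()
    for host, dest, d in agg:
        total = sum(agg.get((host, dest, d - timedelta(days=k)), 0) for k in range(ROLLING_DAYS))
        if total > ROLLING_LIMIT:
            hits.add((host, dest))
    return sorted(hits)

def sustained_alerts(records):
    """Added rule: a destination that stays at or above MIN_DAILY for SUSTAIN_DAYS consecutive days."""
    agg, hits = per_host_dest_day(records), set()
    for host, dest, d in agg:
        if all(agg.get((host, dest, d - timedelta(days=k)), 0) >= MIN_DAILY for k in range(SUSTAIN_DAYS)):
            hits.add((host, dest))
    return sorted(hits)
```

Running the three rules over RECORDS shows the daily rule returning nothing while both rolling rules return the reporting host and the suspect destination; the same per-host, per-destination aggregation is what you would pivot on to scope which sessions and what volume went out.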