Question
An internal **service account** (`svc-integration`, used by a partner sync) shows a 12x jump in calls to `GET /api/v2/customers/{id}` over 3 days — but total bytes egress is normal and no DLP fired. The calls walk customer IDs in near-sequential order, succeed (200s), and stay just under the per-account rate limit. The service account is legitimately authorized to read customer records for the sync, so authz isn't denying anything. The partner says they didn't change their integration. How do you triage whether this is exfiltration vs. a runaway job, contain it without breaking a live partner integration, and remediate?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
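The triage signals named in the question (volume jump, near-sequential ID walk, sustained just-under-limit rate, all 200s, unremarkable bytes per call) can be pulled out of the access log mechanically. The following script is an added example for this thread, not code from either poster. It assumes a JSON-lines API access log with the fields `ts`, `principal`, `method`, `path`, `status` and `bytes`, a hypothetical per-account ceiling of 60 requests per minute, and constructed log records: three quiet days of the sync re-reading a handful of known customers, then one day of walking new IDs in order. The "runaway job" comparison case is also constructed: the same baseline followed by a job that re-reads the same three records over and over. Thresholds are starting points, not tuned detections.

```python
"""Triage heuristics for a service account whose customer reads jumped.

Added example, not from the original thread. Assumes a JSON-lines access log
with fields ts, principal, method, path, status, bytes and a hypothetical
per-account limit of 60 requests/minute. All log records are constructed.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta

CUSTOMER_PATH = re.compile(r"^/api/v2/customers/(\d+)$")
RATE_LIMIT_PER_MIN = 60  # hypothetical per-account ceiling
BASELINE = (datetime(2024, 6, 1), datetime(2024, 6, 4))  # three quiet days
INCIDENT = (datetime(2024, 6, 4), datetime(2024, 6, 5))  # the day under review


def _record(ts, cid, status=200, nbytes=1400):
    """One constructed access-log line for svc-integration."""
    return json.dumps({"ts": ts.isoformat(), "principal": "svc-integration",
                       "method": "GET", "path": f"/api/v2/customers/{cid}",
                       "status": status, "bytes": nbytes})


def build_sample_log():
    """Constructed: 20 reads/day over 8 recurring IDs for 3 days, then 240 reads
    walking IDs from 5000 upward (skipping one every seventh call), spaced
    1.1 s apart so each minute holds 55 calls, just under the 60/min limit."""
    lines = []
    known = [42, 77, 101, 9, 315, 77, 42, 208]
    for d in range(3):
        for h in range(20):
            lines.append(_record(BASELINE[0] + timedelta(days=d, hours=h), known[h % 8]))
    start = INCIDENT[0] + timedelta(hours=9)
    for i in range(240):
        lines.append(_record(start + timedelta(milliseconds=1100 * i), 5000 + i + i // 7))
    return lines


def build_retry_loop_log():
    """Constructed: same baseline, then a stuck job re-reading the same 3 IDs."""
    lines = build_sample_log()[:60]
    start = INCIDENT[0] + timedelta(hours=9)
    for i in range(240):
        lines.append(_record(start + timedelta(milliseconds=1100 * i), [42, 77, 101][i % 3]))
    return lines


def parse_lines(lines):
    """Keep only GET reads of a single customer record, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        m = CUSTOMER_PATH.match(rec["path"])
        if not m or rec["method"] != "GET":
            continue
        events.append({"ts": datetime.fromisoformat(rec["ts"]), "principal": rec["principal"],
                       "cid": int(m.group(1)), "status": rec["status"], "bytes": rec["bytes"]})
    events.sort(key=lambda e: e["ts"])
    return events


def peak_per_minute(events):
    """Highest number of calls landing in any one wall-clock minute."""
    buckets = Counter(e["ts"].replace(second=0, microsecond=0) for e in events)
    return max(buckets.values()) if buckets else 0


def sequential_fraction(events, window=5):
    """Share of consecutive reads whose customer ID moved forward by 1..window."""
    ids = [e["cid"] for e in events]
    if len(ids) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return sum(1 for d in steps if 0 < d <= window) / len(steps)


def distinct_ratio(events):
    """Unique IDs / total reads: near 1.0 means every call fetched a new record."""
    return len({e["cid"] for e in events}) / len(events) if events else 0.0


def triage(lines, principal, baseline, incident, limit=RATE_LIMIT_PER_MIN):
    """Compare the incident window with the baseline window and label the pattern."""
    def per_day(evs, win):
        return len(evs) / ((win[1] - win[0]).total_seconds() / 86400)
    evs = [e for e in parse_lines(lines) if e["principal"] == principal]
    base = [e for e in evs if baseline[0] <= e["ts"] < baseline[1]]
    inc = [e for e in evs if incident[0] <= e["ts"] < incident[1]]
    base_rate, peak = per_day(base, baseline), peak_per_minute(inc)
    f = {
        "volume_ratio": round(per_day(inc, incident) / base_rate, 1) if base_rate else None,
        "peak_per_minute": peak,
        "near_rate_ceiling": peak >= 0.8 * limit,          # sustained just under the limit
        "sequential_fraction": round(sequential_fraction(inc), 2),
        "distinct_id_ratio": round(distinct_ratio(inc), 2),
        "success_fraction": round(sum(e["status"] == 200 for e in inc) / len(inc), 2) if inc else None,
        "avg_bytes_per_call": round(sum(e["bytes"] for e in inc) / len(inc)) if inc else None,
    }
    if f["sequential_fraction"] >= 0.8 and f["distinct_id_ratio"] >= 0.9 and (f["volume_ratio"] or 0) >= 5:
        f["pattern"] = "enumeration-like"   # new record on every call, walked in order
    elif f["distinct_id_ratio"] <= 0.2:
        f["pattern"] = "retry-loop-like"    # same records re-read: looks like a stuck job
    else:
        f["pattern"] = "inconclusive"
    return f


if __name__ == "__main__":
    for name, log in (("id walk", build_sample_log()), ("retry loop", build_retry_loop_log())):
        print(name, triage(log, "svc-integration", BASELINE, INCIDENT))
```

The distinct-ID ratio is the single most useful separator here: a stuck retry loop or a mis-scheduled full sync tends to re-read records it already has, while an ID walk fetches a new record on almost every call, so "volume up, distinct ratio near 1.0, sequential fraction high, peak pinned just under the limit" is the shape to escalate. These numbers give a hypothesis to put to the partner (their job run IDs and start times against the incident window), not a verdict on their own.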