A notification population of 1.2 million records and a regulatory fine exposure in the eight figures should not rest on the phrase “likely exfiltrated based on outbound traffic patterns.” Yet that is the language that routinely appears in IR reports submitted to DPAs, reinsurers, and subrogation panels — language that collapses the moment opposing counsel asks which packet capture, which proxy log, which netflow record the assertion rests on.
Proving exfiltration is not the same as suspecting it. The two are separated by artifacts, methodology, and a willingness to write down what is not known.
What Counts as Evidence of Egress
Exfiltration claims survive adversarial scrutiny when each assertion is bound to a specific artifact class. The defensible categories are narrow: full packet captures with payload, proxy logs with byte counts and destination tuples, netflow or IPFIX records with session duration and volumetrics, cloud audit logs (S3 GetObject, Graph API calls, Drive export events) with object identifiers, and EDR telemetry showing process-to-socket lineage with file handles.
Everything else — firewall summary statistics, SIEM alerts, threat intel matches on a destination IP — is corroborative at best. It supports an exfiltration finding. It does not establish one.
The Confidence Interval Discipline
At Hexmortem, every exfiltration finding is published with an explicit confidence level and the artifact basis it rests on. A finding might read: high confidence that 14.2 GB egressed to 185.x.x.x between 02:14 and 02:47 UTC, reconstructed from full packet capture; medium confidence on file-level contents, reconstructed from partial reassembly of TLS-decrypted streams; low confidence that the staging archive included the HR database, inferred from filesystem timestamps without direct read evidence.
That structure is not stylistic. It is what allows a finding to hold under a DPA technical review or a reinsurer challenge. A report that asserts “approximately 50 GB of sensitive data was exfiltrated” without artifact attribution is not an evidentiary document. It is a narrative.
When Bytes-on-Wire Reconstruction Is Required
Notification populations and regulatory exposure scale with scope. When the difference between 200,000 and 2 million notified individuals turns on whether a database export completed or aborted mid-transfer, hand-waved estimates are not defensible. The Hexmortem Exfiltration Scoping Audit replaces those estimates with bytes-on-wire reconstruction: session-level volumetrics tied to specific destinations, content reconstruction where TLS keys or unencrypted segments permit, and a stated confidence interval on every population estimate.
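The artifact-bound, confidence-graded volumetrics that the artifact classes, the finding format and the audit description above call for, as an added Python example that is not Hexmortem's own tooling or method: it aggregates constructed netflow/pcap-style session records per destination tuple, counts a session that appears in two artifact sources only once (taking the byte count from the higher-fidelity source), and binds each finding's confidence level to the artifact classes actually present. The artifact fidelity ranking, the sample addresses (RFC 5737 documentation range) and the byte counts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Artifact classes the text treats as able to establish egress on their own,
# ranked by fidelity (the ranking is an assumption), versus those that only
# corroborate a finding.
ESTABLISHING_RANK = {"pcap": 0, "proxy": 1, "netflow": 2, "cloud_audit": 3, "edr": 4}
CORROBORATIVE = {"firewall_summary", "siem_alert", "threat_intel"}


@dataclass(frozen=True)
class Record:
    artifact: str   # artifact class the record was taken from
    src: str
    dst: str
    dport: int
    start: datetime
    end: datetime
    bytes_out: int  # 0 for artifacts carrying no volumetrics (e.g. a TI match)


@dataclass
class Finding:
    dst: str
    dport: int
    bytes_out: int
    first_seen: datetime
    last_seen: datetime
    artifacts: frozenset
    confidence: str
    basis: str


def rank(artifact):
    return ESTABLISHING_RANK.get(artifact, 99)


def dedupe_sessions(records):
    """Collapse records describing the same session (same 4-tuple and start
    time) so a session seen in both pcap and netflow is counted once, using
    the byte count from the highest-fidelity artifact."""
    by_session = {}
    for r in records:
        key = (r.src, r.dst, r.dport, r.start)
        best = by_session.get(key)
        if best is None or rank(r.artifact) < rank(best.artifact):
            by_session[key] = r
    return list(by_session.values())


def grade(artifacts):
    """Bind a confidence level to the artifact classes actually present."""
    establishing = {a for a in artifacts if a in ESTABLISHING_RANK}
    if "pcap" in establishing:
        return "high", "full packet capture with payload"
    if establishing:
        return "medium", "session metadata without payload: " + ", ".join(sorted(establishing))
    return "low", "corroborative artifacts only; egress not established"


def build_findings(records):
    """One finding per destination tuple: volume, window, artifact basis, confidence."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.dst, r.dport)].append(r)
    findings = []
    for (dst, dport), recs in groups.items():
        all_artifacts = frozenset(r.artifact for r in recs)
        sessions = dedupe_sessions(recs)
        conf, basis = grade(all_artifacts)
        findings.append(Finding(
            dst=dst, dport=dport,
            bytes_out=sum(s.bytes_out for s in sessions),
            first_seen=min(s.start for s in sessions),
            last_seen=max(s.end for s in sessions),
            artifacts=all_artifacts, confidence=conf, basis=basis))
    return sorted(findings, key=lambda f: f.bytes_out, reverse=True)


def render(f):
    """Render a finding in the artifact-attributed form the text describes."""
    window = f"{f.first_seen:%H:%M}-{f.last_seen:%H:%M} UTC"
    return (f"{f.confidence} confidence: {f.bytes_out / 1e9:.1f} GB to {f.dst}:{f.dport} "
            f"{window}; basis: {f.basis}")


def _t(hh, mm):
    return datetime(2024, 3, 2, hh, mm, tzinfo=timezone.utc)


# Constructed sample records (not from any real matter). The 10.0.5.17 ->
# 203.0.113.5 sessions appear in both pcap and netflow and must not be
# double-counted; the last destination is backed only by a threat-intel match.
SAMPLE = [
    Record("pcap",    "10.0.5.17", "203.0.113.5",  443, _t(2, 14), _t(2, 30), 8_100_000_000),
    Record("netflow", "10.0.5.17", "203.0.113.5",  443, _t(2, 14), _t(2, 30), 8_099_500_000),
    Record("pcap",    "10.0.5.17", "203.0.113.5",  443, _t(2, 31), _t(2, 47), 6_100_000_000),
    Record("netflow", "10.0.5.17", "203.0.113.5",  443, _t(2, 31), _t(2, 47), 6_099_800_000),
    Record("netflow", "10.0.5.17", "203.0.113.9",  22,  _t(3, 2),  _t(3, 9),  900_000_000),
    Record("threat_intel", "10.0.5.17", "203.0.113.44", 443, _t(3, 30), _t(3, 30), 0),
]

if __name__ == "__main__":
    for finding in build_findings(SAMPLE):
        print(render(finding))
```

The deduplication step is the part worth keeping in mind when reconciling several artifact sources: summing pcap and netflow byte counts for the same session silently inflates the egress figure, which is exactly the kind of number that will not survive a reinsurer's technical review. The grading keeps a destination backed only by a threat-intel match in the report, but at low confidence with the basis stated, rather than dropping it or letting it masquerade as established egress.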
The audit is built for matters where indemnity limits, GDPR Article 33/34 obligations, or subrogation causation hinge on egress scope being precise rather than conservative-by-default.
Why Reconstruction Often Comes Late
Most exfiltration disputes surface 60 to 180 days after the incident, when the carrier’s claims team or counsel begins testing the original IR narrative against the notification cost or fine exposure it now drives. By then, the EDR retention window has rolled, the proxy logs have aged out, and the affected hosts have been rebuilt. This is the operating range of Cold-Case Reconstruction — forensic rebuild from fragmented artifacts when the live evidentiary record is gone.
What survives is often sufficient: memory snapshots captured during initial triage, restored backups with filesystem metadata, cloud audit trails (which are typically retained longer than on-prem logs), and the original IR vendor’s own collected artifacts. The reconstruction methodology is different from live IR, and so is the deliverable.
What the Final Document Has to Do
An exfiltration finding submitted to a regulator, produced in litigation, or relied upon by a reinsurer must do three things: name the artifacts, state the methodology, and disclose the confidence interval. If any of the three is missing, the finding is operational rather than evidentiary — useful for remediation, but not durable under cross-examination.
If the original report on your matter asserts exfiltration scope without those three elements, or if the scope figure is now driving claim or notification economics that need to hold up to challenge, Hexmortem conducts independent reconstructions sized to the evidentiary record that remains. The lab sells no tooling, runs no live IR practice, and holds no carrier retainers — which is the structural reason it can be engaged when the original responder cannot.