When indemnity limits, regulatory fines, and notification costs all turn on the precise scope of data egress, the phrase “approximately 40 GB exfiltrated” is not a finding. It is an estimate, and estimates do not survive a reinsurer challenge or a DPA technical review.
An exfiltration scoping audit replaces estimates with reconstruction. The methodology below is how Hexmortem structures the work product so each finding holds under cross-examination.
Bytes-on-Wire Reconstruction
The core of the audit is reconstructing what actually traversed the network boundary, from the artifacts that remain. The primary sources are full packet captures where they exist, proxy logs with byte-count and destination tuples, netflow or IPFIX records with session-level volumetrics, and TLS-decrypted segments where key material or middlebox logging permits content recovery.
Each session is reconstructed independently and bound to its source artifact. A finding does not read “data egressed to 185.x.x.x.” It reads: 14.2 GB transferred between 02:14:08 and 02:47:33 UTC on the date in question, reconstructed from netflow record set N-2847 and corroborated by proxy log entries P-118431 through P-118502, with destination ASN and reverse DNS captured from the original artifacts.
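As an added illustration of the per-session reconstruction described above (example code, not Hexmortem's tooling), the script below sums egress bytes to one destination inside the stated window from netflow and proxy records independently, binds each total to the record ids it came from, and marks the volumetric finding corroborated only when the two independent sources agree within a tolerance. The destination IP, date, record ids, byte counts and the 5% tolerance are constructed sample values, not figures from any real matter.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Flow:               # one netflow/IPFIX record: id, start/end (ISO-8601 UTC), dst, bytes out
    rec_id: str; start: str; end: str; dst: str; out_bytes: int

@dataclass
class ProxyEntry:         # one proxy log line with timestamp, destination and byte count
    entry_id: str; ts: str; dst: str; bytes_sent: int

def _t(s):                # ISO-8601 string -> timezone-aware UTC datetime
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def reconstruct_egress(flows, proxy, dst, window, tolerance=0.05):
    """Sum bytes to `dst` inside `window` from netflow and proxy logs separately,
    keep the source record ids, and corroborate when the totals agree within `tolerance`."""
    w0, w1 = map(_t, window)
    nf = [f for f in flows if f.dst == dst and w0 <= _t(f.start) and _t(f.end) <= w1]
    px = [p for p in proxy if p.dst == dst and w0 <= _t(p.ts) <= w1]
    nf_bytes = sum(f.out_bytes for f in nf)
    px_bytes = sum(p.bytes_sent for p in px)
    corroborated = nf_bytes > 0 and abs(nf_bytes - px_bytes) / nf_bytes <= tolerance
    return {
        "destination": dst,
        "window_utc": window,
        "netflow_bytes": nf_bytes,
        "netflow_records": [f.rec_id for f in nf],
        "proxy_bytes": px_bytes,
        "proxy_entries": [p.entry_id for p in px],
        "corroborated": corroborated,
        # a single uncorroborated source supports only a medium-confidence volumetric claim
        "volumetric_confidence": "high" if corroborated else "medium",
    }

# Constructed sample artifacts (not real data): two flows inside the window,
# one after it, and one to an unrelated destination that must be excluded.
FLOWS = [
    Flow("N-2847", "2024-03-02T02:14:08", "2024-03-02T02:30:00", "203.0.113.7", 7_500_000_000),
    Flow("N-2848", "2024-03-02T02:30:00", "2024-03-02T02:47:33", "203.0.113.7", 6_700_000_000),
    Flow("N-2849", "2024-03-02T03:10:00", "2024-03-02T03:12:00", "203.0.113.7", 50_000_000),
    Flow("N-2850", "2024-03-02T02:20:00", "2024-03-02T02:21:00", "198.51.100.9", 4_000_000),
]
PROXY = [
    ProxyEntry("P-118431", "2024-03-02T02:14:10", "203.0.113.7", 7_450_000_000),
    ProxyEntry("P-118502", "2024-03-02T02:47:30", "203.0.113.7", 6_650_000_000),
    ProxyEntry("P-118600", "2024-03-02T03:10:05", "203.0.113.7", 50_000_000),
]
```

Calling `reconstruct_egress(FLOWS, PROXY, "203.0.113.7", ("2024-03-02T02:14:08", "2024-03-02T02:47:33"))` yields a 14.2 GB netflow total bound to N-2847 and N-2848, a 14.1 GB proxy total bound to P-118431 and P-118502, and a corroborated high-confidence finding; the out-of-window and unrelated-destination records are excluded rather than silently folded into the number.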
Content Attribution and the Limits of Inference
Volumetric reconstruction establishes that bytes left. Content attribution — what those bytes contained — operates on a separate evidentiary track and frequently at a lower confidence level.
Direct content evidence comes from packet payload reassembly, unencrypted protocol captures, and source-side artifacts (filesystem read events, database query logs, application audit trails timestamped to the egress window). Inferential content evidence comes from staging artifacts: archives assembled on disk before transfer, filesystem timestamps clustered near the egress window, process command lines indicating which directories were enumerated.
Hexmortem publishes both, separately. A finding might read: high confidence on 14.2 GB volumetric egress; medium confidence that the egress contained the contents of staging archive C:\ProgramData\temp\backup.7z reconstructed from filesystem journaling; low confidence that the archive included the customer database export, inferred from process lineage without direct read evidence.
Notification Population Mapping
For matters where the audit drives GDPR Article 33/34 notification, state breach law obligations, or contractual breach notification clauses, volumetric and content findings are mapped to affected data populations with a stated methodology.
This is where the audit produces its highest-stakes output. A finding that a 4.2 GB archive of customer records left the network is not equivalent to a finding that 340,000 individuals require notification. The mapping methodology — record size assumptions, deduplication logic, schema reconstruction from staging artifacts — is documented explicitly so the population estimate can be tested by counsel and challenged by opposing experts.
The Deliverable
The audit output is a Technical Evidence Board: a hash-verified, exhibit-grade document where each assertion is bound to its underlying artifact, methodology, and confidence interval. It is engineered for adversarial venues — DPA technical reviews, reinsurer panels, deposition exhibits, subrogation submissions.
What it does not do is present a single tidy egress number. Egress is a distribution of findings across artifacts, and the report reflects that distribution. A reader gets the highest-confidence number, the corroborating evidence, the inferential extensions, and the explicit gaps in the record.
When the Audit Is the Right Engagement
The scoping audit is built for matters where the original IR report’s egress finding is being tested — by a carrier reconciling notification costs against the preliminary scope, by counsel preparing for litigation, by a reinsurer reviewing a large claim, or by subrogation counsel building causation against a third-party vendor.
It is not built for live containment, and it does not replace the operational IR work that has already occurred. It addresses a specific question the original engagement was rarely scoped to answer with evidentiary precision.
If the egress scope on your matter is now driving claim economics that need to hold up to challenge, the conversation to have is whether the artifacts that remain can support a reconstruction at the confidence level the venue requires. Hexmortem scopes that question before any engagement begins, because an audit that cannot reach the required confidence interval is not worth conducting.