TA0010: Exfiltration
The adversary is trying to steal data.
Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
Analyst context for executives and security teams
Exfiltration is the point where an intrusion becomes a data-loss event: the adversary is trying to remove stolen data from the environment. For business leaders, this tactic matters because it drives breach notification decisions, legal and regulatory exposure, customer trust impact, and incident response urgency. MITRE notes that adversaries may package data with compression or encryption and move it through command-and-control or alternate channels, sometimes with size limits to avoid detection.
Executive priority
Prioritize Exfiltration as a resilience and evidence-readiness concern, not only a network security issue. Leaders should ask whether the organization can prove what data left, through which paths, and when. Budget and control decisions should focus on visibility into outbound data movement, containment procedures, and incident response evidence needed for legal, privacy, audit, and executive decision-making.
Technical view
Because this is a tactic-level ATT&CK object with no platform-specific detection guidance, SOC and IR teams should validate coverage across the full range of exfiltration behaviors rather than relying on a single analytic. Confirm whether monitoring can identify unusual outbound transfers, use of command-and-control channels for data movement, alternate egress paths, compressed or encrypted payload movement, and repeated small transmissions. Detection engineering should tie alerts to data collection context, staging behavior, and outbound transfer evidence where available, while IR playbooks should preserve the network, endpoint, identity, and data-access evidence needed to determine scope.
Likely telemetry
- Outbound network flow and proxy logs
- Firewall, secure web gateway, and egress control logs
- DNS and command-and-control related network telemetry
- Endpoint file activity showing data staging, compression, or encryption
- Cloud, SaaS, and storage access logs where applicable to local architecture
Detection direction
- Validate that outbound transfer monitoring is not limited to known malware channels; MITRE notes exfiltration may use command-and-control or alternate channels.
- Tune for patterns consistent with packaged data movement, such as compressed or encrypted archives followed by outbound transfer, while accounting for legitimate backup, software distribution, and business file-transfer workflows.
- Look for low-and-slow or size-limited transfer patterns, since the ATT&CK description notes adversaries may limit transmission size.
- Correlate data access, staging, compression or encryption, and egress events rather than relying on a single network alert.
- Document blind spots where encrypted traffic, unmanaged endpoints, unmonitored cloud services, or missing egress logs prevent confident scoping.
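The correlation and low-and-slow points above, worked as a small detection routine. This is an added example, not code from the ATT&CK page, MITRE, or Glexia: the endpoint file events and outbound flow records are constructed for illustration in a simplified, hypothetical schema, the approved-destination list and the byte and count thresholds are assumptions to be tuned locally, and archive creation is used as a stand-in for the staging signal a real EDR would provide.

```python
"""Added example (not from the ATT&CK page or Glexia): correlate endpoint data
staging with outbound flows, including size-limited (low-and-slow) patterns.

All log records below are constructed for illustration and use a simplified,
hypothetical schema; field names and thresholds are assumptions, not any
vendor's format or official ATT&CK detection guidance."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed business-approved bulk transfer destinations (backup, software distribution).
APPROVED_EGRESS = {"backup.example-internal.net"}

# Tunables; the values are assumptions for the example, not recommendations.
STAGING_WINDOW = timedelta(hours=2)    # egress must follow archive creation within this window
BULK_BYTES = 50 * 1024 * 1024          # aggregate bytes to one destination treated as bulk movement
SMALL_FLOW_BYTES = 1024 * 1024         # an individual flow below this is "small"
MIN_SMALL_FLOWS = 10                   # this many small flows to one destination = low-and-slow
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".tar.gz", ".gpg")


def find_staging(file_events):
    """Archive creation on an endpoint is treated as possible data staging.
    Returns a list of (host, created_at, path)."""
    staged = []
    for ev in file_events:
        if ev["action"] == "create" and ev["path"].lower().endswith(ARCHIVE_EXTENSIONS):
            staged.append((ev["host"], datetime.fromisoformat(ev["ts"]), ev["path"]))
    return staged


def correlate(file_events, flow_events):
    """Flag outbound transfers that follow staging on the same host, either as one
    bulk movement or as many small flows to one destination (size-limited pattern)."""
    staging = find_staging(file_events)
    flows = defaultdict(list)  # (host, dst) -> [(time, bytes_out), ...]
    for fl in flow_events:
        if fl["direction"] == "outbound":
            flows[(fl["host"], fl["dst"])].append((datetime.fromisoformat(fl["ts"]), fl["bytes_out"]))

    findings = []
    for (host, dst), records in flows.items():
        if dst in APPROVED_EGRESS:
            continue  # approved workflow; tune rather than alert on every bulk transfer
        host_staging = [s for s in staging if s[0] == host]
        # Keep only flows that occur inside the window after some staging event on this host.
        in_window = []
        for when, nbytes in records:
            hits = [s for s in host_staging if s[1] <= when <= s[1] + STAGING_WINDOW]
            if hits:
                in_window.append((when, nbytes, hits[0][2]))
        if not in_window:
            continue  # uncorrelated egress is left to a separate volume-based rule
        total = sum(n for _, n, _ in in_window)
        small = sum(1 for _, n, _ in in_window if n < SMALL_FLOW_BYTES)
        if total >= BULK_BYTES:
            reason = "bulk egress after staging"
        elif small >= MIN_SMALL_FLOWS:
            reason = "low-and-slow egress after staging"
        else:
            continue
        findings.append({"host": host, "dst": dst, "reason": reason, "flows": len(in_window),
                         "bytes_out": total, "staged_file": in_window[0][2]})
    return sorted(findings, key=lambda f: (f["host"], f["dst"]))


# Constructed sample telemetry (hypothetical hosts, RFC 5737 documentation addresses).
FILE_EVENTS = [
    {"ts": "2026-02-03T09:00:00", "host": "ws-17", "action": "create",
     "path": r"C:\Users\a.user\AppData\Local\Temp\q.7z"},
    {"ts": "2026-02-03T13:00:00", "host": "ws-22", "action": "create",
     "path": "/home/b.user/.cache/export.tar.gz"},
    {"ts": "2026-02-03T13:05:00", "host": "ws-22", "action": "create",
     "path": "/home/b.user/notes.txt"},  # not an archive, ignored
]
FLOW_EVENTS = (
    # ws-17: twelve 512 KiB flows to one external address within an hour of staging
    [{"ts": f"2026-02-03T09:{5 + 4 * i:02d}:00", "host": "ws-17", "dst": "203.0.113.25",
      "direction": "outbound", "bytes_out": 512 * 1024} for i in range(12)]
    # ws-17: large transfer to the approved backup service, expected to be suppressed
    + [{"ts": "2026-02-03T09:30:00", "host": "ws-17", "dst": "backup.example-internal.net",
        "direction": "outbound", "bytes_out": 80 * 1024 * 1024}]
    # ws-22: single 60 MiB transfer thirty minutes after creating an archive
    + [{"ts": "2026-02-03T13:30:00", "host": "ws-22", "dst": "198.51.100.7",
        "direction": "outbound", "bytes_out": 60 * 1024 * 1024}]
    # ws-30: large transfer with no staging evidence; outside this correlation rule
    + [{"ts": "2026-02-03T15:00:00", "host": "ws-30", "dst": "198.51.100.9",
        "direction": "outbound", "bytes_out": 70 * 1024 * 1024}]
)

if __name__ == "__main__":
    for finding in correlate(FILE_EVENTS, FLOW_EVENTS):
        print(finding)
```

Run as-is, it reports two findings: the twelve small flows from ws-17 to 203.0.113.25 (low-and-slow) and the single 60 MiB transfer from ws-22 (bulk). The 80 MiB transfer to the approved backup destination is suppressed, and the ws-30 transfer is ignored because no staging precedes it, which is exactly the kind of blind spot the last bullet asks teams to document: a staging-gated rule needs a companion volume-based rule for hosts without endpoint telemetry.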
Mitigation priorities
- Establish and enforce egress visibility and control for approved data-transfer paths.
- Reduce unnecessary outbound channels and require business justification for alternate transfer mechanisms.
- Improve data classification and logging so IR teams can determine whether sensitive data was involved.
- Harden monitoring around data staging, compression, encryption, and outbound movement without assuming all encrypted traffic is malicious.
- Prepare incident response procedures for rapid containment, evidence preservation, legal review, and breach assessment.
Analyst notes and limits
This object is a tactic, not a specific technique. The supplied ATT&CK fields define the adversary objective as stealing data and describe common exfiltration characteristics such as packaging, compression, encryption, command-and-control channels, alternate channels, and size-limited transmissions. No relationship context or official detection guidance was supplied, so this take focuses on defensive validation questions and evidence classes rather than specific analytics.
Platforms, official detection guidance, and related techniques were not supplied for this object. Local architecture, data locations, approved transfer workflows, cloud/SaaS usage, and available telemetry are required to determine actual detection coverage or control gaps.
Exfiltration
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6c4e2e42d208… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: TA0010 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.