A link to an example data set based on this blog can be found here.
Modern data exfiltration has become a study in patience and camouflage. Attackers no longer rely on bulk transfers over unusual ports or connections to flagged infrastructure. The techniques that define current exfiltration are precisely calibrated to exploit one core assumption: that malicious activity looks different from normal activity. Increasingly, it does not. And artificial intelligence is accelerating how effectively attackers can maintain that illusion.
This post examines why exfiltration is so difficult to detect at the network level, how AI has compounded that difficulty, and why the structural properties of exfiltration behavioral timelines mean it remains detectable, regardless of how the data moves.
Why individual flows tell you almost nothing
Network-level exfiltration detection has always faced a fundamental problem: the unit of observation is wrong. A single flow between an endpoint and a cloud storage service proves nothing. It could be a scheduled backup, a developer syncing a repository, or a SaaS tool doing its job. Without context, a flow is just a flow.
Attackers have systematically exploited this for years. They use legitimate protocols (HTTPS, DNS), trusted destinations (cloud APIs, CDNs, SaaS platforms), session fragmentation to distribute transfers across many short connections, and rate limiting to stay under volume thresholds. Living-off-the-land tooling like rclone, curl, and PowerShell Invoke-WebRequest produces flows that are structurally identical to legitimate administrative traffic at the event level. Each individual flow is designed to be unremarkable in isolation.
The result is that by the time exfiltration completes, every flow that carried it appeared benign. The detection opportunity was never in the events themselves. It was in the relationship between them.
How AI has compounded the problem
Artificial intelligence has introduced several new dimensions to the exfiltration problem that go beyond traditional technique refinement.
LLM APIs as exfiltration channels. Attackers are already weaponizing LLMs across multiple phases of intrusion, and exfiltration channels are no exception. Traffic to AI inference endpoints is universally trusted, TLS-encrypted, and behaviorally indistinguishable from legitimate developer or enterprise AI usage. Researchers have documented how data encoded in prompts sent to these services can be retrieved without triggering any network-level controls. The destination is approved. The protocol is expected. The volume is modest. There is nothing for a signature or reputation system to act on.
AI-optimized evasion. Microsoft Threat Intelligence has documented nation-state actors using LLMs specifically for anomaly detection evasion: using AI to develop methods that help malicious activity blend into normal traffic patterns. This is documented attacker behavior from tracked threat groups. The implication is that an adversary can now reason systematically about what a specific environment's baseline looks like and construct an exfiltration plan that stays entirely within it. The deviation that traditional detection waits for is engineered out before the operation begins.
AI IP as the exfiltration target. Proprietary model weights, fine-tuning datasets, embedding stores, and RAG knowledge bases represent high-value intellectual property with relatively modest transfer volume. Palo Alto Unit 42 documented how model exfiltration via poisoned deployments in cloud AI platforms can move proprietary models without triggering conventional data loss controls. MLOps-style traffic and model checkpoint uploads provide effective cover because they look exactly like legitimate engineering operations.
Indirect exfiltration through AI agents. Multi-modal AI agents introduce paths that produce no obvious network event at all from the defender's perspective. Trend Micro research shows how hidden instructions embedded in documents processed by AI agents can trigger data transfer to attacker-controlled endpoints without any user interaction. The network sees an outbound connection to a legitimate destination. Nothing in the flow record distinguishes it from normal agent activity.
The problem these techniques share is structural: they attack the assumption that detection systems can identify exfiltration by finding what is different. When AI helps attackers model what normal looks like and stay within it, the deviation never appears. Anomaly-based detection has no signal to act on because the anomaly has been removed.
What stays constant regardless of how exfil is packaged
Here is the detection insight that changes the picture.
While attackers can make individual flows appear completely normal, they cannot make the behavioral timeline structure of exfiltration resemble the behavioral timeline structure of legitimate operational traffic. Exfiltration has a structural signature. The relationship between forward and backward bytes across flows between two endpoints reflects that data is leaving rather than arriving. Session cadence, duration distribution, and service destination patterns follow arrangements that backup jobs, API polling, and heartbeat traffic do not produce, even when each individual event is constructed to be unremarkable. An exfiltration behavioral timeline looks like an exfiltration behavioral timeline. That structure is not something an attacker can eliminate while still accomplishing the objective of moving data out.
Individual flows (all appear normal in isolation)
            |
            v
Behavioral timeline construction
(all flows between endpoint pair)
            |
            v
LogLM: behavioral embedding
(structural representation of the full timeline)
            |
            v
Classifier: intent assignment
            |
     _______|________
     |              |
[Operational]  [Exfiltration]
                MITRE TA0010
This is not anomaly detection. Anomaly detection asks whether something deviates from a learned baseline. Attackers operating with AI assistance can and do stay within baselines. What DeepTempo's LogLM foundation model learns is the structural signature of behavioral timelines themselves: what operational behavioral timelines look like, what exfiltration behavioral timelines look like, and how those structural patterns differ even when individual flows appear identical to benign traffic.
The two-stage architecture is what makes this work. The LogLM foundation model produces behavioral embeddings, compact representations of the complete structure of a behavioral timeline across all flows between an endpoint pair. A classifier then interprets those embeddings to assign intent: does this behavioral timeline match operational activity, or does its structure match exfiltration patterns? This evaluation happens at the behavioral timeline level, not the event level. A single flow to an S3 bucket is not the detection unit. The behavioral timeline of all flows between those two endpoints, evaluated as a complete structural object, is. Each behavioral timeline is evaluated independently for what it is trying to accomplish.
This means LLM API channels, cloud storage endpoints, CDN destinations, and indirect agent-mediated transfers do not provide evasion at the structural level. The exfiltration behavioral timeline still carries the structural signature of exfiltration. The destination does not change that. The protocol does not change that. The rate limiting does not change that. The structural pattern of data leaving an endpoint pair is what it is, and it does not look like data staying in.
The detection also generalizes. It does not require a known exfiltration technique, a recognized destination, a volume threshold, or a signature match. A novel AI-mediated channel used for the first time produces a behavioral timeline. That behavioral timeline has a structure. If the structure matches learned exfiltration patterns, it is classified accordingly, regardless of whether the specific mechanism has been seen before. Zero-shot accuracy in this context does not mean guessing: it means the foundation model already learned what exfiltration behavioral timelines structurally look like before deployment in a given environment. That learning transfers across environments and across techniques.
For more context on how this plays out in practice, see how attackers stay invisible and zero-shot detection in practice.
What this means for detection engineers
Event-level inspection and threshold-based rules do not have access to the structural signal described above. They operate on individual flows and have no way to evaluate the behavioral timeline as a complete object. AI-optimized exfiltration is specifically designed to defeat event-level detection. The detection surface it leaves behind is only visible at the behavioral timeline level.
The practical implication is that detection coverage for AI-mediated exfiltration requires a system that evaluates behavioral timelines as the primary unit of analysis, not individual flows. A system that only looks at events will miss the structure. A system that compares events to baselines will miss the intent. The structural approach is what survives when attackers use AI to eliminate every other signal.
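The contrast drawn above between event-level rules and timeline-level evaluation, and the timeline features named earlier (forward versus backward bytes between an endpoint pair, session cadence, duration distribution), can be made concrete in code. The following is an added example, not DeepTempo's code and not the LogLM model: the flow records, the endpoint names, the per-flow volume threshold and the stand-in classification rule are all constructed for illustration. It groups flows by endpoint pair into a timeline, extracts structural features from the whole timeline, and shows that a per-flow threshold rule raises nothing while the timeline-level view does.

```python
"""Added example (not DeepTempo's code): per-flow rule vs. endpoint-pair timeline.
All flow records, host names and thresholds below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start time, seconds since epoch (constructed)
    src: str         # internal endpoint
    dst: str         # destination host
    dport: int       # destination port
    fwd_bytes: int   # bytes sent src -> dst
    bwd_bytes: int   # bytes sent dst -> src
    duration: float  # flow duration in seconds


# Constructed sample data for two endpoint pairs.
# Pair A: a workstation pushing many small, rate-limited HTTPS uploads to a trusted
#         storage host; every individual flow stays far below the per-flow threshold.
# Pair B: a developer host pulling from a package mirror; traffic is mostly inbound.
FLOWS = [
    Flow(1_700_000_000 + i * 300, "10.0.1.25", "storage.example-cloud.test", 443,
         fwd_bytes=900_000, bwd_bytes=4_000, duration=2.5)
    for i in range(40)
]
FLOWS += [
    Flow(1_700_000_000 + i * 173, "10.0.1.40", "mirror.example-pkg.test", 443,
         fwd_bytes=3_000, bwd_bytes=2_500_000, duration=8.0 + (i % 5))
    for i in range(12)
]

# Constructed per-flow volume threshold (20 MB): the kind of rule fragmentation defeats.
PER_FLOW_BYTE_THRESHOLD = 20_000_000


def event_level_alerts(flows):
    """Classic event-level rule: alert on any single flow whose outbound bytes exceed the threshold."""
    return [f for f in flows if f.fwd_bytes > PER_FLOW_BYTE_THRESHOLD]


def build_timelines(flows):
    """Group flows by (src, dst) endpoint pair and order each group by start time."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    return {pair: sorted(fs, key=lambda f: f.ts) for pair, fs in groups.items()}


def timeline_features(timeline):
    """Structural features of one endpoint-pair timeline: direction, cadence, duration."""
    fwd = sum(f.fwd_bytes for f in timeline)
    bwd = sum(f.bwd_bytes for f in timeline)
    gaps = [b.ts - a.ts for a, b in zip(timeline, timeline[1:])]
    durations = [f.duration for f in timeline]
    gap_mean = mean(gaps) if gaps else 0.0
    return {
        "sessions": len(timeline),
        "fwd_bytes": fwd,
        "bwd_bytes": bwd,
        "outbound_ratio": fwd / (fwd + bwd) if fwd + bwd else 0.0,
        "gap_mean": gap_mean,
        # coefficient of variation of inter-session gaps: 0.0 means perfectly regular cadence
        "gap_cv": (pstdev(gaps) / gap_mean) if len(gaps) > 1 and gap_mean else 0.0,
        "duration_mean": mean(durations),
    }


def classify_timeline(feat):
    """Stand-in for the classifier stage. This is a constructed heuristic, not a learned model:
    it flags a timeline that is dominated by outbound bytes, spans many sessions, and moves in
    total more than the per-flow threshold that no single flow crossed."""
    if (feat["sessions"] >= 10
            and feat["outbound_ratio"] > 0.9
            and feat["fwd_bytes"] > PER_FLOW_BYTE_THRESHOLD):
        return "exfiltration"
    return "operational"


def timeline_level_alerts(flows):
    """Evaluate every endpoint-pair timeline as one object and assign an intent label."""
    return {pair: classify_timeline(timeline_features(tl))
            for pair, tl in build_timelines(flows).items()}


if __name__ == "__main__":
    print("event-level alerts:", len(event_level_alerts(FLOWS)))      # 0
    for pair, verdict in timeline_level_alerts(FLOWS).items():
        print(pair, "->", verdict, timeline_features(build_timelines(FLOWS)[pair]))
```

The per-flow rule returns no alerts because each upload is 900 KB, while the timeline for pair A shows 40 sessions, about 99.6% outbound bytes and a fixed 300-second cadence; pair B is inbound-dominated and is labelled operational. The heuristic in `classify_timeline` is only there to show where a learned classifier consumes timeline-level features; it is not a substitute for one.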
Closing note
Modern exfiltration is well-optimized against detection systems that evaluate individual flows, compare events to baselines, or rely on known signatures. AI has extended that optimization to include active evasion of anomaly detection, novel exfiltration channels, and high-value AI intellectual property as a target. None of these changes eliminate the structural signature of the exfiltration behavioral timeline. Exfiltration still looks like exfiltration. The detection system just needs to be evaluating the right unit.
Get in touch to run a 30-day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!
