Section 25 · Data Management
Intrusion Detection
Intrusion detection systems, data exfiltration monitoring, and security alerting for smaller budgets
This guide walks you through auditing a project's intrusion detection capabilities, focusing on data exfiltration detection and alerting for smaller-budget implementations.
The Goal: Early Warning System
Know when someone is stealing your data before they finish, not after the breach report.
- Active IDS — Some form of intrusion detection (WAF, SIEM, or cloud-native tools) is deployed and monitored
- Exfiltration detection — Unusual outbound data volumes trigger alerts, whether via network or API
- Database anomaly monitoring — Large or unusual queries are logged and flagged for review
- Actionable alerts — Security notifications reach the right people immediately with context to act
Before You Start
- Identify infrastructure provider (AWS, GCP, Azure, Cloudflare, etc.)
- Identify CDN/WAF in use (Cloudflare, AWS WAF, Fastly, etc.)
- Identify database type (PostgreSQL, MySQL, MongoDB, etc.)
- Understand project scale: large projects require Critical severity for every item
General Security Monitoring
Some IDS solution in place (WAF, SIEM, cloud-native security, or open-source); appropriate for project scale and budget
“How long would an active breach go unnoticed?”
Data Exfiltration Detection
Monitors outbound data volume per IP/session; thresholds defined for unusual activity; alerts configured
“Would 10GB leaving your network tonight trigger an alert?”
Database queries logged with row counts; thresholds defined for unusual query sizes; alerts on large result sets
“Could someone dump your whole users table undetected?”
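As an added example (not part of this guide), the two checks above expressed as threshold logic over constructed log lines: summed outbound bytes per source IP and rows returned per database query. The log formats, thresholds and sample values are assumptions for illustration; a real deployment would feed these from flow logs and the database audit log.

```python
"""Threshold checks for the two exfiltration signals in the checklist."""
from collections import defaultdict

# Thresholds are assumptions for illustration; tune them to the project's baseline.
OUTBOUND_BYTES_THRESHOLD = 10 * 1024**3   # 10 GiB per source IP per window
ROW_COUNT_THRESHOLD = 50_000              # rows returned by a single query

# Constructed flow records (not real traffic): "src_ip bytes_out".
FLOW_LOG = """\
10.0.0.5 2147483648
10.0.0.7 1048576
10.0.0.5 9663676416
10.0.0.9 2048
""".splitlines()

# Constructed database audit records: "user|statement|row_count".
DB_LOG = """\
app_svc|SELECT id, email FROM users WHERE id = $1|1
report_job|SELECT * FROM orders WHERE created_at > $1|12000
app_svc|SELECT * FROM users|180000
""".splitlines()

def outbound_bytes_per_ip(lines):
    """Sum outbound bytes per source IP over the whole window."""
    totals = defaultdict(int)
    for line in lines:
        ip, nbytes = line.split()
        totals[ip] += int(nbytes)
    return dict(totals)

def flag_exfil_ips(lines, threshold=OUTBOUND_BYTES_THRESHOLD):
    """Return source IPs whose summed outbound volume exceeds the threshold."""
    return sorted(ip for ip, total in outbound_bytes_per_ip(lines).items()
                  if total > threshold)

def flag_large_queries(lines, threshold=ROW_COUNT_THRESHOLD):
    """Return (user, statement) for queries returning more rows than allowed."""
    hits = []
    for line in lines:
        user, stmt, rows = line.split("|")
        if int(rows) > threshold:
            hits.append((user, stmt))
    return hits

if __name__ == "__main__":
    for ip in flag_exfil_ips(FLOW_LOG):
        print(f"ALERT outbound volume over threshold: {ip}")
    for user, stmt in flag_large_queries(DB_LOG):
        print(f"ALERT large result set: {user} ran {stmt!r}")
```

The per-IP sum is what catches a transfer split into many smaller connections, which a per-request check would miss.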