Squirrel exfil and exit
A one-day workshop where stealth meets strategy—learn how data leaves the forest, and how defenders spot it.
What is it?
In the Red part of the forest, the squirrel is small, quick, and adept at moving valuable things unnoticed. The “OUT” workshop focuses on exfiltration—how data or digital assets can be moved out of a network or system safely, and how defenders detect these movements. Participants explore controlled, low-tech exercises to understand risk without touching live production systems.
Why it matters
Exfiltration is the endgame of most attacks. If information leaves unnoticed, the impact can be severe. By practicing and understanding these methods in a safe lab, teams gain insight into defensive controls, monitoring gaps, and organizational habits that could be exploited.
Workshop flow (what participants do)

Session | Activity | Background link |
---|---|---|
Squirrel stash (Morning) | Examine common channels for data leaving a system (USB, documents, logs). Learn how small signals can indicate data movement. | |
Pathways and tunnels (Midday) | Simulate safe exfil in a lab environment: moving small sample files between isolated networks, observing traces and signals. | |
Mapping the escape (Afternoon) | Teams create a visual map of the exfiltration paths explored, identify potential weak points, and reflect on defensive strategies. | |

What you’ll walk away with
Practical understanding of how data can be exfiltrated.
Awareness of signals and traces that defenders can monitor.
A simple visual map of exfiltration paths.
Improved collaboration between technical and non-technical staff on security awareness.
Who is this for?
Security teams and analysts who want hands-on experience with exfil techniques.
Technical staff seeking insight into how data leaves systems and how to detect it.
Non-technical staff interested in organizational risk and awareness.
Delivery at a glance
Duration: Full-day, split into morning, midday, and afternoon sessions with lab exercises and group reflections.
Setup: Local lab environment provided; no cloud required. Participants can use laptops or small isolated networks.
Why it works: Participants practice realistic methods in a guided, narrative format—learning through hands-on exploration and discussion, without jargon.