Illustrative scenario: spotting anomalous egress without reading a file
Context
A health-tech company operates a data platform holding sensitive records. A team of analysts, engineers, and data scientists queries a warehouse and object storage daily. Access is legitimately broad — these people are supposed to touch data — which makes "who's allowed" a poor risk signal on its own. Because of the data's sensitivity, content inspection is exactly what they want to avoid doing to their own staff, and regulatory expectations make over-collection its own liability.
The challenge
The risk that keeps them up at night is bulk exfiltration that looks, at a glance, like normal work: an authorized user pulling far more than their role ever needs, exporting to an unusual destination, or doing it at an odd hour. Traditional DLP would mean inspecting the contents of sensitive datasets — increasing exposure to catch misuse of that very data. They need a way to see "too much, too fast, to the wrong place" without reading the data itself.
What the signals show
Secriiti reads volume and pattern metadata from the warehouse and storage — record counts, object counts, query cardinality, destinations, and timing — and baselines them per role and team. The signals that surface include:
- Volume anomalies: an account exporting an order of magnitude more than its role's normal in a short window.
- Destination anomalies: data moving to a destination or egress path the role has never used.
- Timing and sequence anomalies: bulk access at off-hours, or a dormant credential waking up immediately before a large pull.
Crucially, every one of these is computed from the envelope — how much, where, when — and never from the contents of a single record.
The Secriiti approach
- Data-movement anomaly detection compares each identity's egress shape to its role baseline and flags meaningful spikes.
- Identity & credential signals correlate the spike with how the session authenticated — new device, new location, dormant key.
- Explainable recommendations give the team the context to triage fast: what deviated, by how much, and what to check — without ever exposing the underlying data.
You don't need to read the records to notice that someone just took ten times their normal share of them to a place they've never sent data before.
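As an added illustration (not Secriiti's code), the three signal types listed under "What the signals show" and the role-baseline comparison described in the approach above, run over a constructed set of egress metadata events; the thresholds, the business-hours window and the event field layout are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median
# Thresholds are assumptions for this example, not Secriiti's parameters.
VOLUME_FACTOR = 10            # "an order of magnitude more than its role's normal"
BUSINESS_HOURS = range(7, 20) # hours of day treated as normal; anything else is off-hours
DORMANT_DAYS = 30             # a key unused this long before a pull counts as dormant
# Constructed baseline window of past egress events. Each tuple is only the envelope:
# (user, role, record count, destination, hour of day, days since the key was last used).
HISTORY = [
    ("ana", "analyst", 1200, "bi-dashboard", 10, 1),
    ("ana", "analyst",  900, "bi-dashboard", 14, 1),
    ("bo",  "analyst", 1500, "bi-dashboard", 11, 2),
    ("bo",  "analyst", 1100, "notebook",     15, 1),
    ("cy",  "analyst", 1300, "notebook",      9, 1),
]
# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("ana", "analyst",  1400, "notebook",   13,   1),  # broad but normal
    ("bo",  "analyst",  2000, "notebook",   21,   1),  # one deviation: late evening
    ("dee", "analyst", 15000, "ext-bucket",  2, 120),  # 10x share, new destination, 2am, dormant key
]
def build_baselines(history):
    """Per-role baseline from the envelope only: median record count and destinations seen."""
    by_role = defaultdict(lambda: {"records": [], "destinations": set()})
    for _user, role, records, dest, _hour, _idle in history:
        by_role[role]["records"].append(records)
        by_role[role]["destinations"].add(dest)
    return {role: {"median_records": median(b["records"]), "destinations": b["destinations"]}
            for role, b in by_role.items()}

def score_event(event, baselines):
    """List the envelope deviations for one event; an empty list means it looks normal."""
    _user, role, records, dest, hour, idle_days = event
    base = baselines[role]
    reasons = []
    if records >= VOLUME_FACTOR * base["median_records"]:
        reasons.append("volume %dx role median" % (records // base["median_records"]))
    if dest not in base["destinations"]:
        reasons.append("destination %s never used by role" % dest)
    if hour not in BUSINESS_HOURS:
        reasons.append("off-hours access at %02d:00" % hour)
    if idle_days >= DORMANT_DAYS:
        reasons.append("credential dormant %d days before pull" % idle_days)
    return reasons

def detect(history, new_events):
    """Return (user, reasons) for flagged events, ranked by how many signals fired."""
    baselines = build_baselines(history)
    scored = [(e[0], score_event(e, baselines)) for e in new_events]
    return sorted([s for s in scored if s[1]], key=lambda s: len(s[1]), reverse=True)
```

Running `detect(HISTORY, NEW_EVENTS)` ranks dee's pull first with all four signals and bo's evening query last with one, while ana's normal query is not flagged at all; no field of any record was consulted.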
What good looks like
Illustrative targets for a team like this:
- High-confidence egress anomalies surfaced within the same day, ranked by deviation.
- A clear separation between "broad but normal" access and genuine outliers — fewer false alarms than a contents-based approach.
- A monitoring story that satisfies regulators and respects the analysts, because no one's queries are being read.
Takeaway
For sensitive-data teams, the safest way to catch misuse is often to look at less, not more. Volume, destination, and timing metadata catch the exfiltration patterns that matter while keeping the data — and your employees' trust — untouched.
Secriiti's data-movement detection is designed for sensitive-data teams. Request early access.