
The security incidents that cause the most lasting damage are often the ones nobody notices for months. Rather than moving large volumes of data in a single burst that triggers volumetric detection, sophisticated attackers trickle data out over weeks using stealth techniques specifically designed to bypass threshold-based alerts: a few gigabytes a week, staying well below alert thresholds while quietly draining an organization’s most sensitive assets.
Volume-based alerts are structurally incapable of catching this pattern. The data moves slowly enough that no single event crosses a threshold. The attack is invisible to tools that only look at peaks. Detecting it requires analyzing behavior across observation windows that are orders of magnitude longer than what most security tools use. That requires continuous, full-fidelity network flow telemetry.
Low-and-slow exfiltration is designed to look normal at any given moment. It only reveals itself when you analyze behavior across an extended observation window. That is the detection model NFO enables.
Why Threshold-Based Tools Miss It
Low-and-slow attacks exploit three structural gaps in how most security tools operate. First, alert thresholds are calibrated against normal traffic patterns to avoid false positives — attackers simply stay below that floor, consistently and deliberately. Second, most enterprise exfiltration uses encrypted channels (HTTPS, TLS, cloud storage APIs), rendering content inspection tools blind to what is being transferred. Third, attackers route transfers through legitimate services (AWS S3, Azure Blob, Google Drive) that organizations have already whitelisted, so the destination itself looks normal.
The common thread: at any single point in time, each transfer event is unremarkable. The anomaly only exists in the aggregate, across weeks or months of data. Catching it requires a fundamentally different analytical approach.
Three Flow Analysis Techniques That Surface the Pattern

NetFlow Optimizer (NFO) delivers continuous, full-fidelity, enriched flow telemetry to your SIEM. Three analytical approaches, built in the SIEM against NFO’s data stream, address the low-and-slow detection gap directly.
1. Flow Duration Analysis
Duration is the metadata field that low-and-slow exfiltration cannot hide. A legitimate large file transfer completes in one session and finishes quickly. A low-and-slow campaign transferring the same data over 30 days generates dozens of short, recurring sessions to the same destination: each individually unremarkable, but collectively revealing a persistent pattern no legitimate application produces. SIEM searches against NFO’s duration-stamped records identify hosts with recurring transfer sessions to a specific external destination across 7-, 30-, or 90-day windows.
2. Destination Consistency Analysis
Legitimate outbound traffic is varied. A workstation communicates with dozens of external destinations across a week. An exfiltration campaign returns consistently to the same collection endpoint. By analyzing the distribution of external destinations over time, SIEM searches can identify hosts whose outbound communication has become abnormally concentrated around a small number of destinations, particularly ones that are new to that host’s communication history.
3. Cumulative Volume Across Extended Windows
Low-and-slow exfiltration stays below daily alert thresholds by design. The solution is to aggregate total outbound bytes from a specific user or host to a specific destination across 30-day rolling windows. A host transferring 500MB per day to the same external destination moves 15GB over a month, a figure that would trigger immediate investigation if it happened in a single session but is invisible to hourly threshold alerting.
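The three techniques above, as an added example rather than NFO’s own code or a Splunk search: a Python sketch that runs duration-aware session counting, destination concentration with a first-contact check, and cumulative volume over constructed flow records. The record layout (day, src, dst, bytes, duration), the window lengths and the thresholds are assumptions; the sample data models the service-account case from the enrichment table below (15MB/day, 45 consecutive days) next to an ordinary workstation.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample flow records, not real telemetry. Each record is
# (day, src, dst, bytes, duration_seconds): the fields the three techniques use.
START, END = date(2024, 1, 1), date(2024, 1, 1) + timedelta(days=59)
FLOWS = []
for d in range(60):                                   # ordinary workstation: varied
    for n in range(3):                                # destinations, ~2 MB per session
        FLOWS.append((START + timedelta(days=d), "10.1.4.22",
                      f"192.0.2.{(d * 3 + n) % 40 + 1}", 2_000_000, 30))
for d in range(0, 60, 3):                             # routine traffic from a service host
    FLOWS.append((START + timedelta(days=d), "10.1.7.55", "192.0.2.200", 500_000, 20))
for d in range(15, 60):                               # low-and-slow: 15 MB/day for 45 days
    FLOWS.append((START + timedelta(days=d), "10.1.7.55", "203.0.113.8", 15_000_000, 20))

def in_window(flows, end, days):
    """Records whose day lies in the `days`-long window ending on `end` (inclusive)."""
    return [f for f in flows if end - timedelta(days=days - 1) <= f[0] <= end]

def recurring_sessions(flows, end, days=30, min_sessions=30, max_duration=300):
    """Technique 1: (src, dst) pairs with many short sessions across the window."""
    c = Counter((f[1], f[2]) for f in in_window(flows, end, days) if f[4] <= max_duration)
    return {k: v for k, v in c.items() if v >= min_sessions}

def destination_concentration(flows, end, days=30, history_days=60):
    """Technique 2: per source: busiest destination, its session share, and whether it is new."""
    window = in_window(flows, end, days)
    seen = defaultdict(set)                           # destinations seen before the window
    for f in in_window(flows, end - timedelta(days=days), history_days):
        seen[f[1]].add(f[2])
    result = {}
    for src in {f[1] for f in window}:
        c = Counter(f[2] for f in window if f[1] == src)
        dst, n = c.most_common(1)[0]
        result[src] = (dst, round(n / sum(c.values()), 3), dst not in seen[src])
    return result

def cumulative_volume(flows, end, days=30, threshold=300_000_000):
    """Technique 3: total bytes per (src, dst) over the window, flagged past `threshold`."""
    total = defaultdict(int)
    for f in in_window(flows, end, days):
        total[(f[1], f[2])] += f[3]
    return {k: v for k, v in total.items() if v >= threshold}

if __name__ == "__main__":
    for fn in (recurring_sessions, destination_concentration, cumulative_volume):
        print(fn.__name__, fn(FLOWS, END, days=45))
        print(fn.__name__, "(1-day window)", fn(FLOWS, END, days=1))
```

Run with a 45-day window, only the 10.1.7.55 → 203.0.113.8 pair is flagged by all three checks; with a 1-day or 7-day window the same data returns nothing, which is exactly the gap threshold alerting leaves open. The aggregations (count, sum of bytes, busiest destination by source over a long search window) translate directly into SIEM searches against NFO’s records.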
Why Enrichment Turns a Pattern into an Investigation
Raw flow records reveal behavioral patterns. NFO’s enrichment layer (user identity from Active Directory, Okta, and Entra ID; application name via device DPI; threat intelligence scoring; GeoIP and ASN) transforms those patterns into actionable investigation triggers:
| Raw Flow Shows | NFO Enrichment Adds | Investigation Value |
|---|---|---|
| 10.1.4.22 → 198.51.100.45, 847MB over 30 days | User: j.smith; App: HTTPS; Dst: AWS S3; Threat Intel: Clean | Named employee with consistent cloud uploads: warrants business justification review |
| 10.1.7.55 → 203.0.113.8, 15MB/day for 45 days | User: svc-reporting; App: HTTPS; Dst: First-contact; GeoIP: Eastern Europe; Threat Intel: Flagged | Service account, flagged destination, first-contact, 45 consecutive days: high-confidence exfiltration indicator |
| 10.2.1.88 → 104.x.x.x, 300MB, 3x weekly | User: contractor a.jones; App: Google Drive API; Outside business hours | Contractor with consistent off-hours cloud uploads: policy review regardless of threat intel score |
Without enrichment, row 2 is an internal IP talking to an external IP at low volume. With NFO’s enrichment, it is a service account with no legitimate external communication purpose sending data every day for 45 days to a flagged, previously-unseen destination. That is the difference between a data point and a confirmed investigation trigger.
Where This Fits in the Full Attack Sequence
Low-and-slow exfiltration is the final phase of most successful intrusions. NFO’s flow telemetry supports detection across every phase, complementing the detection capabilities covered in earlier blogs in this series:
| Attack Phase | What Happens | NFO + SIEM Coverage |
|---|---|---|
| Initial Access | Credential theft, VPN compromise | Identity Threat Detection at the Network Layer |
| Lateral Movement | Internal reconnaissance, accessing target systems | The Ransomware Pre-Flight Check |
| Data Staging | Aggregating target data internally before exfiltration | Large internal transfers from file servers to workstations visible in user-attributed flow records |
| Exfiltration (Low and Slow) | Persistent low-volume outbound transfers over weeks or months | Duration analysis, destination consistency, and cumulative volume across extended windows (this post) |
The Bottom Line
Low-and-slow exfiltration is a patience game. Attackers move slowly because they know most security tools are built for speed: for peaks, spikes, and sudden anomalies. Sustained, deliberate, low-volume transfers simply do not register.
The answer is not louder alerts. It is longer memory. Continuous, full-fidelity flow telemetry analyzed across weeks and months reveals what no single-event alert ever will. The question is whether your visibility extends far enough to see it.
Ready to build low-and-slow detection in your environment? Start a free 60-day trial of NetFlow Optimizer or schedule a technical demo to see long-window flow analysis in action.
