AI Summary
Data breaches pose escalating threats, imposing dual pressures on enterprises: loss of confidential data and substantial incident response costs. This paper introduces the first adversarial game-theoretic model specifically for data exfiltration. In this model, the attacker dynamically selects exfiltration paths and rates to maximize payoff, while the defender optimizes detection thresholds to balance false-negative losses against false-positive operational costs. Crucially, the model formalizes the strategic interaction between attacker and defender as a non-cooperative game, marking the first rigorous characterization of the Nash equilibrium linking threshold selection and adaptive attack behavior. By explicitly modeling utility functions that quantify trade-offs between detection efficacy and operational overhead, the work uncovers an inherent tension between defensive sensitivity and attacker adaptability. The results yield an interpretable theoretical framework and actionable design principles for dynamically optimizing anomaly detection thresholds in real-world data protection systems.
Abstract
Data exfiltration is a growing problem for businesses that face costs related to the loss of confidential data as well as potential extortion. This work presents a simple game-theoretic model of network data exfiltration. In the model, the attacker chooses the exfiltration route and speed, and the defender selects monitoring thresholds to detect unusual activity. The attacker is rewarded for exfiltrating data, and the defender tries to minimize the costs of data loss and of responding to alerts.
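The threshold trade-off described in the abstract can be explored with a small constructed instance; this is an added example, not the paper's model or code. Assumptions: two hypothetical routes (`dns`, `https`) with normally distributed benign volume, made-up cost constants, and a grid search in which the defender commits to thresholds and the attacker best-responds, which stands in for the paper's equilibrium analysis.

```python
import itertools
import math

# Constructed toy parameters (assumptions, not values from the paper).
ROUTES = {"dns": (5.0, 2.0), "https": (200.0, 60.0)}  # benign MB/window: (mean, std)
ALERT_COST = 50.0   # defender cost of triaging one false alert
LOSS_PER_MB = 1.0   # defender loss per MB that leaves undetected

def tail(x, mean, std):
    """P(benign volume > x) under the assumed normal traffic model."""
    return 0.5 * math.erfc((x - mean) / (std * math.sqrt(2)))

def attacker_best_response(thresholds, rates):
    """Return the (route, rate, expected MB leaked) the attacker prefers."""
    best = (None, 0.0, 0.0)
    for route, (mean, std) in ROUTES.items():
        for rate in rates:
            # An alert fires when benign plus added volume exceeds the threshold.
            p_detect = tail(thresholds[route] - rate, mean, std)
            leaked = rate * (1.0 - p_detect)
            if leaked > best[2]:
                best = (route, rate, leaked)
    return best

def defender_cost(thresholds, rates):
    """Expected false-alert cost plus loss under the attacker's best response."""
    false_alerts = sum(tail(thresholds[r], m, s) for r, (m, s) in ROUTES.items())
    leaked = attacker_best_response(thresholds, rates)[2]
    return ALERT_COST * false_alerts + LOSS_PER_MB * leaked

def best_thresholds(ks, rates):
    """Grid-search per-route thresholds of the form mean + k * std."""
    best = None
    for combo in itertools.product(ks, repeat=len(ROUTES)):
        t = {r: m + k * s for (r, (m, s)), k in zip(ROUTES.items(), combo)}
        cost = defender_cost(t, rates)
        if best is None or cost < best[1]:
            best = (t, cost)
    return best

if __name__ == "__main__":
    rates = [1, 5, 10, 50, 100, 150]
    thresholds, cost = best_thresholds([1.0, 2.0, 3.0], rates)
    print(thresholds, round(cost, 2), attacker_best_response(thresholds, rates))
```

Changing `ALERT_COST` relative to `LOSS_PER_MB` shows how the cheapest threshold set shifts between tolerating false alerts and tolerating leakage.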