By Nathan Pearce, Senior Principal Marketing Manager at Aviatrix. Aviatrix was shortlisted in the ‘Best Network Security Solution‘ and ‘Best VPN Security Solution‘ categories at The 2025 Cloud Security Awards.

There’s no doubt that reliance on the cloud for business-critical workloads has fundamentally shifted the way enterprises think about defending themselves from incoming threats.

Firewalls, intrusion detection systems, and access controls scrutinize ingress or inbound traffic attempting to enter your corporate network.

However, many cloud network security strategies have a dangerous gap: egress security— monitoring and controlling the traffic leaving your network. Recent high-profile attacks like the Salt Typhoon campaign and the rise of Medusa ransomware-as-a-service demonstrate that this “back door” has become a primary target for sophisticated threat actors.

To effectively protect your network from data breaches and malware, you need to secure your egress. Here’s why.

The Overlooked Vulnerability: Network Egress

While most organizations defend their ingress from unauthorized access, they pay much less attention to their egress. Who cares where traffic goes when it’s leaving your network?

Egress traffic is vulnerable to threat actors because the way out becomes their way in. They use strategies including:

  • Data exfiltration – Threat actors can use egress traffic to extract valuable data that they can hold for ransom or auction off on the dark web.
  • Command and Control (C2) evolution – Advanced threats require ongoing communication between compromised systems and the attacker’s infrastructure. Modern C2 channels are increasingly sophisticated, often mimicking legitimate business traffic over standard protocols like HTTPS. Without robust egress monitoring, these communications channels remain invisible—allowing attackers to maintain persistent access even after initial detection.
  • Exploiting multicloud security gaps – As organizations adopt multicloud strategies, network architectures have grown increasingly complex. Traffic flows between different cloud service providers, often through complex network topologies that lack unified visibility. This complexity creates natural blind spots where egress traffic can evade scrutiny, particularly when different cloud environments use different security tools with varying capabilities.
  • Multicloud security gaps — Multicloud and hybrid networks sometimes fail to extend the capabilities of native firewalls provided by major cloud service providers, which protect only their own clouds and don’t always offer advanced features. According to CyberRatings.org, several major CSP firewall offerings fall short by lacking security features such as URL filtering, TLS decryption, and comprehensive threat detection. Additionally, they often require complex configurations and integrations with multiple components, leading to increased operational overhead and potential points of failure. Attackers who understand this gap in security can slip in undetected.

Neglecting egress security can expose organizations to significant security risks and operational challenges. Recent security incidents show that this isn’t a danger on the horizon; it’s a current reality.

The Worst that can Happen: Recent Incidents of Compromised Egress Security

Here are some recent security events that highlight the vulnerability of egress traffic:

  • The Salt Typhoon APT (advanced persistent threat) campaign, attributed to nation-state actors, leveraged egress channels to maintain persistent access to compromised environments.
    • Their GhostSpider malware established command and control (C2) infrastructure specifically designed to blend with legitimate outbound traffic, making detection exceptionally difficult using traditional security tools. Better egress controls could have detected and blocked suspicious outbound traffic patterns, even when they mimicked legitimate business communications. Enhanced egress monitoring can also prevent unauthorized data exfiltration by identifying and restricting abnormal outbound data flows.
  • Similarly, the Medusa ransomware operation exploits egress weaknesses not just to exfiltrate sensitive data but to maintain communication with compromised systems. By improving egress security, organizations can disrupt these communication channels, effectively isolating the ransomware and preventing it from receiving further instructions or updates from the attackers. Robust egress filtering and monitoring can detect and block unusual outbound traffic, limiting the ransomware’s ability to exfiltrate data and communicate with its Command and Control servers.

These attacks succeed largely because they exploit a common vulnerability: in cloud environments, controlling what leaves your network is just as important as controlling what enters it. By prioritizing egress security, organizations can significantly reduce the risk of data breaches, persistent threats, and ransomware attacks, ensuring a more secure and resilient network infrastructure.

Good Egress Security is the Best Ingress Security

The more we see successful data exfiltration attacks in the news targeting companies with comprehensive “ingress security” solutions, the bigger the spotlight being shined on this critical area of neglected data theft protection. What many don’t realize is that good egress security is the best ingress security.

To illustrate this point: one of the best visualizations of the typical cyberattack flow is the Unified Kill Chain, created by Paul Pols, a master of laws (M.L), applied ethics (MA) and cyber security (MSc). This diagram shows how most attacks progress from getting In, to getting Through, to getting Out of your network, causing significant damage in the process.

Most people assume that egress security happens at the Out stage of things, when an attacker has collected data and credentials or executed a malicious payload like a ransomware attack. However, good egress security can intervene much earlier in the process, preventing an attack before the attacker even enters the organization.

  • Prevents the attacker from delivering their payload by downloading malware
  • Prevents the attacker from establishing persistence
  • Prevents the attacker from establishing command control or instructing the malware to do more harm

In other words, good egress security prevents attackers from gaining anything more than a foot in the door, neutralizing their ability to do damage.

Building Effective Egress Security Controls

So how do you effectively monitor and filter your egress traffic? It’s best to start small and build a multi-layered approach, combining technical controls, architectural considerations, and operational practices.

1. Comprehensive Egress Filtering

First, implement filtering mechanisms that monitor and control outbound connections based on destination, protocol, and behavior patterns. This should include:

  • DNS (Domain Name System) filtering Set security policies for allowed vs. non-allowed domains that traffic from your network can access. These policies will prevent communication with known malicious domains.
  • Smart Source Filtering based on a broad range of cloud resource properties:
    • Cloud service provider (CSP) resource tags: these tags identify resources you can group. This is the preferred classification method, as this automatically includes new resources created in the cloud with the same set of tags.
    • Resource attributes: classify by account or region.
  • IP addresses or classless inter-domain routing (CIDR): for resources that are not tagged, you can directly specify IP addresses or CIDRs.
  • Protocol restrictions limiting which communication protocols are permitted to leave the network.
  • Data loss prevention (DLP) monitoring to identify sensitive data in outbound traffic.

2. Network Architecture for Egress Control

Beyond filtering, use network architecture to guard your egress. Deploy:

  • Centralized egress points that funnel all outbound traffic through monitored pathways
  • Network segmentation that restricts which internal systems can initiate external connections
  • Proxy services that provide additional inspection capabilities for encrypted traffic
  • Cloud security posture management ensuring consistent policies across cloud environments

Organizations should design network architectures assuming that some systems will eventually be compromised. The goal is to implement “defense in depth” that makes it extraordinarily difficult for attackers to move laterally and establish outbound communication channels.

3. Advanced Detection Mechanisms

Take advantage of all monitoring capabilities to watch your egress traffic:

  • Behavioral analytics to identify unusual patterns in outbound traffic
  • Machine learning models trained to detect subtle indicators of compromise
  • Encrypted traffic analysis that can identify suspicious patterns without decryption
  • Correlation across multiple data sources including network flows, endpoint telemetry, and cloud logs

Integrate these mechanisms with broader security operations to provide comprehensive visibility and enable rapid response to potential egress-based threats.

4. Operational Practices for Egress Security

Beyond filtering, architecture, and detection, make sure egress security is a part of your operations. Your plan should include:

  • Regular egress security testing including simulated data exfiltration exercises
  • Continuous monitoring with clearly defined escalation procedures
  • Incident response playbooks specifically addressing egress-based attacks
  • Security awareness training educating employees about the risks of shadow IT and unauthorized data transfers

Action Plan: Real-World Egress Security Implementation

All these tools and best practices seem overwhelming, but you can start small and create a step-by-step approach for your egress security.

  1. First, conduct an egress traffic analysis. Begin by cataloging all legitimate business reasons for outbound traffic from your environment. This creates a baseline against which you can detect anomalies. Use network flow analysis tools to identify existing traffic patterns and document expected communication channels.
  2. Second, implement incremental filtering. Rather than attempting to lock down all egress traffic at once, which can disrupt business operations, take an incremental approach. Begin with obvious restrictions—blocking traffic to high-risk countries or known malicious destinations—before gradually implementing more granular controls.
  3. Third, establish monitoring before blocking. For many organizations, moving directly to blocking unauthorized egress traffic can create significant operational disruption. Instead, begin with comprehensive monitoring to understand potential business impact before implementing blocking rules.
  4. Fourth, prioritize critical assets. Focus initial egress security efforts on your most sensitive systems—those containing intellectual property, customer data, or financial information. These systems should have the most restrictive egress controls, often limited to communication with specific, verified external services.

Measuring Egress Security Effectiveness

Effective egress security requires ongoing measurement and refinement. Key metrics to track include:

  • Unauthorized egress attempts blocked (indicating policy effectiveness)
  • Mean time to detect egress-based threats (measuring detection capabilities)
  • Data exfiltration attempts identified (validating monitoring effectiveness)
  • False positive rates (ensuring operational efficiency)

Regular testing should include simulated data exfiltration attempts that mimic real-world attacker techniques. These exercises help identify gaps in current controls and provide opportunities for improvement.

Conclusion

While it’s easy to envision your network as a locked garden and focus your energy on keeping bad actors out, the truth is that bad guys and malware may already be inside. Your next step is neutralizing them so they can’t steal data, move laterally, introduce malware, or otherwise disrupt your business operations. Start crafting an egress security plan today to disarm attacks like the Salt Typhoon hack, Medusa ransomware, or whatever artfully-named and maliciously-designed threats confront your network.

Aviatrix Logo

Aviatrix® is the cloud network security company trusted by more than 500 of the world’s leading enterprises. As cloud infrastructures become more complex and costly, the Aviatrix Cloud Network Security platform gives companies back the power, control, security, and simplicity they need to modernize their cloud strategies. Aviatrix is the only secure networking solution built specifically for the cloud, that ensures companies are ready for AI and what’s next. Combined with the Aviatrix Certified Engineer (ACE) Program, the industry’s leading secure multicloud networking certification, Aviatrix unifies cloud, networking, and security teams and unlocks greater potential across any cloud.​

About the Author: Nathan Pearce

Nathan Pearce is an accomplished Product Marketing professional with over 20 years of computer networking experience. He combines a robust engineering background, strategic marketing experience, and insatiable curiosity to drive thought leadership in the industry, particularly in the areas of AI and cloud security.

Related Posts

Why Security Strategy Breaks Down Between Detection and Decision

Why Security Strategy Breaks Down Between Detection and Decision

May 14th, 2026|0 Comments
Email Governance is the Missing Layer in Cloud Strategy

Email Governance is the Missing Layer in Cloud Strategy

May 7th, 2026|0 Comments
Banks are Winning Over SMBs with Better Digital Banking and Cloud Payments

Banks are Winning Over SMBs with Better Digital Banking and Cloud Payments

April 30th, 2026|0 Comments
7 Ways AI-Powered FinOps Is Transforming Azure Cost Management

7 Ways AI-Powered FinOps Is Transforming Azure Cost Management

April 23rd, 2026|0 Comments
From Tool to Teammate: The 2026 Transformation of the Front Office

From Tool to Teammate: The 2026 Transformation of the Front Office

April 16th, 2026|0 Comments
Why Cybersecurity Leaders Are Rethinking the Role of AI in Decision-Making

Why Cybersecurity Leaders Are Rethinking the Role of AI in Decision-Making

April 9th, 2026|0 Comments
The Power of Two: How Combining Agentic AI and RAG Drives Enterprise Success

The Power of Two: How Combining Agentic AI and RAG Drives Enterprise Success

April 2nd, 2026|0 Comments
Tax Resolution and the AI Revolution: How a Proactive Stance Defends Against Predictive Enforcement

Tax Resolution and the AI Revolution: How a Proactive Stance Defends Against Predictive Enforcement

March 26th, 2026|0 Comments
Why Market Leaders are Moving to the Cloud in 2026

Why Market Leaders are Moving to the Cloud in 2026

March 17th, 2026|0 Comments