Threat actors increasingly abuse legitimate native utilities, third-party tools, and cloud service clients for data exfiltration, bypassing traditional static detections. The Exfiltration Framework models the behavioral and forensic characteristics of these tools to enable detection based on execution context, network patterns, and artifact persistence rather than tool presence.