Explained at length below: after subjective indicator of possible breach, by monitoring, allowlisting and then deleting outbound network traffic sources (i.e. apps) on the device, then look closely at any remaining, non-allowlisted traffic, which should be zero.