The 10-second correlation window for file access + network connection is a smart heuristic for catching exfiltration. Scanning /proc/pid/fd every few seconds is lightweight enough to not annoy people. How granular is the network allowlist? Some dev workflows hit a lot of dynamic endpoints.
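A worked version of the heuristic described in that comment, added here as an example and not code from the thread or from the project being discussed. It reads a process's `/proc/<pid>/fd` links (real reader included, but the demo feeds it constructed snapshots so it runs offline), remembers sensitive files seen per pid, and raises an alert when the same process holds a socket to a destination outside the allowlist within a 10-second window of a sensitive file access. The allowlist also shows one way to answer the granularity question: exact `host:port` entries plus `*.suffix` wildcards. `WINDOW_SECONDS`, `SENSITIVE_PREFIXES`, the allowlist syntax, the pid and the 203.0.113.x destinations are all assumptions made for the example.

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed parameters for the example (not from the original thread).
WINDOW_SECONDS = 10.0
SENSITIVE_PREFIXES = ("/home/", "/etc/", "/var/lib/secrets/")
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")   # readlink target of a socket fd


@dataclass
class Alert:
    pid: int
    path: str       # sensitive file the process had open
    dest: str       # "host:port" it then connected to
    file_ts: float  # when the file handle was last seen
    net_ts: float   # when the non-allowlisted socket was seen


def read_fd_links(pid, proc_root="/proc"):
    """Real /proc reader: fd number -> readlink target. {} if the pid is gone/unreadable."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    links = {}
    try:
        for fd in os.listdir(fd_dir):
            try:
                links[fd] = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue            # fd closed between listdir and readlink
    except OSError:
        return {}
    return links


def sensitive_files(fd_links):
    """Paths under SENSITIVE_PREFIXES currently held open."""
    return sorted({t for t in fd_links.values() if t.startswith(SENSITIVE_PREFIXES)})


def socket_inodes(fd_links):
    """Socket inodes held open; joined against /proc/net/tcp* in a real agent."""
    inodes = set()
    for target in fd_links.values():
        m = SOCKET_RE.match(target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def allowed(dest, allowlist):
    """dest is 'host:port'. Patterns: 'host', 'host:port', '*.suffix', '*.suffix:port'.
    A '*.suffix' entry matches subdomains only, not the bare suffix (IPv6 not handled)."""
    host, _, port = dest.rpartition(":")
    for pat in allowlist:
        phost, _, pport = pat.rpartition(":") if ":" in pat else (pat, "", "")
        if pport and pport != port:
            continue
        if phost == host or (phost.startswith("*.") and host.endswith(phost[1:])):
            return True
    return False


class Correlator:
    def __init__(self, allowlist, window=WINDOW_SECONDS):
        self.allowlist = list(allowlist)
        self.window = window
        self._recent = defaultdict(dict)   # pid -> {sensitive path: last seen ts}
        self._reported = set()             # (pid, path, dest) already alerted on

    def observe(self, ts, pid, fd_links, connections):
        """One poll for one pid. connections: {socket inode: 'host:port'}. Returns new alerts."""
        recent = self._recent[pid]
        for path in sensitive_files(fd_links):
            recent[path] = ts
        for path in [p for p, t in recent.items() if ts - t > self.window]:
            del recent[path]                # file access aged out of the window
        alerts = []
        for inode in socket_inodes(fd_links):
            dest = connections.get(inode)
            if dest is None or allowed(dest, self.allowlist):
                continue
            for path, file_ts in recent.items():
                key = (pid, path, dest)
                if key not in self._reported:   # alert once per (pid, file, dest)
                    self._reported.add(key)
                    alerts.append(Alert(pid, path, dest, file_ts, ts))
        return alerts


def demo():
    """Constructed snapshots for pid 4242: key file read, then two outbound sockets."""
    c = Correlator(allowlist=["*.github.com:443", "pypi.org:443"])
    out = []
    out += c.observe(0.0, 4242, {"0": "/dev/pts/1", "3": "/home/alice/.ssh/id_ed25519"}, {})
    out += c.observe(4.0, 4242, {"0": "/dev/pts/1", "5": "socket:[31337]"}, {31337: "api.github.com:443"})
    out += c.observe(7.0, 4242, {"0": "/dev/pts/1", "6": "socket:[31338]"}, {31338: "203.0.113.7:8443"})
    out += c.observe(30.0, 4242, {"0": "/dev/pts/1", "7": "socket:[31339]"}, {31339: "203.0.113.8:8443"})
    return out


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The demo produces exactly one alert: the socket to the allowlisted GitHub host at t=4 is ignored, the unknown destination at t=7 lands 7 seconds after the key file was seen and fires, and the unknown destination at t=30 falls outside the window. Keeping only the last-seen timestamp per path and a reported-set keeps the polling loop from re-alerting on every sweep while a long-lived socket stays open.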