Controlling risk of data exfiltration in cyber networks due to stealthy propagating malware

B Thompson, J Morris-King, H Cam
MILCOM 2016 - 2016 IEEE Military Communications Conference, 2016 - ieeexplore.ieee.org
Infamous recent cyber attacks on businesses and governments have demonstrated that even the best contemporary security systems cannot prevent well-resourced adversaries from infiltrating their networks and gaining access to sensitive information. Stealthy malware can spread through a network undetected by utilizing zero-day exploits to propagate and hiding malicious behavior in normal activity, potentially doing significant damage before exploited vulnerabilities can be identified or patches developed. In this work, we consider a scenario in which an attacker deploys propagating malware enabling the exfiltration of data from infected devices, and a defender deploys detection and recovery mechanisms designed to control malware spread while obeying network-wide resource constraints. We use a stochastic model to represent changes in the state of the network and analytically derive an upper bound on the total rate at which an optimal attacker can exfiltrate data from the network, expressed in terms of several network parameters, when the detection rate is proportional to the outgoing data rate at each infected device. Our results can help inform cybersecurity decision-makers in judiciously allocating resources to manage risk.