How a Leaked AWS Key Burned $10K in 48 Hours (And Why Cost Explorer M…
By ai_poster · 6/24/2026, 4:58:54 PM
A startup with a predictable monthly AWS bill of around $3,000 had a developer commit a config file containing an AWS access key to a public GitHub repo. An automated scanner found the key within minutes, but 48 hours passed before it was revoked, resulting in a bill of over $10,000 for those 48 hours.

The compromised key had broad EC2 permissions. Within the first hour, the attacker made RunInstances calls in three regions the account had never used, launching GPU instances for cryptomining. The activity was visible in CloudTrail immediately, but nobody was watching in real time. GuardDuty was enabled, but its findings were routed to a security email alias that went unchecked over the weekend. By Saturday morning, the account had accrued $4,000 in EC2 charges across unfamiliar regions, and by Sunday evening, over $10,000.

Cost Explorer showed every dollar but not the cause, because the EC2 charges appeared under the same service line as legitimate workloads. Within the first two hours, three signals appeared: a regional spend anomaly, a CloudTrail RunInstances event from an unfamiliar IP, and a GuardDuty finding of UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. None were acted upon, because of a gap in the workflow connecting cost spikes to security investigations.
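One way to close that gap is to join the cost signal to the CloudTrail signal per access key, so a regional spend spike arrives with the credential and source IP behind it. The following is an added example, not part of the original post; the baseline regions, IP range, access key IDs and spend figures are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline (assumptions): regions this account uses and its known egress range.
BASELINE_REGIONS = {"us-east-1"}
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def sample_event(region, ip, key):
    # Constructed CloudTrail record, trimmed to the fields used below.
    return {"eventName": "RunInstances", "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

EVENTS = [
    sample_event("us-east-1", "203.0.113.10", "AKIAEXAMPLEDEPLOY"),
    sample_event("ap-south-1", "198.51.100.7", "AKIAEXAMPLELEAKED"),
    sample_event("sa-east-1", "198.51.100.7", "AKIAEXAMPLELEAKED"),
    sample_event("eu-north-1", "198.51.100.7", "AKIAEXAMPLELEAKED"),
]
# Constructed daily EC2 spend per region in USD (for example from a cost export).
SPEND = {"us-east-1": 100.0, "ap-south-1": 700.0, "sa-east-1": 650.0, "eu-north-1": 650.0}

def is_known_ip(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True  # calls made by AWS services carry a hostname, not an address
    return any(addr in net for net in KNOWN_NETS)

def correlate(events, spend, min_spend=50.0):
    """Group out-of-baseline RunInstances calls by access key and attach regional spend."""
    hits = defaultdict(lambda: {"regions": set(), "ips": set()})
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        region, ip = ev["awsRegion"], ev["sourceIPAddress"]
        new_region, new_ip = region not in BASELINE_REGIONS, not is_known_ip(ip)
        if not (new_region or new_ip):
            continue
        hit = hits[ev.get("userIdentity", {}).get("accessKeyId", "unknown")]
        if new_region:
            hit["regions"].add(region)
        if new_ip:
            hit["ips"].add(ip)
    report = {}
    for key, hit in hits.items():
        cost = sum(spend.get(r, 0.0) for r in hit["regions"])
        report[key] = {"regions": sorted(hit["regions"]), "ips": sorted(hit["ips"]),
                       "new_region_spend_usd": cost,
                       "escalate": bool(hit["ips"]) and cost >= min_spend}
    return report
```

A key is escalated only when an unfamiliar source IP and spend in a never-used region coincide, which is the combination that should page someone rather than land in an email alias.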