Welcome to Unlocked
Detection failures often aren't about a weak SOC or a flawed SIEM; they start earlier, with missing, incomplete, or ignored logs.
In 2025, attackers are exploiting this more aggressively than ever.
According to the IBM Cost of a Data Breach Report 2025, organizations took an average of 204 days to identify a breach, and log gaps were cited as a contributing factor in nearly half of incidents.
Worse: 59% of security teams reported that at least one major tool produced incomplete or missing telemetry during a real incident.
This week, we're looking at why logs fail, where attackers hide, and how AI is reshaping visibility.
Let's break it down.
Our Sponsor
Realtime User Onboarding, Zero Engineering
Quarterzip delivers realtime, AI-led onboarding for every user with zero engineering effort.
• Dynamic Voice guides users in the moment
• Picture-in-Picture stays visible across your site and others
• Guardrails keep things accurate, with smooth handoffs if needed
No code. No engineering. Just onboarding that adapts as you grow.
The Signal-to-Noise Problem in SIEM
SIEMs promise visibility, but they often create fog.
Security teams now ingest logs from cloud, SaaS, endpoints, identity systems, OT/IoT devices, and third-party integrations. The result? Overload.

Key 2025 findings (Splunk State of Security):
71% of SOC teams mute or ignore entire classes of SIEM alerts.
Over 40% of telemetry never becomes actionable due to formatting or normalization failures.
Cost pressures lead 1 in 3 organizations to discard logs to reduce ingestion fees.
This creates the perfect hiding place.
Attackers don't need to evade your SIEM; they just need to blend into the noise you already ignore.
How Attackers Exploit Log Blind Spots
Adversaries in 2025 aren't just bypassing logs; they're shaping them.
Modern log-evasion techniques include:
Log suppression: Disabling AWS CloudTrail, Azure Audit Logs, or Windows Event Logging during critical activity.
Living-off-the-land: Using legitimate admin tools that SIEM rules consider "routine."
Cloud console abuse: Actions inside cloud dashboards often produce limited audit entries unless enhanced logging is enabled.
Log poisoning: Injecting misleading entries to distort correlation.
Token-based attacks: Session hijacking produces "normal" log entries unless you correlate device or location anomalies.
Recent cloud IR cases from Unit 42 and Mandiant show attackers now spend more time manipulating logs than trying to avoid them.
AI Is Transforming Breach Reconstruction
Traditional logging can't keep up with highly distributed, multi-cloud environments, especially when logs are missing.
AI is now filling that gap.
How AI helps in 2025:
1. Pattern reconstruction
ML models infer likely attacker movement even when logs are incomplete or tampered with.
2. Cross-environment correlation
AI stitches together endpoint, identity, cloud, and SaaS activity that humans can't manually correlate.
3. Negative-space detection
AI flags what should have happened:
"No MFA challenge triggered when one was expected."
"No corresponding login for a privileged token use."
4. Tamper detection
AI spots timestamp irregularities, entropy changes, and unusual event frequency, often the first signs of manipulation.
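As an added example (not from the newsletter or any named vendor), here are the negative-space and tamper checks above written as plain rules over constructed sample events; the one-hour login window, the two-hour gap threshold, and the principal and event names are assumptions. A model would learn these baselines rather than hard-code them, but the logic behind each finding is the same.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): one identity-provider login
# and several cloud audit records. Principal names and event names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "source": "idp", "principal": "alice", "event": "login"},
    {"ts": "2025-03-01T09:05:00", "source": "cloud", "principal": "alice", "event": "AssumeRole", "privileged": True},
    {"ts": "2025-03-01T09:30:00", "source": "cloud", "principal": "svc-deploy", "event": "PutBucketPolicy", "privileged": True},
    {"ts": "2025-03-01T09:20:00", "source": "cloud", "principal": "bob", "event": "ListBuckets"},  # arrives out of order
    {"ts": "2025-03-01T12:40:00", "source": "cloud", "principal": "alice", "event": "ListBuckets"},  # after 3h20m of silence
]

def _parsed(events):
    """Return copies of the events with the ISO-8601 timestamp turned into a datetime."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]

def missing_login(events, window=timedelta(hours=1)):
    """Negative-space check: a privileged action whose principal has no login
    within `window` before it. Returns (principal, event) pairs."""
    parsed = _parsed(events)
    logins = [e for e in parsed if e["event"] == "login"]
    findings = []
    for e in parsed:
        if not e.get("privileged"):
            continue
        covered = any(l["principal"] == e["principal"] and timedelta(0) <= e["ts"] - l["ts"] <= window
                      for l in logins)
        if not covered:
            findings.append((e["principal"], e["event"]))
    return findings

def timestamp_anomalies(events, max_gap=timedelta(hours=2)):
    """Tamper/gap check per source, in arrival order: flag a timestamp that moves
    backwards and a silence longer than `max_gap`. Returns (source, kind, ts) triples."""
    findings, last_seen = [], {}
    for e in _parsed(events):
        src = e["source"]
        if src in last_seen:
            delta = e["ts"] - last_seen[src]
            if delta < timedelta(0):
                findings.append((src, "out_of_order", e["ts"].isoformat()))
            elif delta > max_gap:
                findings.append((src, "gap", e["ts"].isoformat()))
        last_seen[src] = e["ts"]
    return findings

if __name__ == "__main__":
    print("privileged actions without a login:", missing_login(SAMPLE_EVENTS))
    print("timestamp anomalies:", timestamp_anomalies(SAMPLE_EVENTS))
```

The sample run flags the service principal that changed a bucket policy with no login on record, the cloud record whose timestamp runs backwards, and the multi-hour silence from the cloud source.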
The Retention Crisis: Logs That Disappear Before You Need Them
Organizations still retain logs for far too short a window.
Key 2025 stats (Verizon DBIR 2025):
64% of breaches are discovered months after compromise.
Over 45% of companies keep identity logs for fewer than 90 days.
Misconfigured or missing cloud logs contributed to 27% of breach investigations.
Attackers increasingly design "slow-quiet" campaigns meant to outlast log retention.
Best practices emerging in 2025:
12 to 24 months of retention for IAM logs
Immutable storage for privileged actions
Cross-cloud log export to external storage
Cold storage archiving in low-cost object storage
(See: Verizon DBIR 2025)
Multi-Cloud Logging: A Growing Visibility Gap
With organizations now distributing workloads across AWS, Azure, GCP, Oracle, and dozens of SaaS tools, logging has become fragmented by default.
Each ecosystem logs:
different event types
different timestamps
different levels of detail
different retention defaults
This creates enormous "blind seams" where attackers hide.

More organizations in 2025 are adopting:
OpenTelemetry for consistent log collection
SIEM-agnostic log pipelines
Normalization layers before ingestion
Cloud-agnostic identity logs as the anchor source of truth
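An added example (not from the newsletter) of the normalization layer the list mentions: three constructed records in roughly CloudTrail-, Azure Activity- and Windows Security-style shapes are mapped onto one schema with one timestamp format. The field names and values are simplified assumptions, and records that fail to normalize are surfaced rather than dropped, because silently discarded telemetry is exactly the gap described above.

```python
from datetime import datetime, timezone

# Constructed records approximating three shapes (not real exports). Field names
# and values are assumptions chosen to show the differences a pipeline must absorb:
# ISO time with "Z", ISO time with an offset and fractions, and epoch seconds.
RAW_RECORDS = [
    {"kind": "aws", "eventTime": "2025-03-01T09:05:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "198.51.100.7"},
    {"kind": "azure", "eventTimestamp": "2025-03-01T09:06:12.345+00:00",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "alice@example.com", "callerIpAddress": "198.51.100.7"},
    {"kind": "windows", "TimeCreated": 1740820020, "EventID": 4672, "SubjectUserName": "alice", "IpAddress": "-"},
]

def _ts(value):
    """Accept ISO-8601 (with Z or an offset) or epoch seconds; return a tz-aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def normalize(rec):
    """Map one raw record onto the common schema: ts, source, actor, action, src_ip."""
    kind = rec["kind"]
    if kind == "aws":
        return {"ts": _ts(rec["eventTime"]), "source": "aws", "actor": rec["userIdentity"]["arn"],
                "action": rec["eventName"], "src_ip": rec.get("sourceIPAddress")}
    if kind == "azure":
        return {"ts": _ts(rec["eventTimestamp"]), "source": "azure", "actor": rec["caller"],
                "action": rec["operationName"], "src_ip": rec.get("callerIpAddress")}
    if kind == "windows":
        ip = rec.get("IpAddress")  # Windows logs "-" when no address applies
        return {"ts": _ts(rec["TimeCreated"]), "source": "windows", "actor": rec["SubjectUserName"],
                "action": f"EventID {rec['EventID']}", "src_ip": None if ip in (None, "-") else ip}
    raise ValueError(f"unknown record kind: {kind}")

def normalize_all(records):
    """Normalize every record and sort by time so correlation sees one timeline.
    Returns (normalized, failures); failures are kept visible, never discarded."""
    out, failures = [], []
    for r in records:
        try:
            out.append(normalize(r))
        except (KeyError, ValueError) as exc:
            failures.append((r, repr(exc)))
    out.sort(key=lambda e: e["ts"])
    return out, failures

if __name__ == "__main__":
    events, bad = normalize_all(RAW_RECORDS)
    for e in events:
        print(e["ts"].isoformat(), e["source"], e["actor"], e["action"], e["src_ip"])
    print("records that could not be normalized:", bad)
```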
How to Reduce Log Blind Spots (Without Blowing Up Your SIEM Bill)
For Security Teams:
• Prioritize IAM, authentication, and token logs
• Implement immutable storage for high-value logs
• Use AI to detect log gaps and correlation anomalies
• Build a unified log inventory covering SaaS, cloud, and endpoint sources
• Export cloud logs externally to avoid deletion by attackers
For Leadership:
• Treat logs as a security asset, not an IT cost
• Budget for long-term retention using cold storage
• Require log coverage verification in vendor onboarding
Unlocked Tip of the Week
Pick one high-risk system and ask:
"If this were breached today, would our logs tell us, or would we only find out months later?"
If you're unsure, your visibility isn't complete.
Poll of the Week
What's your biggest visibility challenge right now?
Author Spotlight
Meet Samuel Ortiz - Junior Platform Engineer
Samuel Ortiz works on platform automation, event logging, and backend systems that support modern identity architectures. With a background in Python, Go, and cloud-native tooling, he helps maintain telemetry pipelines, improve log reliability, and support incident analysis teams with better data quality.
Samuel is passionate about security automation and enjoys exploring how AI and machine learning can improve detection workflows. He brings a practical, engineering-first mindset, focusing on clean implementation and strong operational discipline.
Wrapping Up
The most dangerous breaches aren't hidden because attackers are invisible; they're hidden because the telemetry to detect them never existed.
In 2025, visibility is a strategic imperative.
If identity is the new perimeter, logs are the new radar.
Improving retention, normalizing data, and adopting AI-driven correlation lifts the fog and reveals what attackers hope you never see.
Stay observant. Stay proactive. Stay secure.
Until next time,