OWASP Top 10 explained - 09 Security Logging and Monitoring Failures


Security logging and monitoring failures rank no. 9 on the OWASP Top 10 – and for good reason. If you’re not capturing and reviewing key security events, attackers may breach your system and remain undetected for weeks or even months.

So what does this category include, how is it exploited, and how can you fix it?

01 – What are logging and monitoring failures?

This risk covers the failure to detect, record, or respond to suspicious behaviour. Without effective logging and monitoring, malicious activity often goes unnoticed until damage is done.

Some common examples:

  • Missing logs – No records of login attempts, privilege changes, or access to sensitive data.
  • Unmonitored alerts – Security tools trigger warnings, but no one investigates them.
  • Short log retention – Logs are overwritten too quickly to support post-incident analysis.
  • Insecure log storage – Attackers can alter or delete logs if not centralised or protected.
  • No incident response – There’s no formal process for investigating anomalies or acting on alerts.

Logging isn’t just about collecting data – it’s about detecting breaches and enabling timely response.

02 – How is it exploited?

Attackers rely on stealth. If you’re not watching, they’ll take advantage of it.

A classic case: the Target breach (2013). Attackers exfiltrated 40 million payment card records after installing malware on POS systems. Alerts were generated – but not acted on – allowing the breach to persist undetected for weeks.

This isn’t rare. Many organisations only discover they’ve been breached after a third party reports suspicious activity. Poor logging and response dramatically extend attacker dwell time and increase the cost of a breach.

03 – How do you prevent it?

The good news: logging and monitoring failures are avoidable with the right practices.

  • Log critical events – Capture authentication attempts, privilege changes, data access, and security control changes across your application, infrastructure, and APIs.
  • Use tamper-resistant logging – Centralise logs in a SIEM or secure logging platform. Use cryptographic integrity (e.g. hashing, append-only storage) to detect tampering.
  • Enable alerting and monitoring – Use anomaly detection, threshold alerts, and real-time analysis to flag unusual activity – like repeated login failures, unexpected access patterns, or unusual API usage.
  • Include context in logs – Log metadata such as user ID, source IP, device type, and timestamp to support effective investigation.
  • Establish and test an incident response plan – Define clear procedures for alert triage, investigation, and response. Regularly run tabletop exercises or simulations to test your readiness.
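
Putting the practices above together, here is an added example in Python (not code from the original article or from Logical Peak): a small append-only, hash-chained event log that records the context fields listed (user ID, source IP, device, timestamp), a verify() check that pinpoints an altered or deleted entry, and a sliding-window detector for repeated login failures. The field names, the threshold of five failures in five minutes, and the sample events are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash carried by the first entry of a log

def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def record(log, event, user_id, source_ip, outcome, ts=None, device="unknown", detail=""):
    """Append one event; each entry stores the SHA-256 of the previous one (hash chain)."""
    ts = ts or datetime.now(timezone.utc)  # context: who, where from, on what, when
    entry = {"ts": ts.isoformat(), "event": event, "user_id": user_id, "source_ip": source_ip,
             "device": device, "outcome": outcome, "detail": detail,
             "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Index of the first entry whose hash or chain link is wrong, or None if the log is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev_hash"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return None

def detect_repeated_failures(log, threshold=5, window=timedelta(minutes=5)):
    """Flag each failed login that brings its source IP to >= threshold failures within the window."""
    recent, alerts = defaultdict(deque), []
    for e in log:
        if e["event"] != "login" or e["outcome"] != "failure":
            continue
        ts, q = datetime.fromisoformat(e["ts"]), recent[e["source_ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e["source_ip"], e["ts"]))
    return alerts
def build_sample_log():
    """Constructed sample events (not real data): a failure burst, then a success and a privilege change."""
    log, t0 = [], datetime(2025, 3, 26, 9, 0, tzinfo=timezone.utc)
    for i in range(6):
        record(log, "login", "alice", "203.0.113.7", "failure", ts=t0 + timedelta(seconds=10 * i))
    record(log, "login", "alice", "198.51.100.4", "success", ts=t0 + timedelta(minutes=2))
    record(log, "privilege_change", "admin", "198.51.100.4", "success", ts=t0 + timedelta(minutes=3), detail="role admin granted")
    return log
```

In a real deployment the chain head (the latest hash) would be shipped to a separate, write-restricted store so that an attacker who can rewrite the log file still cannot make verify() pass.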

Even the most secure systems can be breached – what matters is how quickly you detect and contain the attack. Strong logging and monitoring reduce breach severity by limiting attacker dwell time and enabling effective forensics.

By embedding robust observability, alerting, and response into your architecture, you transform logging from a compliance checkbox into a strategic defence layer.

Posted 26 Mar 25


Logical Peak Ltd. ©