Modern attackers increasingly operate quietly inside legitimate workflows, bypassing traditional SOC assumptions around visibility and alerting. This blog explores why modern detection strategies struggle against stealth-focused adversary behaviour and what security teams must rethink.
Detection should evolve beyond alerts, signatures & endpoint visibility
Security Operations Centres (SOC) were built around a familiar detection model.
Malware executes. Anomalous traffic spikes. A signature matches. An alert triggers.
An analyst investigates.
For years, this model worked reasonably well because attacks were often loud. Threat actors relied on aggressive exploitation, obvious malware payloads, brute force activity, or disruptive lateral movement. Detection logic evolved around identifying those signals quickly.
But modern adversaries increasingly operate differently.
During red team exercises, we repeatedly observe attack activity progressing quietly through environments without triggering meaningful detection. Not because the organisation lacks tools, but because the activity blends into workflows that already exist. This is the growing detection gap many SOCs are struggling with today.
The shift from disruption to stealth
Modern attack paths are increasingly designed around legitimacy.
Instead of introducing malicious binaries, attackers use trusted administrative tools. Instead of exploiting systems aggressively, they move through authenticated sessions. Instead of generating noisy reconnaissance in one burst, they stagger commands over hours or days and align them with normal user behaviour.
From the SOC’s perspective, much of this activity appears operationally valid. This is especially visible in environments heavily dependent on:
- APIs and microservices
- Cloud-native infrastructure
- Identity-driven access models
- Hybrid work environments
- Custom business applications
These systems generate enormous volumes of legitimate activity every day. Attackers no longer need to bypass security controls directly if they can operate inside the same workflows those controls are designed to trust.
Why traditional detection models struggle
Many SOC architectures still prioritise endpoint and infrastructure telemetry.
That visibility is important. Endpoint Detection and Response (EDR) platforms, SIEM tools, and network monitoring systems remain foundational security controls. The challenge emerges when organisations assume those layers represent complete visibility.
In reality, many modern attack paths remain concentrated within:
- Application logic
- API interactions
- Identity and session behaviour
- Cloud control plane activity
- Trusted binaries and administrative tooling
These layers often lack the telemetry depth required for meaningful detection. A common example is application monitoring. Many organisations collect HTTP access and error logs but lack visibility into authorization flows, object access patterns, API abuse, or session manipulation. The SOC can see traffic, but not intent.
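The "traffic, but not intent" gap above can be made concrete. The following is an added example, not code from the original post or from CyberNX: it contrasts what an access log shows (method, path, status) with what an application log that also records the requesting user and the object's owner makes detectable. The log lines, field names (`user`, `owner`, `path`, `status`), the `billing-svc` exemption and the `min_owners` threshold are all constructed assumptions for illustration.

```python
"""Object-level access analysis over application logs (constructed sample)."""
from collections import Counter, defaultdict
import json

# Constructed sample. An ordinary HTTP access log would carry only method,
# path and status; the "user" and "owner" fields are what the application
# itself has to log for object-level analysis to be possible at all.
APP_LOG = """
{"ts":"2024-05-01T09:00:01Z","user":"alice","method":"GET","path":"/api/invoices/1001","owner":"alice","status":200}
{"ts":"2024-05-01T09:00:07Z","user":"alice","method":"GET","path":"/api/invoices/1002","owner":"alice","status":200}
{"ts":"2024-05-01T09:14:22Z","user":"bob","method":"GET","path":"/api/invoices/2001","owner":"bob","status":200}
{"ts":"2024-05-01T09:16:40Z","user":"bob","method":"GET","path":"/api/invoices/1001","owner":"alice","status":200}
{"ts":"2024-05-01T09:21:03Z","user":"mallory","method":"GET","path":"/api/invoices/3001","owner":"mallory","status":200}
{"ts":"2024-05-01T09:46:10Z","user":"mallory","method":"GET","path":"/api/invoices/1001","owner":"alice","status":200}
{"ts":"2024-05-01T10:12:55Z","user":"mallory","method":"GET","path":"/api/invoices/2001","owner":"bob","status":200}
{"ts":"2024-05-01T10:40:31Z","user":"mallory","method":"GET","path":"/api/invoices/1002","owner":"alice","status":200}
{"ts":"2024-05-01T11:05:00Z","user":"mallory","method":"GET","path":"/api/invoices/4002","owner":"carol","status":200}
{"ts":"2024-05-01T12:00:00Z","user":"billing-svc","method":"GET","path":"/api/invoices/1001","owner":"alice","status":200}
{"ts":"2024-05-01T12:00:01Z","user":"billing-svc","method":"GET","path":"/api/invoices/2001","owner":"bob","status":200}
"""


def parse_app_log(text):
    """One JSON object per line; returns a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]


def status_histogram(events):
    """The web-server view. Every request succeeded, so nothing stands out:
    there are no 403s or 404s to alert on, because the broken access control
    returned the foreign objects happily."""
    return Counter(e["status"] for e in events)


def cross_owner_access(events, exempt=frozenset({"billing-svc"}), min_owners=2):
    """The application view: per user, how many objects owned by someone else
    were read, and how many distinct owners were touched.

    exempt      - principals that legitimately read across tenants (assumed
                  here to be a billing service account); without this list
                  every run would flag the batch job first.
    min_owners  - one foreign object may be a shared document; spanning
                  several owners is what looks like enumeration.
    """
    foreign = defaultdict(lambda: {"foreign_reads": 0, "owners": set()})
    for e in events:
        if e["user"] in exempt or e["owner"] == e["user"]:
            continue
        rec = foreign[e["user"]]
        rec["foreign_reads"] += 1
        rec["owners"].add(e["owner"])
    return {u: r for u, r in foreign.items() if len(r["owners"]) >= min_owners}


if __name__ == "__main__":
    evts = parse_app_log(APP_LOG)
    print("access-log view:", dict(status_histogram(evts)))
    print("object-level view:", cross_owner_access(evts))
```

The point of the two views is that the same eleven requests are invisible in the first and conspicuous in the second; the only difference is whether the application logged the object owner. Note that `bob` reads one foreign invoice and is not flagged at the default threshold, while `mallory` spans three owners and is.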
Similarly, endpoint visibility is often dependent on EDR alerts rather than deep telemetry ingestion. If the endpoint tool does not classify activity as suspicious, the SOC may never see the underlying behaviour.
The result is a dangerous assumption: If no alert exists, no compromise occurred.
Red team exercises continue to expose the same gaps
This is why red team engagements remain valuable even in mature environments. They test whether detection strategies align with how attacks realistically unfold. In many exercises, compromise succeeds without relying on sophisticated malware. Instead, the engagement progresses through:
- Credential misuse
- Privilege escalation within legitimate sessions
- PowerShell execution
- Trusted Windows binaries
- API abuse
- Low-and-slow lateral movement
These techniques frequently avoid detection because they do not appear overtly malicious in isolation. The issue is not always absence of logs. It is absence of contextual detection engineering. For example:
- A successful logon event may appear normal unless correlated with token manipulation activity.
- PowerShell execution may be visible as a process-creation event, but that only shows that PowerShell ran, not what it executed, unless script block logging is enabled.
- API requests may look legitimate unless object-level access patterns are analysed.
- Cloud activity may appear routine without cross-environment behavioural baselining.
Attackers increasingly exploit where visibility is shallow, fragmented, or operationally disconnected.
The logging problem is bigger than most organisations realise
One of the most recurring findings during red team assessments is incomplete telemetry. This usually appears in predictable ways:
- PowerShell logging disabled due to volume concerns
- Limited Sysmon deployment across endpoints
- Cloud logs enabled but not centrally correlated
- SIEM coverage restricted to compliance-scoped systems
- Application logs lacking security-relevant context
In many environments, monitoring depth differs significantly between servers, workstations, APIs, and cloud services. Attackers notice these inconsistencies quickly.
A lightly monitored user workstation often becomes a more practical starting point than a hardened server. A forgotten development API may offer a larger visibility gap than an internet-facing production system. A trusted administrative tool may attract less scrutiny than custom malware. Modern adversaries increasingly optimise for operational invisibility, not technical complexity.
Detection engineering must evolve
Improving SOC effectiveness today requires more than adding new tools or increasing alert volume. It requires rethinking how detection is engineered. Strong detection programs increasingly focus on:
- Threat modelling aligned to realistic attack paths: Understanding how compromise would actually progress through applications, identities, APIs, and cloud environments.
- Telemetry depth over telemetry quantity: Prioritising meaningful visibility rather than indiscriminate log collection.
- Cross-layer correlation: Linking endpoint behaviour, identity activity, API interactions, and cloud telemetry into a unified detection strategy.
- Continuous validation: Using red and purple team exercises to validate whether detection logic reflects real adversary tradecraft.
The goal is not creating more alerts. It is improving confidence that meaningful adversary behaviour will be detected before objectives are achieved.
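The cross-layer correlation item above, and the earlier observation that a logon, a PowerShell launch and a cloud API call each look normal in isolation, can be shown with a small scoring rule. This is an added example, not code from the original post or from CyberNX. It assumes identity, endpoint and cloud events have been normalised into one schema with `source`, `ts`, `user` and `event` fields; the events, the `WEAK_SIGNALS` weights, the window sizes and the thresholds are constructed for illustration. The events are deliberately spaced hours apart, which is the low-and-slow pattern that defeats short per-source windows.

```python
"""Cross-layer correlation of weak signals (constructed sample events)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed events from three telemetry layers (IdP, EDR, cloud control
# plane) already normalised to one schema. Field names are assumptions.
EVENTS_JSONL = """
{"source":"idp","ts":"2024-05-01T07:58:00Z","user":"jdoe","event":"login","new_device":true,"ip":"203.0.113.7"}
{"source":"idp","ts":"2024-05-01T08:01:00Z","user":"ops-admin","event":"login","new_device":false,"ip":"198.51.100.4"}
{"source":"cloud","ts":"2024-05-01T08:10:00Z","user":"ops-admin","event":"CreateAccessKey","target":"ci-runner"}
{"source":"edr","ts":"2024-05-01T10:30:00Z","user":"jdoe","host":"WS-117","event":"process","image":"powershell.exe","encoded_command":true}
{"source":"cloud","ts":"2024-05-01T13:45:00Z","user":"jdoe","event":"CreateAccessKey","target":"svc-deploy"}
{"source":"cloud","ts":"2024-05-01T16:20:00Z","user":"jdoe","event":"ListBuckets"}
"""

# Each of these is too weak to page on alone; the weights are illustrative.
WEAK_SIGNALS = {
    ("idp", "login_new_device"): 2,
    ("edr", "powershell_encoded"): 2,
    ("cloud", "CreateAccessKey"): 2,
    ("cloud", "ListBuckets"): 1,
}


def parse_events(text):
    """One JSON object per line, timestamps parsed, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def signal_of(e):
    """Map a raw event to a (source, signal) key, or None if uninteresting."""
    if e["source"] == "idp" and e["event"] == "login" and e.get("new_device"):
        return ("idp", "login_new_device")
    if e["source"] == "edr" and e.get("image") == "powershell.exe" and e.get("encoded_command"):
        return ("edr", "powershell_encoded")
    if e["source"] == "cloud":
        return ("cloud", e["event"])
    return None


def score_windows(events, window, threshold, min_sources, siloed=False):
    """Sliding window over each principal's weak signals.

    siloed=True groups by (user, source), i.e. each layer's SIEM rule only
    sees its own telemetry; siloed=False groups by user across all layers.
    A hit needs score >= threshold and at least min_sources distinct layers.
    """
    groups = defaultdict(list)
    for e in events:
        sig = signal_of(e)
        if sig in WEAK_SIGNALS:
            key = (e["user"], e["source"]) if siloed else e["user"]
            groups[key].append((e["ts"], sig))
    hits = {}
    for key, sigs in groups.items():
        for i, (start, _) in enumerate(sigs):
            in_win = [s for t, s in sigs[i:] if t - start <= window]
            score = sum(WEAK_SIGNALS[s] for s in in_win)
            sources = {s[0] for s in in_win}
            if score >= threshold and len(sources) >= min_sources:
                hits[key] = {"score": score, "sources": sources}
                break
    return hits


def per_layer_alerts(events):
    """Siloed rule: one layer, 10-minute window, score >= 5. Fires on nothing here."""
    return score_windows(events, timedelta(minutes=10), threshold=5, min_sources=1, siloed=True)


def correlated_alerts(events):
    """Cross-layer rule: 12-hour window, score >= 5, at least two layers."""
    return score_windows(events, timedelta(hours=12), threshold=5, min_sources=2)


if __name__ == "__main__":
    evts = parse_events(EVENTS_JSONL)
    print("per-layer:", per_layer_alerts(evts))
    print("correlated:", correlated_alerts(evts))
```

Two things in the data are worth noticing. `ops-admin` creates an access key from a known device and is not flagged by either rule, because one layer's signal never reaches the threshold; `jdoe` never trips a per-layer rule either, but the same principal appearing across identity, endpoint and cloud within the long window is exactly the pattern the isolated rules cannot express. The long window is the cost of the approach: it only works if all three layers are ingested into the same place and keyed on the same principal identifier.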
Detection is becoming a visibility alignment problem
Modern SOCs are not failing because security teams are inactive or underinvested.
They are struggling because detection models designed for noisy attacks are increasingly confronting adversaries who operate quietly inside legitimate workflows.
That distinction matters.
When attacks blend into normal business activity, traditional assumptions around visibility, alerting, and response begin to break down. Organisations that recognise this shift early will be better positioned to improve detection maturity in practical, measurable ways.
At CyberNX, we have studied these detection gaps and evasion techniques over time and developed practical remediation strategies. We explore all of this in greater depth in our latest white paper:
When SOC Misses Red Team Activities: Why Detection Fails & How to Close the Gaps
Download the full white paper to explore how modern red team tradecraft exposes structural weaknesses in SOC visibility and detection engineering.
FAQs
Why do SOCs struggle to detect modern adversary behaviour?
Many SOCs are heavily focused on endpoint and infrastructure telemetry, while modern attacks increasingly operate through APIs, identity layers, cloud services, and legitimate user workflows. This creates visibility gaps where attack activity appears operationally normal.
How do red team exercises help improve SOC detection?
Red team exercises simulate realistic adversary behaviour to identify where monitoring, telemetry, and detection logic fail. They help organisations validate whether attacks can be detected before meaningful compromise occurs.
Why are APIs and applications difficult for SOCs to monitor?
Traditional monitoring tools are often designed around infrastructure and endpoint activity. APIs and applications generate large volumes of legitimate traffic, making it difficult to distinguish malicious behaviour without contextual logging and behavioural correlation.
What is the role of detection engineering in modern SOCs?
Detection engineering helps align monitoring with realistic attack paths. It involves designing use cases, correlating telemetry across layers, improving logging depth, and continuously validating detection logic through adversary simulation.