The app sec community was happy to see the move OWASP is considering in its Top 10 update: “Security Logging and Alerting Failures” moves from position #10 to position #9 and is highlighted in the 2025 release with a new name that emphasizes a critical and often overlooked component: alerting.
“Security Logging & Alerting Failures” represents more than a simple reordering of priorities. It signals a shift in how organizations will approach application security in an era of increasingly sophisticated threats and compliance requirements.
Why the Promotion Matters
The journey from “Insufficient Logging & Monitoring” in 2017 to “Security Logging and Monitoring Failures” in 2021, and finally to “Security Logging & Alerting Failures” in 2025 tells a story of growing recognition. While this category continues to be underrepresented in CVE/CVSS data and remains challenging to test, the security community voted it into this position for good reason.
As OWASP explicitly states in their 2025 documentation: “Great logging with no alerting is of minimal value in identifying security incidents.” This simple statement captures why the category earned its promotion. It is important to note that while logging and alerting failures are not typically exploited directly, they materially increase the impact and dwell time of other vulnerabilities. OWASP accounts for this through its risk methodology, combining data with expert and community input.
Organizations can generate mountains of log data, but without effective alerting mechanisms that trigger appropriate action, they’re essentially flying blind.
Failures in logging and alerting directly impact three critical security capabilities:
- Visibility into what’s happening across your application infrastructure
- Incident alerting to catch problems before they escalate
- Forensics to understand what went wrong and prevent future incidents
Without robust logging and alerting, security teams cannot detect breaches in progress, respond to active threats, or conduct post-incident analysis to strengthen defenses.
Why Application Security Teams Should Care
For application security teams, this promotion validates what many have known intuitively but struggled to prioritize: you cannot secure what you cannot see.
Consider the real-world scenarios OWASP highlights. An attacker scans for users with common passwords, taking over accounts systematically. For most users, this leaves only a single failed login attempt. Without comprehensive logging and alerting configured to detect patterns across multiple accounts, this attack flies under the radar until significant damage is done.
Application security teams face several specific challenges that make this category critical:
1. Detection of Complex Attack Patterns: Modern attacks rarely announce themselves with a single obvious indicator. They unfold across multiple sessions, IP addresses, and timeframes. Only comprehensive logging with intelligent alerting can connect these dots.
2. Compliance Requirements: Regulations like PCI-DSS, GDPR, and HIPAA mandate specific logging capabilities. The OWASP promotion underscores that these aren’t just checkbox requirements—they’re essential security controls.
3. Incident Response Speed: When a security incident occurs, every minute counts. Effective logging and alerting compress the time between detection and response, potentially preventing a minor breach from becoming a catastrophic data loss.
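The OWASP scenario above (one failed login per account, spread across many accounts) and the "complex attack patterns" point are easiest to see with two detection rules side by side. The following is an added example, not code from the original post or from OWASP or Hydrolix: a per-account lockout rule that stays silent on a spray, and a cross-account rule that correlates failures by source address inside a sliding time window. The log format, field names, thresholds and the sample lines are all constructed for this illustration.

```python
"""Contrast a per-account failed-login rule with a cross-account spray rule.

Added illustration (not from the original post). Log format, thresholds and
sample data are constructed assumptions, not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not captured from a real system).
# 203.0.113.7 fails once against each of six different accounts within 40 s;
# 198.51.100.4 is a legitimate user ("gina") mistyping her password three times.
SAMPLE_LOGS = """\
2025-03-01T10:00:01Z auth login_failed user=alice src=203.0.113.7
2025-03-01T10:00:05Z auth login_failed user=bob src=203.0.113.7
2025-03-01T10:00:09Z auth login_ok user=carol src=198.51.100.4
2025-03-01T10:00:12Z auth login_failed user=carol src=203.0.113.7
2025-03-01T10:00:20Z auth login_failed user=dave src=203.0.113.7
2025-03-01T10:00:31Z auth login_failed user=erin src=203.0.113.7
2025-03-01T10:00:40Z auth login_failed user=frank src=203.0.113.7
2025-03-01T10:05:00Z auth login_failed user=gina src=198.51.100.4
2025-03-01T10:05:10Z auth login_failed user=gina src=198.51.100.4
2025-03-01T10:05:25Z auth login_failed user=gina src=198.51.100.4
"""


def parse_line(line):
    """Parse one '<ts> <component> <event> key=value ...' line into a dict."""
    ts_str, component, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "component": component, "event": event, **fields}


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def per_account_alerts(events, threshold=3):
    """Classic lockout-style rule: alert on a user with >= threshold failures.

    This is the rule that misses a spray: every sprayed account fails only once.
    """
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "login_failed":
            counts[e["user"]] += 1
    return sorted(user for user, c in counts.items() if c >= threshold)


def spray_alerts(events, window=timedelta(minutes=5), min_accounts=5):
    """Cross-account rule: one source failing against >= min_accounts distinct
    users inside a sliding window. Returns at most one alert per source."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_src[e["src"]].append(e)

    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append({
                    "src": src,
                    "distinct_users": len(users),
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                })
                break
    return alerts


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("per-account rule fires on:", per_account_alerts(evts))
    print("cross-account spray rule fires on:", spray_alerts(evts))
```

On the constructed data the per-account rule flags only "gina" (a noisy but harmless user) while the cross-account rule flags 203.0.113.7 after its fifth distinct account. In practice the grouping key can be the source address, an ASN, a device fingerprint or a user-agent hash, and the window and account threshold are tuned against a baseline of normal failure rates; what matters for this category is that the correlation runs close to ingest so the alert fires during the spray rather than in a later report.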
The Challenge for Application Security Vendors
For application security vendors, the OWASP promotion presents both an opportunity and a challenge. Organizations are now prioritizing logging and monitoring capabilities in their security tool selection, creating market demand for solutions that address this category effectively.
However, vendors face significant technical hurdles:
The Volume Problem: Modern web applications generate enormous quantities of log data. A single high-traffic application can produce terabytes of logs daily. Web Application Firewalls generate particularly high volumes due to the nature of edge security—every HTTP request potentially generates multiple log entries as it’s evaluated against various security rules.
The Storage Economics Problem: Many first-generation observability and security platforms were built before the era of cloud-scale architectures. They often rely on expensive, tightly coupled storage architectures that make long-term retention of high-volume logs economically prohibitive.
The Access Speed Problem: Logs are only valuable if they can be queried quickly when needed. But many vendors force customers to choose between hot storage (expensive but fast) and cold storage (cheap but slow), creating operational friction that defeats the purpose of comprehensive logging.
Why Most Observability Solutions Struggle at Scale
Many first-generation observability solutions don’t scale well when confronted with application security log volumes, especially from enterprise-grade WAFs.
Consider WAF deployments. Organizations using a WAF can generate hundreds of gigabytes to multiple terabytes of security logs per day. Each HTTP request evaluated by the WAF creates log entries containing information about the request, the rules triggered, actions taken, and contextual metadata.
First-generation, tightly coupled observability platforms face impossible economics at this scale:
Cost Explosion: Platforms charging per-GB ingestion or per-GB storage see costs spiral out of control. Organizations face bills that can easily consume 30% of their total cloud infrastructure budget just for observability.
Forced Data Sacrifice: To manage costs, teams resort to sampling, aggregation, or simply discarding data after short retention periods. This directly undermines the security visibility that OWASP’s category emphasizes.
Query Performance Degradation: As data volumes grow, query performance suffers on platforms not architecturally designed for log-scale workloads. What should be a five-second investigation turns into a five-minute wait, or simply times out.
The storage costs alone can break the bank for most organizations. When you’re ingesting terabytes daily and industry compliance or security best practices demand retention periods of months or years, traditional per-GB pricing models become untenable.
How to Address the Challenge
To solve the problem the OWASP promotion highlights (providing comprehensive, actionable visibility into high-volume security and application logs at an economically sustainable cost), companies need a real-time data platform that alerts within seconds of ingest, does not cost a fortune regardless of data volume, and keeps all data hot for rapid querying.
They need:
Real-Time Alerting at Scale: Real-time data platforms like Hydrolix make data available for alerting within seconds, even at massive scale, ingesting over 10 million rows per second while maintaining single-digit-second latency.
15+ Months of Hot Data Retention: Many data analytics and observability providers force data into cold storage after 7-30 days. That is exactly what creates the conundrum of discarding or sampling data vs. keeping it all. Companies should look for platforms that keep all data in “hot” queryable storage for 15 months or more as standard, and with high compression ratios. This means security teams can hunt threats across historical data without the delays and friction of data rehydration.
Sub-Second Query Performance: Sub-second query response times, even on datasets containing billions of rows, enable the kind of rapid investigation and analysis that effective incident response demands.
Economic Sustainability: Platforms like Hydrolix come with a 75% cost reduction compared to traditional observability platforms for equivalent workloads. This isn’t through data sampling or shortcuts—it’s through fundamental architectural advantages, such as decoupling storage from compute, and 25-50x compression.
When running multiple security solutions, companies need seamless integration with all data sources, offering consolidated visibility into security events and delivery traffic in a single platform. With insights in one place, it is easier to spot issues quickly and to significantly reduce MTTR.
The Architecture That Makes It Possible
Achieving those goals requires fundamental architectural choices:
Decoupled Storage and Compute: Many traditional data platforms come with tightly coupled compute and storage architectures. Decoupling them, however, is critical because it allows each component to scale independently based on actual workload requirements. That not only increases the speed to insight but also reduces costs.
Stateless Kubernetes Infrastructure: Platforms should run on a stateless Kubernetes architecture, enabling dynamic scaling up during peak events and down during quiet periods, directly controlling costs.
Advanced Compression Technology: High-density compression can significantly reduce costs without sacrificing query performance, fundamentally changing the economics of long-term retention.
Streaming ETL on Ingest: When data transformation and enrichment happen during ingestion, it allows multiple log sources to be combined into unified tables while reducing downstream processing costs.
Optimized for Cloud Object Storage: By maximizing the performance of commodity object storage rather than requiring expensive specialized storage, companies can get enterprise-grade performance at dramatically lower infrastructure costs.
The Broader Implications
The promotion of “Security Logging & Alerting Failures” in the OWASP Top 10 represents more than a tactical shift in security priorities. It signals a broader recognition that in the modern threat landscape, comprehensive visibility is not optional.
As applications move to cloud-native architectures, adopt microservices patterns, and scale to serve global user bases, the volume and complexity of log data will only increase. The traditional approach of treating logs as a cost center to be minimized must give way to recognizing them as a critical security asset.
Organizations that embrace comprehensive logging and alerting will gain significant security advantages:
- Faster threat detection and incident response
- Better compliance posture with auditable evidence
- Deeper understanding of application behavior and user patterns
- Ability to proactively identify and address vulnerabilities
- Foundation for advanced use cases like threat hunting and behavioral analysis
The OWASP Top 10 promotion of “Security Logging & Alerting Failures” isn’t a reshuffling of priorities—it’s a call to action: organizations must prioritize visibility, detection, and response capabilities.
For application security teams, this means making logging and alerting a core part of the overall security stack.
For security vendors, it means building or adopting platforms that can handle log-scale data without forcing impossible tradeoffs.
For data analytics platforms, it’s a moment of reckoning. Solutions that cannot economically handle the log volumes generated by modern applications and security tools like enterprise WAFs will increasingly find themselves sidelined.
Hydrolix delivers a new approach that aligns with OWASP’s recommendations without breaking the bank.
If you are interested in learning more, visit hydrolix.io
:::info
This story was published under HackerNoon’s Business Blogging Program.
:::
