
Threat-Informed Defense: The Gap Between What Attackers Do and What SOCs See

The gap between modern breach data and most SOC tooling is real. This data-driven blueprint shows where attacks land and how to build detection around it.

Tags: threat intelligence, SOC, Microsoft Sentinel, Defender XDR, DBIR, MITRE ATT&CK

The data is not the problem.

The Verizon 2025 DBIR analyzed 22,052 incidents and 12,195 breaches. The Microsoft Digital Defense Report 2025 documented attack trends across billions of signals. The threat intelligence is abundant, detailed, and largely consistent across sources. We know what attackers are doing.

The gap is between what those reports say and what most SOCs are actually instrumented to detect.

This is the pillar article for a series on threat-informed defense. The series is a blueprint, not a reading list. Each article gives you something to implement, not just understand. This first piece frames the problem: the structural gap between modern attack patterns and traditional SOC architectures. The series covers the Microsoft tools built to detect the top threats, the log sources required for detection and forensics, the architecture decisions that make Sentinel scalable as a data platform, migration patterns to unified SecOps and the data lake, and how AI agents compress the time between seeing and acting.

Let's walk through what the breach data actually shows.


Three breach realities most SOC tooling wasn't built for

1. Ransomware is a credential problem, not a malware problem

Ransomware appeared in 44% of breaches and grew 37% year over year (DBIR 2025). That's not news. Ransomware has dominated headlines for years. What matters for SOC architecture is how ransomware operators are getting in.

Human-operated ransomware campaigns increased 87% year over year (MDDR 2025). These aren't spray-and-pray malware drops. They're hands-on-keyboard intrusions that start with stolen credentials, move laterally through valid accounts, and stage data for exfiltration before encryption ever begins.

The DBIR makes this connection explicit: 54% of ransomware victims had domains that appeared in infostealer or marketplace data. Forty percent had corporate emails in compromised credential logs. Infostealer malware now accounts for 51% of initial access methods observed by Microsoft Defender Experts.

If your SOC is waiting for a malware detection to signal ransomware, you're missing the first three stages of the attack chain. By the time the payload drops, the attacker has already mapped your network, elevated privileges, and staged your data.

The detection opportunity isn't malware detonation. It's anomalous authentication, credential access patterns, and lateral movement using valid accounts.

2. Vulnerability exploitation is outpacing remediation

Exploitation of vulnerabilities reached 20% of breaches and grew 34% year over year (DBIR 2025). Edge devices and VPNs accounted for 22% of exploitation cases: precisely the systems that are hardest to patch and easiest to expose externally.

Here's the number that should concern every SOC leader: median time to full remediation was 32 days (DBIR 2025). Only 54% of edge vulnerabilities were fully remediated during the year.

That's a 32-day window where attackers can operationalize public exploits against systems you know are vulnerable. And for 46% of edge vulnerabilities, that window never closes.

Espionage-motivated breaches make this even clearer. Seventy percent of espionage breaches used vulnerability exploitation for initial access (DBIR 2025). Nation-state actors aren't phishing their way in — they're walking through unpatched doors.

The detection opportunity isn't just blocking the exploit. It's post-exploitation behavior: unusual process execution on edge devices, lateral movement from VPN-adjacent systems, and authentication anomalies following vulnerability-class traffic patterns.

3. Third-party exposure has doubled, and most SOCs are blind to it

Third-party involvement in breaches doubled from 15% to 30% (DBIR 2025). Snowflake, Change Healthcare, CDK Global — these aren't edge cases. They're the new normal.

Most SOCs have no visibility into partner-side access. When a third-party identity authenticates to your tenant, you see the authentication event. You probably don't see what led to that identity being compromised. You definitely don't see the partner's telemetry.

The DBIR frames third-party compromise as both an initial-access problem and a blast-radius problem. A single compromised SaaS provider or managed service provider can cascade into dozens or hundreds of downstream victims. And the downstream victims often lack the forensic data to understand what happened.

The detection opportunity is identity-centric: conditional access policies that challenge or block high-risk third-party authentication, continuous monitoring of OAuth consent grants and application permissions, and anomaly detection on partner account behavior.
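The consent-grant monitoring mentioned above, as an added example that is not code from the original article: it scores Entra-style "Consent to application" audit records by whether the app is on a reviewed allowlist, whether the granted Microsoft Graph scopes give persistent mail, file or directory access, and whether the consent is tenant-wide. The records, field names, the `app-approved-0001` allowlist entry and the scoring weights are constructed assumptions; the scope names are real Graph permission names.

```python
"""Flag risky OAuth consent grants in Entra-style audit records.

Added example, not code from the original article. Records, field names,
the allowlist and the scoring weights are constructed assumptions, not a
real Sentinel or Entra schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Microsoft Graph permissions that grant persistent access to mail, files
# or the directory itself (real permission names).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}
PERSISTENCE_SCOPE = "offline_access"      # refresh tokens: access outlives the session
APPROVED_APP_IDS = {"app-approved-0001"}  # hypothetical reviewed-app allowlist
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    user: str
    app_id: str
    score: int
    reasons: list[str]


def parse_scopes(scope_field: str) -> set[str]:
    """Scopes arrive as a space-separated string, e.g. 'User.Read offline_access'."""
    return set(scope_field.split())


def assess_consent(record: dict) -> Finding | None:
    """Score one 'Consent to application' record; None means below threshold."""
    if record.get("operation") != "Consent to application":
        return None
    scopes = parse_scopes(record.get("scopes", ""))
    score, reasons = 0, []
    if record["app_id"] not in APPROVED_APP_IDS:
        score += 1
        reasons.append("application not on reviewed allowlist")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        score += 1
        reasons.append("offline_access grants refresh-token persistence")
    if record.get("consent_type") == "AllPrincipals":
        score += 2
        reasons.append("tenant-wide consent: every user is in the blast radius")
    if score < ALERT_THRESHOLD:
        return None
    return Finding(record["user"], record["app_id"], score, reasons)


def triage(records: list[dict]) -> list[Finding]:
    """Run every record through assess_consent and keep the alerts."""
    return [f for f in map(assess_consent, records) if f is not None]


# Constructed audit records (not real tenant data).
SAMPLE_AUDIT_RECORDS = [
    {"operation": "Consent to application", "user": "alice", "app_id": "app-approved-0001",
     "scopes": "User.Read", "consent_type": "Principal"},
    {"operation": "Consent to application", "user": "bob", "app_id": "app-unknown-7f3a",
     "scopes": "User.Read Mail.ReadWrite offline_access", "consent_type": "Principal"},
    {"operation": "Consent to application", "user": "admin.ops", "app_id": "app-unknown-21c9",
     "scopes": "Files.Read.All", "consent_type": "AllPrincipals"},
    {"operation": "Consent to application", "user": "dave", "app_id": "app-unknown-9b10",
     "scopes": "User.Read", "consent_type": "Principal"},
    {"operation": "Add user", "user": "admin.ops", "app_id": "", "scopes": ""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_RECORDS):
        print(f"{finding.user} -> {finding.app_id} (score {finding.score}): "
              + "; ".join(finding.reasons))
```

Only bob's grant (unreviewed app, mailbox write, refresh tokens) and the tenant-wide grant by admin.ops clear the threshold; dave's single `User.Read` consent to an unknown app is logged but not paged, which is the noise floor this kind of rule has to sit above.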


What Microsoft sees at scale

The DBIR provides incident-level statistics. The Microsoft Digital Defense Report adds telemetry-scale context from billions of signals across endpoints, identity, cloud, and email. Together, they paint a picture of what's actually hitting organizations.

Infostealer prevalence: 51% of initial access methods observed by Microsoft Defender Experts involved infostealer malware. Lumma Stealer, RedLine, Vidar, and the rest of that ecosystem aren't post-exploitation tools anymore. They're how attackers buy their way into networks.

Business email compromise: 21% of attack outcomes were BEC, compared to 16% for ransomware (MDDR 2025). The FBI IC3 reported more than $6.3 billion in BEC losses in 2024, with a median loss around $50,000 and wire transfer as the preferred payout method at 88% (DBIR 2025).

Human-operated ransomware: 87% increase year over year. Seventy-nine percent of ransomware operators use remote monitoring and management (RMM) tools for persistence. Forty percent of attacks now target both on-premises and cloud infrastructure (MDDR 2025).

Data exfiltration: 80% of Microsoft incident response engagements involved data collection, with 51% showing confirmed exfiltration. Eighty-two percent of ransomware incidents included large-scale data theft before encryption (MDDR 2025).

These aren't edge cases. They're the dominant patterns. And they share a common thread: they depend on credential compromise, valid-account abuse, and lateral movement that doesn't trip traditional detection rules.


Why the gap exists

Most SOCs were built around alert-driven architectures. A sensor sees something suspicious, fires an alert, and an analyst investigates. The model assumes that attacks generate detectable anomalies — malware signatures, network intrusion attempts, brute-force lockouts.

The modern attack chain doesn't work that way.

Stage 1 is credential theft. The attacker buys infostealer logs from a marketplace or compromises a system via ClickFix social engineering. The victim organization sees nothing, because the compromise happened on a personal device or a non-managed endpoint. Forty-six percent of corporate-login infostealer systems were non-managed, per DBIR 2025.

Stage 2 is initial access. The attacker authenticates using valid credentials. If MFA is absent or bypassable, access succeeds. If conditional access is in place, the attacker might trigger a risk-based challenge, but only if the sign-in looks anomalous enough to score as high-risk.

Stage 3 is lateral movement. The attacker uses built-in tools (PowerShell, Remote Desktop) and legitimate RMM software to move through the environment. Living-off-the-land techniques don't trigger malware signatures. Unless you're correlating authentication, process execution, and data access patterns, the activity blends in with normal admin behavior.

Stage 4 is data staging. The attacker collects high-value files, compresses them, and exfiltrates through cloud storage, encrypted tunnels, or legitimate file-sharing services. If you're not monitoring data movement and DLP violations, this stage is invisible.

Stage 5 is impact. Encryption, extortion, or both. By this point the attacker has been in the environment for days. Average dwell time is 12 days, average attack length 58 days (MDDR 2025). The ransomware alert is not the detection opportunity. It's confirmation that the opportunity already passed.

The gap isn't a training problem. It's a structural problem. Alert-driven architectures that depend on signature-based detection can't see credential-driven intrusions that use valid access and legitimate tools.

Closing the gap means getting tools, telemetry, and response automation into alignment with how attacks actually move.
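The correlation that stages 2 through 4 above call for, as an added example that is not code from the original article: a successful sign-in from a user/IP pair outside the learned baseline is the anchor, then logons and process executions by that user in the following hours are folded in, and a finding is raised only when at least two stages of the chain are present. The event records, field names, the six-hour window, the fan-out threshold and the staging/RMM tool watchlist are constructed assumptions, not a Sentinel schema.

```python
"""Correlate valid-account sign-ins, lateral logons and staging tools.

Added example, not code from the original article. All events, field names,
thresholds and the tool watchlist are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical watchlist for stages 3-4 (RMM persistence, archive, bulk copy).
STAGING_AND_RMM_TOOLS = {"7z.exe", "rclone.exe", "anydesk.exe", "screenconnect.exe"}
WINDOW = timedelta(hours=6)   # look-ahead after an anomalous sign-in
LATERAL_FANOUT = 3            # distinct hosts reached with the same credentials


@dataclass
class Finding:
    user: str
    anchor_ip: str
    stages: list[str] = field(default_factory=list)
    hosts: set[str] = field(default_factory=set)
    tools: set[str] = field(default_factory=set)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def correlate(events: list[dict], baseline: set[tuple[str, str]]) -> list[Finding]:
    """Return one Finding per anomalous sign-in whose follow-on activity
    spans at least two attack stages.

    baseline holds (user, ip) pairs seen in a prior learning period; a
    successful sign-in outside it is the stage-2 anchor. A lone anomalous
    sign-in never pages on its own, which keeps travel and VPN churn quiet.
    """
    events = sorted(events, key=_ts)
    findings: list[Finding] = []
    for i, e in enumerate(events):
        if e["type"] != "signin" or e["result"] != "success":
            continue
        if (e["user"], e["ip"]) in baseline:
            continue  # known pair: valid-account use that matches the baseline
        f = Finding(user=e["user"], anchor_ip=e["ip"], stages=["initial_access"])
        deadline = _ts(e) + WINDOW
        for later in events[i + 1:]:
            if _ts(later) > deadline:
                break
            if later["user"] != e["user"]:
                continue
            if later["type"] == "logon":
                f.hosts.add(later["dest_host"])
            elif later["type"] == "process" and later["image"].lower() in STAGING_AND_RMM_TOOLS:
                f.tools.add(later["image"].lower())
        if len(f.hosts) >= LATERAL_FANOUT:
            f.stages.append("lateral_movement")
        if f.tools:
            f.stages.append("data_staging")
        if len(f.stages) >= 2:
            findings.append(f)
    return findings


# Constructed baseline and events (not real telemetry).
BASELINE = {("alice", "10.1.1.5"), ("bob", "10.1.1.9"), ("carol", "10.1.1.12")}
SAMPLE_EVENTS = [
    # alice: normal day, known IP, two hosts
    {"ts": "2025-03-03T08:00:00", "type": "signin", "user": "alice", "ip": "10.1.1.5", "result": "success"},
    {"ts": "2025-03-03T08:05:00", "type": "logon", "user": "alice", "dest_host": "srv-fs01"},
    {"ts": "2025-03-03T08:30:00", "type": "logon", "user": "alice", "dest_host": "srv-app03"},
    # bob: sign-in from an unseen IP, then fan-out and staging tools
    {"ts": "2025-03-03T09:00:00", "type": "signin", "user": "bob", "ip": "203.0.113.77", "result": "success"},
    {"ts": "2025-03-03T09:10:00", "type": "logon", "user": "bob", "dest_host": "srv-fs01"},
    {"ts": "2025-03-03T09:18:00", "type": "logon", "user": "bob", "dest_host": "srv-db02"},
    {"ts": "2025-03-03T09:25:00", "type": "logon", "user": "bob", "dest_host": "srv-app03"},
    {"ts": "2025-03-03T09:40:00", "type": "logon", "user": "bob", "dest_host": "dc01"},
    {"ts": "2025-03-03T10:05:00", "type": "process", "user": "bob", "host": "srv-fs01", "image": "7z.exe"},
    {"ts": "2025-03-03T10:20:00", "type": "process", "user": "bob", "host": "srv-fs01", "image": "rclone.exe"},
    # carol: unseen IP but a single logon, below the page threshold
    {"ts": "2025-03-03T11:00:00", "type": "signin", "user": "carol", "ip": "198.51.100.4", "result": "success"},
    {"ts": "2025-03-03T11:05:00", "type": "logon", "user": "carol", "dest_host": "srv-app03"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, BASELINE):
        print(f"{finding.user} from {finding.anchor_ip}: {' -> '.join(finding.stages)}; "
              f"hosts={sorted(finding.hosts)} tools={sorted(finding.tools)}")
```

Alice never anchors because her sign-in matches the baseline, carol anchors but stops at one stage, and bob produces the full three-stage chain. The baseline set is where the 12-month behavioral history discussed later in the series would come from; here it is a literal set so the block runs offline.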


The blueprint

This series covers each of those requirements in depth.

Article 1: The Top 10 Threats and the Microsoft Tools Built to Detect Them

The first supporting article maps the breach data to the Microsoft security stack. For each of the ten DBIR-documented threat categories — infostealer malware, credential abuse, ransomware, BEC, vulnerability exploitation, third-party exposure, data exfiltration, ClickFix social engineering, software supply chain attacks, and insider threats — we cover which Microsoft products detect the threat, how detection works at the telemetry level, and what gaps remain. A bonus eleventh threat covers AI agent infrastructure attacks as a forward-looking vector SOCs need to start preparing for now.

It maps threat intelligence to detection capability. If you're running Microsoft Defender XDR, Sentinel, Entra ID Protection, and Defender for Cloud, you have most of the building blocks. The question is whether they're configured and integrated to catch the attack chains that actually compromise organizations.

Article 2: The Log Sources SOCs Need for Detection, Forensics, and Hunting

The second article covers telemetry. You can't detect what you can't see, and you can't investigate what you didn't log.

We walk through the log sources required to detect each threat category: identity logs for credential abuse, endpoint telemetry for lateral movement, cloud audit logs for exfiltration, and email telemetry for BEC. The article covers Microsoft-native sources in depth alongside the third-party and infrastructure sources — DNS, VPN, PAM, firewall, proxy — that complete detection coverage. It also covers retention requirements, ingestion patterns, and the forensic gaps that emerge when log sources are missing or misconfigured.

If you've ever tried to investigate an incident and found critical logs weren't captured, this article is for you.

Article 3: How AI Agents Compress Time Between Seeing and Acting

The third article covers response automation through AI agents. Detection is only half the problem. The other half is responding fast enough to matter.

Human-operated ransomware operators work quickly. The gap between initial access and impact is measured in hours or days, not weeks. Traditional SOC response workflows — triage, escalation, approval, remediation — can't keep pace with an attacker who's already in the environment with valid credentials.

AI agents change that. They can correlate signals, pull context, and kick off response actions faster than any analyst working a queue. The design question is how to build those workflows so they're reliable, auditable, and actually fit for how your organization manages risk. The article also covers the failure modes — including how AI agent triage workflows become attack surfaces if you don't account for cross-prompt injection and verdict manipulation.

Article 4a: Why Your SIEM Architecture Needs to Change

Most SIEM architectures were designed for a different era — everything into analytics, aggressive data pruning to control costs, log sources added reactively after incidents. That architecture breaks down when AI agents need to reason over 12 months of behavioral history to surface an anomaly.

This article covers the fundamental architecture shift — from analytics-first to data lake-aware — and why the organizations that make this transition early will have a structural detection advantage.

Article 4b: The Design Decisions That Will Define Your Detection Capability

The architecture decisions you make in the next 12 months will shape what you can detect, investigate, and automate for years. Log routing, retention tiers, data lake query access, agent integration points — these aren't IT configuration choices. They're security strategy decisions.

This article works through the specific decisions: which log sources go to the analytics tier, which go to the data lake, how to structure the dual-ingest pattern for high-volume sources, and how to make the data lake queryable for both human analysts and AI agents.

Article 5: Migrating to Unified SecOps and the Sentinel Data Lake

Microsoft's unified SecOps platform consolidates SIEM, XDR, and exposure management under one workspace. The Sentinel data lake extends retention to 12 years at a fraction of analytics-tier cost, with full KQL query access for analysts and agents.

This article is the migration playbook: workspace architecture, data connector migration, log routing rules, the unified portal switchover, and how to validate that behavioral baselines are building correctly before you need them for an investigation.

Article 6: Building a Threat Hunting Program with KQL and the Sentinel Data Lake

Detection rules catch what you expect. Hunting finds what you don't. This article covers how to build a systematic threat hunting program — hypothesis-first, grounded in the threat model from Article 1, with working KQL patterns for T1, T2, T5, T7, and T9, and Jupyter notebook behavioral anomaly scoring against the data lake tier built in Articles 4a/4b.

The practical payoff for the data lake architecture investment: behavioral baselines deep enough to distinguish attacker credential reuse from normal authentication variation.

Article 7: Seeing the Attack Path Before the Breach — Graph Analytics in Microsoft Sentinel

KQL tells you what happened. Graph tells you what's possible. This article covers blast radius visualization, hunting graph traversal, and relationship-based attack path analysis — the detection layer that surfaces multi-hop privilege chains that tabular queries miss entirely.

It covers what's generally available today (blast radius graph, hunting graph with the data lake), what's in preview (graph MCP tools, custom graphs), and the three specific threat scenarios — T7 third-party, T10 insider threat, T11 agent identity abuse — where graph traversal changes the detection outcome.

Article 8: Measuring What Matters — SOC Metrics for the Agentic Era

Most SOC metrics measure activity. The ones that matter measure outcomes. This article covers the measurement framework for the full architecture: MTTD vs. the 12-day MDDR benchmark, log source coverage validation, behavioral baseline maturity tracking, agent workflow cycle time targets, and a 30/60/90 day implementation checkpoint.

The goal is a measurement program that tells you whether the architecture is actually working — not whether the team is busy.


Executive summary for security leadership

  • The detection gap is a business risk, not a technical debt issue. Organizations with misaligned detection architectures see longer time-to-detection, higher remediation costs, and more damage when incidents occur. It shows up directly in breach probability and dwell time.

  • The gap is measurable. Track MTTD against the 12-day average ransomware dwell time from MDDR 2025. If you're finding breaches after day 12, you're not stopping them.

  • The tooling is probably already licensed. Closing the gap requires Entra ID Protection, Defender for Identity, Defender for Endpoint, Defender XDR, Defender for Cloud Apps, and Microsoft Sentinel. Organizations with M365 E5 licensing own most or all of these. The investment is configuration, integration, and operational maturity, not new procurement.

  • This quarter: validate that your detection architecture covers the full credential abuse chain, from infostealer compromise through lateral movement to confirmed exfiltration. If you can't trace that chain in your current tooling, that's the first project.


Moving forward

The breach data is clear. Ransomware, credential abuse, vulnerability exploitation, and third-party exposure are the dominant patterns. The question is whether your SOC can see any of it happening.

This series is a blueprint for closing that gap. Each article gives you something specific to implement: threat mapping in Article 1, log architecture in Article 2, agent automation patterns in Article 3, SIEM architecture strategy in Articles 4a and 4b, a migration playbook in Article 5, a threat hunting program in Article 6, graph attack path analysis in Article 7, and a measurement framework in Article 8.

What's next: Start with Article 1: The Top 10 Threats Breaching Organizations Right Now. It maps the threat data to specific Microsoft products and detection patterns, with a practical starting point for evaluating your current architecture.

The gap between what attackers do and what SOCs see is structural. Closing it means matching your tools, telemetry, and response automation to the threats that are actually landing.

Let's get to work.


This article uses statistics from the Verizon 2025 Data Breach Investigations Report and the Microsoft Digital Defense Report 2025. Your environment will vary — treat the tool and log recommendations in this series as a baseline, not a complete configuration. Start with Article 1 to begin closing the gap, and work through the series in sequence from there.