Global Fortune 500 Financial Institution · Financial Services
The institution's SIEM was configured to ingest roughly 8% of total security telemetry, a deliberate cost-control decision made when storage and inference costs made full ingestion financially unjustifiable. Their SOC team was working from an incomplete picture, relying on heuristic rules and threshold-based alerts that sophisticated threat actors had learned to evade. Over an 18-month period, three separate incidents were later traced back to signals that existed in the unindexed telemetry, signals that would have surfaced each intrusion weeks or months earlier.
The institution connected their full telemetry pipeline — authentication logs, network flows, endpoint events, and cloud access logs — to LLM reasoning at 100% coverage. Rather than replacing their existing SIEM, the enriched intelligence was routed back into their existing workflow, with LLM-scored events, confidence levels, and cross-event pattern summaries delivered alongside standard alerts.
"We had the data. We just couldn't afford to read it. Now we can — and the first thing we found was an active lateral movement pattern that had been sitting undetected in our authentication logs for 11 days."
Chief Information Security Officer
The most significant finding in the first 30 days was a coordinated credential stuffing campaign spread across 847 source IP addresses, with each address sending few enough attempts to stay below per-IP threshold rules. At 8% coverage the pattern was invisible. At 100%, where the attempts could be correlated across every source address, it resolved immediately. The campaign was neutralized before any accounts were compromised.
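The two detection outcomes described above, a per-IP threshold rule that never fires and a cross-source aggregation that does, can be reproduced on a constructed authentication log. The block below is an added illustration and is not code from the institution or the vendor; the log, the 198.18.0.0/15 attacker addresses, the thresholds (5 failures per IP, 200 failures and 100 distinct IPs per hour) and the modelling of "8% coverage" as a uniform random 8% of events are all assumptions made for the example.

```python
"""Distributed credential stuffing: per-IP thresholds vs. cross-source aggregation.

Added example with a constructed log; none of the numbers come from a real incident.
"""
import random
from collections import Counter, defaultdict


def build_sample_log(seed=7, attacker_ips=847, attempts_per_ip=3, benign_events=5000):
    """Constructed auth log: benign traffic over 24h plus a low-and-slow stuffing campaign.

    Each event: minute of day, source IP, target username, success flag.
    Attacker IPs are drawn from 198.18.0.0/15 (benchmarking range, never routed).
    """
    rng = random.Random(seed)
    log = []
    for _ in range(benign_events):                      # ~5% benign failures (typos)
        log.append({"minute": rng.randrange(1440),
                    "ip": f"10.0.{rng.randrange(256)}.{rng.randrange(256)}",
                    "user": f"user{rng.randrange(200)}",
                    "success": rng.random() > 0.05})
    for n in range(attacker_ips):                       # each IP: a few failed guesses in a 4h window
        ip = f"198.18.{n // 256}.{n % 256}"
        for _ in range(attempts_per_ip):
            log.append({"minute": 600 + rng.randrange(240), "ip": ip,
                        "user": f"user{rng.randrange(200)}", "success": False})
    rng.shuffle(log)
    return log


def per_ip_threshold(log, max_failures=5):
    """Classic rule: alert on any single source IP with more than max_failures failed logins.

    A campaign that sends at most max_failures attempts per IP never trips it.
    """
    fails = Counter(e["ip"] for e in log if not e["success"])
    return {ip for ip, n in fails.items() if n > max_failures}


def distributed_stuffing(log, window_minutes=60, min_failures=200, min_distinct_ips=100):
    """Cross-event rule: per time window, count failures and distinct source IPs across ALL sources.

    Returns {window_start_minute: (failures, distinct_ips)} for windows exceeding both thresholds.
    Requiring many distinct IPs separates a distributed campaign from one noisy host.
    """
    windows = defaultdict(lambda: {"fails": 0, "ips": set()})
    for e in log:
        if e["success"]:
            continue
        w = (e["minute"] // window_minutes) * window_minutes
        windows[w]["fails"] += 1
        windows[w]["ips"].add(e["ip"])
    return {w: (v["fails"], len(v["ips"])) for w, v in windows.items()
            if v["fails"] >= min_failures and len(v["ips"]) >= min_distinct_ips}


def sample_coverage(log, fraction, seed=1):
    """Model partial SIEM coverage as a uniform random subset of events (an assumption)."""
    rng = random.Random(seed)
    return [e for e in log if rng.random() < fraction]


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP rule fires on:", per_ip_threshold(log) or "nothing")
    print("aggregate rule, 100% coverage:", distributed_stuffing(log))
    print("aggregate rule, 8% coverage:", distributed_stuffing(sample_coverage(log, 0.08)))
```

With the full log, the aggregate rule flags the four hourly windows starting at minutes 600 to 780 while the per-IP rule stays silent; on the 8% subset the same rule sees roughly 50 failures per window and stays silent too. Retuning thresholds to the sampling rate would recover the signal only if the missing 92% were dropped uniformly, which a source-by-source ingestion decision almost never is, so the practical fix is coverage, not threshold arithmetic.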