European Telecommunications Group · Telecommunications
The telco operated infrastructure across 12 countries with thousands of third-party integrations. Their security team had grown accustomed to working with sampled telemetry — a pragmatic response to the cost of full ingestion. The specific logs being dropped were those generated by low-priority service accounts and API integrations — exactly the category attackers had begun targeting in supply chain campaigns.
Full-coverage LLM reasoning was applied to all API access logs, service account activity, and integration telemetry. The model was tasked with identifying behavioral anomalies — not just rule violations — across the complete event stream.
"The pattern was subtle — a service account authenticating at unusual hours with slightly elevated API call rates. Nothing that would have triggered a rule. The LLM flagged it as anomalous because it had the full behavioral context. Our old system never would have seen it."
Head of Security Operations
The compromised integration belonged to a third-party monitoring vendor. The attacker had established a low-and-slow foothold using legitimate credentials, incrementally escalating access over several weeks. With sampled telemetry, the activity was indistinguishable from normal operation. At full coverage, the cumulative behavioral signature was clear within 11 days of the initial compromise.
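The mechanism described above, as an added illustration rather than code from the telco or its vendor: a constructed API access log for a hypothetical service account (`svc-monitoring`), a static per-session rule, and a cumulative behavioral score that learns a baseline from business-hours sessions. The rule never fires, and a one-in-ten ingestion sample drops every off-hours session, so only the full stream accumulates enough evidence to flag the account; the account name, thresholds and working hours are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:
    day: int        # day index within the observation window
    hour: int       # hour of day, 0-23
    account: str    # service account that authenticated
    api_calls: int  # API calls issued during that session

BUSINESS_HOURS = range(8, 19)  # assumed normal working window for this integration
RULE_THRESHOLD = 200           # assumed static per-session rule: alert above this
SCORE_THRESHOLD = 5.0          # assumed cumulative score at which an account is flagged

def build_log():
    """Constructed sample, not real telemetry: a monitoring-vendor account active 09:00-17:00
    at ~100 calls/session, plus, from day 3, a nightly 03:00 session on the same credentials
    at a slightly elevated, slowly rising call rate (the low-and-slow pattern)."""
    events = []
    for day in range(14):
        for hour in range(9, 18):
            events.append(AuthEvent(day, hour, "svc-monitoring", 100 + (day * 7 + hour) % 5))
        if day >= 3:
            events.append(AuthEvent(day, 3, "svc-monitoring", 110 + day))
    return events

def sample_every_nth(events, n):
    """Model sampled ingestion: keep one event in n and drop the rest."""
    return events[::n]

def rule_alerts(events):
    """Static per-session rule: fires only when a single session exceeds the threshold."""
    return [e for e in events if e.api_calls > RULE_THRESHOLD]

def cumulative_anomaly_score(events, account):
    """Learn a baseline rate from the account's business-hours sessions, then accumulate
    evidence: 1.0 per off-hours session plus any fractional excess over the baseline.
    Each increment is small; over weeks of full coverage they add up."""
    own = [e for e in events if e.account == account]
    business = [e.api_calls for e in own if e.hour in BUSINESS_HOURS]
    if not business:
        return 0.0
    baseline = sum(business) / len(business)
    score = 0.0
    for e in own:
        score += 1.0 if e.hour not in BUSINESS_HOURS else 0.0
        score += max(0.0, e.api_calls / baseline - 1)
    return score

def is_anomalous(events, account):
    return cumulative_anomaly_score(events, account) >= SCORE_THRESHOLD
```

The sampling here is a fixed stride, which systematically misses the rare nightly sessions; random sampling would miss most of them on average, with the same effect on the cumulative score.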