Security Logging and Monitoring Failures
detect, prioritise, remediate

What are security logging and monitoring failures?

Security logging and monitoring failures is the OWASP Top 10 category that covers every situation in which an application, platform, or programme fails to capture, transport, store, monitor, alert on, or retain the security-relevant events the defender needs to detect, investigate, and report an incident. OWASP renamed the category as A09:2021 (it was previously A10:2017 Insufficient Logging and Monitoring) and broadened it from logging gaps in code to the full operational chain across the production stack. The canonical parent CWE is CWE-693 (Protection Mechanism Failure), with the A09 mapping spanning CWE-117 (improper output neutralisation for logs), CWE-223 (omission of security-relevant information), CWE-532 (insertion of sensitive information into log file), CWE-778 (insufficient logging), CWE-779 (logging of excessive data), CWE-1295 (debug messages revealing unnecessary information), and CWE-285 (improper authorization) where access decisions never reach the audit chain.

The category is a parent, not a single bug. A finding falls inside A09:2021 when authentication failures, access denials, privilege changes, administrative actions, or server-side errors are never written to a queryable log, when logs are written but stripped of the actor identity, timestamp, source address, request path, response status, or correlation identifier required to reconstruct the event, when logs are captured on the host but never shipped off the application surface and disappear at redeploy, when logs reach the central store but no alert rule reads the security signals inside them, when alerts fire but no runbook routes the on-call response, when the log retention window is shorter than the audit obligation in scope, when integrity protection is absent so an attacker on the host can edit or delete the only record of their activity, or when sensitive content (passwords, tokens, API keys, PAN, PII) is written to logs in cleartext creating a CWE-532 secondary exposure on top of the missing detection.

A09:2021 is mechanistically broader than the per-finding entries it produces. The category is the operating chain, and the entries usually seen on an engagement record are the specific findings underneath it: insufficient logging and monitoring for the most common per-application sub-pattern, information disclosure when verbose error logs and debug responses leak internal state, broken authentication where credential-stuffing and brute-force activity never trips a detection rule, and security misconfiguration when default log levels suppress security events. SecPortal records the programme view through activity log with CSV export for every workspace decision and through findings management so logging-gap findings carry the same lifecycle as any other vulnerability across detect, triage, prioritise, route, remediate, and verify.

Where A09 failures live in the operating chain

A09 reaches across every layer of the detection and response chain, and a programme that fixes only one layer surfaces only one slice of the category. The six layers below carry distinct decisions, each with its own owner, evidence trail, and audit citation.

How A09 surfaces in production

OWASP names A09 as a category because the same risk shape arrives through several distinct failure modes. The four patterns below are the most common entry points for an A09 finding on an enterprise engagement record.

Common causes

How to detect A09 failures

Detection is layered. Active testing produces signals a scanner can read (a verbose error, a leaked stack trace, a missing security header that breaks alerting context), and programme-stage review surfaces the gaps a scanner cannot see (a missing event baseline, an unowned central store, an absent runbook). A defensible A09 posture runs both halves and lands the gaps on a record that distinguishes a per-application logging finding from a programme-level governance gap.

How to fix A09 failures

How SecPortal records and tracks A09 findings

SecPortal is not a SIEM, is not a log aggregator, is not a SOAR platform, and does not host an alert rule engine. It is the workspace where every A09 finding lands on the engagement record alongside source-level findings, external attack-surface findings, and authenticated DAST findings so severity, ownership, evidence, fix, and retest stay on one canonical record per logging or detection gap. The flow for an A09 finding looks like this on the platform.

What SecPortal does not do

Honesty on capability matters when the topic is detection and response. SecPortal is not a SIEM (Splunk, Sentinel, QRadar, Chronicle, Sumo Logic, Datadog Security, Elastic Security), is not a log aggregator (Loki, Datadog Logs, Sumo Logic, CloudWatch Logs, Stackdriver), is not a SOAR platform (Tines, Torq, Palo Alto XSOAR), is not an extended detection and response platform, does not host an alert rule engine, does not ingest the live security event stream from your applications, does not federate against your identity provider for sign-in monitoring, does not parse SIEM correlation output, does not maintain an alert tuning calendar inside the workspace, does not run the on-call runbook on your behalf, does not integrate with Jira, ServiceNow, Slack, PagerDuty, Opsgenie, or any ticketing or paging system through a packaged API surface, and does not host a managed-detection-and-response (MDR) service. Programmes that need real-time event ingestion, real-time alerting, automated containment, or 24/7 SOC operations typically run a dedicated SIEM and SOAR or contract an external MDR provider and land the resulting detection-gap findings on the SecPortal engagement record through bulk finding import. The platform value is the consolidated record where every A09 finding (whether it came from native authenticated scanning, external scanning, code scanning, bulk import from an outside detection engineering review, a tabletop exercise after-action, or a manual finding entry against a runbook gap) lives alongside the rest of the security backlog with the same lifecycle, the same role-based access control, the same activity log, and the same evidence trail.

Related vulnerabilities and recommended reading

A09 is the parent category for a cluster of more specific findings and the upstream concern for several SecPortal workflows. The pages below cover the per-finding shapes A09 produces, the frameworks that map control evidence against logging and monitoring posture, and the programme workflows that hold the A09 backlog across detect, triage, prioritise, route, remediate, and verify.

• Insufficient logging and monitoring the per-application sub-pattern that A09 most often produces on a single engagement, with CWE-778 as the primary mapping and a pentester-side writeup angle.
• Information disclosure the disclosure symptom that surfaces when an A09 missing-suppression gap lets verbose errors, stack traces, or debug responses reach the external observer.
• Broken authentication the paired finding A09 most often hides, where credential-stuffing and brute-force activity proceed undetected because the auth event chain has gaps.
• Security misconfiguration the deployment-stage cause when default log levels suppress security events or when log forwarding configuration is incomplete across environments.
• Insecure design (A04:2021) the upstream design-stage category that explains why an A09 failure exists when the threat model never named the detection requirement.
• Missing rate limiting the abuse pattern that most exposes an A09 logging gap because the brute-force or enumeration activity reaches volume without anyone noticing.
• OWASP ASVS Chapter V7 Error Handling and Logging is the verification standard section that reads against the controls A09 expects across the event-capture, retention, and integrity layers.
• ISO/IEC 27001 Annex A.8.15 logging and A.8.16 monitoring activities are the ISO mapping for A09 control evidence in an ISMS-style audit.
• SOC 2 CC7.2 system monitoring and CC7.3 incident response are the trust services criteria the auditor reads for A09 evidence across the audit period.
• PCI DSS Requirement 10 (log and monitor all access to system components and cardholder data) is the payment-industry mapping for A09 evidence with the twelve-month online retention bound.
• NIST SP 800-53 the AU audit and accountability control family and SI-4 information system monitoring are the federal mapping for A09 detection posture evidence.
• NIS2 Directive Article 21 risk-management measures and Article 23 incident reporting are the EU regulatory mapping for the detection capability A09 expects.
• OWASP Top 10 explained the parent reference that sets A09 alongside the rest of the Top 10 and the 2021 rename from Insufficient Logging and Monitoring to Security Logging and Monitoring Failures.
• Incident response plan guide the operating spine the A09 detection chain feeds into when an alert fires and the runbook routes the response.
• Incident response tabletop exercise guide the rehearsal vehicle that exposes A09 gaps before an incident does, including missing alerts, missing runbooks, and missing escalation paths.
• Security programme KPIs and metrics framework the leadership reporting reference that translates A09 coverage and mean-time-to-detect into board-readable metrics.
• Security leadership reporting the workflow that carries A09 coverage gaps, detection trends, and remediation cadence into the leadership read without rebuilding the narrative each cycle.
• Audit fieldwork evidence request fulfillment the workflow that turns A09 findings and the closure trail into the evidence pack the audit fieldwork request reads.
• SecPortal for AppSec teams the audience overview for the teams that own application-layer logging requirements across the portfolio.
• SecPortal for security operations leaders the audience overview for the leaders who answer the detection coverage question and pair A09 evidence to the SOC posture read.

Compliance impact