
Chamuditha Ravindu, SOC Analyst, SecMatters.
Most security teams are highly effective at detecting what they can see.
Endpoint alerts, authentication logs and network telemetry provide a constant stream of signals that help identify suspicious activity. These controls are designed to detect malware, compromised accounts and known attack patterns across the environment.
But an increasing number of attacks are not designed to be seen at all.
They operate outside traditional monitoring layers, below the operating system, across wireless channels or through devices that lack visibility entirely. And in many cases, they leave no malware, no exploit alerts and no obvious indicators of compromise.
For security leaders, this creates a critical question:
What risks exist in parts of the environment we are not actively monitoring?
The Expanding Attack Surface Beyond Traditional Endpoints
Modern enterprise environments now extend far beyond laptops and servers.
Connected devices are embedded across offices, facilities and operational environments, including IP cameras, access control systems, smart locks, environmental sensors and building automation platforms.
These devices are now essential to how organisations operate. But they were not designed with the same level of security visibility as traditional IT assets.
Most lack:
- endpoint detection capabilities
- detailed logging
- consistent patching or lifecycle management
As a result, they often operate outside the visibility of standard security controls.
Industry research highlights the scale of this challenge. A 2025 device security report by Palo Alto Networks analysing 27 million connected devices across 1,803 enterprise networks found that nearly half of network connections involve high-risk IoT and IT devices, many of which are vulnerable or misconfigured.
This is not just an expansion of infrastructure. It is an expansion of the attack surface into areas where monitoring is inherently limited.
Attacks That Occur Before Monitoring Even Begins
Traditional detection assumes that attacks interact with software, systems or networks that can be observed.
However, some of the most effective attacks today occur before those layers are even involved.
In these cases, attackers target the hardware or firmware of a device rather than the operating system itself.
For example, firmware can be extracted and analysed to identify hardcoded credentials, hidden services or security weaknesses. Once identified, it may be modified to include persistent backdoors and reinstalled on the device, allowing ongoing access that survives resets or standard remediation.
Other attacks exploit hardware debugging interfaces such as UART or JTAG, which are sometimes left accessible in production devices. These interfaces can allow direct access to device consoles or bypass authentication controls entirely.
In more advanced scenarios, attackers may manipulate the boot process itself, loading modified firmware before the operating system starts.
Because these techniques work below the layer that most monitoring tools observe, they often leave little or no trace in traditional security logs.
When “Valid” Activity Is Not Legitimate
Not all attacks rely on compromising devices directly. Some exploit trust in the systems organisations rely on every day. Replay attacks are a clear example.
These attacks involve capturing a legitimate radio-frequency signal, such as one used by an access badge or wireless key, and replaying it to gain access.
From the system’s perspective, the signal is valid. The authentication succeeds. The event is logged as legitimate. But the activity itself is not.
These attacks commonly target:
- building access systems
- smart locks and door controllers
- vehicle access systems
- wireless sensor networks
As tools capable of capturing and replaying wireless signals become more accessible, these techniques are no longer limited to highly specialised attackers.
For security teams, this creates a new challenge: How do you detect an attack when the activity appears completely valid?
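To show why a replayed signal looks valid to the receiving system, and what a replay-resistant design changes, here is an added illustration (not code from the article or from SecMatters). It is a constructed model: a reader that accepts a fixed credential on every presentation, next to a challenge-response reader that binds each response to a one-time random challenge. The key, badge identifiers and class names are all assumptions for the demonstration.

```python
"""Static credential vs challenge-response: why a captured signal replays.
Constructed model of an access reader; not any real product or protocol."""
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-shared-secret"  # secret shared by badge and reader (constructed)


def static_credential(badge_id: str) -> bytes:
    """The same bytes are sent on every presentation; anyone who captures them holds them."""
    return hmac.new(KEY, badge_id.encode(), hashlib.sha256).digest()


class StaticReader:
    """Accepts the fixed credential whenever it is presented. A replay is indistinguishable
    from a genuine presentation, so the log records a successful, 'legitimate' event."""

    def __init__(self):
        self.log = []

    def verify(self, badge_id: str, credential: bytes) -> bool:
        ok = hmac.compare_digest(credential, static_credential(badge_id))
        self.log.append((badge_id, "granted" if ok else "denied"))
        return ok


class ChallengeResponseReader:
    """Issues a fresh random challenge per presentation. A response is valid for exactly
    one outstanding challenge, so a captured response cannot be reused later."""

    def __init__(self):
        self._outstanding = set()
        self.log = []

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, badge_id: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            # Unknown or already-consumed challenge: a replay produces a distinct log event
            self.log.append((badge_id, "replay_rejected"))
            return False
        self._outstanding.discard(challenge)  # consume it, whatever the outcome
        expected = hmac.new(KEY, badge_id.encode() + challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(response, expected)
        self.log.append((badge_id, "granted" if ok else "denied"))
        return ok


def badge_respond(badge_id: str, challenge: bytes) -> bytes:
    """What a legitimate badge computes for a given challenge."""
    return hmac.new(KEY, badge_id.encode() + challenge, hashlib.sha256).digest()


def demo() -> dict:
    """Present one genuine credential to each reader, then present the captured copy again."""
    results = {}
    static = StaticReader()
    cred = static_credential("badge-42")
    results["static_first"] = static.verify("badge-42", cred)
    results["static_replay"] = static.verify("badge-42", cred)  # accepted: nothing ties it to a session
    results["static_log"] = static.log

    cr = ChallengeResponseReader()
    c = cr.challenge()
    resp = badge_respond("badge-42", c)
    results["cr_first"] = cr.verify("badge-42", c, resp)
    results["cr_replay"] = cr.verify("badge-42", c, resp)  # rejected: challenge already consumed
    results["cr_log"] = cr.log
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point for monitoring is in the two logs: the static reader records the replay as an ordinary "granted" event, which is exactly the "valid but not legitimate" case described above, while the challenge-response reader produces a distinct "replay_rejected" entry that a SOC can alert on.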
The Visibility Gap in Modern Security Monitoring
Hardware-based attacks and replay attacks share a defining characteristic: they occur outside the traditional visibility layer of security monitoring.
- Hardware attacks take place through physical interfaces
- Replay attacks operate over radio-frequency communication rather than IP networks
- Authentication logs often show successful, legitimate activity
- No malware or exploit alerts are generated
As a result, security teams rarely detect the attack itself. Instead, they detect what happens next.
Detecting What Others Miss
Even when attacks are designed to remain invisible, they often leave subtle traces. These signals are rarely obvious in isolation, but when viewed together, they begin to reveal patterns.
Security teams may observe:
- unexpected outbound connections from devices that typically remain passive
- communication with unfamiliar or external systems
- unusual protocols originating from embedded devices
- network scanning behaviour from systems that should have limited functionality
In some cases, authentication data may also reveal inconsistencies, such as access events occurring at unusual times or appearing in multiple locations within unrealistic timeframes.
Individually, these signals may not trigger alerts. But together, they can indicate that something is wrong. This is where modern detection has fundamentally shifted. The goal is no longer to detect the exploit itself. It is to detect the behavioural patterns that follow it.
Why Detection Now Requires More Than Technology
Organisations today are not lacking data. They are often overwhelmed by it.
Logs exist across endpoints, networks, identity systems, cloud platforms and connected devices. But without context, correlation and interpretation, these signals remain fragmented. This is why detection is no longer just a technology problem. It is an interpretation problem.
Automated systems and AI-driven analytics are highly effective at processing large volumes of data and identifying anomalies. But distinguishing between harmless anomalies and genuine threats often requires understanding how systems are expected to behave within the context of the business.
For example:
- Should this device ever initiate outbound communication?
- Does this access pattern align with normal operations?
- Is this behaviour consistent with the role of the user or system?
These are questions that cannot always be answered through automation alone. They require human judgement.
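The behavioural signals listed under "Detecting What Others Miss" and the context questions above ("Should this device ever initiate outbound communication?") come together in the following added example, which is not code from the article or from SecMatters. It encodes expected behaviour per device role, runs over a handful of constructed flow records and badge events, and escalates only entities that accumulate more than one independent finding. The inventory, site names, travel-time table, business-hours window and thresholds are all assumptions for the demonstration.

```python
"""Correlating weak signals from devices outside endpoint monitoring.
All inventory, policy and log data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Expected behaviour per device role: the business context automation lacks on its own
ROLE_POLICY = {
    "ip_camera":       {"external_ok": False, "protocols": {"rtsp", "ntp"}},
    "door_controller": {"external_ok": False, "protocols": {"https", "ntp"}},
    "workstation":     {"external_ok": True,  "protocols": {"https", "dns", "smb"}},
}
INVENTORY = {"10.0.5.21": "ip_camera", "10.0.5.40": "door_controller", "10.0.9.12": "workstation"}

# Constructed flow records: "<timestamp> <src> <dst> <protocol>", src is the initiator
FLOWS = [
    "2025-03-02T02:14:05 10.0.5.21 10.0.5.2 ntp",
    "2025-03-02T02:15:11 10.0.5.21 203.0.113.8 https",   # camera reaching an external host
    "2025-03-02T02:16:30 10.0.5.21 10.0.7.3 ssh",         # camera speaking ssh to neighbours
    "2025-03-02T02:16:31 10.0.5.21 10.0.7.4 ssh",
    "2025-03-02T02:16:32 10.0.5.21 10.0.7.5 ssh",
    "2025-03-02T03:00:00 10.0.5.77 10.0.5.2 ntp",        # device not in inventory
    "2025-03-02T09:01:00 10.0.9.12 203.0.113.9 https",   # workstation, expected
]
# Constructed badge events: "<timestamp> <badge> <site> <result>"
BADGE = [
    "2025-03-02T02:10:00 badge-42 london-hq granted",
    "2025-03-02T02:25:00 badge-42 manchester-dc granted",  # second site 15 minutes later
    "2025-03-02T09:00:00 badge-17 london-hq granted",
]
SITE_MIN_TRAVEL = {frozenset({"london-hq", "manchester-dc"}): timedelta(hours=2)}  # assumed
BUSINESS_HOURS = (7, 20)  # assumed local working window, hour of day


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def device_findings(flow_lines, scan_window=timedelta(seconds=60), scan_threshold=3):
    """Return {src_ip: {reason: detail}} for devices whose traffic departs from their role."""
    findings = defaultdict(dict)
    by_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, proto = line.split()
        t = datetime.fromisoformat(ts)
        role = INVENTORY.get(src)
        if role is None:
            findings[src]["unknown_device"] = "not in inventory"
            continue
        policy = ROLE_POLICY[role]
        if not is_internal(dst) and not policy["external_ok"]:
            findings[src]["external_destination"] = dst
        if proto not in policy["protocols"]:
            findings[src]["unexpected_protocol"] = proto
        by_src[src].append((t, dst))
    # Scan-like behaviour: many distinct destinations from one source within a short window
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= scan_window}
            if len(dsts) >= scan_threshold:
                findings[src]["scan_like"] = f"{len(dsts)} destinations in {scan_window.seconds}s"
                break
    return dict(findings)


def badge_findings(badge_lines):
    """Flag granted access outside business hours or at two sites closer in time than travel allows."""
    findings = defaultdict(dict)
    last_seen = {}
    for line in badge_lines:
        ts, badge, site, result = line.split()
        t = datetime.fromisoformat(ts)
        if result != "granted":
            continue
        if not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
            findings[badge]["off_hours"] = ts
        if badge in last_seen:
            pt, psite = last_seen[badge]
            need = SITE_MIN_TRAVEL.get(frozenset({site, psite}))
            if need is not None and t - pt < need:
                findings[badge]["impossible_travel"] = f"{psite}->{site} in {(t - pt).seconds // 60} min"
        last_seen[badge] = (t, site)
    return dict(findings)


def triage(flow_lines, badge_lines):
    """A single finding is queued for review; independent findings on one entity are escalated."""
    merged = {**device_findings(flow_lines), **badge_findings(badge_lines)}
    return {
        entity: {"reasons": sorted(reasons), "priority": "investigate" if len(reasons) >= 2 else "review"}
        for entity, reasons in merged.items()
    }


if __name__ == "__main__":
    for entity, verdict in triage(FLOWS, BADGE).items():
        print(entity, verdict)
```

Each check on its own is weak: an off-hours badge read or a single outbound connection is routinely benign. The escalation rule only fires when unrelated checks agree about the same device or badge, which is the correlation-over-isolated-signals approach the article argues for, and the role policy is the part that a tool cannot infer without someone who knows how the environment is meant to operate.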
What This Means for Security Leaders
The nature of cyber risk is evolving. It is no longer confined to endpoints, networks or applications that can be easily monitored. It now extends into physical devices, wireless systems and embedded technologies that operate outside traditional visibility.
For security leaders, this has several implications:
- Not all threats will trigger alerts or appear in logs
- Valid activity cannot always be assumed to be safe
- Visibility must extend beyond traditional IT systems
- Detection requires correlation across multiple sources, not isolated signals
- Effective security operations depend on both technology and human insight
Seeing What Others Don’t
In an increasingly connected environment, some of the most significant risks are not the ones that generate obvious alerts. They are the ones that initially appear invisible.
The organisations that detect these threats earliest are not necessarily those with the most tools. They are the ones that can connect signals, interpret behaviour and recognise when something does not align with how their environment is supposed to operate.
Because in modern cybersecurity, the difference between normal and suspicious activity is not always defined by what the system sees, but by what experienced analysts understand.
