Overview

In 2015, Anton Chuvakin introduced what became one of the most widely adopted Security Operations Center (SOC) frameworks of the past decade: the SOC Visibility Triad. Logs, endpoint, and network telemetry were the three pillars every SOC needed to detect and respond effectively.

Fast-forward to 2025. After ten years and countless debates, Anton has now expanded the model to a SOC Visibility Quad, with the fourth leg being application visibility.

This addition reflects a fundamental reality: without visibility into the application layer, SOCs cannot detect where today’s most dangerous attacks originate.

Why the Original Triad Isn’t Enough

The triad pillars remain critical, but their coverage has limits in modern environments:

  1. Logs provide breadth but often lack context, generating overwhelming volume.
  2. Endpoints offer visibility into hosts and processes, but not into cloud-native execution paths.
  3. Networks are harder to monitor in a world of encryption, distributed workloads, and SaaS.

Each of these remains essential, but they do not give SOC teams a clear view of application runtime behavior – the layer attackers increasingly target and, sometimes, don’t need to leave to be successful (example: https://app-attack-matrix.com/bybit/).

The Case for Net-New Application Telemetry

Application visibility closes this blind spot. SOCs need direct telemetry from within applications themselves – not just signals derived from infrastructure. 

Here’s why:

  • Application blindspots: Attackers exploit vulnerabilities at the application layer to remain undetected for long periods.
  • Limits of legacy defenses: Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) were early attempts to close the gap, but both fell short. WAFs provide only surface-level filtering, while RASP introduced performance and operational challenges.
  • Supply chain clarity: Applications depend heavily on open source and third-party components. Application telemetry can reveal which vulnerable libraries are actually loaded and executed, helping SOCs focus on real risk.
  • Keeping pace with attackers: Relying only on log correlation or delayed alerts means reacting after damage is done. Application-level telemetry enables prevention by spotting and stopping malicious function calls in real time.

Mapping Application-Layer Threats

If logs, endpoints, and networks were enough, SOCs would already be catching application-layer attacks. But they aren’t, because these attacks require a new lens.

To make this concrete, the Application Attack Matrix was created in collaboration with experts in threat intelligence and application security from companies like AWS, Google Cloud (Mandiant), Intel, Microsoft, and Salesforce. Modeled after MITRE ATT&CK, the matrix classifies and tracks the most critical threats targeting the application layer.

This gives SOCs a structured way to understand how attackers target applications, and why traditional log, endpoint, and network telemetry misses so many of these signals.

CADR: Operationalizing the Fourth Pillar

This is where Cloud Application Detection and Response (CADR) comes in. CADR gives SOCs the ability to integrate application visibility alongside logs, endpoints, and networks – completing the quad and delivering net-new telemetry that is critical to protect against attacks in modern environments.

CADR provides:

  • Runtime application insights: Monitoring actual code execution paths, not just events.
  • Exploit detection at the application layer: Identifying active attempts to exploit vulnerabilities based on deep monitoring of app components.
  • Supply chain risk reduction: Showing which OSS and third-party components are in use and exploitable.
  • Noise reduction for vulnerability management: Prioritizing only vulnerabilities attackers can reach.
  • Real-time protection: Blocking malicious function calls before they spread into the broader cloud environment.

The Quad is Here

The SOC Visibility Quad is not a vision for 2030. It’s the reality of 2025. Logs, endpoints, and networks remain indispensable – but without application visibility, SOCs will continue to miss the layer where the majority of attacks unfold.

CADR makes the Quad operational today, giving SOCs the net-new telemetry they need to detect, prioritize, and prevent application-layer attacks.

If you’re interested in learning how CADR can help your team respond to threats quicker and with better precision, contact us today: https://www.oligo.security/demo

Justin McCann