Your Security Logs Are Lying to You: How Multi-Vector Attacks Exploit the Gaps Between Your Dashboards
I am about to describe something that happened to a client of mine two weeks ago, and if you manage any kind of web infrastructure, you are going to want to put down your coffee for this one.
They got hit with a DDoS attack on a Tuesday afternoon. Standard stuff — volumetric flood targeting their main API endpoint. Their Cloudflare setup caught it, mitigated it, everyone breathed a sigh of relief. Good job, team. High fives all around.
Except the DDoS was the distraction.
While their security team was watching the pretty graphs of blocked traffic spike and fall, someone was quietly exploiting a misconfigured API endpoint on a completely different subdomain. By the time they noticed, the attacker had exfiltrated about 12,000 customer records. The DDoS was the smoke. The API exploit was the fire.
This is what security researchers call a multi-vector attack, and it is becoming the default playbook for serious threat actors in 2026. Cloudflare just published a detailed blog post about how their new Log Explorer features help investigate exactly these kinds of attacks, and honestly, the timing could not be better.
What Is a Multi-Vector Attack and Why Should You Care?
A multi-vector attack is exactly what it sounds like: instead of hitting you with one thing, attackers hit you with several things simultaneously. The goal is not necessarily for every vector to succeed. The goal is for one vector to succeed while you are busy dealing with the others.
Think of it like a heist movie. One person sets off the fire alarm. Everyone runs outside. Meanwhile, someone else walks into the vault because all the guards are in the parking lot.
My colleague Hannah, who has done incident response for longer than some of our interns have been alive, describes it more bluntly: “Modern attacks are not puzzles with one solution. They are orchestras. And if you are only listening to the drums, you are going to miss the violin stealing your data.”
The most common multi-vector combinations we are seeing right now:
- DDoS + credential stuffing — flood the front door while picking the back lock
- Phishing + API exploitation — social engineer an employee to get initial access, then pivot to API abuse
- Bot traffic + web scraping + vulnerability scanning — hide malicious scans in a tsunami of bot noise
- Application-layer attack + DNS manipulation — attack the app while quietly redirecting a subdomain
Why Traditional Logging Falls Apart
Here is the fundamental problem: most organizations log things in silos. Your WAF logs go one place. Your DNS logs go another. Your API gateway logs sit in a third system. Your authentication logs are in yet another dashboard.
When everything is in separate buckets, correlating events across attack vectors is manual, slow, and error-prone. By the time you realize the DDoS and the API exploit happened within the same 15-minute window from overlapping IP ranges, the attacker is long gone and your customer data is on a Telegram channel somewhere.
Marcus, a security engineer I have worked with for about six years, told me about an incident at his company last fall. “We had all the logs,” he said. “Every single data point we needed was sitting in our SIEM. But it took us four days to piece together the full attack chain because the data was spread across 11 different log sources with different formats, different timestamps, and different retention policies. Four days. The attacker was in and out in four hours.”
Four hours to attack. Four days to understand what happened. That ratio tells you everything about the state of security logging in most organizations.
What Cloudflare Just Did (And Why It Matters)
Cloudflare’s Log Explorer now supports 14 additional datasets beyond the original HTTP request logs. That means you can now correlate across:
- HTTP requests (the traffic itself)
- Firewall events (what got blocked and why)
- DNS queries (who is looking up what)
- Bot management decisions (bot or not bot?)
- Access authentication events (who logged in)
- Workers and Pages deployment logs
- And several more
The key word here is correlate. Instead of checking five different dashboards and manually matching timestamps, you can now query across all of these datasets in one place. “Show me all events from this IP range, across all log types, in this time window” is a query that used to require a dedicated SIEM and a data engineering team. Now it is a Log Explorer search.
I am not going to pretend this is revolutionary technology. SIEMs have existed for decades. But the difference is accessibility. A Cloudflare customer can do this without deploying Splunk, without hiring a SIEM engineer, without spending six months on integration projects. That matters a lot for the mid-market companies that are increasingly on the receiving end of targeted attacks but do not have Fortune 500 security budgets.
A Step-by-Step Investigation Walkthrough
Let me walk through how you would actually investigate a multi-vector attack using this kind of unified logging. I am going to use a scenario based on real incidents I have seen (with details changed, obviously).
Step 1: The Alert
Your monitoring fires. Unusual spike in 403 responses on your authentication endpoint. Could be nothing: a bot replaying stale credentials, or your own rate limit doing its job. Could be everything.
Step 2: Time Window Analysis
Pull all events in a 30-minute window around the alert. Not just authentication events — everything. HTTP requests, firewall blocks, DNS queries, bot scores. You want the full picture.
Step 3: IP Correlation
Look at the source IPs hitting your auth endpoint. Now check: are those same IPs (or the same ASN/subnet) appearing in other log types? Are they also scanning your API endpoints? Making unusual DNS queries? Hitting your admin panel?
In the incident I described at the top, this is where we found the connection. The DDoS traffic and the API exploitation came from different IPs but the same hosting provider in the same country, registered within 24 hours of each other. That is not a coincidence.
Step 4: Timeline Reconstruction
Build a minute-by-minute timeline of the attack across all vectors. You will often find that the “distraction” attack starts 5-10 minutes before the real attack. Attackers want your team focused on the wrong screen before they make their move.
Step 5: Scope Assessment
Once you know all the vectors involved, assess the damage for each one. The DDoS might have caused 20 minutes of degraded performance. The API exploit might have exposed data. The DNS probe might have been unsuccessful. Each vector needs its own impact assessment.
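Here is Steps 2 through 4 carried out in code, so the "all events from this IP range, across all log types, in this time window" query described earlier is concrete. This is an added example, not code from the original post and not Cloudflare's Log Explorer query language: the dataset names, record layout, ASN table and every log line are constructed for illustration, and the alert being investigated is the 403 spike on the login endpoint from Step 1.

```python
"""Investigating a multi-vector attack across unified log datasets.

Added example: the datasets, field layout, ASN table and every log line below are
constructed for illustration; none of it is Cloudflare Log Explorer's schema or query syntax.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

T0 = datetime(2026, 3, 10, 14, 0, tzinfo=timezone.utc)

def t(minutes):
    """Minute offset from T0, so the sample data reads as a timeline."""
    return T0 + timedelta(minutes=minutes)

# One record per line: (dataset, timestamp, source_ip, detail).  Constructed data.
EVENTS = [
    ("firewall_events", t(2),  "203.0.113.10", "ddos mitigation: rate-limited /api/v1/orders"),
    ("firewall_events", t(3),  "203.0.113.11", "ddos mitigation: rate-limited /api/v1/orders"),
    ("http_requests",   t(5),  "198.51.100.7", "GET /admin -> 403"),
    ("dns_queries",     t(8),  "198.51.100.7", "A legacy-api.example.com"),
    ("http_requests",   t(11), "198.51.100.7", "POST /auth/login -> 403"),
    ("http_requests",   t(12), "198.51.100.7", "GET /v2/export?all=1 -> 200"),
    ("access_auth",     t(40), "192.0.2.55",   "login ok alice@example.com"),  # unrelated, outside window
]

# Hypothetical allocation table standing in for a whois/BGP lookup: two
# unrelated-looking /24s belong to the same hosting provider (AS64500).
ASN_TABLE = {
    ip_network("203.0.113.0/24"): 64500,
    ip_network("198.51.100.0/24"): 64500,
    ip_network("192.0.2.0/24"):    64501,
}

def asn_for(ip):
    addr = ip_address(ip)
    return next((asn for net, asn in ASN_TABLE.items() if addr in net), None)

def events_in_window(events, alert_time, half_width=timedelta(minutes=15)):
    """Step 2: every dataset, not just auth, inside +/- half_width of the alert."""
    return sorted((e for e in events if abs(e[1] - alert_time) <= half_width),
                  key=lambda e: e[1])

def correlate_by_asn(events):
    """Step 3: pivot from single IPs to the ASN and ask which datasets saw it."""
    by_asn = defaultdict(lambda: {"datasets": set(), "ips": set()})
    for dataset, _, ip, _ in events:
        entry = by_asn[asn_for(ip)]
        entry["datasets"].add(dataset)
        entry["ips"].add(ip)
    return dict(by_asn)

def timeline(events, asn):
    """Step 4: minute-by-minute reconstruction for one ASN across all vectors.
    Returns (minutes_since_first_event, dataset, ip, detail) rows, oldest first."""
    rows = sorted((e for e in events if asn_for(e[2]) == asn), key=lambda e: e[1])
    if not rows:
        return []
    first = rows[0][1]
    return [(int((ts - first).total_seconds() // 60), dataset, ip, detail)
            for dataset, ts, ip, detail in rows]

def distraction_lead_minutes(tl):
    """Minutes between the first DDoS mitigation row and the first successful (200)
    request from the same ASN; None if either side is missing."""
    first_ddos = next((m for m, ds, _, d in tl if ds == "firewall_events" and "ddos" in d), None)
    first_hit = next((m for m, ds, _, d in tl if ds == "http_requests" and d.endswith("-> 200")), None)
    if first_ddos is None or first_hit is None:
        return None
    return first_hit - first_ddos

if __name__ == "__main__":
    alert_at = t(11)                       # Step 1: 403 spike on /auth/login
    window = events_in_window(EVENTS, alert_at)
    for asn, g in correlate_by_asn(window).items():
        print(f"AS{asn}: {sorted(g['datasets'])} from {sorted(g['ips'])}")
    tl = timeline(window, 64500)
    for row in tl:
        print("+%02d min  %-16s %-14s %s" % row)
    print("distraction led the exploit by", distraction_lead_minutes(tl), "min")
```

Two things worth noticing in the output. The three source IPs look unrelated until the ASN pivot collapses them into one hosting provider, which is the Step 3 move; and the DDoS rows lead the successful export by ten minutes, which is the Step 4 pattern of the distraction starting before the real attack. In practice the ASN table is a whois or BGP lookup (or the edge provider's own enrichment field), and the window half-width is something you tune per alert type rather than hard-code.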
Five Things You Should Do This Week
Whether or not you use Cloudflare, the principle of unified logging applies. Here is what I would prioritize:
1. Audit Your Log Sources
List every place your infrastructure generates logs. Every. Single. One. I guarantee you will find at least two sources you forgot about. Last time I did this exercise with a client, we found their staging environment had been logging to a bucket that had not been checked in seven months.
2. Centralize or Correlate
Get your logs into a single system where you can search across them. Whether that is Cloudflare Log Explorer, a SIEM like Elastic or Splunk, or even a basic log aggregation setup — the ability to query across log types is not optional anymore.
3. Create Cross-Vector Alert Rules
Set up alerts that trigger when suspicious activity appears in multiple log types simultaneously. “DDoS mitigation activated AND unusual API error rate AND authentication failures from the same region” should wake someone up.
4. Practice Investigation Workflows
Run tabletop exercises specifically for multi-vector scenarios. Most incident response plans assume a single attack type. What happens when your team is dealing with two or three at once? (Spoiler: chaos. But practiced chaos is better than unpracticed chaos.)
5. Reduce Your Correlation Time
Measure how long it takes your team to go from “we see an alert” to “we understand the full attack chain.” If that number is measured in days, you have work to do. The goal is hours. Ideally, less than the duration of the attack itself.
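The cross-vector alert rule from item 3 above, as an added example. This is not a Cloudflare alerting feature and not code from the original post: the record layout, the thresholds, and the sample records are all constructed for illustration. The correlation key here is the source ASN; a country or region code, as the rule in the text uses, plugs in identically.

```python
"""Cross-vector alert rule over a sliding time window.

Added example, not a Cloudflare alerting feature: the record layout, thresholds
and every log record below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 3, 10, 14, 0, tzinfo=timezone.utc)

def t(minutes):
    """Minute offset from T0 for readable sample timestamps."""
    return T0 + timedelta(minutes=minutes)

# Raw records from three log sources, each with its own field names (the silo
# problem from the article).  Constructed data; "asn" is the correlation key.
RECORDS = [
    {"source": "firewall",    "ts": t(0),  "asn": 64500, "action": "ddos_mitigate"},
    {"source": "api_gateway", "ts": t(3),  "asn": 64500, "error_rate": 0.42},
    {"source": "auth",        "ts": t(6),  "asn": 64500, "failures": 120},
    {"source": "firewall",    "ts": t(20), "asn": 64501, "action": "ddos_mitigate"},
    {"source": "auth",        "ts": t(35), "asn": 64501, "failures": 80},    # 15 min later: DDoS row has expired
    {"source": "api_gateway", "ts": t(36), "asn": 64501, "error_rate": 0.55},
    {"source": "api_gateway", "ts": t(37), "asn": 64501, "error_rate": 0.01},  # healthy: no signal
]

def to_signal(rec):
    """Normalize one raw record to a named signal, or None if it is not suspicious.
    Thresholds are illustrative; tune them against your own baselines."""
    src = rec["source"]
    if src == "firewall" and rec.get("action") == "ddos_mitigate":
        return "ddos_mitigation"
    if src == "api_gateway" and rec.get("error_rate", 0.0) > 0.20:
        return "api_error_spike"
    if src == "auth" and rec.get("failures", 0) >= 50:
        return "auth_failure_burst"
    return None

class CrossVectorDetector:
    """Fires once per key when at least min_vectors distinct signals land within window."""

    def __init__(self, window=timedelta(minutes=10), min_vectors=3):
        self.window = window
        self.min_vectors = min_vectors
        self._recent = defaultdict(deque)   # key -> deque[(ts, signal)], oldest first
        self.alerts = []

    def observe(self, ts, key, signal):
        """Feed one signal in time order; returns the alert dict if the rule fires."""
        q = self._recent[key]
        q.append((ts, signal))
        while q and ts - q[0][0] > self.window:   # drop signals older than the window
            q.popleft()
        vectors = {s for _, s in q}
        if len(vectors) < self.min_vectors:
            return None
        alert = {"key": key, "at": ts, "vectors": sorted(vectors)}
        self.alerts.append(alert)
        q.clear()                                  # one campaign, one alert
        return alert

def run(records, detector=None):
    """Normalize and feed records in timestamp order; returns the alerts raised."""
    det = detector or CrossVectorDetector()
    for rec in sorted(records, key=lambda r: r["ts"]):
        sig = to_signal(rec)
        if sig is not None:
            det.observe(rec["ts"], rec["asn"], sig)
    return det.alerts

if __name__ == "__main__":
    for a in run(RECORDS):
        print(f"ALERT AS{a['key']} at {a['at']:%H:%M}: {', '.join(a['vectors'])}")
```

The expiry loop is what keeps the rule honest: AS64501's DDoS row is fifteen minutes old when its auth burst arrives, so it has already dropped out of the ten-minute window and the two later signals never reach the threshold. Clearing the queue after an alert stops the same campaign from paging again on every subsequent event. In a real deployment the state lives somewhere shared rather than in one process, and the key is usually a tuple such as (ASN, country) rather than either alone.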
The Uncomfortable Reality
I am going to be direct about something: multi-vector attacks are going to get worse. The tooling available to attackers is getting better. AI-assisted attack orchestration is real — we have seen attack campaigns that adapt their secondary vectors based on how the target responds to the primary vector. That is a level of sophistication that was reserved for nation-states three years ago. Now it is available to anyone with a cryptocurrency wallet and access to the right forums.
The defenders who will survive this are the ones who stop thinking about individual attack types and start thinking about attack campaigns. Not “we got DDoS’d.” Not “someone tried credential stuffing.” But “someone orchestrated a coordinated campaign against our infrastructure, and here is the full picture of what they did and why.”
Rachel, a CISO at a healthcare company, told me something at a conference last month that stuck with me. She said: “We stopped having a DDoS response plan and a phishing response plan and an API security plan. We have one plan now: the ‘someone is attacking us’ plan. Because by the time you figure out which type of attack it is, you have already missed two others.”
Hard to argue with that logic.
(And if your current logging setup involves checking six different browser tabs with different credentials, maybe start there. Nobody has ever successfully investigated a multi-vector attack while also trying to remember which tab had the DNS logs. Trust me on this one.)