TL;DR Security teams invest heavily in detection. But detection requires data, and the data most organizations keep is not the data investigations actually need. Logs record that something happened. Files reveal what it actually was. Attackers plan around retention windows. Hash lookups break the moment a payload is recompiled. A private file corpus that retains every executable from every endpoint, continuously reanalyzed as new intelligence arrives, closes the gap that every other security control depends on.
Security teams have spent years investing in detection.
Organizations deploy better EDR platforms, build stronger SIEM rules, subscribe to richer threat intelligence feeds, and hire skilled analysts to monitor the results. The assumption behind all of this investment is straightforward. When something malicious appears in the environment, the tools will catch it, alerts will fire, and an investigation will begin.
That assumption contains a blind spot. Detection requires data. And the data most organizations retain is not the data they actually need.
Table of Contents
- What Logs Actually Tell You
- The Retention Window Problem
- What Forensic Readiness Really Requires
- The SOC Telemetry Gap
- Why Hash Lookups Are Not Enough
- The Cost Equation Has Changed
- Why Stairwell Starts With the Files
- The Missing Security Control
- Frequently Asked Questions
What Logs Actually Tell You
The modern security stack runs on logs. Every platform generates them. Every SIEM ingests them. Every investigation begins with them. Logs record events. A process executed. A file was written. A network connection was established. A registry key was modified. These entries create a timeline of what happened in the environment.
What logs do not contain is the evidence itself. A log entry can tell you that a file named payload.exe was written to disk at a specific time. What it does not capture is the file itself. That distinction becomes critical the moment an investigation requires deeper analysis. A log entry cannot answer questions about what the file actually did. It cannot reveal whether the executable belongs to a known malware family. It cannot show whether the file shares code with a payload tied to a campaign that was identified months after the original event occurred.
Logs preserve activity. Files preserve evidence. Security programs that treat those two things as interchangeable are operating with a structural blind spot that only becomes obvious during a serious incident.
The Retention Window Problem
Most organizations maintain formal log retention policies. Thirty days. Ninety days. A year for some regulated environments. These policies exist for practical reasons. Storage costs money. Data has to be managed. Compliance frameworks specify minimum retention requirements.
What these policies rarely account for is how long modern attacks actually unfold. Sophisticated adversaries often preposition inside an environment for months before executing their final objective. A loader may land on an endpoint in February and remain dormant while occasionally communicating with external infrastructure. The ransomware payload may not detonate until September.
By the time incident responders begin investigating, the log entries from February may already be gone. The file that enabled the initial compromise was never retained in the first place. The investigation begins with a gap that covers the most important part of the attack timeline.
This pattern is not unusual. It is common across ransomware operations, state sponsored campaigns, and advanced criminal groups. These actors understand retention windows and plan around them. Long dwell times are not accidents. They are deliberate. Security architectures optimized for real time detection often struggle to reconstruct events that happened months earlier.
What Forensic Readiness Really Requires
Many organizations talk about forensic readiness. The concept is widely accepted. It means being prepared before an incident occurs to collect and preserve the evidence needed to understand what happened.
In practice, most forensic readiness programs focus on log collection. SIEM coverage is expanded. EDR telemetry is preserved. Network flow data is archived. These are valuable data sources. But they share a common limitation. They describe what happened around the file. They do not preserve the file itself.
When an incident escalates to the point where deep analysis is required, the questions become more specific. What did the file contain before the endpoint was wiped or reimaged? What was the file’s behavior? What code did it execute? Was it related to other files seen elsewhere in the environment? Did it match indicators published after the incident window? Logs cannot answer those questions on their own. They reference files but do not preserve them.
Answering those questions requires the files themselves. They must be retained in a form that remains searchable and analyzable long after the original endpoint has been remediated. Many organizations believe they have a forensic record when what they actually have is an incomplete outline of events.
The SOC Telemetry Gap
Security operations teams invest significant effort in understanding their visibility. Analysts know which endpoints have EDR deployed, which authentication logs are captured, and which network telemetry is available for analysis.
What often goes unexamined is what the SOC cannot see because the underlying evidence was never retained. Imagine a file that executed three months ago. An alert fired and an analyst reviewed it. The event was classified as low risk and the case was closed. The executable itself was never stored.
Today a threat intelligence report is published describing a malware campaign. The indicators match the file that triggered the earlier alert. The SOC still has the alert in the SIEM. What it no longer has is the file. Analysts cannot determine whether the file belonged to a known malware family, whether it shared code with other samples in the campaign, or whether related variants existed elsewhere in the environment.
The alert proves that something happened. The file would reveal what it actually was. Over time this gap compounds. Every file that was not retained becomes a question that cannot be answered later. Every investigation built entirely on logs carries a ceiling on how far analysis can go.
The telemetry gap in most SOCs is not about present day visibility. It is about analytical depth across the past.
Why Hash Lookups Are Not Enough
When analysts encounter a suspicious file, the standard workflow begins with a hash lookup. The file’s hash is checked against threat intelligence sources and a verdict is returned. Known malicious. Known benign. Unknown.
Hash based detection works for files that have been seen before in exactly the same form. It fails the moment an adversary modifies the payload. Recompiling with a different compiler flag. Changing a single byte. Repacking with a different tool. Each of these produces a new hash that will not match any existing signature.
Sophisticated adversaries understand this. They routinely modify their tooling before deployment specifically to defeat hash based lookups. The result is that the most targeted and dangerous files are precisely the ones that produce no match in any public or commercial threat intelligence feed.
Detecting those files requires deeper analysis. Code similarity. Behavioral patterns. Structural characteristics that remain consistent across variants.
But none of that analysis is possible without the file itself. You cannot perform code similarity analysis on a log entry. You cannot detect variants based on shared functionality from a hash alone. You cannot run a new YARA rule against an executable that was never retained.
Serious malware analysis requires the files.
The Cost Equation Has Changed
The traditional argument against large scale file retention has been cost. Storing every executable across a large enterprise produces significant data volume. Security budgets are already stretched and logs appear to provide a cheaper substitute.
That calculation has shifted. The cost of a major incident includes external response teams, operational disruption, regulatory exposure, and reputational damage. Organizations that discover during an investigation that their forensic record is incomplete because files were never retained often reconsider the cost equation quickly.
Infrastructure has also evolved. When file storage is treated as a core security capability rather than a simple IT expense, the value calculation changes. Historical visibility, deeper investigations, variant detection, and the ability to prove containment all depend on access to the files themselves.
In that context, the question becomes different. It is no longer whether the organization can afford to store files. It is whether the organization can afford to operate without the evidence those files contain.
Why Stairwell Starts With the Files
Stairwell was built around this exact problem. The platform collects and stores every executable from every endpoint in a private vault owned by the organization. The data does not become part of a shared repository or public intelligence platform. It remains private and continuously available for analysis. That persistent corpus becomes the foundation for continuous malware intelligence.
When new threat reports appear or new YARA rules are written, the intelligence is applied retroactively across the entire file history. A file that appeared unremarkable six months ago may suddenly connect to a newly documented campaign. That connection surfaces automatically because the file was retained and the analysis never stopped. This is what we call continuous hindsight.
Variant Discovery identifies files that share structural DNA with known threats regardless of hash or signature. One confirmed malicious file becomes the starting point for visibility across the entire malware family. Run to Ground maps the full scope of an incident across every endpoint in the environment, turning a single alert into complete campaign visibility.
AI Triage reads files rather than detonating them, providing structured reasoning about what each file does, how it works, and why it exists. Every file in the vault has this analysis available continuously, not just the ones an analyst thought to query.
None of these capabilities work without the files themselves. Detection requires data. The most important data is the files. And the files must be kept.
The Missing Security Control
Security teams have invested heavily in improving detection logic. They tune alerts, refine analytics, and expand telemetry coverage across the enterprise. But the effectiveness of every one of those controls depends on the evidence available for analysis.
Logs provide context. They show when something happened. Files provide truth. They reveal what actually happened.
Organizations that retain those files gain the ability to investigate the past with the same clarity they apply to the present. Those that do not are forced to work from partial evidence and incomplete timelines.
File retention is not an operational afterthought. It is the control that makes every other security capability possible.
Stairwell preserves every file from every endpoint inside a private vault and continuously re-analyzes that corpus as new intelligence emerges. The forensic record required for serious investigations begins with keeping the evidence that matters.
Frequently Asked Questions
Why aren’t logs enough for a serious investigation?
Logs capture that an event occurred. A process ran. A file was written. A connection was made. What logs do not capture is the file itself. When an investigation requires code similarity analysis, variant detection, or retroactive YARA matching, the file has to be there. Logs reference evidence. Files are evidence.
How do attackers exploit retention windows?
Sophisticated actors understand that most organizations retain logs for 30 to 90 days. Long dwell times are deliberate. A loader may land in February and remain dormant until September. By the time the incident is detected, the logs covering the initial compromise may have aged out and the original file was never retained. The investigation starts with a gap covering the most critical period.
Does retaining files replace our EDR or SIEM?
No. EDR and SIEM remain part of the stack. What file retention adds is the analytical depth that log-based tools cannot provide on their own. When a new threat report drops six months after an incident, you can retroactively check whether those files were ever in your environment. You cannot do that with a SIEM alert that has already aged out.
What about storage costs?
The cost equation has shifted. The expense of a major incident, including external response teams, regulatory exposure, and operational disruption, routinely exceeds what file retention would have cost. When organizations realize mid-investigation that their forensic record is incomplete because files were never kept, the cost comparison becomes obvious quickly.
How is this different from a sandbox?
A sandbox detonates files and records what happened during execution. That is useful. It is also a one-time event. A private file corpus retains every executable across your entire environment, applies new intelligence retroactively, detects variants through code similarity, and lets you prove containment with historical evidence. It is not a detonation tool. It is a continuous intelligence layer built on the files themselves.
What does “continuous reanalysis” actually mean?
It means new intelligence is applied backward, not just forward. When a new YARA rule is written or a new malware family is identified, Stairwell runs that intelligence against your entire historical file corpus automatically. A file that looked unremarkable a year ago may be immediately flagged as part of a known campaign. You gain retroactive visibility without re-investigating from scratch.
How do you prove incident containment?
Containment is not alerts going quiet. Containment is being able to show, with evidence, that the relevant files, variants, and related artifacts are not present anywhere in your environment, now or historically. A continuous private file corpus makes that question answerable. Without it, you are guessing.