A wake-up call from Salesforce
The recent Salesforce breach should serve as a wake-up call for every CISO and CTO. In this incident, attackers used AI bots armed with stolen credentials to exfiltrate massive amounts of data, moving laterally in ways legacy defenses weren’t prepared to stop. The lesson is clear: attackers are no longer just human adversaries – they’re deploying agentic AI to move with scale, speed, and persistence.
This isn’t an isolated case. Threat actors are now leveraging AI to weaponize the weakest links in enterprise infrastructure, and one of the most vulnerable surfaces is telemetry data in motion. Unlike hardened data lakes and encrypted storage, telemetry pipelines often carry credentials, tokens, PII, and system context in plaintext or poorly secured formats. These streams, replicated across brokers, collectors, and SIEMs, are ripe for AI-powered exploitation.
The stakes are simple: if telemetry remains unguarded, AI will find and weaponize what you missed.
Telemetry in the age of AI: What it is and what it hides
Telemetry – logs, traces, metrics, and event data – has been treated as operational “exhaust” in digital infrastructure for the last 2-3 decades. It flows continuously from SaaS apps, cloud services, microservices, IoT/OT devices, and security tools into SIEMs, observability platforms, and data lakes. But in practice, telemetry is:
- High volume and heterogeneous: pulled from thousands of sources across different ecosystems, raw telemetry comes in a variety of different formats that are very contextual and difficult to parse and normalize
- Loosely governed: less rigorously controlled than data at rest; often duplicated, unprocessed before being moved, and destined for a variety of different tools and destinations
- Widely replicated: stored in caches, queues, and temporary buffers multiple times en route
Critically, telemetry often contains secrets. API keys, OAuth tokens, session IDs, email addresses, and even plaintext passwords leak into logs and traces. Despite OWASP (Open Worldwide Application Security Project) and OTel (OpenTelemetry) guidance to sanitize at the source, most organizations still rely on downstream scrubbing. By then, the sensitive data has already transited multiple hops. This happens because security teams view telemetry as “ops noise” rather than an active attack surface. If a bot scraped your telemetry flow for an hour, what credentials or secrets would it find?
Why this matters now: AI has changed the cost curve
Three developments make telemetry a prime target today:
AI-assisted breaches are real
The recent Salesforce breach showed that attackers no longer rely on manual recon or brute force. With AI bots, adversaries chain stolen credentials with automated discovery to expand their foothold. What once took weeks of trial-and-error can now be scripted and executed in minutes.
AI misuse is scaling faster than expected
“Vibe hacking” would be laughable if it wasn’t a serious threat. Anthropic recently disclosed that they had detected and investigated a malicious actor that had used Claude to generate exploit code, reverse engineer vulnerabilities, and accelerate intrusion workflows. What’s chilling is not just the capability – but the automation of persistence. AI agents don’t get tired, don’t miss details, and can operate continuously across targets.
Secrets in telemetry are the low-hanging fruit
Credential theft remains the #1 initial action in breaches. Now, AI makes it trivial to scrape secrets from sprawling logs, correlate them across systems, and weaponize them against SaaS, cloud, and OT infrastructure. Unlike data at rest, data in motion is transient, poorly governed, and often invisible to, or upstream of, traditional SIEM rules.
The takeaway? Attackers are combining stolen credentials from telemetry with AI automation to multiply their effectiveness.
Where enterprises get burned – common challenges
Most enterprises secure data at rest but leave data in motion exposed. The Salesforce incident highlights this blind spot: the weak link wasn’t encrypted storage but credentials exposed in telemetry pipelines. Common failure patterns include:
- Over-collection mindset: Shipping everything “just in case”, including sensitive fields like auth headers or query payloads.
- Downstream-only reaction: Scrubbing secrets inside SIEMs – after they’ve crossed multiple hops and have left duplicates in various caches.
- Schema drift: New field names can bypass static masking rules, silently re-exposing secrets.
- Broad permissions: Message brokers and collectors – and AI bots and agents – often run with wide service accounts, becoming perfect targets.
- Observability != security: Telemetry platforms optimize for visibility, not policy enforcement.
- No pipeline observability: Teams monitor telemetry pipelines like plumbing, focusing on throughput but ignoring sensitive-field policy violations or policy gaps.
- Incident blind spots: When breaches occur, teams can’t trace which sensitive data moved where – delaying containment and raising compliance risk.
Securing data in motion: Principles & Best Practices
If data in motion is now the crown jewel target, the defense must match. A modern telemetry security strategy requires:
- Minimize at the edge:
- Default-deny sensitive collection. Drop or hash secrets at the source before the first hop.
- Apply OWASP and OpenTelemetry guidance for logging hygiene.
- Policy as code:
- Codify collection, redaction, routing, and retention rules as version-controlled policy.
- Enforce peer review for changes that affect sensitive fields.
- Drift-aware redaction:
- Use AI-driven schema detection to catch new fields and apply auto-masking
- Encrypt every hop:
- mTLS (Mutual Transport Layer Security) between collectors, queues, and processors
- Short-lived credentials and isolated broker permissions
- Sensitivity-aware routing:
- Segment flows: send only detection-relevant logs to SIEM, archive the rest in low-cost storage
- ATT&CK-aligned visibility:
- Map log sources to MITRE ATT&CK techniques; onboard what improves coverage, not just volume.
- Pipeline observability:
- Monitor for unmasked fields, anomalous routing, or unexpected destinations.
- Secret hygiene:
- Combine CI/CD secret scanning with real-time telemetry scanning
- Automate token revocation and rotation when leaks occur
- Simulate the AI adversary:
- Run tabletop exercises assuming an AI bot is scraping your pipelines
- Identify what secrets it would find, and see how fast you can revoke them
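The following is an added example, not DataBahn's code or any real collector's configuration, that puts several of the practices above into one edge-side scrubber: drop deny-listed fields before the first hop, pseudonymize identifiers with a keyed hash so they stay correlatable, pattern-scan every string value so a renamed field (schema drift) cannot bypass a static masking rule, and emit findings that a pipeline-observability monitor can count. It also answers the earlier question of what a scraper would find in an hour of raw telemetry, via a tabletop helper that inventories secret-shaped values in the unscrubbed stream. The field names, regex patterns, sample events and the hashing key are all constructed for the demonstration; a real deployment would hold the key in a KMS and tune the patterns to its own log formats.

```python
"""Edge-side telemetry scrubber (constructed example).

Deny-list fields, pattern-scan every string value so renamed fields cannot
bypass the rule, pseudonymize identifiers with a keyed hash, and emit
findings for pipeline observability."""
import hashlib
import hmac
import re

# Static policy: field names that never leave the edge, whatever the value.
DENY_FIELDS = {"authorization", "password", "cookie", "set-cookie", "x-api-key"}

# Fields that may ship, but only as a keyed hash (correlatable, not recoverable).
HASH_FIELDS = {"user_email", "session_id"}

# Value patterns applied to *every* string regardless of field name. This is what
# makes the scrubber drift-aware: a new field such as "authz_hdr" is still caught
# because the value shape, not the key, triggers the rule. Patterns are illustrative.
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{16,}", re.I),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed demo key. A real deployment pulls this from a KMS or secret store.
HASH_KEY = b"constructed-demo-key"


def pseudonymize(value: str) -> str:
    """Keyed HMAC: the value stays joinable across events but cannot be reversed."""
    return "h:" + hmac.new(HASH_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_value(value: str) -> tuple[str, list[str]]:
    """Replace any secret-shaped substring with a typed marker; return the hit types."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(value):
            hits.append(name)
            value = pattern.sub(f"<{name}:redacted>", value)
    return value, hits


def scrub_record(record: dict, known_fields: set) -> tuple[dict, list[dict]]:
    """Apply the policy to one event. Returns the cleaned event plus findings
    (field, action, reason) that a pipeline-observability monitor can count:
    a rising 'redacted' count means secrets are still being emitted upstream."""
    cleaned, findings = {}, []
    for key, value in record.items():
        lkey = key.lower()
        if lkey in DENY_FIELDS:
            findings.append({"field": key, "action": "dropped", "reason": "deny-list"})
            continue
        if key not in known_fields:
            # Schema drift: a field the policy never saw. Flag it even if it is clean.
            findings.append({"field": key, "action": "flagged", "reason": "new-field"})
        if lkey in HASH_FIELDS and isinstance(value, str):
            cleaned[key] = pseudonymize(value)
            findings.append({"field": key, "action": "hashed", "reason": "identifier"})
            continue
        if isinstance(value, str):
            value, hits = redact_value(value)
            for hit in hits:
                findings.append({"field": key, "action": "redacted", "reason": hit})
        cleaned[key] = value
    return cleaned, findings


def adversary_exposure(records: list[dict]) -> dict[str, int]:
    """Tabletop helper: what would a scraper find if these records shipped raw?
    Counts secret types across the unscrubbed stream; a deny-listed field counts
    as one exposure under its own name."""
    counts: dict[str, int] = {}
    for rec in records:
        for key, value in rec.items():
            if key.lower() in DENY_FIELDS:
                counts[key.lower()] = counts.get(key.lower(), 0) + 1
            elif isinstance(value, str):
                for hit in redact_value(value)[1]:
                    counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed sample events (not real traffic). Note the renamed "authz_hdr"
# field that a static rule keyed on "authorization" would miss, and the access
# key that leaked into a free-text message.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:01Z", "user_email": "alice@example.com",
     "authorization": "Bearer AAAAAAAAAAAAAAAAAAAAAAAA", "msg": "login ok"},
    {"ts": "2024-01-01T00:00:02Z", "authz_hdr": "Bearer BBBBBBBBBBBBBBBBBBBBBBBB",
     "msg": "retrying upload with key AKIAABCDEFGHIJKLMNOP"},
]
KNOWN_FIELDS = {"ts", "user_email", "authorization", "msg"}

if __name__ == "__main__":
    print("exposure if shipped unscrubbed:", adversary_exposure(SAMPLE_EVENTS))
    for event in SAMPLE_EVENTS:
        clean, found = scrub_record(event, KNOWN_FIELDS)
        print(clean, found)
```

Running it shows the second event's bearer token being caught under the unfamiliar field name and flagged as drift at the same time, which is the case a key-based masking rule silently misses. The findings list is the hook for pipeline observability: exporting a count of `redacted` and `flagged` actions per source turns "secrets reaching the scrubber" into a metric you can alert on rather than a line-by-line review.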
DataBahn: Purpose-built for Data-in-motion Security
DataBahn was designed for exactly this use-case: building secure, reliable, resilient, and intelligent telemetry pipelines. Identifying, isolating, and quarantining PII is a feature the platform was built around.
- At the source: Smart Edge and its lightweight agents or phantom collectors allow for the dropping or masking of sensitive fields at the source. It also provides local encryption, anomaly detection, and silent-device monitoring.
- In transit: Cruz learns schemas to detect and prevent drift; automates the masking of PII data; learns what data is sensitive and proactively catches it
This reduces the likelihood of breach, makes it harder for bad actors to access credentials and move laterally, and elevates telemetry from a low-hanging fruit to a secure data exchange.
Conclusion: Telemetry is the new point to defend
The Salesforce breach demonstrated that attackers don’t need to brute-force their way into your systems—they just have to extract what you’ve already leaked within your data networks. Anthropic’s disclosure of Claude misuse highlights that this problem will grow faster than defenders can handle or are prepared for.
The message is clear: AI has collapsed the time between leak and loss. Enterprises must treat telemetry as sensitive, secure it in motion, and monitor pipelines as rigorously as they monitor applications.
DataBahn offers a 30-minute Data-in-Motion Risk Review. In that session, we’ll map your top telemetry sources to ATT&CK, highlight redaction gaps, and propose a 60-day hardening plan tailored to your SIEM and AI roadmap.