Stitching the Silos: A Graph-Based Framework for Real-Time Security Context Correlation in Hybrid Cloud-Native Environments

Modern cloud-native infrastructures generate extensive telemetry through OpenTelemetry, yet Security Operations Centers remain isolated from this data. When a security alert fires, analysts manually correlate application logs, firewall syslogs, and NetFlow data across disconnected tools — during an active breach. This paper proposes Security Stitching, a framework built around a Security-Aware OpenTelemetry Collector that addresses two unsolved problems: (1) Shadow Spanning — a Metadata-Stitching Algorithm that correlates legacy Syslog and NetFlow data from uninstrumented network devices with active W3C distributed traces using IP, port, and microsecond timestamps, without hardware changes; (2) On-Demand Request-Context Graphs — signal-triggered attack path graphs built across Users, Services, Databases, and Network Devices; and (3) TraceID-Level Remediation — surgical session termination replacing blunt IP-blocking in shared cloud environments.