diff --git a/src/content/docs/log-explorer/custom-dashboards.mdx b/src/content/docs/log-explorer/custom-dashboards.mdx index db9bf6e032a06ca..35a372cca7a8866 100644 --- a/src/content/docs/log-explorer/custom-dashboards.mdx +++ b/src/content/docs/log-explorer/custom-dashboards.mdx @@ -17,6 +17,10 @@ Dashboards provide a visual interface that displays key metrics and analytics, h Different metrics serve distinct roles in providing insights into your application's performance. For example, total HTTP requests offer an overview of traffic volume, while average response time helps assess application speed. Additionally, usage metrics such as traffic patterns and user behavior provide insight into how users interact with your application. These metrics together enable you to spot trends, identify problems, and make informed, data-driven decisions. +:::note +Data in Custom Dashboards is [sampled](/analytics/graphql-api/sampling/). For access to raw, unsampled data, use the [Log Search](/log-explorer/log-search/). +::: + ## Create a new dashboard To create a new dashboard: diff --git a/src/content/docs/log-explorer/log-search.mdx b/src/content/docs/log-explorer/log-search.mdx index f68f9a83e38d1f6..156673858d8150b 100644 --- a/src/content/docs/log-explorer/log-search.mdx +++ b/src/content/docs/log-explorer/log-search.mdx @@ -9,6 +9,8 @@ import { TabItem, Tabs, Render } from "~/components"; Log Explorer enables you to store and explore your Cloudflare logs directly within the Cloudflare dashboard or API, giving you visibility into your logs without the need to forward them to third-party services. Logs are stored on Cloudflare's global network using the R2 object storage platform and can be queried via the dashboard or SQL API. +The default retention period for Log Explorer is 30 days for Enterprise plans, and 7 days for Pro and Business plans. + ## SQL queries supported The diagram below displays the example sql grammar for `SELECT` statements as a railroad syntax diagram: 
diff --git a/src/content/docs/log-explorer/use-cases/detect-rce.mdx b/src/content/docs/log-explorer/use-cases/detect-rce.mdx new file mode 100644 index 000000000000000..cb233e76a1b171b --- /dev/null +++ b/src/content/docs/log-explorer/use-cases/detect-rce.mdx @@ -0,0 +1,22 @@ +--- +pcx_content_type: how-to +title: Detect Remote Code Execution attacks with Custom Dashboards +sidebar: + order: 1 + sidebar: + label: Detect Remote Code Execution +--- + +Monitor for high-risk threats like Remote Code Execution (RCE) by building custom dashboards that combine multiple security signals. + +## Approach + +Create a custom dashboard that visualizes RCE attack detections surfaced by Cloudflare’s Web Application Firewall (WAF). Enhance visibility by incorporating auxiliary data streams such as: + +- Malicious content upload events +- JA3/JA4 TLS fingerprint anomalies +- Unusual source IP clusters + +## Outcome + +This integrated view enables rapid detection of potential compromise scenarios where an attacker may be executing arbitrary commands on exposed hosts. By correlating across these datasets, teams can confidently escalate incidents involving malware propagation or lateral movement—critical for reducing dwell time and mitigating broader system impact. \ No newline at end of file diff --git a/src/content/docs/log-explorer/use-cases/index.mdx b/src/content/docs/log-explorer/use-cases/index.mdx new file mode 100644 index 000000000000000..1778a79e7c50652 --- /dev/null +++ b/src/content/docs/log-explorer/use-cases/index.mdx @@ -0,0 +1,9 @@ +--- +pcx_content_type: how-to +title: Use cases +sidebar: + order: 5 + group: + hideIndex: true +--- + diff --git a/src/content/docs/log-explorer/use-cases/unauthorized-access.mdx b/src/content/docs/log-explorer/use-cases/unauthorized-access.mdx new file mode 100644 index 000000000000000..9a93ea5aa97b656 --- /dev/null +++ b/src/content/docs/log-explorer/use-cases/unauthorized-access.mdx 
@@ -0,0 +1,21 @@ +--- +pcx_content_type: how-to +title: Investigate Unauthorized Access Attempts with Log Search +sidebar: + order: 2 + sidebar: + label: Investigate Unauthorized Access Attempts +--- + +Trace the origin and intent of suspicious authentication behavior using raw log data with Log Search. + +## Approach + +Start with Zero Trust access logs that show unauthorized login attempts. Then correlate those events with HTTP request logs to identify patterns, such as bot-like behavior or repeated access from known bad actors. + +## Outcome + +This log-level investigation validates that the access attempts are not user error or isolated misconfigurations, but part of a coordinated automated attack. Teams can immediately deploy mitigations such as IP blocking, bot management rules, or adaptive access controls. + + +
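Review bot: In the custom-dashboards.mdx hunk, the new note reads "use the [Log Search]", where the article is out of step with how the product name is used elsewhere in this patch ("with Log Search"); suggest "use [Log Search](/log-explorer/log-search/)". The note could also say in one clause what sampling means for a reader of a dashboard, for example that counts are estimates, so that the link to the sampling page is not the only explanation.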
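Review bot: In the log-search.mdx hunk, the added sentence calls 30 days and 7 days the "default" retention period but gives no pointer to where or whether it can be changed, and it names Enterprise, Pro and Business without saying what applies to other plans. Either drop "default" or link to the setting, and state the plan coverage explicitly. The sentence describes Log Explorer as a whole, so consider whether it belongs on the product overview rather than in the Log Search introduction; the comma before "and 7 days" can go.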
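Review bot: In the detect-rce.mdx frontmatter, the sidebar: key appears twice (sidebar: / order: 1 / sidebar: / label: ...), so label looks to be attached to a second sidebar: rather than sitting beside order; index.mdx in this same patch uses group: for its nested block, so please confirm the intended shape and merge into one sidebar: block if the repeat is accidental. The page is typed how-to but lists no steps, fields or filters for building the dashboard. It also recommends Custom Dashboards for detection while this patch adds a note that dashboard data is sampled, so the Outcome section should point to Log Search for confirming a suspected hit on unsampled data. The file has no newline at end of file.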
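Review bot: In use-cases/index.mdx, pcx_content_type: how-to is set on a page that has an empty body and hideIndex: true, so it is a grouping page rather than a how-to. Use the content type the repo applies to navigation or index pages, and check that the group renders as intended with nothing below the frontmatter.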
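Review bot: In unauthorized-access.mdx, the Outcome paragraph states that the investigation "validates that the access attempts are not user error or isolated misconfigurations", which presents the conclusion as fixed before the logs are read; suggest "helps determine whether the access attempts are user error or isolated misconfigurations, or part of a coordinated automated attack". The frontmatter repeats sidebar: in the same way as detect-rce.mdx and needs the same check. The Approach section names Zero Trust access logs and HTTP request logs but no fields to correlate on, which a how-to for Log Search should include. The file ends with two blank added lines; one trailing newline is enough.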