NIST AU-2 requires that systems log events sufficient to support analysis of system performance and security posture. Without performance monitoring, latency regressions introduced by a deploy are invisible until they affect enough users to show up in support tickets. P95 response times, transaction durations, and route-level latency data are the signals that distinguish "one slow request" from "our checkout flow is degraded for everyone." This check covers the gap between uptime monitoring (is the app up?) and performance monitoring (is it fast?). A SaaS losing 20% of users at checkout because the payment route is timing out has the same revenue impact as downtime — it just takes longer to surface.
Medium because performance regressions without monitoring degrade user experience and conversion rates, but they rarely cause data loss or security exposure directly.
Enable performance tracing in your existing error tracking tool, or add Vercel Speed Insights for frontend metrics.
If Sentry is already configured, add tracesSampleRate to your server config:
// sentry.server.config.ts
import * as Sentry from '@sentry/nextjs' // assumes the @sentry/nextjs SDK

Sentry.init({
  dsn: process.env.SENTRY_DSN,
  tracesSampleRate: 0.1, // sample 10% of transactions
})
For frontend performance (Core Web Vitals), add Vercel Speed Insights:
npm install @vercel/speed-insights
// app/layout.tsx
import { SpeedInsights } from '@vercel/speed-insights/next'
// Add <SpeedInsights /> inside your root layout's <body>
After enabling, set a Sentry performance alert for P95 latency above your SLO threshold (e.g., 2 seconds).
ID: saas-logging.monitoring.performance-monitoring
Severity: medium
What to look for: Enumerate all relevant files and look for a performance monitoring integration. Check for: Sentry Performance configuration (tracesSampleRate in Sentry config), Vercel Speed Insights (@vercel/speed-insights), Datadog APM configuration, New Relic agent, OpenTelemetry tracing setup (@opentelemetry/sdk-node), or a custom response time tracking middleware that records and emits timing metrics. Also check for @vercel/analytics, which includes Web Vitals tracking.
Pass criteria: Application performance is tracked via at least one mechanism: an APM tool (Sentry Performance, Datadog, New Relic), platform analytics (Vercel Speed Insights), or custom timing middleware that records response time per route.
Fail criteria: No performance monitoring detected. No APM library, no platform analytics, no timing middleware.
Skip (N/A) when: Static site with no dynamic routes or API endpoints where performance monitoring is irrelevant.
Detail on fail: "No performance monitoring detected — no APM library (Sentry Performance, Datadog, New Relic), no Vercel Speed Insights, and no custom timing middleware found"
Remediation: Without performance monitoring, you cannot identify which routes are slow, detect regressions after deploys, or set latency-based SLOs. Most error tracking tools include performance monitoring.
For Next.js with Sentry already configured, enable performance:
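// sentry.client.config.ts
import * as Sentry from '@sentry/nextjs' // assumes the @sentry/nextjs SDK

Sentry.init({
  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
  tracesSampleRate: 0.1, // sample 10% of transactions
  integrations: [Sentry.replayIntegration()], // session replay; not required for tracing
})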
Alternatively, add Vercel Speed Insights for frontend performance:
npm install @vercel/speed-insights
// app/layout.tsx
import { SpeedInsights } from '@vercel/speed-insights/next'
// Add <SpeedInsights /> to your root layout
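The pass criteria also accept custom timing middleware that records response time per route. The following is an added example, not part of the original check or of any vendor SDK: it records per-route durations and applies the 2-second P95 threshold mentioned above, showing why P95 separates one slow request from a degraded route. The names `RouteTimings`, `timed`, `demoTimings` and `SLO_P95_MS`, and the choice of nearest-rank percentile, are assumptions made for illustration.

```typescript
// Added example (hypothetical names): per-route timing with a P95 SLO check.
const SLO_P95_MS = 2000; // the 2-second example threshold from the text

class RouteTimings {
  private samples = new Map<string, number[]>();

  record(route: string, ms: number): void {
    const list = this.samples.get(route) ?? [];
    list.push(ms);
    this.samples.set(route, list);
  }

  // Nearest-rank percentile: the smallest sample that has at least p% of
  // all samples at or below it. Returns undefined for an unseen route.
  percentile(route: string, p: number): number | undefined {
    const list = this.samples.get(route);
    if (!list || list.length === 0) return undefined;
    const sorted = list.slice().sort((a, b) => a - b);
    const rank = Math.max(1, Math.ceil((p * sorted.length) / 100));
    return sorted[rank - 1];
  }

  // Routes whose P95 exceeds the SLO, i.e. the ones an alert should fire for.
  breaches(sloMs: number = SLO_P95_MS): string[] {
    return Array.from(this.samples.keys())
      .filter((route) => (this.percentile(route, 95) ?? 0) > sloMs)
      .sort();
  }
}

// Wrap a route handler so its duration is recorded even when it throws.
async function timed<T>(
  timings: RouteTimings, route: string, handler: () => Promise<T>,
  now: () => number = Date.now, // injectable clock (assumption, for testing)
): Promise<T> {
  const start = now();
  try {
    return await handler();
  } finally {
    timings.record(route, now() - start);
  }
}

// Constructed sample data, not measurements from a real system.
function demoTimings(): RouteTimings {
  const t = new RouteTimings();
  for (let i = 0; i < 99; i++) t.record('/api/search', 120);
  t.record('/api/search', 9000); // one slow request: P95 stays at 120 ms
  for (let i = 0; i < 80; i++) t.record('/api/checkout', 300);
  for (let i = 0; i < 20; i++) t.record('/api/checkout', 5000); // 20% slow
  return t;
}
```

With the constructed data, `demoTimings().breaches()` reports only `/api/checkout`: the single 9-second outlier on `/api/search` does not move its P95, while 20% slow checkout requests do.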