Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received from an administrator of a network security device. The configuration information includes information indicative of a quantity of packets to be captured for post attack analysis. Responsive to receipt of the configuration information, a size of a circular buffer is configured based thereon. Multiple packets directed to a network protected by the network security device are received from an external network. The received packets are temporarily buffered within the circular buffer. An analysis is performed to determine whether one of the received packets is potentially associated with a threat or undesired activity (“trigger packet”). Responsive to an affirmative determination, contextual information is captured by extracting information regarding at least a portion of the configured quantity of packets from the circular buffer and storing the contextual information within a log.