In order to detect intrusion, bots, spammers, scammers, and fight Internet crime in general, you need to store and monitor a number of metrics for a certain amount of time, at the individual level (not just aggregates): IP addresses, details about all HTTP requests from all users (and cross-correlate them), including country of origin, timestamp and much more, and perform advanced statistical analysis. The NSA does that all the time; it is actually what they are supposed to do.
How can you perform these tasks, and yet comply with GDPR? GDPR forces you to comply with some regulations to protect privacy. But maintaining security forces you to comply with some opposite regulations. It seems impossible to be compliant with both. How do you do it?
In essence, the GDPR enforces regulations on personally identifying information.
If you de-couple the individual-machine level data from the user's data (name, username, etc.) then you will be left with the data needed for security analysis and monitoring, but you won't be able to link this data to an actual person. This allows you to continue monitoring your infrastructure whilst adhering to the regulations.
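One way to build the split this answer describes, as an added example that is not the answerer's code: the raw web-server events below are constructed, and the key value, store layout and function names are assumptions. Each identifier (username, source IP) is replaced in the security record by a keyed-hash token, so the monitoring side can still correlate events per actor and run detections, while the token-to-identity map is written to a separate, access-restricted store.

```python
"""
Pseudonymising security telemetry: per-actor correlation still works,
but the link back to a named person lives in a separate store.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample events (TEST-NET addresses, made-up usernames).
RAW_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "ip": "203.0.113.7",  "user": "alice",
     "country": "FR", "path": "/login", "status": 401},
    {"ts": "2024-05-01T10:00:03Z", "ip": "203.0.113.7",  "user": "alice",
     "country": "FR", "path": "/login", "status": 401},
    {"ts": "2024-05-01T10:00:09Z", "ip": "203.0.113.7",  "user": "alice",
     "country": "FR", "path": "/login", "status": 200},
    {"ts": "2024-05-01T10:01:00Z", "ip": "198.51.100.9", "user": "bob",
     "country": "DE", "path": "/api/items", "status": 200},
]

# Secret held only by the party allowed to re-identify. Assumption: in
# practice this comes from a vault/HSM; a fixed constructed value here so
# the example runs offline.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"


def pseudonymize(value: str, key: bytes, context: str) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    Deterministic for a given key, so one actor always maps to one token;
    not reversible without the key. The context prefix keeps IP and user
    tokens from colliding if the same string appears in both fields.
    """
    msg = f"{context}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def split_event(event: dict, key: bytes):
    """Return (security_record, identity_link).

    security_record holds what monitoring needs; identity_link is the
    token -> identifier map destined for the separate identity store.
    """
    user_token = pseudonymize(event["user"], key, "user")
    ip_token = pseudonymize(event["ip"], key, "ip")
    security_record = {
        "ts": event["ts"],
        "actor": user_token,
        "src": ip_token,
        "country": event["country"],
        "path": event["path"],
        "status": event["status"],
    }
    identity_link = {user_token: event["user"], ip_token: event["ip"]}
    return security_record, identity_link


def process(events, key):
    """Split a batch of raw events into the two stores."""
    records, links = [], {}
    for event in events:
        record, link = split_event(event, key)
        records.append(record)
        links.update(link)
    return records, links


def failed_logins_by_actor(records, threshold=2):
    """Detection that runs purely on pseudonymous records."""
    counts = Counter(r["actor"] for r in records
                     if r["path"] == "/login" and r["status"] == 401)
    return {actor: n for actor, n in counts.items() if n >= threshold}


def reidentify(token: str, links: dict):
    """Lookup in the restricted identity store; only the key holder has it."""
    return links.get(token)


if __name__ == "__main__":
    records, links = process(RAW_EVENTS, PSEUDONYM_KEY)
    for actor, n in failed_logins_by_actor(records).items():
        print(f"{n} failed logins from actor {actor}; "
              f"identity store resolves to {reidentify(actor, links)}")
```

The two outputs of `process` should be written to different systems with different access policies: the monitoring pipeline only ever sees `records`, and `links` (together with the key) sits with whoever is authorised to re-identify during an incident. Because the hash is keyed, an analyst holding only the records cannot brute-force usernames or IPs from the tokens, and rotating the key on a schedule bounds how long any one token stays correlatable. Note that data pseudonymised this way is still personal data under the GDPR as long as the key and link table exist, which is why the access controls on that second store are the part that actually carries the compliance argument.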