<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - DevSecOps</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/devsecops.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-06-19T00:00:00+10:00</updated><entry><title>Shadow APIs Are Account-Abuse Paths</title><link href="https://www.peakhour.io/blog/shadow-apis-account-abuse/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/shadow-apis-account-abuse/</id><summary type="html">&lt;p&gt;Shadow APIs matter because attackers do not care whether a route is documented. Mobile, partner, browser-backed, and legacy APIs can all become account-abuse paths when they remain outside normal controls.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A shadow API is not dangerous because it has a mysterious name. It is dangerous because it still accepts requests.&lt;/p&gt;
&lt;p&gt;If an endpoint can reset a password, refresh a token, check an account, change a delivery address, apply a discount, validate a stored payment method, or expose customer data, it is part of the account-abuse surface. Whether it appears in the current OpenAPI file is secondary.&lt;/p&gt;
&lt;p&gt;Attackers do not need your API catalogue to be tidy. They need one working route that your normal controls do not understand.&lt;/p&gt;
&lt;h2&gt;The Forgotten Paths Are Often Real Paths&lt;/h2&gt;
&lt;p&gt;Most organisations have more API surface than they think.&lt;/p&gt;
&lt;p&gt;Mobile apps leave behind old versions. Partner integrations get built for a campaign and then stay online. Browser-backed APIs are treated as internal because they are called by the front end, even though anyone can inspect and replay the requests. Legacy account endpoints remain active because turning them off might break an unknown client.&lt;/p&gt;
&lt;p&gt;None of this is unusual. It is how real systems evolve.&lt;/p&gt;
&lt;p&gt;The risk appears when those routes keep accepting production traffic without the same security treatment as the visible application. A current login page may have bot detection, adaptive prompts, and tuned rate limits. An older mobile endpoint may only check whether the credentials are valid. A partner route may trust an API key that has not been rotated. A browser API may return more account state than the front end displays.&lt;/p&gt;
&lt;p&gt;That gap is where account abuse gets practical.&lt;/p&gt;
&lt;h2&gt;Unknown Does Not Mean Unused&lt;/h2&gt;
&lt;p&gt;Security teams sometimes talk about discovery as if the main outcome is a cleaner inventory. Inventory matters, but the more useful question is: what can this route do?&lt;/p&gt;
&lt;p&gt;A shadow API that serves public catalogue data has one risk profile. A shadow API that changes account details has another. A forgotten token endpoint is different again. A mobile route that accepts username and password combinations is a credential stuffing target, even if the public login page has already been hardened.&lt;/p&gt;
&lt;p&gt;This is why &lt;a href="/products/api-security/"&gt;API security&lt;/a&gt; has to stay connected to account context. Route discovery is only the start. The protection model needs to know method, schema, authentication state, response pattern, user journey, and business sensitivity.&lt;/p&gt;
&lt;p&gt;A &lt;code&gt;POST&lt;/code&gt; request to an account recovery endpoint deserves different treatment from a &lt;code&gt;GET&lt;/code&gt; request to a static content API. A password reset route used by a first-seen client through rotating proxy infrastructure is not the same as the same route used by a known customer session.&lt;/p&gt;
&lt;p&gt;The route matters because the account outcome matters.&lt;/p&gt;
&lt;h2&gt;Browser-Backed APIs Are Still APIs&lt;/h2&gt;
&lt;p&gt;A common blind spot is the API behind the web application.&lt;/p&gt;
&lt;p&gt;The front end might make a neat request to &lt;code&gt;/api/account/profile&lt;/code&gt;, &lt;code&gt;/api/cart/apply-coupon&lt;/code&gt;, or &lt;code&gt;/api/session/refresh&lt;/code&gt;. Because the route was designed for the browser, teams may assume the browser is the control. It is not.&lt;/p&gt;
&lt;p&gt;Requests can be replayed outside the page. Headers can be copied. Tokens can be stolen. User agents can be faked. Automation can follow the same sequence as the application, only faster and at scale.&lt;/p&gt;
&lt;p&gt;The right response is not to treat every browser-backed API as hostile. The right response is to attach evidence. Is this a known browser session? Is the TLS and HTTP behaviour consistent? Is the request sequence normal for the journey? Is the session suddenly moving from login to sensitive account changes? Does the schema match what the route expects?&lt;/p&gt;
&lt;p&gt;Those questions sit between basic definitions of &lt;a href="/learning/application-security/what-is-api-security/"&gt;what API security is&lt;/a&gt; and the operational work of stopping abuse.&lt;/p&gt;
&lt;h2&gt;Mobile and Partner APIs Need Ownership&lt;/h2&gt;
&lt;p&gt;Mobile and partner APIs create a slightly different problem. They often have legitimate non-browser clients, so crude controls can break real use.&lt;/p&gt;
&lt;p&gt;A mobile app may have older versions in the field. A partner may send traffic from fixed infrastructure, or from changing cloud infrastructure. A service client may authenticate with an API key rather than an interactive user session. Some requests will look less browser-like because they are not meant to be browsers.&lt;/p&gt;
&lt;p&gt;That makes ownership important.&lt;/p&gt;
&lt;p&gt;Each route should have an owner, expected clients, authentication model, rate expectation, schema expectation, and deprecation plan. API keys should be treated as credentials, not configuration strings. OAuth and JWT use should include short-lived access, appropriate scopes, and validation at the endpoint. Legacy flows should not survive indefinitely just because nobody is sure what they support.&lt;/p&gt;
&lt;p&gt;For REST services, that discipline includes the basics covered in &lt;a href="/learning/api-protection/what-is-rest-api-security/"&gt;REST API security&lt;/a&gt;: method control, status-code handling, input validation, token handling, rate limiting, and useful logging. The account-abuse angle is narrower and more operational: which of these controls tells us whether this request can harm a customer account?&lt;/p&gt;
&lt;h2&gt;Discovery Has to Feed Enforcement&lt;/h2&gt;
&lt;p&gt;A report listing unknown endpoints is useful for a week. A discovery process that feeds policy is useful every day.&lt;/p&gt;
&lt;p&gt;When a new route appears, the security question should be concrete:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Who owns it?&lt;/li&gt;
&lt;li&gt;Is it authenticated?&lt;/li&gt;
&lt;li&gt;Does it match a known schema?&lt;/li&gt;
&lt;li&gt;Does it touch account state?&lt;/li&gt;
&lt;li&gt;Can it reset trust, change value, or expose customer data?&lt;/li&gt;
&lt;li&gt;What rate and behaviour patterns are normal?&lt;/li&gt;
&lt;li&gt;Which action should apply when it is abused?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is where &lt;a href="/solutions/use-case/api-security/"&gt;API protection use cases&lt;/a&gt; become more than documentation. The goal is not to produce a perfect catalogue for its own sake. The goal is to reduce the number of unknown request paths that can be used for account abuse.&lt;/p&gt;
&lt;p&gt;Shadow APIs are not a separate class of attack. They are normal APIs without enough operational visibility.&lt;/p&gt;
&lt;p&gt;And when they sit on account journeys, they become a direct path from unknown surface to customer harm.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Shadow APIs"></category><category term="Account Protection"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="DevSecOps"></category></entry><entry><title>Agentic AI vs. Your API</title><link href="https://www.peakhour.io/blog/agentic-ai-vs-your-api/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/agentic-ai-vs-your-api/</id><summary type="html">&lt;p&gt;Understand the shift from scripted bots to reasoning AI agents and how to adapt your security strategy for this new reality.&lt;/p&gt;</summary><content type="html">&lt;p&gt;For years, "bots" mostly meant simple, scripted programs. They followed rigid, predefined rules: if you see X, do Y. They were predictable. They could still do damage in attacks like credential stuffing, but their lack of intelligence made them relatively easy to detect. Their patterns were repetitive and clearly different from the complex, often messy, behaviour of human users.&lt;/p&gt;
&lt;p&gt;That model is no longer reliable. The emergence of open and powerful reasoning models like &lt;a href="/blog/agentic-ai-deepseek-changes-everything/"&gt;DeepSeek&lt;/a&gt; has given rise to a new class of automation: &lt;strong&gt;agentic AI&lt;/strong&gt;. These are not just scripts. They are autonomous agents that can reason, plan, and adapt their behaviour in real time. They don't need a human to write a script for every possibility. Give them a goal and they can work out the steps themselves. That changes the nature of automated threats, and security controls need to change with it.&lt;/p&gt;
&lt;h2&gt;The New API Consumer&lt;/h2&gt;
&lt;p&gt;Historically, APIs were consumed by two main groups: human users via a front-end application, and scripted bots following predictable patterns. Agentic AI introduces a third consumer, and one likely to become dominant. These AI agents are becoming primary users of web APIs, and they interact with them in materially different ways.&lt;/p&gt;
&lt;p&gt;An AI agent can analyse an entire API surface in seconds, understand the relationships between different endpoints, and generate complex interaction patterns that a human developer would rarely attempt. They don't just follow a linear path; they can explore, learn, and optimise their interactions to achieve their goals, whether that's finding the best price on a product, gathering data, or probing for security weaknesses.&lt;/p&gt;
&lt;h2&gt;New Security Challenges: The Self-Hacking AI&lt;/h2&gt;
&lt;p&gt;The reasoning capabilities of these agents introduce security challenges that static, rule-based systems are poorly equipped to handle. An agentic AI doesn't just throw known exploits at a system; it can probe its defences and invent new attacks as it goes.&lt;/p&gt;
&lt;p&gt;Consider a traditional Web Application Firewall (WAF) that relies on pattern-matching rules to block threats like SQL injection. An AI agent can send a series of carefully crafted requests, observe the WAF's responses, and systematically learn the structure of its rules. Once it understands the patterns the WAF is looking for, it can &lt;a href="/blog/ai-agents-custom-exploits/"&gt;generate a custom exploit&lt;/a&gt; designed to bypass those rules while still achieving its malicious objective.&lt;/p&gt;
&lt;p&gt;This isn't theoretical. Security teams are already reporting sophisticated attacks that adapt in real time, adjusting their tactics based on the system's defensive responses. These aren't simply pre-programmed behaviours; they are reasoning models at work.&lt;/p&gt;
&lt;h2&gt;A New Security Paradigm: From "Block Bots" to "Manage Agents"&lt;/h2&gt;
&lt;p&gt;The rise of agentic AI changes the security question. The old goal of "blocking all bots" is no longer viable or even desirable. AI agents will be used for both benign and malicious purposes. A customer's personal AI assistant booking a flight is useful automation; an attacker's AI agent trying to find vulnerabilities is not.&lt;/p&gt;
&lt;p&gt;Bot management cannot stop at trying to keep automation out. It needs the intelligence to &lt;strong&gt;safely identify and manage AI agents&lt;/strong&gt;. This requires moving away from static, signature-based detection and toward a more contextual, behavioural approach.&lt;/p&gt;
&lt;p&gt;The key questions will no longer be "Is this a human or a bot?" but rather:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;"What is the &lt;strong&gt;intent&lt;/strong&gt; of this automated agent?"&lt;/li&gt;
&lt;li&gt;"Is its behaviour consistent with a legitimate use case?"&lt;/li&gt;
&lt;li&gt;"Can we trust this agent?"&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This requires a new generation of security tools that can understand and adapt to agent behaviour, distinguishing between the legitimate AI assistants that will soon be a core part of our digital lives and the malicious ones that seek to exploit our systems. Organisations that fail to prepare for this shift risk having their defences systematically tested, mapped, and bypassed by the next wave of intelligent, automated threats.&lt;/p&gt;</content><category term="AI"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="DevSecOps"></category><category term="Machine Learning"></category><category term="Credential Stuffing"></category></entry><entry><title>Protecting Against a Share Point Zero Day Vulnerability with Network Fingerprinting</title><link href="https://www.peakhour.io/blog/protecting-against-share-point-zero-day/" rel="alternate"></link><published>2025-07-23T13:00:00+10:00</published><updated>2025-07-23T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2025-07-23:/blog/protecting-against-share-point-zero-day/</id><summary type="html">&lt;p&gt;Analysis of attempts to exploit a recent Share Point zero day vulnerability reveal network fingerprinting and classification is a robust defense.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;Why Network Fingerprinting is Your Strongest First Defense&lt;/h2&gt;
&lt;p&gt;A critical new remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, identified as
&lt;a href="https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/"&gt;CVE-2025-53770&lt;/a&gt;,
is being actively exploited and presents a serious risk to organisations. This flaw allows an
unauthenticated attacker to take complete control of a server over the network, so immediate and effective
defence is a priority. Microsoft disclosed the flaw on 19 July.&lt;/p&gt;
&lt;p&gt;Vendor patches are essential, but zero-day activity often starts before most organisations can patch.
That gap is where proactive controls matter.&lt;/p&gt;
&lt;p&gt;This post looks at the technical nature of this threat and how a strategy centred on network fingerprinting can
block zero-day exploit activity before a formal patch is deployed.&lt;/p&gt;
&lt;h2&gt;Understanding the Threat: CVE-2025-53770&lt;/h2&gt;
&lt;p&gt;The SharePoint vulnerability is particularly dangerous as it allows for the deserialization of untrusted data,
leading to remote code execution without any need for attacker authentication. This makes any unpatched, internet-facing
on-premises SharePoint server a potential target. The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
has underlined the severity of this threat by adding it to its Known Exploited Vulnerabilities Catalog.&lt;/p&gt;
&lt;p&gt;Exploitation can lead to a complete compromise of the SharePoint server, allowing attackers to steal data,
execute arbitrary code, and potentially move laterally across the internal network.&lt;/p&gt;
&lt;h2&gt;The Race Against Scanners&lt;/h2&gt;
&lt;p&gt;When a zero-day vulnerability like this is discovered, a global, automated race begins. Malicious actors immediately
deploy scanners to canvass the internet for vulnerable systems.&lt;/p&gt;
&lt;p&gt;Our own analysis shows that the majority of malicious requests targeting our clients came from the DigitalOcean and
Scaleway ASNs, with Amazon Web Services (AWS) EC2 and Microsoft Azure also being a prominent source. These networks are well-known for
being used by malicious actors to launch scanning and attack campaigns quickly. Notably, scans were happening
on 16 and 17 July, before the vulnerability was disclosed by Microsoft.&lt;/p&gt;
&lt;p&gt;This initial scanning phase, however, creates an opportunity for defence. Instead of waiting to analyse the
specific attack payload, we can identify and block the very tools the attackers are using.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/sharepoint-exploit-attempts.png" width="100%" alt="Sharepoint exploit attempts"/&gt;
&lt;em&gt;Exploits attempts in the wild. Note attempts days before disclosure.&lt;/em&gt;
&lt;/div&gt;

&lt;h2&gt;Why IP Reputation Isn't Enough&lt;/h2&gt;
&lt;p&gt;For years, a primary method of defence has been IP reputation—blocking traffic from IP addresses known to be malicious.
While simple and somewhat effective against basic attacks, this approach is increasingly unreliable in the face
of modern threats.&lt;/p&gt;
&lt;p&gt;The rise of sophisticated proxy services has changed the model. Attackers now have easy access to vast
networks of residential, mobile, and rotating data centre proxies. These services allow them to distribute their
attack traffic across thousands or even millions of seemingly legitimate IP addresses, making it impossible to maintain
an effective blocklist. An IP that sends a malicious request one moment could be used by a legitimate customer the next.&lt;/p&gt;
&lt;p&gt;Furthermore, attackers leveraging cloud infrastructure use ephemeral IPs that exist for only a short time,
rendering IP-based blocking a constant and losing game of cat and mouse. This approach also carries a high risk of
"collateral damage", where legitimate users are blocked simply because they share an IP address with a bad actor,
a common scenario with Carrier-Grade NAT (CGNAT) or public Wi-Fi. Relying solely on where a request comes from
is no longer a viable strategy.&lt;/p&gt;
&lt;h2&gt;Unmasking the Attacker's Tools with Network Fingerprinting&lt;/h2&gt;
&lt;p&gt;This is where network fingerprinting becomes useful as a zero-day defence. Fingerprinting in
cybersecurity refers to methods used to identify
the unique characteristics of devices, software, or users.
It allows for the identification and categorisation of operating systems and software based on their distinct
signatures in network communications.&lt;/p&gt;
&lt;p&gt;When attackers rush to exploit a new vulnerability, they don't use standard web browsers. They quickly code scanners
using programming languages and libraries like Python, Go, or Java. These tools and libraries create network
connections with distinct, non-browser-like fingerprints. By analysing these, we can block the scanner before
it ever delivers its malicious payload.&lt;/p&gt;
&lt;p&gt;Peakhour uses several passive fingerprinting techniques to do this:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;TCP Fingerprinting&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This method identifies a device's operating system by analysing how it implements the TCP
protocol. By examining nuances in TCP packets—like window size, Time to Live (TTL), and how the device
responds to non-standard packets—we can identify the underlying system that created the request.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;TLS Fingerprinting&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This technique analyses the "ClientHello" message sent by the client during the
initial TLS handshake to establish a secure connection. The combination of TLS version, supported cipher suites,
and extensions creates a unique fingerprint. This is a highly effective way of identifying the classes of
connecting clients, such as those made by Go, Python, or Java libraries, which are commonly used for attack tooling.
JA4 and JA3 are popular TLS fingerprint formats.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;HTTP/2 Fingerprinting&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This involves analysing how clients use the HTTP/2 protocol, including their patterns in
sending HTTP/2 frames and negotiating connections. This makes it easier to differentiate between legitimate
browsers, bots, and the custom applications used in an attack campaign.&lt;/p&gt;
&lt;p&gt;After identifying these fingerprints, Peakhour's bot management service uses machine learning to classify them as
either a legitimate browser or a bot. This provides a strong layer of defence against zero-day exploits.
The scanners are identified and blocked based on their fundamental network characteristics, irrespective of the specific
vulnerability or payload they carry.&lt;/p&gt;
&lt;h2&gt;Defense in Depth&lt;/h2&gt;
&lt;p&gt;No single security measure is a silver bullet. While network fingerprinting provides a powerful first line of defence
against automated scanners, a multi-layered, defence-in-depth strategy matters.&lt;/p&gt;
&lt;p&gt;Any request that manages to bypass the initial fingerprinting checks must face the next layer: our standard Web
Application Firewall (&lt;a href="/products/waf/"&gt;WAF&lt;/a&gt;) with post-body scanning. A WAF inspects every request before
it reaches the application. By enabling the inspection of the full request body, the WAF can identify and block
malicious payloads, such as the specific code used in an exploit attempt, that may be hidden within the data sent
to the server. Our WAF was updated with a virtual patch on 22 July at 5am AEST to add protection against this
vulnerability.&lt;/p&gt;
&lt;h2&gt;Staying Ahead in a Zero-Day World&lt;/h2&gt;
&lt;p&gt;The SharePoint CVE-2025-53770 vulnerability shows why a reactive security posture is not enough. While
patching is essential, the reality is that attackers move first.&lt;/p&gt;
&lt;p&gt;By using proactive techniques like network fingerprinting, organisations can identify and neutralise
the automated tools attackers rely on during the critical opening hours of a zero-day exploit's life. This approach,
when combined with payload inspection from a WAF, gives critical assets another layer of practical protection.&lt;/p&gt;</content><category term="Security"></category><category term="Threat Detection"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="DDoS"></category><category term="Application Security"></category></entry><entry><title>AI as the Translator Between Human and Machine</title><link href="https://www.peakhour.io/blog/ai-the-next-interface/" rel="alternate"></link><published>2025-07-19T00:00:00+10:00</published><updated>2025-07-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-07-19:/blog/ai-the-next-interface/</id><summary type="html">&lt;p&gt;We've gone from command lines to graphical interfaces. The next great leap in how we interact with computers won't be seen, it will be understood. AI is poised to become the ultimate translator between human intent and machine execution.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Think about how we've talked to computers over the years. At first, it was rigid and unforgiving. The command line expected the exact words, in the exact order. One typo, and you were met with an error. It was powerful, but only once you learned to speak the computer's language.&lt;/p&gt;
&lt;p&gt;Then came the graphical user interface, or GUI—the familiar world of windows, icons, and mouse pointers. That changed the relationship. You no longer had to memorise commands before you could do something useful. You could see your options, click on them, and drag things around. It made computers accessible to hundreds of millions of people because it was more intuitive. It was a visual conversation.&lt;/p&gt;
&lt;p&gt;But both of these interfaces, the command line and the GUI, share the same basic bargain: we adapt ourselves to the computer. We still have to navigate menus, find the right button, or remember a specific command. We take a goal in our head and break it into steps the computer understands.&lt;/p&gt;
&lt;p&gt;What if that translation was no longer mainly our job? What if the computer could understand our goal well enough to work out the steps?&lt;/p&gt;
&lt;p&gt;This is the next shift I find interesting, and it is powered by Artificial Intelligence. AI is starting to look less like another application and more like the next major interface. It's not a visual one with buttons and menus, but an intelligent one built on understanding.&lt;/p&gt;
&lt;p&gt;The idea is simple, even if the implementation is not: we state our intent, and the AI figures out the steps. Instead of clicking through five different menus to create a sales report, you could just say, "Show me last quarter's sales figures for the eastern region, and visualise it as a bar chart." The AI's job is to understand that request and then do the work: query the database, aggregate the data, select the right chart type, and present it to you. It acts as a translator between human language and the computer's machine language.&lt;/p&gt;
&lt;p&gt;We're already seeing the early stages of this. When you ask a smart assistant to play a song, or when an AI co-pilot writes code for you, you're using an intent-driven interface. You're not telling it &lt;em&gt;how&lt;/em&gt; to do the task; you're just telling it &lt;em&gt;what&lt;/em&gt; you want done.&lt;/p&gt;
&lt;p&gt;That shift matters because it moves some of the cognitive load from us to the machine. We no longer need to be experts in using a particular piece of software; we just need to be clear about what we want to achieve. This has the potential to democratise technology on a scale we've never seen before, making complex digital tools feel closer to a conversation than a training course.&lt;/p&gt;
&lt;p&gt;The future of computing isn't about learning more complex systems. It's about building systems that can learn from us. The interface of tomorrow won't be something we click on, but something we talk to, correct, and steer. That is the real change: technology that doesn't just follow instructions, but understands our goals.&lt;/p&gt;</content><category term="Interest"></category><category term="Bot Management"></category><category term="Machine Learning"></category><category term="DevSecOps"></category><category term="Technical"></category></entry><entry><title>From Research Paper to Running Code</title><link href="https://www.peakhour.io/blog/from-paper-to-code-with-ai/" rel="alternate"></link><published>2025-07-18T00:00:00+10:00</published><updated>2025-07-18T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-07-18:/blog/from-paper-to-code-with-ai/</id><summary type="html">&lt;p&gt;Exploring how AI can dramatically accelerate the process of turning complex academic research into functional code, with examples from anomaly detection to small LLMs.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In my last post, I talked about my journey from typing &lt;code&gt;format c:&lt;/code&gt; on an old DOS machine to collaborating with AI. The part I keep coming back to still feels slightly unreal: turning academic research papers directly into working code.&lt;/p&gt;
&lt;p&gt;For years, the hard part was the distance between academia and industry. A good idea could be locked inside a dense, equation-heavy paper, and turning it into a practical tool could take a team of specialists weeks or months. You had to understand the mathematics, translate it into logic, write the code, and then debug all the places where the theory met the real world.&lt;/p&gt;
&lt;p&gt;Now my process looks completely different. I'll find an interesting paper, give it to an AI like Gemini, and say, "code this for me". It is a conversation, not just a command. We go back and forth, clarifying ambiguities in the paper and refining the implementation. What used to take weeks of painstaking effort can now be prototyped in an afternoon.&lt;/p&gt;
&lt;p&gt;Here are a few examples from my own experiments.&lt;/p&gt;
&lt;h3&gt;Anomaly Detection&lt;/h3&gt;
&lt;p&gt;I recently came across a paper detailing a new statistical method for detecting anomalies in time-series data. In the past, I would have spent days just trying to get comfortable with the mathematical models before writing a single line of code. This time, I fed the PDF to the AI. Within minutes, it had parsed the document and produced a Python implementation of the core algorithm. It was not perfect on the first go, but it was a solid, working foundation that we could test and refine together. The AI handled the heavy lifting of translation, leaving me to focus on validating and applying the model.&lt;/p&gt;
&lt;h3&gt;Customer Journey Mapping&lt;/h3&gt;
&lt;p&gt;Another area I have been looking at is using data to understand customer behaviour. There are academic papers that model how users interact with a website or product, mapping out their journey from discovery to purchase. Implementing these models used to be a serious undertaking. Now, I can give the AI a paper on a new journey mapping technique, and it can generate the code to analyse server logs or user event data and produce the kind of insights the paper describes. That makes it much easier to experiment with new ways of understanding our customers.&lt;/p&gt;
&lt;h3&gt;Building Small Language Models&lt;/h3&gt;
&lt;p&gt;This is where it gets really interesting. We can use large language models (LLMs) to help build smaller, more specialised ones. I've been experimenting with research papers that propose new, efficient LLM architectures. I can give one of these papers to a large AI and have it help me write the code for the smaller architecture. There is a beautiful irony in using a massive AI to help create its smaller, more nimble cousins. It speeds up the cycle of innovation inside the AI field itself.&lt;/p&gt;
&lt;p&gt;For me, the important change is the shorter loop between reading an idea, testing it, and getting it into use. The friction between a theoretical concept and a working prototype has been reduced almost to zero. That means I can explore more ideas, take more risks, and bring those research ideas into real use much faster than before.&lt;/p&gt;</content><category term="Interest"></category><category term="DevSecOps"></category><category term="Technical"></category><category term="Machine Learning"></category></entry><entry><title>My Programming Journey</title><link href="https://www.peakhour.io/blog/my-programming-journey-from-dos-to-ai/" rel="alternate"></link><published>2025-07-17T00:00:00+10:00</published><updated>2025-07-17T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-07-17:/blog/my-programming-journey-from-dos-to-ai/</id><summary type="html">&lt;p&gt;A personal journey through the evolution of programming, from the early days of DOS and BASIC to the current age of AI-assisted coding.&lt;/p&gt;</summary><content type="html">&lt;p&gt;My path into technology started with a beige box and no plan beyond seeing what it would do.&lt;/p&gt;
&lt;p&gt;When I was a kid, I got an old 8086 computer. The only thing it came with was a thick manual for 'DOS', its operating system. For a child trying to make sense of it, the blinking &lt;code&gt;C:\&amp;gt;&lt;/code&gt; prompt was not exactly welcoming. What was I meant to do with it?&lt;/p&gt;
&lt;p&gt;I tried typing whatever came to mind, but most of it ended in errors. Then I stumbled on a command that actually did something interesting: &lt;code&gt;format c:&lt;/code&gt;. After I typed 'Y' to confirm, the screen would fill with text, showing me its progress. I didn't realise I was wiping the computer's entire memory. I only knew the machine was finally responding.&lt;/p&gt;
&lt;p&gt;Things properly opened up when I found a book filled with GW-BASIC programs. I wasn't just using a computer anymore; I was telling it what to do. I spent ages carefully typing out code, one line at a time. &lt;code&gt;10 PRINT "HELLO THERE"&lt;/code&gt;, &lt;code&gt;20 GOTO 10&lt;/code&gt;. It was slow work, but there was something hard to beat about bringing a program to life with my own hands.&lt;/p&gt;
&lt;p&gt;My skills moved along when QuickBasic started coming with MS-DOS. The tools were better, the language was more powerful, and I started building my own little games and applications, learning how to organise my ideas into code.&lt;/p&gt;
&lt;p&gt;Every programmer eventually hits a wall. For me, it was a 64-kilobyte limit on a single variable. It sounds tiny now, but it blocked a project I cared about. The only way forward was to learn C, a much more complex language. It was a hard jump, but it was the way to build bigger and more powerful software.&lt;/p&gt;
&lt;p&gt;That arc is why today's tools feel so strange to me.&lt;/p&gt;
&lt;p&gt;For most of my career, my job was to translate human ideas into instructions a computer could follow. I had to think like a machine, breaking everything down into small, logical steps.&lt;/p&gt;
&lt;p&gt;Now the process feels very different. I still solve problems, but I spend less time spelling out every instruction. I have a conversation with my computer. I can describe a goal, or show it a research paper, and an AI partner helps me write the code. My role has shifted from writing each line by hand to setting direction, checking the work, and deciding what is actually worth building.&lt;/p&gt;
&lt;p&gt;Looking back, the path from blindly typing &lt;code&gt;format c:&lt;/code&gt; to working alongside an AI still feels odd in the best way. We've moved from telling the machine exactly &lt;em&gt;how&lt;/em&gt; to do something to describing &lt;em&gt;what&lt;/em&gt; we want to achieve and then judging the result. That is a big change. I am still getting used to it.&lt;/p&gt;</content><category term="Interest"></category><category term="DevSecOps"></category></entry><entry><title>How AI Agents Are Writing Custom Exploits</title><link href="https://www.peakhour.io/blog/ai-agents-custom-exploits/" rel="alternate"></link><published>2025-02-17T14:00:00+11:00</published><updated>2025-02-17T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-02-17:/blog/ai-agents-custom-exploits/</id><summary type="html">&lt;p&gt;AI agents with reasoning capabilities like DeepSeek are revolutionizing exploit development, marking the end of traditional security approaches based on static rules and patterns.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The trend is clear enough: AI agents can now craft exploits by analysing security responses in real time. That puts static security rules and traditional Web Application Firewalls (WAFs) under direct pressure. Here is why.&lt;/p&gt;
&lt;p&gt;Last week I examined an AI agent probing a test environment. It sent requests, observed the responses, then built bypasses for each security control in sequence. The agent identified pattern-based rules, learned their structure, and generated variations until it found gaps. It did this without human intervention.&lt;/p&gt;
&lt;p&gt;This kind of automated exploit development changes the operating conditions for defenders. Traditional defences rely on known patterns: regex rules, signature matching, IP reputation. Those approaches assume threats follow recognisable templates. That assumption is becoming much weaker.&lt;/p&gt;
&lt;p&gt;Consider a standard WAF rule blocking &lt;a href="/products/waf/"&gt;SQL injection&lt;/a&gt; through pattern matching. An AI agent examines the responses, determines the matching patterns, then generates unique variants designed to bypass those rules while maintaining the exploit's functionality. The variants evolve as the agent learns which approaches succeed.&lt;/p&gt;
&lt;p&gt;The same pattern applies beyond SQL injection. AI agents can probe XSS filters, access controls, and input validation in the same systematic way. Each static rule becomes something the agent can test, infer, and work around.&lt;/p&gt;
&lt;p&gt;By 2026, I estimate AI agents will drive over 50% of exploit attempts. The speed of this shift stems from three factors:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;AI agents operate continuously, testing and learning 24/7&lt;/li&gt;
&lt;li&gt;Successful exploits feed back into training data, improving future attempts&lt;/li&gt;
&lt;li&gt;Agents share knowledge, building collective intelligence about bypass techniques&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This is the practical limit of static security. Traditional WAFs that rely on fixed rules and signatures struggle to keep pace with AI-generated exploits. Each rule loses value as agents discover new bypasses.&lt;/p&gt;
&lt;p&gt;The path forward requires a different security architecture. Organisations need context-aware systems that analyse intent, not just patterns. These systems use behavioural AI to distinguish between legitimate requests and exploit attempts, even when the request structure changes.&lt;/p&gt;
&lt;p&gt;Key elements of this new approach include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Intent analysis through deep inspection of request sequences&lt;/li&gt;
&lt;li&gt;Behavioural modelling of normal vs malicious patterns&lt;/li&gt;
&lt;li&gt;Real-time adaptation as new exploit techniques emerge&lt;/li&gt;
&lt;li&gt;Proactive identification of potential vulnerabilities&lt;/li&gt;
&lt;li&gt;Integration of threat intelligence across systems&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The challenge intensifies when AI agents leverage &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt;. These proxies route traffic through real consumer IP addresses, bypassing location-based blocks. An AI agent operating through residential proxies can probe defences while appearing to come from legitimate users worldwide.&lt;/p&gt;
&lt;p&gt;This combination of AI-driven exploit generation and residential proxy networks makes traditional controls much less reliable. Organisations that continue to rely on static rules face a growing risk of compromise.&lt;/p&gt;
&lt;p&gt;Security teams should respond now:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Audit existing WAF rules to identify pattern-based weaknesses&lt;/li&gt;
&lt;li&gt;Deploy behavioural analysis capabilities to detect malicious intent&lt;/li&gt;
&lt;li&gt;Implement adaptive security controls that evolve with threats&lt;/li&gt;
&lt;li&gt;Monitor for AI-driven probing attempts&lt;/li&gt;
&lt;li&gt;Build detection for residential proxy traffic&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Teams that wait risk watching their defences get mapped and bypassed by automated agents. Static rules alone are not enough for this level of probing.&lt;/p&gt;
&lt;p&gt;This also requires a shift in how we approach security. Rather than only blocking specific patterns, we need to understand and control the broader context of system interactions. The goal moves from "preventing known attacks" to "identifying and blocking malicious behaviour, regardless of its specific form."&lt;/p&gt;
&lt;p&gt;Adaptive security systems need to reason about traffic in the same context-aware way as the agents probing them. Static rules still have a role, but they cannot be the centre of the defence.&lt;/p&gt;
&lt;p&gt;Security strategy needs to account for this now, because AI-driven probing is no longer hypothetical.&lt;/p&gt;
&lt;h2&gt;The Reasoning Model Revolution&lt;/h2&gt;
&lt;p&gt;The emergence of open &lt;a href="/blog/agentic-ai-deepseek-changes-everything/"&gt;reasoning models&lt;/a&gt; like DeepSeek pushes this further. Unlike traditional AI that follows programmed patterns, reasoning models understand context and adapt strategies dynamically. That creates harder security problems.&lt;/p&gt;
&lt;p&gt;Consider how a reasoning model approaches security testing. Rather than simply probing for weaknesses, it builds a conceptual model of the system's defences. It understands the purpose of security controls and reasons about potential bypasses. That allows it to generate novel attack strategies that were not present in training data.&lt;/p&gt;
&lt;p&gt;DeepSeek demonstrates this shift. Within months of release, it showed capabilities matching established players at a fraction of the cost. This rapid progress comes from reasoning models' ability to understand and adapt, not just pattern match.&lt;/p&gt;
&lt;p&gt;For security teams, that is a material challenge. Reasoning models do not just find gaps in rules. They infer why rules exist, deduce the logic behind security controls, and generate attacks that exploit underlying assumptions.&lt;/p&gt;
&lt;p&gt;By 2027, I expect reasoning models to handle most security testing and exploit development. Their advantages prove too compelling:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;They understand system architecture and security principles&lt;/li&gt;
&lt;li&gt;They generate novel attack strategies through reasoning&lt;/li&gt;
&lt;li&gt;They adapt in real-time based on system responses&lt;/li&gt;
&lt;li&gt;They share and build upon successful approaches&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This shift pushes traditional security approaches past their useful boundary faster than many teams expect. Pattern matching and rule-based systems cannot reliably counter an opponent that understands and reasons about their operating logic.&lt;/p&gt;
&lt;p&gt;The combination of reasoning models with residential proxies is especially difficult to defend against. Reasoning models devise sophisticated attacks while proxies mask their origin. Each successful breach feeds back into the model's understanding, improving future attempts.&lt;/p&gt;
&lt;p&gt;Security teams must embrace a new paradigm focused on:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Understanding attack narratives rather than patterns&lt;/li&gt;
&lt;li&gt;Detecting anomalous reasoning rather than known signatures&lt;/li&gt;
&lt;li&gt;Building systems that adapt to novel attack strategies&lt;/li&gt;
&lt;li&gt;Implementing security that reasons about intent&lt;/li&gt;
&lt;li&gt;Developing defences that evolve through adversarial learning&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Security systems need to reason about threats as effectively as the AI agents probing them. Traditional approaches will fail against opponents that understand the logic behind security controls and devise creative bypasses.&lt;/p&gt;
&lt;p&gt;The age of reasoning security has begun. Static rules and pattern matching are no longer enough on their own.&lt;/p&gt;
&lt;p&gt;The question is how quickly security teams can move from fixed patterns to adaptive, intent-aware defence.&lt;/p&gt;</content><category term="Security"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="DevSecOps"></category><category term="Bot Management"></category><category term="API Security"></category><category term="DDoS"></category></entry><entry><title>Why Reasoning Models Like DeepSeek Change Everything</title><link href="https://www.peakhour.io/blog/agentic-ai-deepseek-changes-everything/" rel="alternate"></link><published>2025-02-03T08:13:00+11:00</published><updated>2025-02-03T08:13:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-02-03:/blog/agentic-ai-deepseek-changes-everything/</id><summary type="html">&lt;p&gt;How open reasoning models transform automation from rigid scripts to autonomous agents, fundamentally changing our approach to security and digital interactions.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Open reasoning models change how we need to think about automation and security. Looking at models like DeepSeek, the important shift is not another small gain in AI capability. It is the move towards autonomous agents that can plan, reason, and adapt without human guidance.&lt;/p&gt;
&lt;p&gt;This became clear while analysing recent credential stuffing attacks. The patterns showed attackers using AI agents to probe systems, identify vulnerabilities, and craft custom exploits. These were not pre-programmed scripts following rigid rules. They were agents making decisions based on the system's responses.&lt;/p&gt;
&lt;p&gt;The implications go beyond security. Consider how marketing teams usually approach A/B testing and campaign optimisation. Most tools and frameworks assume automation follows fixed paths: if this happens, do that. Reasoning models do not fit that model. They can work without predefined decision trees or explicit step-by-step instructions. They observe, learn, and create their own strategies.&lt;/p&gt;
&lt;p&gt;This forces us to rethink basic assumptions about digital interactions. When an API call could come from an AI agent rather than a script, how do we distinguish friend from foe? Traditional markers such as request patterns, user agents, and IP addresses carry less weight when an agent can analyse and adapt to detection methods.&lt;/p&gt;
&lt;p&gt;The same problem applies to customer engagement. Marketing funnels designed for human decision-making now face AI agents that can evaluate options systematically, compare alternatives across multiple sources, and make optimised choices. The customer journey stops being a neat linear path and becomes a space where AI agents operate alongside human users.&lt;/p&gt;
&lt;p&gt;Reasoning models also challenge the way we approach bot management. Traditional methods focus on identifying automated behaviour: patterns that deviate from human norms. But what happens when AI agents can mimic human behaviour while operating at machine speed? The line between human and automated traffic becomes harder to draw.&lt;/p&gt;
&lt;p&gt;Through conversations with security teams, I have seen this pattern emerge. They report sophisticated attacks that adapt in real-time, probing defences and adjusting tactics based on system responses. These are not pre-programmed behaviours. They are reasoning models understanding and responding to defensive measures.&lt;/p&gt;
&lt;p&gt;The business impact extends beyond security. Companies need to adapt digital infrastructure for a world where AI agents become primary users. That means rethinking API design, service architecture, and customer interaction models. The question is not whether to support AI agents, but how to do it safely and effectively.&lt;/p&gt;
&lt;p&gt;Authentication is a good example. Traditional systems often rely on proving human presence through CAPTCHAs, behaviour analysis, and device fingerprinting. In a world of reasoning models, we need approaches that focus on intent and trust rather than a simple human versus machine test.&lt;/p&gt;
&lt;p&gt;The path forward is a shift in perspective. Rather than only trying to block or restrict AI agents, we need systems that can interact with them safely. That means moving from static rule-based security to contextual analysis that understands and adapts to agent behaviour.&lt;/p&gt;
&lt;p&gt;The strategic implications for businesses are significant. Success in this environment requires a clear understanding of how reasoning models operate. Companies must redesign digital interfaces to support both human and AI interactions while maintaining security and control.&lt;/p&gt;
&lt;p&gt;From my analysis of current trends, this change is accelerating. Each advance in reasoning models expands their capability and autonomy. Organisations that adapt their strategies now will be better positioned as this digital environment changes.&lt;/p&gt;
&lt;p&gt;The rise of reasoning models is more than another technology upgrade. It changes how we approach automation, security, and digital interaction. Organisations need systems capable of engaging safely and effectively with autonomous AI agents.&lt;/p&gt;
&lt;p&gt;The question is not whether reasoning models will change business operations. They already are. The practical question is how quickly organisations can adapt their strategies and infrastructure, and whether they can do it without losing control of trust, security, and user experience.&lt;/p&gt;</content><category term="Security"></category><category term="DevSecOps"></category><category term="Bot Management"></category><category term="Credential Stuffing"></category><category term="Machine Learning"></category></entry><entry><title>Anti-Detect Browsers</title><link href="https://www.peakhour.io/blog/anti-detect-browsers-application-security-threat/" rel="alternate"></link><published>2025-01-15T10:00:00+11:00</published><updated>2025-01-15T10:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-15:/blog/anti-detect-browsers-application-security-threat/</id><summary type="html">&lt;p&gt;Anti-detect browsers represent one of the most sophisticated threats facing modern web applications and APIs. Learn how these tools work, why they pose a significant threat to application security, and how modern security platforms can detect and mitigate their use.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Anti-detect browsers matter to defenders because they attack the assumptions behind browser trust. Many bot and fraud controls look for consistency between the browser, network, session, and behaviour. Anti-detect tooling is designed to make automated or repeated activity look more like separate ordinary browser sessions.&lt;/p&gt;
&lt;p&gt;This article is not a guide to using those tools. The defensive question is simpler: when a browser tries to look ordinary, what can still be observed safely, and how should that evidence affect a request decision?&lt;/p&gt;
&lt;h2&gt;Why They Create Risk&lt;/h2&gt;
&lt;p&gt;Anti-detect browsers are often discussed as a browser-fingerprinting problem, but the risk is wider than that. The same traffic may also involve residential proxies, credential lists, automation, and API requests that never run browser-side checks. A login attempt, account creation flow, product scrape, checkout request, or mobile API call may look valid at the protocol level while still being part of an automated campaign.&lt;/p&gt;
&lt;p&gt;The hard part is that some signals are genuinely ambiguous. A changed browser, a new device, a shared network, or a privacy tool does not prove abuse. A defensive system has to treat those observations as risk inputs, not as standalone verdicts.&lt;/p&gt;
&lt;h2&gt;Browser Consistency Is Evidence, Not Identity&lt;/h2&gt;
&lt;p&gt;Anti-detect tooling tries to make browser-reported attributes look internally consistent. That weakens simple checks that only ask whether the browser appears plausible. Defenders need a broader view: does the claimed browser line up with the network stack, TLS and HTTP behaviour, session history, cookie continuity, route sequence, response-code pattern, and recent account behaviour?&lt;/p&gt;
&lt;p&gt;That does not mean a fingerprint identifies a person. Fingerprints classify software, client behaviour, and connection characteristics. They can help separate likely automation from ordinary traffic, but they need to be combined with route, account, proxy, and behavioural context. The result should be a risk classification with evidence attached, not an unexplained block.&lt;/p&gt;
&lt;h2&gt;Residential Proxies Change the Decision&lt;/h2&gt;
&lt;p&gt;Residential proxies are a common companion signal because they make requests appear to come from consumer networks. That creates a false-positive problem. Real customers also use shared residential, mobile, office, carrier-grade NAT, and public Wi-Fi networks. Blocking every suspicious or shared source would damage legitimate traffic.&lt;/p&gt;
&lt;p&gt;The safer approach is to use &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; as one input in the decision. A proxy signal on a public content page may be logged. The same signal on repeated login failures, account creation, checkout abuse, or sensitive APIs may justify a challenge, rate limit, or block. Context changes the action.&lt;/p&gt;
&lt;h2&gt;The API Gap&lt;/h2&gt;
&lt;p&gt;Browser-side checks are weakest where the browser is not present. Mobile apps, partner integrations, token routes, and direct API clients may not expose the same JavaScript or browser evidence that a web page does. Attackers do not need a convincing browser if the target workflow accepts valid-looking API requests.&lt;/p&gt;
&lt;p&gt;That is why anti-detect risk belongs in the wider &lt;a href="/solutions/application-security/"&gt;application security&lt;/a&gt; model. API routes need method, schema, authentication, token, request cadence, response-code, account, and bot context. If the only signal available is an IP address, the decision will be too blunt.&lt;/p&gt;
&lt;h2&gt;Observable Signals Defenders Can Use&lt;/h2&gt;
&lt;p&gt;The useful evidence is usually the mismatch between what the request claims to be and how it behaves over time. A browser may look plausible on one request, but the wider pattern can still show automation: repeated attempts across accounts, route sequences that normal users do not follow, cache-miss pressure on expensive pages, unusual response-code loops, or browser and network characteristics that drift in ways ordinary clients rarely do.&lt;/p&gt;
&lt;p&gt;&lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt; works best when it combines these signals rather than chasing a single magic detector. IP intelligence, proxy classification, network and browser fingerprints, route-aware rates, API state, WAF findings, and behaviour should all feed the same action vocabulary: allow, challenge, rate limit, block, log, or review.&lt;/p&gt;
&lt;h2&gt;Safer Defensive Response&lt;/h2&gt;
&lt;p&gt;The defensive response should be proportionate. High-confidence exploit traffic can be blocked quickly. Uncertain browser or proxy evidence may be better challenged, rate limited, or logged until the pattern is clearer. Sensitive routes should have tighter policy than public content. Account-impacting actions should preserve enough evidence for review.&lt;/p&gt;
&lt;p&gt;This is especially important for support teams. If a real customer is challenged or blocked, operators need to see which signal drove the action and which route was involved. Without that record, anti-bot policy becomes a black box.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Anti-detect browsers are a practical problem because they reduce the value of simple browser checks. They do not make traffic invisible. They leave request-path evidence in network behaviour, route sequences, account activity, API usage, proxy signals, and response patterns.&lt;/p&gt;
&lt;p&gt;The right goal is not to identify a person from a fingerprint or to block every unusual browser. The goal is to classify risk with enough context to choose a safe action at the edge, then keep the evidence available for tuning and review.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="Application Security"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="DevSecOps"></category></entry><entry><title>Next-Generation Application Security Defence Strategies</title><link href="https://www.peakhour.io/blog/ai-powered-cyber-threats-application-security-defence/" rel="alternate"></link><published>2024-11-15T14:00:00+11:00</published><updated>2024-11-15T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-11-15:/blog/ai-powered-cyber-threats-application-security-defence/</id><summary type="html">&lt;p&gt;Comprehensive analysis of AI-powered cyber threats and how modern application security platforms defend against machine learning-driven attacks. Learn advanced defence strategies for the AI cybersecurity arms race.&lt;/p&gt;</summary><content type="html">&lt;p&gt;As I look at recent cyber threat activity, the pattern is clear enough: AI is no longer only a defensive tool. Attackers are using it to probe, adapt, and automate application-layer attacks.&lt;/p&gt;
&lt;p&gt;One recent incident made that plain. Our threat detection systems identified a series of probes against a client's infrastructure. These were not the typical brute-force attempts we are used to blocking. The attack patterns changed in real time, adapted to our defences, and probed for weaknesses in a way that pointed to AI-driven automation.&lt;/p&gt;
&lt;p&gt;The individual attempts were not the main concern. What mattered was how the attack system learned and adjusted its approach. When we blocked one vector, it shifted to another. When we implemented rate limiting, it distributed its attempts through residential proxies. The attack showed a common trait of AI systems: rapid iteration and learning from failure.&lt;/p&gt;
&lt;p&gt;This change in attack methodology puts real pressure on the traditional security model. Static defences, including controls that looked strong only months ago, are easier to route around. They might stop obvious threats, but more capable AI-powered attacks can keep testing the edges until they find a path.&lt;/p&gt;
&lt;p&gt;The threat landscape has shifted in three practical ways. First, AI enables attacks to adapt and evolve in real time. Second, residential proxies give attackers a distributed network of IP addresses that appear legitimate, making traffic origin verification much harder. Third, AI can analyse and mimic legitimate user behaviour patterns closely enough to bypass traditional bot detection.&lt;/p&gt;
&lt;p&gt;These changes require a change in defence strategy. Identifying and blocking known attack patterns still matters, but it is no longer enough on its own. We need systems that can anticipate and adapt to new threats as quickly as they emerge.&lt;/p&gt;
&lt;p&gt;In our security operations, we've begun implementing what we call "contextual defence dynamics." The approach moves beyond simple pattern matching to analyse the intent and behaviour behind each request. We examine not just what a request does, but how it fits into broader patterns of behaviour and what it might indicate about the attacker's objectives.&lt;/p&gt;
&lt;p&gt;That approach has already proved useful. When we implemented contextual defence dynamics for a major e-commerce client, we identified and blocked an AI-powered credential stuffing attack that had evaded traditional detection methods for weeks. The attack used residential proxies to distribute its attempts and mimicked human behaviour patterns, but our system identified subtle anomalies in its timing and response patterns.&lt;/p&gt;
&lt;p&gt;That case highlighted a useful point: while AI-powered attacks grow more sophisticated, they still exhibit patterns. Those patterns may not appear in individual actions, but they do appear in broader behaviour and objectives. By shifting our focus from blocking specific actions to understanding and responding to these broader patterns, we can maintain effective defences even against evolving threats.&lt;/p&gt;
&lt;p&gt;This approach requires a different way of thinking about security. We must move from a model of static defences to one of dynamic response. Our security systems must learn and adapt as quickly as the threats they face. This means implementing machine learning systems that can identify new attack patterns, updating defence strategies in real time, and maintaining awareness of emerging threat vectors.&lt;/p&gt;
&lt;p&gt;The implications extend beyond technical implementation. Organisations need to treat security budgets and strategies as ongoing commitments, not one-off purchases. The era of "set and forget" security solutions has ended. Continuous adaptation and review now sit at the centre of effective defence.&lt;/p&gt;
&lt;p&gt;I expect this arms race to keep accelerating. AI will continue to enhance both attack and defence capabilities. The organisations that maintain strong security will be those that accept this dynamic and build their defences around continuous adaptation.&lt;/p&gt;
&lt;p&gt;For security professionals, this means developing new skills and approaches. We must understand not just the technical aspects of security, but the patterns of attack and defence that emerge in AI-driven systems. We must build systems that can learn and adapt, and we must be prepared to change strategy as the threat landscape evolves.&lt;/p&gt;
&lt;p&gt;The security arms race has entered a new phase. The advantage will not sit with the strongest static defences alone, but with teams that can adapt and evolve their protection strategies in real time. The focus must shift from building walls to creating intelligent, adaptive defence systems that can match the sophistication of AI-powered threats.&lt;/p&gt;
&lt;p&gt;This shift in security thinking is practical, not theoretical. The threats we face are becoming more capable, and defensive tooling is improving as well. The important step is recognising the change and adapting how we build, operate, and review application security controls.&lt;/p&gt;</content><category term="Security"></category><category term="Threat Detection"></category><category term="Machine Learning"></category><category term="DevSecOps"></category><category term="Bot Management"></category><category term="DDoS"></category><category term="Application Security"></category></entry><entry><title>Managing Bots For Application Security</title><link href="https://www.peakhour.io/blog/enterprise-bot-management-application-security/" rel="alternate"></link><published>2024-09-15T00:00:00+10:00</published><updated>2024-09-15T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-09-15:/blog/enterprise-bot-management-application-security/</id><summary type="html">&lt;p&gt;Comprehensive guide to enterprise bot management for modern application security platforms. Learn how to protect applications and APIs from sophisticated bot threats including anti-detect browsers, credential stuffing, and automated attacks targeting DevOps environments.&lt;/p&gt;</summary><content type="html">&lt;p&gt;This guide separates &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; into three maturity levels: basic, intermediate, and advanced. The point is not to rank feature lists. It is to understand what kind of bot decision each level can safely make on the request path.&lt;/p&gt;
&lt;p&gt;Bots now target revenue, data, accounts, inventory, APIs, and origin capacity. Some are obvious crawlers. Others run credential stuffing, account creation, scraping, inventory hoarding, click fraud, or Layer 7 pressure through traffic that looks close to normal. A useful bot control has to decide whether to allow, challenge, rate limit, block, log, or review a request without punishing legitimate users who happen to share a network or device pattern.&lt;/p&gt;
&lt;p&gt;For more on account impact, read our article on the &lt;a href="/blog/credential-stuffing-business-impact/"&gt;Business Impact of Credential Stuffing&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Basic Protection&lt;/h2&gt;
&lt;p&gt;Basic bot management is built around visible signals: user-agent checks, simple IP reputation, known bot signatures, and broad rate limits. These controls still have a job. They can manage well-behaved crawlers, block obvious automation, and stop a single noisy source from hammering a site.&lt;/p&gt;
&lt;p&gt;The limitation is that basic controls assume the source or header tells most of the story. That breaks down when automation behaves like a browser, rotates infrastructure, or spreads requests across residential and shared networks. A flat IP limit may slow one scraper and still miss a credential attack distributed across many exits. It may also catch real users behind a busy office, mobile carrier, or public Wi-Fi network.&lt;/p&gt;
&lt;p&gt;Basic protection is suitable when the risk is low, the main concern is crawler hygiene, and the business can tolerate coarse controls. It is not enough for account protection, high-value scraping targets, or API workflows where abuse can arrive through valid requests.&lt;/p&gt;
&lt;h2&gt;Intermediate Protection&lt;/h2&gt;
&lt;p&gt;Intermediate bot management adds more request and client evidence. JavaScript signals, header consistency, cookie behaviour, basic network fingerprints such as &lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;, and route-level observations make the decision less dependent on the IP address alone. This level can catch automation that fails to behave like a normal browser or that exposes inconsistencies across requests.&lt;/p&gt;
&lt;p&gt;It is a meaningful step up, but it still has limits. Anti-detect browsers and modern automation can keep browser signals plausible for long enough to run a campaign. Residential proxy networks can make source reputation noisy. API requests may not run browser-side checks at all. If the bot system treats browser, route, credential, and API context as separate problems, operators end up tuning several partial controls rather than one decision.&lt;/p&gt;
&lt;p&gt;Intermediate protection works for general scraping, noisy automation, and non-persistent abuse. It starts to struggle when attackers adapt, slow down, distribute requests, or target sensitive routes where a small number of requests can cause business harm.&lt;/p&gt;
&lt;h2&gt;Advanced Protection&lt;/h2&gt;
&lt;p&gt;Advanced bot management is combined signal decisioning. The difference is not "more techniques" in a checklist. The difference is that IP intelligence, residential proxy status, network and browser fingerprints, route-specific rates, behaviour, credential risk, API context, WAF/WAAP findings, DDoS pressure, and logs feed the same action model.&lt;/p&gt;
&lt;p&gt;That context changes the decision. A high request rate on a public image route is not the same as repeated failed logins. A suspicious proxy signal on a cached page is not the same as the same signal on account recovery. A browser fingerprint mismatch may be logged on a low-risk page but challenged when paired with exposed credentials and rapid account switching.&lt;/p&gt;
&lt;p&gt;Advanced protection is designed for persistent abuse: credential stuffing, account takeover attempts, scraping at scale, inventory hoarding, fake account creation, API bot traffic, and bot-driven Layer 7 floods. It should support web, mobile, and API traffic, and it should preserve evidence so security, platform, and support teams can see which signal drove an action.&lt;/p&gt;
&lt;h2&gt;Choosing the Right Level&lt;/h2&gt;
&lt;p&gt;The right level depends on what the bot can damage. A brochure site may only need crawler management and basic rate limits. An ecommerce site needs protection for search, product, checkout, promotion, and account routes. A marketplace, bank, gaming platform, ticketing site, or API-heavy business usually needs route-aware decisions that combine proxy, fingerprint, credential, account, and behaviour context.&lt;/p&gt;
&lt;p&gt;The false-positive risk matters just as much as the attack risk. Shared networks, carrier-grade NAT, privacy tools, corporate egress, and normal browser drift can all make a simple signal look suspicious. A mature bot programme does not block every unusual request. It uses uncertainty to pick safer actions: log, challenge, rate limit, or review before escalating to a block.&lt;/p&gt;
&lt;h2&gt;Peakhour's View&lt;/h2&gt;
&lt;p&gt;Peakhour's &lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt; connects bot decisions to the rest of the application security path. &lt;a href="/products/residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;, &lt;a href="/products/ip-intelligence/"&gt;IP Intelligence&lt;/a&gt;, &lt;a href="/products/advanced-rate-limiting/"&gt;Advanced Rate Limiting&lt;/a&gt;, &lt;a href="/products/api-security/"&gt;API Security&lt;/a&gt;, &lt;a href="/products/waf/"&gt;WAAP/WAF controls&lt;/a&gt;, and &lt;a href="/products/log-forwarding/"&gt;Log Forwarding&lt;/a&gt; all support the same request outcome: allow, challenge, rate limit, block, log, or review with evidence.&lt;/p&gt;
&lt;p&gt;That is the practical maturity model. Basic controls handle obvious bots. Intermediate controls add client and request evidence. Advanced controls combine signals into decisions that match the route, risk, and business impact.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="Application Security"></category></entry><entry><title>Application Security for Financial Services Under CPS 234</title><link href="https://www.peakhour.io/blog/credential-stuffing-defence-cps-234-compliance/" rel="alternate"></link><published>2024-07-29T10:00:00+10:00</published><updated>2024-07-29T10:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2024-07-29:/blog/credential-stuffing-defence-cps-234-compliance/</id><summary type="html">&lt;p&gt;Comprehensive analysis of credential stuffing threats against Australian financial institutions and how application security platforms help meet CPS 234 disclosure requirements whilst preventing account takeover attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Recent credential stuffing attacks on prominent Australian retailers like &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;The Iconic&lt;/a&gt; and Dan Murphy's have brought this threat into sharper focus. For APRA-regulated entities, these incidents are a reminder that credential stuffing is not only an account takeover issue. It can also trigger assessment and disclosure obligations under Prudential Standard &lt;a href="https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf"&gt;CPS 234&lt;/a&gt; Information Security.&lt;/p&gt;
&lt;h2&gt;The Rising Tide of Credential Stuffing&lt;/h2&gt;
&lt;p&gt;Credential stuffing is now common in Australia and globally. These attacks exploit password reuse across multiple sites. Cybercriminals use automated tools to test large volumes of stolen username and password combinations against websites, looking for accounts they can access without authorisation.&lt;/p&gt;
&lt;p&gt;The scale is large. According to recent studies, there are over 15 billion stolen credentials circulating on the internet. In 2020 alone, one large content delivery network reported more than 193 billion credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; globally. For Australian businesses, the risk is significant and growing.&lt;/p&gt;
&lt;h2&gt;The Compounding Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;The use of &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; has increased the sophistication and effectiveness of &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; attacks. Residential proxies allow attackers to route their traffic through legitimate residential IP addresses, making automated activity look more like normal user behaviour.&lt;/p&gt;
&lt;p&gt;This technique poses several challenges:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bypassing Traditional Defences&lt;/strong&gt;: Standard IP-based rate limiting and geo-blocking become ineffective when attacks come from diverse, legitimate-looking IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Evading Detection&lt;/strong&gt;: Traffic from residential proxies is harder to distinguish from genuine user activity, complicating detection efforts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scalability&lt;/strong&gt;: Attackers can distribute their attempts across a large network of proxies, allowing for larger-scale attacks without triggering typical alarm thresholds.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Improved Success Rates&lt;/strong&gt;: By appearing to come from the same geographic area as legitimate users, these attacks are more likely to bypass location-based security measures.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The Crabby Phenomenon&lt;/h2&gt;
&lt;p&gt;The emergence of sites like &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;Crabby Cash&lt;/a&gt; shows how credential stuffing fits into a broader cybercrime market. These platforms serve as marketplaces for compromised accounts, making it easier for criminals to monetise successful credential stuffing attacks.&lt;/p&gt;
&lt;p&gt;Key points about Crabby Cash and similar sites:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ease of Access&lt;/strong&gt;: These sites lower the barrier to entry for cybercriminals, providing ready access to compromised accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Rapid Exploitation&lt;/strong&gt;: Once credentials are verified and listed on these sites, the window for detection and mitigation narrows significantly.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Diverse Targets&lt;/strong&gt;: The range of compromised accounts often spans multiple industries, including retail, financial services, and entertainment.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ongoing Threat&lt;/strong&gt;: The existence of these marketplaces incentivises continuous credential stuffing attempts, creating a persistent threat landscape.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The CPS 234 Disclosure Imperative&lt;/h2&gt;
&lt;p&gt;The prevalence of credential stuffing attacks, compounded by residential proxies and platforms like Crabby Cash, makes the disclosure requirements in CPS 234 directly relevant.&lt;/p&gt;
&lt;p&gt;Paragraph 35 of CPS 234 states:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:&lt;/p&gt;
&lt;p&gt;(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or&lt;/p&gt;
&lt;p&gt;(b) has been notified to other regulators, either in Australia or other jurisdictions.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The existence of sites like Crabby Cash can increase the potential impact of credential stuffing attacks, making them more likely to meet the materiality threshold for disclosure.&lt;/p&gt;
&lt;h2&gt;A Risk-Based Approach to Disclosure&lt;/h2&gt;
&lt;p&gt;To manage credential stuffing risk and meet CPS 234 obligations, organisations should take a risk-based approach to detection, mitigation, and disclosure. This involves:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Working with Specialised Providers&lt;/strong&gt;: Engage with cybersecurity providers who can offer insights into your organisation's exposure and risk levels based on:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Network fingerprinting&lt;/li&gt;
&lt;li&gt;Levels of breached credential login attempts&lt;/li&gt;
&lt;li&gt;Prevalence of residential proxy traffic as a high-correlating signal of attack&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Continuous Risk Assessment&lt;/strong&gt;: Regularly evaluate the risk posed by credential stuffing attacks, considering factors such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The volume and sophistication of attempts&lt;/li&gt;
&lt;li&gt;The success rate of attacks&lt;/li&gt;
&lt;li&gt;The potential impact on customers and the organisation&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inadequate Defences as a Risk Signal&lt;/strong&gt;: Recognise that the absence of robust defences against credential stuffing is itself a risk signal. Organisations without advanced bot detection, multi-factor authentication, and behavioural analysis capabilities may face higher risk and should consider this in their disclosure decisions.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adaptive Disclosure Thresholds&lt;/strong&gt;: Develop flexible, risk-based thresholds for APRA notification that take into account:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The current threat landscape&lt;/li&gt;
&lt;li&gt;The organisation's defensive capabilities&lt;/li&gt;
&lt;li&gt;The potential impact of a successful attack&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Assessing Materiality in Light of These Threats&lt;/h2&gt;
&lt;p&gt;When assessing whether a credential stuffing incident meets the materiality threshold for APRA notification, entities should consider:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scale of the Attack&lt;/strong&gt;: The number of accounts targeted or compromised.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Success Rate&lt;/strong&gt;: Whether any accounts were actually breached.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Exposure on Dark Web Markets&lt;/strong&gt;: If compromised credentials appear on sites like Crabby Cash.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Potential Financial Impact&lt;/strong&gt;: Both immediate losses and potential future exploitation.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Non-Financial Impacts&lt;/strong&gt;: Including reputational damage and loss of customer trust.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Broader Systemic Risk&lt;/strong&gt;: Whether the attack could impact the wider financial system.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Defensive Posture&lt;/strong&gt;: The adequacy of existing controls and the organisation's ability to detect and mitigate attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Proactive Measures and Controls&lt;/h2&gt;
&lt;p&gt;To mitigate the risks of credential stuffing attacks, particularly those leveraging residential proxies, APRA-regulated entities should implement robust controls as outlined in CPS 234 and &lt;a href="https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_0.pdf"&gt;CPG 234&lt;/a&gt;:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Contextual Security Approach&lt;/strong&gt;: Implement a contextual security strategy that considers multiple factors to assess the risk of each login attempt, including device characteristics, user behaviour patterns, and network attributes.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Advanced Bot Detection&lt;/strong&gt;: Deploy bot management systems capable of identifying automated attempts, even when they come from diverse IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Residential Proxy Detection&lt;/strong&gt;: Utilise specialised residential proxy detection tools to identify and mitigate threats from this increasingly common attack vector.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Multi-Factor Authentication&lt;/strong&gt;: As suggested in CPG 234, implement MFA for high-risk activities to provide an additional layer of security beyond passwords.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Use analytics to detect anomalous login patterns that may indicate credential stuffing attempts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Continuous Monitoring&lt;/strong&gt;: Implement real-time monitoring systems to quickly identify and respond to potential attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Password Policies&lt;/strong&gt;: Encourage or enforce the use of unique, strong passwords to mitigate the impact of credential stuffing.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Customer Education&lt;/strong&gt;: Proactively inform customers about the risks of password reuse and the importance of strong, unique passwords.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Collaboration and Information Sharing&lt;/strong&gt;: Engage with industry peers and law enforcement to share threat intelligence and effective practices.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adaptive Authentication&lt;/strong&gt;: Implement risk-based authentication that adjusts security requirements based on the perceived threat level of each login attempt.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By adopting these measures, particularly a contextual security approach incorporating &lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; detection, organisations can improve their resilience against credential stuffing attacks and better protect their customers' accounts.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Credential stuffing, residential proxies, and platforms like Crabby Cash make account takeover risk harder to assess and harder to contain. APRA-regulated entities need a proactive, risk-based approach to information security and regulatory compliance.&lt;/p&gt;
&lt;p&gt;APRA-regulated entities should treat credential stuffing attacks as more than a technical control problem. They are business risks that may require Board-level attention and, depending on materiality, regulatory disclosure under CPS 234. By implementing preventative measures, maintaining effective incident response capabilities, and keeping clear processes for assessing and reporting incidents, organisations can better protect themselves and their customers from this growing threat.&lt;/p&gt;
&lt;p&gt;In this environment, CPS 234 compliance is not only a reporting exercise. It depends on information security controls that protect the organisation, its customers, and the broader financial system before credential stuffing becomes a material incident.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="PCI DSS"></category></entry><entry><title>2024 Survey Insights</title><link href="https://www.peakhour.io/blog/credential-stuffing-and-account-takeover-survey-2024/" rel="alternate"></link><published>2024-07-16T10:00:00+10:00</published><updated>2024-07-16T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-16:/blog/credential-stuffing-and-account-takeover-survey-2024/</id><summary type="html">&lt;p&gt;Our 2024 survey of Australian CISOs and CTOs looks at how businesses are approaching account protection, particularly credential stuffing and residential proxies.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Our recent survey of Australian CISOs and CTOs looked at account protection controls, planned security measures, and how teams are responding to credential stuffing and residential proxies. Key findings:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Multi-Factor Authentication (MFA) Adoption&lt;/strong&gt;: 76.23% of Australian businesses use MFA, showing broad adoption of a baseline account security control.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bot Protection&lt;/strong&gt;: Currently implemented by 39.34% of organisations, with an additional 34.65% planning to adopt it.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bot Management Solutions&lt;/strong&gt;: Cloudflare is the most common bot management provider in the survey, used by 48.24% of respondents.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Residential Proxy (Resip) Detection&lt;/strong&gt;: Only 13.11% of organisations currently use this technology, although many plan to implement it to address residential proxy traffic.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Credential Stuffing Concerns&lt;/strong&gt;: Businesses are planning measures to reduce credential stuffing risk, including bot protection, MFA, and checking credentials against known breaches.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Mobile Security Gap&lt;/strong&gt;: Low adoption of Web Application and API Protection (WAAP) suggests gaps in mobile application security.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Executive vs. Engineer Priorities&lt;/strong&gt;: The survey showed different cybersecurity priorities between executives and engineers.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These findings point to the need for &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account protection&lt;/a&gt; strategies that go beyond MFA and address automated traffic, breached credentials, and residential proxies.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Bot Management"></category><category term="DevSecOps"></category></entry><entry><title>Addressing Key Cloud Security Categories</title><link href="https://www.peakhour.io/blog/peakhour-cloud-security-post-wiz/" rel="alternate"></link><published>2024-05-01T10:00:00+10:00</published><updated>2024-05-01T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-05-01:/blog/peakhour-cloud-security-post-wiz/</id><summary type="html">&lt;p&gt;An analysis of Peakhour's role in addressing key cloud security categories identified in recent industry analysis, demonstrating its comprehensive approach to modern cloud security challenges.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A recent &lt;a href="https://www.scalevp.com/insights/a-world-after-wiz-emerging-opportunities-in-cloud-security/"&gt;Scale Venture Partners analysis&lt;/a&gt; sets out emerging opportunities in cloud security after Wiz. Peakhour is a reverse proxy rather than a cloud control-plane product, but it addresses several of these categories and covers related security needs at the application edge.&lt;/p&gt;
&lt;h2&gt;Cloud Security Posture Management (CSPM)&lt;/h2&gt;
&lt;p&gt;The analysis identifies CSPM as a key category in cloud security. Peakhour is not a traditional CSPM, but it contributes to security posture management through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Traffic Analysis: Peakhour analyses incoming traffic patterns to identify potential security risks.&lt;/li&gt;
&lt;li&gt;Configuration Recommendations: Peakhour recommends security configuration improvements based on observed traffic patterns.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud Workload Protection Platform (CWPP)&lt;/h2&gt;
&lt;p&gt;The article notes that CWPP products provide granular protection for cloud workloads. Peakhour contributes to workload protection through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Application-Layer Filtering: Peakhour filters traffic at the application layer to protect cloud workloads.&lt;/li&gt;
&lt;li&gt;Real-Time Threat Detection: Peakhour detects and blocks threats in real-time.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud Detection &amp;amp; Response (CDR)&lt;/h2&gt;
&lt;p&gt;CDR focuses on detecting, investigating, and responding to incidents. Peakhour supports CDR work via:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Log Generation: Peakhour generates detailed logs of all traffic for incident investigation.&lt;/li&gt;
&lt;li&gt;Anomaly Detection: Peakhour detects anomalous traffic patterns that indicate security incidents.&lt;/li&gt;
&lt;li&gt;Automated Response: Peakhour responds to detected threats by blocking malicious traffic.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud-Native Application Protection Platform (CNAPP)&lt;/h2&gt;
&lt;p&gt;The analysis defines CNAPP as a combination of CSPM, CWPP, and CDR. Peakhour aligns with that model through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Integrated Security: Peakhour provides a single platform for traffic filtering, threat detection, and response.&lt;/li&gt;
&lt;li&gt;Application-Centric Protection: Peakhour's reverse proxy design protects cloud-native applications at the application edge.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud Infrastructure Entitlement Management (CIEM)&lt;/h2&gt;
&lt;p&gt;Peakhour does not directly manage cloud infrastructure entitlements, but it complements CIEM efforts through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Access Pattern Analysis: Peakhour analyses access patterns to applications, providing insights that can inform entitlement decisions.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Non-Human Identity (NHI)&lt;/h2&gt;
&lt;p&gt;The article highlights the growing importance of managing non-human identities. Peakhour contributes to this area by:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Service-to-Service Communication Monitoring: Peakhour monitors and controls service-to-service communication.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Remediation Ops (RemOps)&lt;/h2&gt;
&lt;p&gt;RemOps focuses on managing the growing volume of security alerts. Peakhour supports RemOps through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Alert Aggregation: Peakhour aggregates security events from traffic analysis into usable alerts.&lt;/li&gt;
&lt;li&gt;Prioritisation: Peakhour prioritises alerts based on threat severity and potential impact.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Additional Peakhour Capabilities&lt;/h2&gt;
&lt;p&gt;Peakhour also addresses &lt;a href="/learning/cloud-security/introduction-to-cloud-security/"&gt;cloud security&lt;/a&gt; needs outside the categories covered in the Scale VP analysis:&lt;/p&gt;
&lt;h3&gt;DDoS Protection&lt;/h3&gt;
&lt;p&gt;Peakhour provides DDoS protection via:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Layer 7 Rate Limiting: Peakhour protects against application-layer DDoS attacks.&lt;/li&gt;
&lt;li&gt;Traffic Anomaly Detection: Peakhour identifies and mitigates DDoS attacks in real-time.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Content Delivery Network (CDN)&lt;/h3&gt;
&lt;p&gt;Peakhour's delivery and cache functionality reduces cloud load and traffic bills through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Traffic Optimisation: Peakhour reduces load on origin servers and decreases traffic bills.&lt;/li&gt;
&lt;li&gt;Geographic Distribution: Peakhour serves content from geographically distributed nodes.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Bot Management&lt;/h3&gt;
&lt;p&gt;Peakhour manages bot traffic through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Bot Detection: Peakhour identifies bot traffic.&lt;/li&gt;
&lt;li&gt;Policy Control: Peakhour implements policies for managing different types of bots.&lt;/li&gt;
&lt;li&gt;Automated Mitigation: Peakhour applies countermeasures against malicious bot activity.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Cloud Visibility&lt;/h3&gt;
&lt;p&gt;Peakhour addresses visibility gaps in modern cloud environments:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Traffic Insights: Peakhour provides detailed insights into front-end traffic patterns.&lt;/li&gt;
&lt;li&gt;Real-Time Analytics: Peakhour delivers real-time analytics on traffic, threats, and application behaviour.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Peakhour addresses several categories identified in the Scale VP analysis of emerging cloud security opportunities. It also covers adjacent needs at the application edge, where traffic, threats, bots, delivery, and visibility meet.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;See how Peakhour's Application Security Platform addresses key areas of modern cloud security. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to strengthen your cloud security posture.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="Application Security"></category><category term="CDN"></category></entry><entry><title>Managing Breached Credential Usage</title><link href="https://www.peakhour.io/blog/breached-credentials-protection-application-security-platform/" rel="alternate"></link><published>2024-03-15T00:00:00+11:00</published><updated>2024-03-15T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-03-15:/blog/breached-credentials-protection-application-security-platform/</id><summary type="html">&lt;p&gt;How breached credential checks and risk signals help detect credential stuffing without adding unnecessary login friction.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; remain a common way to take over accounts on applications and APIs. For DevOps, SRE, and DevSecOps teams, the problem is not just whether a password is correct. It is whether the login attempt carries signs of automation, credential reuse, or known compromise. Effective &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account protection&lt;/a&gt; needs breached credential checks alongside contextual risk analysis.&lt;/p&gt;
&lt;h2&gt;Breached Credential Databases and Risk Profiling&lt;/h2&gt;
&lt;p&gt;Modern Application Security Platforms can use breached credential intelligence containing billions of leaked username and password combinations from historical data breaches. Used at login time, this gives security teams an immediate signal that an account may be at higher risk, even before there is confirmed account takeover activity.&lt;/p&gt;
&lt;h3&gt;Enterprise Credential Intelligence&lt;/h3&gt;
&lt;p&gt;Peakhour's Application Security Platform includes &lt;a href="/products/breached-credentials"&gt;Breached Credentials&lt;/a&gt; protection designed to work with existing authentication systems. The platform provides:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Credential Checking&lt;/strong&gt;: Validation against breached credential data during login attempts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API-Native Integration&lt;/strong&gt;: Integration with authentication services and identity providers&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Privacy-Preserving Verification&lt;/strong&gt;: Hashing mechanisms that protect user privacy whilst enabling threat detection&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DevSecOps Compatibility&lt;/strong&gt;: RESTful APIs for security automation and CI/CD workflows&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Building Statistical Models&lt;/h2&gt;
&lt;p&gt;To detect &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt;, organisations need a baseline for normal breached credential use. This typically involves:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Collecting data from API and login endpoint attempts&lt;/li&gt;
&lt;li&gt;Aggregating data using device fingerprints&lt;/li&gt;
&lt;li&gt;Analysing login patterns and credential use frequency&lt;/li&gt;
&lt;li&gt;Establishing baselines for typical user behaviour&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These models show how often breached credentials appear in normal login traffic, and when the pattern starts to look like automated testing rather than ordinary user behaviour.&lt;/p&gt;
&lt;h2&gt;Application Security Platform Integration&lt;/h2&gt;
&lt;p&gt;Breached credential checks are most useful when they feed into the rest of the application security stack:&lt;/p&gt;
&lt;h3&gt;Multi-Layer Defence Strategy&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Edge Processing&lt;/strong&gt;: Credential validation at the CDN edge&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API Protection&lt;/strong&gt;: Coverage for both web applications and mobile APIs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot Management Integration&lt;/strong&gt;: Correlation with bot detection systems to identify automated credential testing&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rate Limiting Coordination&lt;/strong&gt;: Rate limits adjusted by credential risk&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;DevSecOps Operational Excellence&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Security Automation&lt;/strong&gt;: Response workflows for high-risk credential attempts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Reporting&lt;/strong&gt;: Audit logging and monitoring for security reviews&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Threat Intelligence Feeds&lt;/strong&gt;: Updates from breach monitoring&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Custom Rule Engine&lt;/strong&gt;: Policy configuration for organisation-specific requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Breached credential protection is one part of account takeover defence. On its own, it can show that a password has appeared in a breach. It should sit alongside broader controls such as bot management, rate limiting, API protection, and DDoS mitigation, while still giving teams a clear basis for deciding whether to block, challenge, or monitor a login attempt.&lt;/p&gt;
&lt;p&gt;The practical goal is to make credential risk visible at the point of authentication without treating every user as suspicious. That requires breached credential checking to be part of the login flow, not a separate report reviewed after the attack has already run.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="API Security"></category></entry><entry><title>Dive into CVSS Scores</title><link href="https://www.peakhour.io/blog/confluence-cvss-vectors/" rel="alternate"></link><published>2023-11-10T00:00:00+11:00</published><updated>2023-11-10T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-10:/blog/confluence-cvss-vectors/</id><summary type="html">&lt;p&gt;Understand CVSS by examining the Atlassian CVE-2023-22515 and CVE-2023-22518.&lt;/p&gt;</summary><content type="html">&lt;h3&gt;Understanding CVSS through Atlassian Confluence Vulnerabilities&lt;/h3&gt;
&lt;p&gt;The Common Vulnerability Scoring System (CVSS) gives security teams a shared way to rate the severity of software vulnerabilities. It does not predict risk on its own; it describes the characteristics of a specific security flaw. CVSS uses three metric groups: Base, Temporal, and Environmental. The result is a score from 0 to 10, represented by a vector string that records the details behind the score.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Base Metrics&lt;/strong&gt; describe the inherent aspects of a vulnerability, including how it can be exploited and its potential system impact.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Temporal Metrics&lt;/strong&gt; change over time, reflecting current exploitability and available mitigations.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Environmental Metrics&lt;/strong&gt; account for the specific environment where the vulnerability exists, tailoring the score to the affected organisation.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss"&gt;National Vulnerability Database (NVD)&lt;/a&gt; utilises CVSS to assign base scores and provides tools for calculating Temporal and Environmental scores.&lt;/p&gt;
&lt;h4&gt;Atlassian Confluence Vulnerability Analysis&lt;/h4&gt;
&lt;p&gt;Two Atlassian Confluence vulnerabilities show why the vector matters as much as the headline score:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22515&lt;/strong&gt; is a critical flaw with a base score of 10.0. It is exploitable remotely, with low complexity, no privilege requirements, and no need for user interaction. The attack vector is network-based, so exposure is not limited to local access. Its broad scope and impact across confidentiality, integrity, and availability make it a vulnerability that needs immediate attention.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22518&lt;/strong&gt; shares many similarities with CVE-2023-22515, including a critical base score of 10.0. It can also be exploited remotely without privileges or user interaction, and with low complexity. Its impact on the system's confidentiality, integrity, and availability is high, allowing attackers to gain complete control and shut down the affected resources.&lt;/p&gt;
&lt;p&gt;Both CVE-2023-22515 and CVE-2023-22518 are critical vulnerabilities that demand urgent remediation. Understanding their CVSS vectors helps prioritise the security response and the mitigations needed.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22515&lt;/strong&gt; carries a CVSS score of 10 because it is remotely exploitable, easy to execute, and does not require privileges or user interaction.&lt;/p&gt;
&lt;h5&gt;CVSS Vector for CVE-2023-22515&lt;/h5&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Base Score:&lt;/strong&gt; 10.0 (Critical)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Vector:&lt;/strong&gt; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This vector indicates:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Attack Vector (AV): Network (N)&lt;/strong&gt; - The vulnerability is remotely exploitable.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Attack Complexity (AC): Low (L)&lt;/strong&gt; - It is easy to exploit without major obstacles.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Privileges Required (PR): None (N)&lt;/strong&gt; - No special access is needed.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;User Interaction (UI): None (N)&lt;/strong&gt; - It can be exploited without user involvement.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scope (S): Changed (C)&lt;/strong&gt; - The impact extends beyond the initial target.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Confidentiality, Integrity, Availability (C/I/A): High (H)&lt;/strong&gt; - There is a complete loss of confidentiality, integrity, and availability.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Atlassian's high CVSS score for CVE-2023-22515 reflects its critical nature and the need for immediate action.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22518&lt;/strong&gt; has the same CVSS score of 10, with similar impact across confidentiality, integrity, and availability.&lt;/p&gt;
&lt;h5&gt;CVSS Vector for CVE-2023-22518&lt;/h5&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Base Score:&lt;/strong&gt; 10.0 (Critical)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Vector:&lt;/strong&gt; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This vector means:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Attack Vector (AV): Network (N)&lt;/strong&gt; - Exploitable remotely.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Attack Complexity (AC): Low (L)&lt;/strong&gt; - Easy to exploit with minimal barriers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Privileges Required (PR): None (N)&lt;/strong&gt; - No user privileges required.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;User Interaction (UI): None (N)&lt;/strong&gt; - No need for user action.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scope (S): Changed (C)&lt;/strong&gt; - Broad impact beyond the initial system.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Confidentiality, Integrity, Availability (C/I/A): High (H)&lt;/strong&gt; - Complete compromise of the system's security.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Understanding the CVSS scores for these vulnerabilities helps teams prioritise their security response. For a full breakdown and history of CVSS, see &lt;a href="https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System"&gt;Wikipedia&lt;/a&gt;. More detailed information on CVSS can also be found in &lt;a href="https://www.first.org/cvss/"&gt;FIRST's official CVSS documentation&lt;/a&gt;.&lt;/p&gt;</content><category term="Interest"></category><category term="Threat Detection"></category><category term="DevSecOps"></category><category term="Application Security"></category><category term="Anomaly Detection"></category><category term="Credential Stuffing"></category><category term="Core Web Vitals"></category></entry><entry><title>A Risk Based Approach To Vulnerability Scoring</title><link href="https://www.peakhour.io/blog/epss-explained/" rel="alternate"></link><published>2023-11-10T00:00:00+11:00</published><updated>2023-11-10T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-10:/blog/epss-explained/</id><summary type="html">&lt;p&gt;An in-depth exploration of EPSS, its data-driven approach to assessing cybersecurity threats, and how it complements CVSS.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The Exploit Prediction Scoring System (EPSS) estimates the likelihood that a published CVE will be exploited in the wild. Its value is that it brings several signals into one risk score, instead of treating every vulnerability with the same CVSS severity as equally urgent. The main inputs are:&lt;/p&gt;
&lt;h3&gt;Data Sources of EPSS&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;MITRE’s CVE List&lt;/strong&gt;: EPSS scores only vulnerabilities that are "published" on this list.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Text-based “Tags”&lt;/strong&gt;: Extracted from CVE descriptions and related discussions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Publication Duration&lt;/strong&gt;: The time period since the CVE was published.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reference Count&lt;/strong&gt;: The number of references in the CVE entry.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Published Exploit Code&lt;/strong&gt;: Code from platforms such as Metasploit, ExploitDB, or GitHub.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security Scanners&lt;/strong&gt;: Data from security tools such as Jaeles and Nuclei.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CVSS v3 Vectors&lt;/strong&gt;: Based on the base score in the National Vulnerability Database (NVD).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CPE (vendor) Information&lt;/strong&gt;: Details about the vendors of the products involved, also from NVD.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ground Truth Data&lt;/strong&gt;: Real-world exploitation data from sources such as AlienVault.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;EPSS Model and Tools&lt;/h3&gt;
&lt;p&gt;The current EPSS model, version 2022.01.01, uses 1,164 variables and is based on Gradient Boosting, a machine learning technique. For a visual and interactive view of EPSS scores, the &lt;a href="https://holisticinfosec.shinyapps.io/epsscall/"&gt;EPSScall&lt;/a&gt; tool is useful. It provides historical data and graphs that make score movement easier to inspect.&lt;/p&gt;
&lt;h3&gt;The Drivers of EPSS Scores&lt;/h3&gt;
&lt;p&gt;To understand EPSS, it helps to look at which inputs carry the most weight. The variable importance graph shows the strongest contributors to the EPSS score.&lt;/p&gt;
&lt;p&gt;&lt;img alt="EPSS Variable Importance Graph" src="/static/images/blog/epss_variable_importance.png"&gt;&lt;/p&gt;
&lt;p&gt;Vendor data plays an outsized role in the scoring process. The graph shows how much weight each component has when estimating whether a vulnerability is likely to be exploited.&lt;/p&gt;
&lt;h2&gt;Why Does This Matter?&lt;/h2&gt;
&lt;p&gt;EPSS uses these data sources to predict exploit likelihood more directly than severity-only methods. By considering factors from the age of the CVE to real-world exploit instances, EPSS gives defenders a clearer view of which vulnerabilities are more likely to matter operationally. That makes patching and mitigation decisions easier to prioritise when resources are limited.&lt;/p&gt;
&lt;p&gt;Understanding the components of EPSS also makes the score easier to interpret. It is not a single severity metric; it is a blend of several data points, each with different weight. Tools like EPSScall make those inputs easier to inspect when tuning a vulnerability management process.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;EPSS is useful because it shifts vulnerability triage away from severity alone and towards exploit likelihood. Its use of multiple data sources and machine learning makes it a practical tool for defenders who need to decide what to fix first. Prioritising vulnerabilities this way does not replace judgement, but it gives teams a stronger starting point than CVSS alone.&lt;/p&gt;</content><category term="Interest"></category><category term="Threat Detection"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="Anomaly Detection"></category><category term="DDoS"></category><category term="Credential Stuffing"></category></entry><entry><title>A Tale Of Two Scoring Systems</title><link href="https://www.peakhour.io/blog/a-tale-of-two-scoring-systems-and-atlassian-confluence/" rel="alternate"></link><published>2023-11-08T00:00:00+11:00</published><updated>2023-11-09T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-08:/blog/a-tale-of-two-scoring-systems-and-atlassian-confluence/</id><summary type="html">&lt;p&gt;Reviewing the CVSS an EPSS CVE scoring systems in light of the Atlassian Confluence-Aggedon&lt;/p&gt;</summary><content type="html">&lt;p&gt;When exploits started targeting Atlassian Confluence - CVE-2023-22515 and CVE-2023-22518 - I needed to understand the risk quickly. Confluence is widely deployed, including by Peakhour clients, so the immediate question was what practical advice we could give them.&lt;/p&gt;
&lt;p&gt;I started with &lt;a href="https://confluence.atlassian.com/security/cve-2023-22515-broken-access-control-vulnerability-in-confluence-data-center-and-server-1295682276.html"&gt;CVE-2023-22515&lt;/a&gt; and &lt;a href="https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html"&gt;CVE-2023-22518&lt;/a&gt;. These were not minor bugs. Attackers could create unauthorised admin accounts, which puts the confidentiality, integrity, and availability of Confluence data directly at risk.&lt;/p&gt;
&lt;p&gt;Paul from &lt;a href="https://www.securestack.com"&gt;Secure Stack&lt;/a&gt; has already done an excellent analysis of the situation and identified the likely &lt;a href="https://securestack.com/confluence-aggedon/"&gt;scope of the problem&lt;/a&gt;. It is worth reading for background; the timeline below is unashamedly lifted from that article.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Timeline So Far&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22515 Impact Analysis:&lt;/strong&gt; This bug initially hit versions 8.0.x to 8.5.3 of Confluence Server and Data Center products. The cloud SaaS versions were spared. Given Confluence's use in large organisations that do not always update quickly, the scope was still large.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Dealing with CVE-2023-22518:&lt;/strong&gt; A week later, CVE-2023-22518 appeared. It started with a CVSS score of 9.1 and affected every single version of Confluence ever released. That put organisations outside the first CVE's affected range back in scope.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The Severity Upgrade of CVE-2023-22518:&lt;/strong&gt; On November 7th, 2023, Atlassian raised the severity of CVE-2023-22518 to a CVSS score of 10. Ransomware exploitation had been detected and, like CVE-2023-22515, it allowed the creation of admin accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Looking to EPSS for advice&lt;/h3&gt;
&lt;p&gt;For these CVEs, I leaned heavily on the &lt;a href="https://www.first.org/epss/"&gt;Exploit Prediction Scoring System (EPSS)&lt;/a&gt;. EPSS combines CVE information with real-world exploitation data. It estimates the likelihood of a CVE being exploited in the next 30 days and returns a score between 0 and 1 - the higher the score, the higher the risk. Read more about the applicability
of &lt;a href="/blog/epss-explained/"&gt;EPSS&lt;/a&gt; for scoring vulnerabilities.&lt;/p&gt;
&lt;h4&gt;EPSS Score Changes I Observed&lt;/h4&gt;
&lt;p&gt;A major update landed on October 10, 2023, when new &lt;a href="/products/ip-intelligence/"&gt;threat intelligence&lt;/a&gt; came in. The EPSS score for CVE-2023-22515 moved sharply after October 10th, indicating a higher threat level due to active exploitation.&lt;/p&gt;
&lt;p&gt;As seen in the descending date table:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;EPSS Score&lt;/th&gt;
&lt;th&gt;Percentile&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-13&lt;/td&gt;
&lt;td&gt;0.93527&lt;/td&gt;
&lt;td&gt;0.98809&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-12&lt;/td&gt;
&lt;td&gt;0.93527&lt;/td&gt;
&lt;td&gt;0.98809&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-11&lt;/td&gt;
&lt;td&gt;0.93527&lt;/td&gt;
&lt;td&gt;0.98808&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-10&lt;/td&gt;
&lt;td&gt;0.00126&lt;/td&gt;
&lt;td&gt;0.46728&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-09&lt;/td&gt;
&lt;td&gt;0.00126&lt;/td&gt;
&lt;td&gt;0.46716&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;CVE-2023-22518 was still moving, with a score change the day before publication:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;EPSS Score&lt;/th&gt;
&lt;th&gt;Percentile&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-08&lt;/td&gt;
&lt;td&gt;0.01852&lt;/td&gt;
&lt;td&gt;0.86954&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-07&lt;/td&gt;
&lt;td&gt;0.00061&lt;/td&gt;
&lt;td&gt;0.24385&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-06&lt;/td&gt;
&lt;td&gt;0.00054&lt;/td&gt;
&lt;td&gt;0.20098&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-05&lt;/td&gt;
&lt;td&gt;0.00054&lt;/td&gt;
&lt;td&gt;0.20099&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-03&lt;/td&gt;
&lt;td&gt;0.00054&lt;/td&gt;
&lt;td&gt;0.20098&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-02&lt;/td&gt;
&lt;td&gt;0.00043&lt;/td&gt;
&lt;td&gt;0.07260&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-01&lt;/td&gt;
&lt;td&gt;0.00043&lt;/td&gt;
&lt;td&gt;0.07283&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This table shows a significant increase in the EPSS score from November 1st to November 8th, indicating an escalating likelihood of exploitation.&lt;/p&gt;
&lt;h4&gt;Making Sense of the EPSS Score Changes&lt;/h4&gt;
&lt;p&gt;These shifts in EPSS scores tied in with Atlassian's vendor changelog reports:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;31 Oct 2023:&lt;/strong&gt; Atlassian's CISO sent an alert about significant data loss potential. No active exploits were reported yet, but the warning was clear.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;02 Nov 2023:&lt;/strong&gt; Critical information about the vulnerability was posted publicly, increasing the risk of exploitation.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;03 Nov 2023:&lt;/strong&gt; A customer reported an active exploit. That was a clear signal for anyone who had not patched.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;06 Nov 2023:&lt;/strong&gt; Several active exploits and ransomware uses were observed, leading to the CVSS score escalation for CVE-2023-22518.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I also checked the &lt;a href="/blog/confluence-cvss-vectors/"&gt;CVSS&lt;/a&gt; scores. For CVE-2023-22515, it stood at a perfect 10.0. The EPSS score for CVE-2023-22518 also showed notable fluctuations, reflecting an increasing likelihood of exploitation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;EPSS vs. CVSS in My Vulnerability Management Approach&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I use EPSS as a gauge of exploitation probability. It is threat-focused, but it is not the whole picture. Asset accessibility, vulnerability type, and asset value also matter. I use EPSS alongside CVSS to get a clearer view of what we are dealing with. It is also useful to see how the CVSS scores map to EPSS severity.&lt;/p&gt;
&lt;p&gt;&lt;img alt="CVSS vs EPSS" src="/static/images/blog/cvss-epss-sankey.jpg"&gt;&lt;/p&gt;
&lt;h3&gt;Are Peakhour Clients Protected?&lt;/h3&gt;
&lt;p&gt;With the public exploit information in hand, I turned to ClickHouse to see what was happening in practice. We quickly observed active scanning. Our IP Reputation lists were also categorising those IPs, so clients using the lists correctly had another control to keep these requests away from exposed services.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This is an active list of IPs we are seeing probing for CVE-2023-2215&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Client IP&lt;/th&gt;
&lt;th&gt;IP Reputation Category&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;178.250.189.169&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;185.220.101.57&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;193.187.172.73&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.134.26.2&lt;/td&gt;
&lt;td&gt;other&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.94.211.81&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.231.179.42&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.38.255.27&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.111.246.11&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.85.78.75&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;img alt="Graph" src="/static/images/blog/atlassian-scan-graph.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This is a larger list probing for already compromised instances&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Client IP&lt;/th&gt;
&lt;th&gt;IP Reputation Categories&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.11&lt;/td&gt;
&lt;td&gt;webattacks, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.21&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.4&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.8&lt;/td&gt;
&lt;td&gt;webattacks, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;144.172.76.65&lt;/td&gt;
&lt;td&gt;hosting, datacenter, attacks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;162.240.159.247&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;172.233.176.52&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;178.250.189.169&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;185.220.101.57&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;193.187.172.73&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;193.29.56.19&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;20.68.177.203&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;203.145.142.86&lt;/td&gt;
&lt;td&gt;attacks, bots&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;37.221.173.253&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.134.26.2&lt;/td&gt;
&lt;td&gt;other&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.248.160.61&lt;/td&gt;
&lt;td&gt;bots&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.94.211.81&lt;/td&gt;
&lt;td&gt;hoisting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.231.179.42&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.38.255.27&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;54.161.151.64&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;92.119.179.90&lt;/td&gt;
&lt;td&gt;datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.111.246.11&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.85.78.75&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;img alt="Graph" src="/static/images/blog/atlassian-scan-exploited-graph.png"&gt;&lt;/p&gt;
&lt;p&gt;This is where real-time threat intelligence earns its place in active security controls. It helps keep you under the radar and gives you early intelligence on the actors probing your applications.&lt;/p&gt;
&lt;p&gt;We also saw evidence of follow-up attacks after the scan.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Waf Hits" src="/static/images/blog/confluence-waf-hits.png"&gt;&lt;/p&gt;
&lt;h3&gt;What other protections could be applied&lt;/h3&gt;
&lt;p&gt;Bot mitigation and web application firewalls (WAFs) still matter here. Bot controls help block automated abuse, including credential stuffing, scraping, and DDoS attacks. They also help distinguish legitimate human traffic from automated traffic, reducing the chance that malicious bots can exploit vulnerabilities still waiting to be patched or worked through the backlog.&lt;/p&gt;
&lt;p&gt;Web Application Firewalls provide a separate enforcement point for web applications. They monitor, filter, and block potentially harmful requests using predefined or customisable rules, including rules for common web-based attacks such as &lt;a href="/products/waf/"&gt;SQL injection&lt;/a&gt;, cross-site scripting (XSS), and other attacks that exploit known vulnerabilities. WAF rules can be adjusted quickly as threats change. Together, bot mitigation and WAFs improve an organisation's ability to reduce exposure across a wide range of web threats.&lt;/p&gt;
&lt;h3&gt;Addressing the Backlog of Security Vulnerabilities and Patch Timelines&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;The Challenge of a Growing Vulnerability Backlog&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Many security teams are dealing with a growing vulnerability backlog. The data is uncomfortable: 47% of security leaders report having a backlog of applications identified as vulnerable. More concerning, 66% state their backlog includes over 100,000 vulnerabilities. That accumulation matters because vulnerabilities are potential entry points for cyberattacks.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Patching Pace vs. Vulnerability Escalation&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Compare that with the escalation timeline from the EPSS and CVSS data. CVE-2023-22515 and CVE-2023-22518 are useful examples:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22515 and CVE-2023-22518 Escalation:&lt;/strong&gt; These vulnerabilities escalated quickly in severity and exploitability. For instance, CVE-2023-22518's CVSS score escalated to 10, and its EPSS probability score indicated a high likelihood of exploitation shortly after discovery.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Patch Timelines:&lt;/strong&gt; The data indicates that 78% of respondents take longer than 3 weeks to patch high-risk vulnerabilities, with 29% needing more than 5 weeks. That delay matters when vulnerabilities like CVE-2023-22515 and CVE-2023-22518 are escalating and being exploited quickly.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;The Gap Between Detection and Remediation&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The gap between fast vulnerability escalation and slow patching is a real weakness in security defences. A rapid increase in EPSS scores for vulnerabilities like CVE-2023-22518 signals an immediate threat, yet many organisations still have a lengthy patching process. During that window, the risk of exploitation remains high.&lt;/p&gt;
&lt;h3&gt;If I could take one scoring system to an island, which would I take?&lt;/h3&gt;
&lt;p&gt;&lt;img alt="Island" src="/static/images/blog/guy-on-island.webp"&gt;&lt;/p&gt;
&lt;p&gt;Both the Exploit Prediction Scoring System (EPSS) and the Common Vulnerability Scoring System (CVSS) are useful, but they answer different questions. My preference leans towards EPSS because it states the likelihood of exploitation directly. A probability score is easier to act on when the question is what needs attention now.&lt;/p&gt;
&lt;p&gt;That direct approach makes EPSS useful when explaining urgency to both technical and non-technical staff. It avoids some of the translation work that comes with security jargon and helps teams prioritise vulnerabilities quickly.&lt;/p&gt;
&lt;p&gt;CVSS is still useful for understanding how critical a vulnerability is. It focuses on severity, including factors such as impact and exploitability. What it does not always show as plainly is the immediate threat level, and that is where EPSS is easier to use.&lt;/p&gt;
&lt;h3&gt;What next from here?&lt;/h3&gt;
&lt;p&gt;Viewed through Confluence-Ageddon, EPSS and CVSS are useful together, but they do different jobs. If you need immediate defence, reach out; we can help protect your self-hosted Confluence with a simple DNS change.&lt;/p&gt;</content><category term="Security"></category><category term="Credential Stuffing"></category><category term="Threat Detection"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="SOC 2"></category></entry><entry><title>ModSecurity’s End-of-Life</title><link href="https://www.peakhour.io/blog/modsecurity-eol-modern-application-security-platforms/" rel="alternate"></link><published>2023-10-16T13:00:00+11:00</published><updated>2023-10-16T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-16:/blog/modsecurity-eol-modern-application-security-platforms/</id><summary type="html">&lt;p&gt;ModSecurity's end-of-life marks a pivotal moment in application security evolution. Discover how modern Application Security Platforms are advancing beyond traditional WAF approaches to provide comprehensive protection for web applications and APIs at the edge.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The end-of-life of ModSecurity on 1 July 2024 marks a practical turning point for application security teams. For DevOps, SRE, and &lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; professionals, it reinforces a wider shift towards Application Security Platforms that go beyond traditional Web Application Firewall (WAF) capabilities.&lt;/p&gt;
&lt;p&gt;Modern Application Security Platforms use Web &lt;a href="/learning/application-security/what-is-waap/"&gt;Application and&lt;/a&gt; API Protection (WAAP) as a core part of edge security. Peakhour's Application Security Platform extends traditional WAF protection with bot management, API security, DDoS mitigation, and account protection, backed by Peakhour Edge delivery infrastructure.&lt;/p&gt;
&lt;p&gt;The bedrock of a WAF lies in two main components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;WAF Engine&lt;/strong&gt;: Inspects and assesses web traffic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;WAF Rules&lt;/strong&gt;: Guidelines that tell the engine what to inspect and how to respond.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Peakhour's Application Security Platform has used ModSecurity as part of our WAAP solution, integrating it with threat detection, behavioural analysis, and the proven OWASP ModSecurity Core Rule Set (CRS) for application protection.&lt;/p&gt;
&lt;p&gt;For two decades, ModSecurity has been a fixture in web security. Its acquisition by Trustwave led
to a sunset announcement in 2021, with the EOL set for July 2024.&lt;/p&gt;
&lt;h2&gt;Deciphering the EOL for ModSecurity&lt;/h2&gt;
&lt;p&gt;With the EOL, Trustwave will cease commercial support and updates for ModSecurity. That does not make
ModSecurity irrelevant. It has been in 'maintenance mode', with Trustwave channelling its efforts
towards bug fixes and security patches.&lt;/p&gt;
&lt;p&gt;Despite this change, ModSecurity still has active community support. Tutorials and
discussions centred around ModSecurity and CRS continue to appear each month. Entities like Atomicorp have pledged to extend their support
to ModSecurity beyond its EOL, helping maintain its presence in the market.&lt;/p&gt;
&lt;p&gt;Other WAF engines are emerging as potential contenders. The &lt;a href="https://github.com/corazawaf/coraza"&gt;Coraza&lt;/a&gt; WAF engine, written in
Go, is gaining a place in the market. The &lt;a href="https://github.com/microsoft/ModSecurity"&gt;public Azure repository&lt;/a&gt; hosts
Microsoft's ModSecurity fork, while the Edg.IO repository highlights &lt;a href="https://github.com/edgio/waflz"&gt;Waflz&lt;/a&gt;, showing its role
in the WAF ecosystem.&lt;/p&gt;
&lt;p&gt;Recent players, such as &lt;a href="https://github.com/openappsec/openappsec"&gt;OpenAppSec&lt;/a&gt; by Checkpoint, are also entering the scene.
Positioned as an open-source ML-based WAF, OpenAppSec has publicly advised businesses to start their migration strategies
and views itself as a viable migration path.&lt;/p&gt;
&lt;h2&gt;Peakhour's Application Security Platform Evolution&lt;/h2&gt;
&lt;p&gt;The ModSecurity transition fits with Peakhour's move towards a broader Application Security Platform. Our approach covers:&lt;/p&gt;
&lt;h3&gt;Immediate Continuity&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Operational Continuity&lt;/strong&gt;: ModSecurity continues to function within our platform, supported by active community development&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;No Service Interruption&lt;/strong&gt;: Customers experience no service interruption as we implement next-generation capabilities&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tighter Integration&lt;/strong&gt;: Existing ModSecurity capabilities are strengthened through integration with our threat detection systems&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Advanced Platform Development&lt;/h3&gt;
&lt;p&gt;Peakhour is implementing security technologies that extend beyond traditional WAF capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Machine Learning Integration&lt;/strong&gt;: AI-powered threat detection that adapts to emerging attack patterns&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Algorithms that identify sophisticated threats including residential proxy attacks and anti-detect browser usage&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API-Native Security&lt;/strong&gt;: Protection designed for modern API-first architectures&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Threat Intelligence&lt;/strong&gt;: Dynamic rule updates based on global threat landscape analysis&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Future-Ready Architecture&lt;/h3&gt;
&lt;p&gt;Our Application Security Platform roadmap includes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Multi-Engine Approach&lt;/strong&gt;: Evaluation of next-generation engines including Coraza, Waflz, and custom ML-based solutions&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Request-Path Protection&lt;/strong&gt;: Security processing at Peakhour Edge locations for performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps Integration&lt;/a&gt;&lt;/strong&gt;: API-first architecture enabling integration with CI/CD pipelines and security automation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Comprehensive WAAP&lt;/strong&gt;: Integration of WAF, API protection, bot management, and DDoS mitigation in a unified platform&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Future of Application Security&lt;/h2&gt;
&lt;p&gt;ModSecurity's end-of-life is more than a technical transition. It reflects the move from traditional point solutions to broader Application Security Platforms. For DevOps, SRE, and &lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; teams, this shift enables:&lt;/p&gt;
&lt;h3&gt;Enhanced Security Posture&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Unified Threat Protection&lt;/strong&gt;: Comprehensive WAAP capabilities that protect applications, APIs, and users through a single platform&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advanced Threat Detection&lt;/strong&gt;: Machine learning and behavioural analysis that identify sophisticated attack vectors&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Adaptation&lt;/strong&gt;: Dynamic security policies that evolve with the threat landscape&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Operational Excellence&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Performance Integration&lt;/strong&gt;: Security processing at the edge provides protection without compromising application performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; Compatibility&lt;/strong&gt;: API-first architecture supports security automation and CI/CD integration&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Global Scalability&lt;/strong&gt;: Distributed protection that scales with application growth and user distribution&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Strategic Advantages&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Long-Term Investment&lt;/strong&gt;: Platform approach that evolves with emerging threats and technologies&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Comprehensive Coverage&lt;/strong&gt;: Single-pane-of-glass management for application security, performance, and availability&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Alignment&lt;/strong&gt;: Built-in reporting and monitoring capabilities that support regulatory requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The transition from ModSecurity gives organisations a clear point to review and modernise their application security posture. By adopting Application Security Platforms, teams can improve protection whilst maintaining the performance and scalability required for modern applications.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Peakhour's Application Security Platform protects web applications and APIs with WAAP capabilities, delivery performance, bot management, and real-time threat intelligence. &lt;a href="/contact-sales/"&gt;Contact our security team&lt;/a&gt; to learn how we can support your application security posture whilst maintaining performance.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="API Security"></category><category term="DDoS"></category><category term="Threat Detection"></category><category term="SOC 2"></category></entry><entry><title>The Rise of OpenBullet</title><link href="https://www.peakhour.io/blog/the-rise-of-openbullet/" rel="alternate"></link><published>2023-09-01T14:00:00+10:00</published><updated>2023-09-01T14:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-09-01:/blog/the-rise-of-openbullet/</id><summary type="html">&lt;p&gt;A comprehensive look at OpenBullet, its capabilities, and the implications for cybersecurity in the face of its misuse.&lt;/p&gt;</summary><content type="html">&lt;p&gt;At Peakhour, we are seeing more automation tools used to simplify interaction with web platforms. These tools have
legitimate uses, including automating repetitive tasks and testing applications, but they can also be misused. OpenBullet
is one example: a flexible web testing suite that has become a common tool for web attacks such as &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt;.
This article explains how OpenBullet works, why it creates risk, which libraries it relies on, and how defenders can
detect and block it.&lt;/p&gt;
&lt;h2&gt;Overview of OpenBullet&lt;/h2&gt;
&lt;p&gt;OpenBullet is an automation suite for scraping, parsing data, and automated penetration testing. It is commonly used by
bot developers for automated attacks, including credential stuffing. Released under the MIT open-source licence on
GitHub, it is now in its second version, &lt;a href="https://github.com/openbullet/OpenBullet2"&gt;OpenBullet2&lt;/a&gt;, which, as of March
2023, had over 1.1K stars and was forked roughly 370 times.&lt;/p&gt;
&lt;p&gt;It is particularly favoured by people with limited programming knowledge because it is easy to use and supports
third-party plugins. The tool uses configurations that define the actions to perform on a website, and those configurations
are easy to find online.&lt;/p&gt;
&lt;h2&gt;Types of Actions with OpenBullet&lt;/h2&gt;
&lt;p&gt;The actions OpenBullet can perform are categorised by the framework and library used. There are three broad types:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Browser Actions:&lt;/strong&gt; Open or close tabs, maximise or minimise the browser window, and more.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Page Actions:&lt;/strong&gt; Visit a page, fetch page attributes, set or clear cookies, click on page elements, take
   screenshots, and so forth.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Element Actions:&lt;/strong&gt; Set or get element attributes, click on elements, check their status, fill in text forms, and
   more.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;OpenBullet's versatility has made it attractive to users who share configurations freely. Advanced configurations for
tasks such as scraping and credential stuffing can be found on forums and even sold.&lt;/p&gt;
&lt;h2&gt;OpenBullet Versus Other Testing Suites&lt;/h2&gt;
&lt;p&gt;One of OpenBullet's main advantages over other testing suites or automation frameworks is ease of use. It offers a
visual mode, with a simple UI instead of lines of code. It also includes a high-level programming language for
fine-tuning operations. It does not offer the same level of control as direct interaction with its underlying frameworks,
but it can still cause significant issues for websites.&lt;/p&gt;
&lt;h2&gt;Why OpenBullet is Dangerous&lt;/h2&gt;
&lt;p&gt;OpenBullet is a threat because its simple UI lets people without programming skills create automated sequences for web
attacks. Its integration with CAPTCHA farms also makes it effective against websites that rely on traditional CAPTCHAs
for bot protection.&lt;/p&gt;
&lt;p&gt;After installing OpenBullet, an attacker needs to create or import a configuration and manage bot behaviour. They can
also configure proxies to distribute attacks, hide their real IP addresses, and sidestep traditional rate limiting.&lt;/p&gt;
&lt;p&gt;OpenBullet also supports attacks like credential stuffing through a range of integrations. Attackers can add new
credentials, store valid credentials, and set the configuration to run for any duration they choose.&lt;/p&gt;
&lt;p&gt;We can, however, counter OpenBullet by detecting and blocking the frameworks on which it relies.&lt;/p&gt;
&lt;h2&gt;OpenBullet and Its Underlying Libraries&lt;/h2&gt;
&lt;p&gt;OpenBullet relies on several well-known bot automation libraries and frameworks:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Requests:&lt;/strong&gt; A Python module for sending HTTP requests with forged attributes. It's highly scalable and can bypass
   traditional CAPTCHAs using external CAPTCHA farm services. However, it struggles against highly protected sites and
   mobile applications.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Selenium:&lt;/strong&gt; This is a browser automation framework initially developed for testing web applications. It can
   interact with a web service as a human user would, helping attackers mask their bots with human-like behaviours.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Puppeteer:&lt;/strong&gt; This Node.js library controls Chromium-based browsers. It's faster and lighter than Selenium, making
   it capable of running more parallel requests.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;OpenBullet does not inherently simulate human behaviour; the bot developer has to implement that. Based on an analysis
of online configurations, most do not include fake human behaviour features. OpenBullet does, however, support ad hoc
JavaScript execution to enable them.&lt;/p&gt;
&lt;h2&gt;Detecting and Blocking OpenBullet&lt;/h2&gt;
&lt;p&gt;To detect and block OpenBullet, defenders need to understand where a request is coming from, especially when proxies are
used to distribute attacks. OpenBullet can be effective in the wrong hands, but it is not invisible. Several signals can
help identify and block its activity.&lt;/p&gt;
&lt;h4&gt;Identifying Unusual Patterns&lt;/h4&gt;
&lt;p&gt;Most automated tools, including OpenBullet, generate request patterns that differ from typical human behaviour. The
frequency, timing, and sequence of requests can help identify potential OpenBullet attacks. For instance, a high volume
of requests from a single IP address, or repeated requests with different login credentials, could indicate automation.&lt;/p&gt;
&lt;h4&gt;Analysing User Agents&lt;/h4&gt;
&lt;p&gt;User agents can also provide useful clues. OpenBullet can mimic different user agents to look like a range of browsers,
but it may not simulate the broader spread of user agents an actual user base would generate. If an unusual number of
requests come from a small set of user agents, it may indicate an automated attack.&lt;/p&gt;
&lt;h4&gt;Spotting IP Address Anomalies&lt;/h4&gt;
&lt;p&gt;OpenBullet, like many automated tools, uses proxies to mask its true location and appear to be many different users.
Proxies have their own characteristics. Data centre proxies, for instance, do not behave like residential or mobile IP
addresses, and they can be flagged as suspicious. Similarly, if many different user identities come from a single IP
address, or if the geolocation of an IP address does not match the stated location of the user, it may signal proxy use.&lt;/p&gt;
&lt;h3&gt;OpenBullet in the Greater Cybersecurity Context&lt;/h3&gt;
&lt;p&gt;OpenBullet reflects a broader pattern in cybersecurity: tools built for testing can be repurposed for abuse. Its simple
UI and automation capabilities show why online security cannot depend on basic controls alone. Although it was created
as a web testing tool, its misuse reinforces the need to keep defences current as attack methods change.&lt;/p&gt;
&lt;h4&gt;The Need for Strong Password Practices&lt;/h4&gt;
&lt;p&gt;OpenBullet's popularity for credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; underscores the importance of strong password practices.
Encouraging users to create unique passwords for each account and change them regularly can help reduce the risks posed
by credential stuffing.&lt;/p&gt;
&lt;h4&gt;Implementing Advanced Bot Protection Measures&lt;/h4&gt;
&lt;p&gt;To secure online services against tools like OpenBullet, advanced bot protection matters. These measures can provide a
multi-layered security strategy that runs in the background, collects detection signals, and challenges users only when
necessary. They can help stop bot attacks from the first request, including those carried out through OpenBullet's
automation framework.&lt;/p&gt;
&lt;p&gt;As web platforms evolve, the tools used to exploit them evolve as well. Understanding threats like OpenBullet is the
first step towards stronger online protection.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Peakhour's advanced Bot Management and rate limiting capabilities can help protect your site from automated tools like OpenBullet. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; for a free security analysis.&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;Advanced Rate Limiting&lt;/h3&gt;
&lt;p&gt;One practical defensive measure against stuffing attacks, including those made using OpenBullet, is advanced rate
limiting. Unlike basic rate limiting, which restricts the number of requests from a particular source within a specified
time frame, advanced rate limiting provides a more nuanced and dynamic approach.&lt;/p&gt;
&lt;p&gt;A critical feature of advanced rate limiting is its ability to group, or bucket, requests based on factors beyond the
source IP address. These factors could include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Autonomous System Number (ASN):&lt;/strong&gt; An ASN is a unique number assigned to each network on the Internet. By grouping
  requests by ASN, it's possible to detect an unusual number of requests from a specific network, even if those requests
  are spread across many different IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Country:&lt;/strong&gt; Grouping requests by country allows the detection of a sudden surge of traffic from a specific geographic
  location, which might indicate a coordinated attack.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Device Fingerprint:&lt;/strong&gt; A device fingerprint can be constructed from a range of attributes, including the device's
  operating system, browser version, and more. This allows the detection of repeated requests coming from the same
  device, even if other factors like the IP address or user agent are being manipulated.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Headers:&lt;/strong&gt; By examining the headers in HTTP requests, it's possible to detect patterns or anomalies that might
  signify an automated attack. For instance, a high volume of requests with identical headers could indicate the use of
  an automation tool.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By grouping requests on these and other factors, advanced rate limiting can provide a nuanced and dynamic defence
against stuffing attacks. It allows detection of complex attack patterns that might otherwise go unnoticed, adding a
useful layer of security for online systems.&lt;/p&gt;
&lt;h3&gt;Fingerprinting and Behavioral Analysis&lt;/h3&gt;
&lt;p&gt;Alongside advanced &lt;a href="/blog/beyond-the-ip-address-advanced-rate-limiting/"&gt;rate limiting&lt;/a&gt;, technologies like fingerprinting and behavioural analysis add another layer of
protection. By creating a unique identifier for each user based on a combination of factors, such as IP address, device
information, and browser settings, and tracking that user's behaviour over time, these technologies can help distinguish
genuine users from automated scripts.&lt;/p&gt;
&lt;p&gt;These mechanisms can detect anomalies, such as repetitive non-human patterns, sudden changes in behaviour, or usage
patterns that do not match the typical profile of a human user. This level of analysis can identify and block even
sophisticated bots that are designed to mimic human behaviour, providing an effective defence against OpenBullet and
similar tools.&lt;/p&gt;
&lt;p&gt;OpenBullet's accessibility and versatility have made it a popular choice for web attacks. Its simple UI, support for
CAPTCHA farm services, and ability to run human-like automation allow even users with limited programming skills to
execute complex attacks. Despite these challenges, detecting and blocking OpenBullet is achievable by understanding the
origin of requests and the nature of its operation. A combination of advanced rate limiting, fingerprinting, and
behavioural analysis can provide an effective defence.&lt;/p&gt;</content><category term="Security"></category><category term="Bot Management"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Threat Detection"></category></entry><entry><title>Residential Proxies and MITRE Framework</title><link href="https://www.peakhour.io/blog/residential-proxies-mitre-framework/" rel="alternate"></link><published>2023-05-17T13:00:00+10:00</published><updated>2023-05-17T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-05-17:/blog/residential-proxies-mitre-framework/</id><summary type="html">&lt;p&gt;Explore residential proxies within the context of the MITRE ATT&amp;amp;CK framework, highlighting the security implications and ethical considerations.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/learning/security/datacenter-vs-residential-proxies/"&gt;Residential proxies&lt;/a&gt; act as intermediaries, routing traffic through real-world IP addresses. That can mask user identity, bypass geographical restrictions, and improve privacy. The MITRE ATT&amp;amp;CK framework, a matrix of cyber adversary tactics and techniques, categorises proxy use under technique T1090. The classification helps explain how attackers use proxies to maintain command and control across target environments, including Linux, Windows, and macOS.&lt;/p&gt;
&lt;p&gt;Residential proxies are useful and risky in equal measure. They support anonymity and data collection, but misuse creates ethical and security concerns, including &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; and account takeovers. MITRE ATT&amp;amp;CK's treatment of proxy use gives security teams a clearer way to reason about those risks and plan mitigations.&lt;/p&gt;
&lt;p&gt;Looking at residential proxies through the MITRE framework keeps the discussion grounded. It shows where proxy use fits into attacker tradecraft, and where defenders need practical controls rather than broad assumptions about intent.&lt;/p&gt;
&lt;h2&gt;From Credential Stuffing to Account Takeover and Data Exfiltration&lt;/h2&gt;
&lt;p&gt;Credential stuffing and account takeover incidents, including the Ubiquiti breach, show how exposed digital defences can be. Attackers use residential proxies to mask activity, which aligns with MITRE ATT&amp;amp;CK technique T1090. This technique describes proxy use for discreet command and control. In the Ubiquiti case, adversaries utilised proxies to test and apply stolen credentials across systems without revealing their true locations, a direct application of T1090's principles.&lt;/p&gt;
&lt;p&gt;The Camaro Dragon malware demonstrates residential proxy exploitation for account takeovers. By infecting devices and incorporating them into a botnet, the malware facilitated remote control over victims' accounts, aligning with MITRE's T1090 for proxy-managed network communications. Camaro Dragon's operation reflects the tactic of maintaining anonymity while executing unauthorised access and control, a strategy documented within the MITRE framework.&lt;/p&gt;
&lt;p&gt;Volt Typhoon's activities present a sophisticated use of residential proxies in data exfiltration. This group, known for targeting infrastructure, manipulated proxies to move data discreetly from compromised networks, a tactic that falls under MITRE's T1090. The operation shows how adversaries use residential proxies to obscure the digital footprint of data theft, complicating traceability and detection.&lt;/p&gt;
&lt;p&gt;Viewed through MITRE ATT&amp;amp;CK, these examples show how residential proxies support credential stuffing, account takeovers, and data exfiltration. They also point to the need for integrated defence strategies that account for different forms of proxy misuse, rather than treating proxy traffic as a single problem.&lt;/p&gt;
&lt;h2&gt;The Role of Residential Proxies in Web Scraping&lt;/h2&gt;
&lt;p&gt;Residential proxies are common in web scraping because they let operators simulate requests from different geographic locations. That capability is especially useful when gathering data from websites with GeoIP restrictions or anti-scraping measures. In the MITRE ATT&amp;amp;CK framework, residential proxy use in web scraping aligns with several techniques that describe how adversaries gather information and evade detection.&lt;/p&gt;
&lt;p&gt;Technique T1090, which details proxy use, illustrates how adversaries utilise residential proxies to disguise web scraping activity. By routing requests through proxies, they can avoid IP bans and rate limits, enabling the collection of large amounts of data without detection. This technique shows the practical advantage of residential proxies in bypassing network defences and aggregating targeted information discreetly.&lt;/p&gt;
&lt;p&gt;Web scraping through residential proxies also intersects with the MITRE framework's emphasis on reconnaissance techniques. Adversaries use reconnaissance to gather valuable data about targets, and residential proxies help them do it discreetly. By presenting requests as coming from different residential IPs, attackers can compile detailed profiles on organisations, their operations, and vulnerabilities without revealing their intent or location.&lt;/p&gt;
&lt;p&gt;For defenders, residential proxy use in web scraping creates a dual challenge. It can support legitimate data collection and market research, and it can also help adversaries gather intelligence before further attacks. That makes proxy handling a judgement problem as well as a blocking problem: organisations need to balance access to information with protection against unauthorised data extraction.&lt;/p&gt;
&lt;p&gt;Understanding residential proxy use in web scraping through MITRE ATT&amp;amp;CK helps define the detection problem more precisely. Defenders need mechanisms that can distinguish legitimate proxy-backed activity from malicious use, and policies that can respond without over-blocking normal traffic.&lt;/p&gt;
&lt;h2&gt;Defending Against Proxy-Related Cyber Attacks Informed by MITRE&lt;/h2&gt;
&lt;p&gt;Defending against cyber attacks that use residential proxies requires layered controls informed by MITRE ATT&amp;amp;CK. Technique T1090, which focuses on proxy use for command and control activity, provides a useful base for designing those defences.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Network Monitoring and Analysis&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A core defence is stronger network monitoring and analysis. By scrutinising network traffic, organisations can identify unusual patterns that may indicate malicious proxy use. This includes monitoring for excessive requests from varied geographic locations that do not align with normal user behaviour. The MITRE framework suggests network intrusion detection systems (NIDS) to detect suspicious activity, including anomalous residential proxy use.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Implementing Access Controls and Rate Limiting&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;To mitigate credential stuffing and account takeover through proxies, organisations need strict access controls and rate limiting. These measures can reduce automated attacks by limiting how many requests a user can make within a set timeframe, weakening distributed attempts to breach systems via residential proxies.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Application of Web Application Firewalls (WAFs)&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Web Application Firewalls (WAFs) help defend against proxy-related attacks. When configured to recognise and block requests with patterns typical of proxy misuse, such as rapid request rates or known malicious IP addresses, WAFs provide a barrier against unauthorised data scraping and other proxy-facilitated intrusions.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Proxy Detection and Blocking&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Advanced proxy detection tools help organisations identify and block traffic coming through known residential proxies. Techniques include analysing originating IP addresses for known proxies and using behaviour analysis to detect patterns indicative of proxy use. Once identified, these IP addresses can be blocked or subjected to additional scrutiny.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;User Behavior Analytics (UBA)&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;User Behavior Analytics (UBA) helps detect anomalies that may signal a proxy-based attack. By establishing baselines of normal user activity, UBA systems can flag deviations that suggest malicious activity, such as multiple failed login attempts or unusual data access patterns, which are indicative of credential stuffing or data exfiltration attempts.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Educating Users on Security Hygiene&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Educating users on security hygiene can help prevent inadvertent participation in malicious &lt;a href="/products/residential-proxy-detection/"&gt;proxy networks&lt;/a&gt;. Users should understand the risks of downloading unverified software or browser extensions, which could turn their devices into nodes within a residential proxy network.&lt;/p&gt;
&lt;p&gt;Informed by MITRE ATT&amp;amp;CK, these defence strategies give organisations a practical way to reduce exposure. Understanding the tactics and techniques used by adversaries helps teams strengthen controls against sophisticated residential proxy use in cyber attacks.&lt;/p&gt;
&lt;h2&gt;Detecting Malicious Use of Residential Proxies&lt;/h2&gt;
&lt;p&gt;Detecting malicious residential proxy use requires both technical controls and threat intelligence. The MITRE ATT&amp;amp;CK framework, particularly technique T1090, gives defenders a reference point for how adversaries use proxies and where detection mechanisms should focus.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Traffic Pattern Analysis&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;One primary method for detecting malicious residential proxy use is traffic pattern analysis. This includes monitoring for spikes in traffic from geographical locations that do not match the service's typical user profile. Anomalies in request rates or patterns that suggest automation, such as regular intervals between requests, can also indicate proxy abuse.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Behavioral Anomaly Detection&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Behavioural anomaly detection systems identify actions that deviate from normal activity. These systems can flag unusual behaviour that might indicate malicious residential proxy use, such as repeated login attempts from different IP addresses in a short period, which could signify a credential stuffing attack.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;IP Reputation and Proxy Lists&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Utilising IP reputation databases and known proxy lists can help identify and block requests from suspicious sources quickly. These lists include IP addresses known to be part of residential proxy networks or previously implicated in malicious activity. Integrating this intelligence into security systems allows for real-time blocking or flagging of potentially harmful traffic.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Endpoint Detection and Response (EDR) Systems&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Endpoint Detection and Response (EDR) systems help spot compromised devices within an organisation that could unknowingly be part of a residential proxy network. By monitoring endpoints for signs of malware or unexpected network traffic, organisations can detect and isolate infected devices before they are used in cyber attacks.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Advanced Machine Learning Models&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Advanced machine learning models can be trained to recognise subtle signs of proxy misuse. By analysing large datasets of network traffic, these models can identify patterns that human analysts might miss. This includes detecting sophisticated attempts to mimic legitimate user behaviour through proxies, which could indicate reconnaissance or data exfiltration efforts.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Collaboration and Information Sharing&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Collaboration and information sharing among organisations and cybersecurity entities can improve detection of malicious proxy use. Sharing indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with proxy misuse can help develop stronger detection strategies across the board.&lt;/p&gt;
&lt;p&gt;Incorporating these detection methods, informed by MITRE ATT&amp;amp;CK, helps organisations identify and mitigate risks associated with malicious residential proxy use. The goal is not to label every proxy request as hostile, but to detect the patterns that matter when residential proxies are exploited for cyber attacks.&lt;/p&gt;</content><category term="Residential Proxies"></category><category term="Residential Proxies"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Threat Detection"></category><category term="DDoS"></category><category term="DevSecOps"></category></entry><entry><title>Advanced Anomaly Detection</title><link href="https://www.peakhour.io/blog/advanced-anomaly-detection-rrcf-application-security/" rel="alternate"></link><published>2023-05-15T13:00:00+10:00</published><updated>2023-05-15T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-05-15:/blog/advanced-anomaly-detection-rrcf-application-security/</id><summary type="html">&lt;p&gt;Deep dive into Robust Random Cut Forest (RRCF) implementation for real-time anomaly detection in Application Security Platforms. Learn how advanced machine learning algorithms enhance threat detection and automated response capabilities.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Modern Application Security Platforms need reliable &lt;a href="/learning/threat-detection/what-is-anomaly-detection/"&gt;anomaly detection&lt;/a&gt; to identify and respond to emerging threats in real-time. For DevOps, SRE, and DevSecOps teams, machine learning algorithms such as Robust Random Cut Forest (RRCF) provide the foundation for automated threat detection and response systems that can operate at the scale and speed contemporary applications require.&lt;/p&gt;
&lt;h2&gt;Strategic Importance of Anomaly Detection in Application Security&lt;/h2&gt;
&lt;p&gt;Real-time anomaly detection is a core Application Security Platform capability. It helps identify threats before attacks affect application performance or security posture:&lt;/p&gt;
&lt;h3&gt;Enterprise Threat Landscape&lt;/h3&gt;
&lt;p&gt;Modern applications face attack vectors that traditional signature-based detection cannot address:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Adaptive Bot Networks&lt;/strong&gt;: AI-powered bots that modify behaviour based on defensive responses&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Zero-Day Exploits&lt;/strong&gt;: Previously unknown attack patterns that bypass traditional security rules&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Volumetric Attacks&lt;/strong&gt;: DDoS attacks that scale dynamically to evade rate limiting&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Insider Threats&lt;/strong&gt;: Subtle anomalies in user behaviour that indicate account compromise&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Application Security Platform Requirements&lt;/h3&gt;
&lt;p&gt;Effective anomaly detection needs to integrate cleanly with broader security capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Processing&lt;/strong&gt;: Threat identification within milliseconds of detection&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scalable Architecture&lt;/strong&gt;: Analysis of millions of requests without performance degradation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Context Awareness&lt;/strong&gt;: Integration with application metadata and user behaviour profiles&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automated Response&lt;/strong&gt;: Immediate threat mitigation through dynamic rule deployment&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Advanced Machine Learning for Security&lt;/h2&gt;
&lt;p&gt;Robust Random Cut Forest provides anomaly detection capabilities designed for streaming data environments common in Application Security Platforms:&lt;/p&gt;
&lt;h3&gt;Algorithmic Advantages for Security Applications&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Streaming Data Processing&lt;/strong&gt;: Real-time analysis without historical data dependencies&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dimensionality Handling&lt;/strong&gt;: Effective analysis of high-dimensional security feature vectors&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adaptive Learning&lt;/strong&gt;: Continuous model updates based on evolving traffic patterns&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Computational Efficiency&lt;/strong&gt;: Linear scaling suitable for high-throughput security processing&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Implementation in Application Security Platforms&lt;/h3&gt;
&lt;p&gt;RRCF enables threat detection across multiple security dimensions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Traffic Pattern Analysis&lt;/strong&gt;: Identification of unusual request volumes, frequencies, and distributions&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Anomalies&lt;/strong&gt;: Detection of user actions that deviate from established profiles&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Network Fingerprinting&lt;/strong&gt;: Recognition of abnormal connection patterns and protocol usage&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Content Analysis&lt;/strong&gt;: Identification of malicious payloads and injection attempts&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;RRCF Advantages for Application Security Platforms&lt;/h2&gt;
&lt;p&gt;Traditional batch-processing anomaly detection systems are a poor fit for Application Security Platforms that must respond to threats in real-time. RRCF's streaming approach provides practical advantages:&lt;/p&gt;
&lt;h3&gt;Real-Time Threat Detection&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Immediate Analysis&lt;/strong&gt;: Process and analyse security events as they occur, without waiting for batch processing&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adaptive Baselines&lt;/strong&gt;: Continuously update normal behaviour models based on current traffic patterns&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Memory Efficiency&lt;/strong&gt;: Maintain configurable rolling windows of security data for optimal performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scalable Processing&lt;/strong&gt;: Handle millions of security events per second without degradation&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Security-Optimised Implementation&lt;/h3&gt;
&lt;p&gt;RRCF's forest-based approach is useful for security applications:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Multi-Dimensional Analysis&lt;/strong&gt;: Analyse request patterns, user behaviour, and network characteristics at the same time&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Shape-Sensitive Detection&lt;/strong&gt;: Identify subtle changes in attack patterns that signature-based systems miss&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;False Positive Reduction&lt;/strong&gt;: Leverage ensemble methods to reduce noise in security alerting&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Contextual Awareness&lt;/strong&gt;: Understand normal application behaviour patterns for more accurate threat detection&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Application Security Platform Integration&lt;/h2&gt;
&lt;h3&gt;Enterprise Deployment Architecture&lt;/h3&gt;
&lt;p&gt;Peakhour's Application &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;Security Platform&lt;/a&gt; implements RRCF through high-performance Rust-based processing:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Edge Processing Capabilities&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Global Deployment&lt;/strong&gt;: RRCF analysis deployed across CDN edge locations for minimal latency&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Distributed Learning&lt;/strong&gt;: Aggregated threat intelligence from multiple geographic regions&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Local Response&lt;/strong&gt;: Immediate threat mitigation at the edge without central processing delays&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bandwidth Optimisation&lt;/strong&gt;: Process security events locally to reduce data transmission requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Platform Integration Benefits&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Unified Threat Detection&lt;/strong&gt;: RRCF analysis integrated with WAF/WAAP, bot management, and DDoS protection&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automated Response&lt;/strong&gt;: Dynamic security rule generation based on anomaly detection results&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DevSecOps Workflow&lt;/strong&gt;: API-first architecture enabling integration with security automation tools&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Reporting&lt;/strong&gt;: Detailed anomaly detection logs for security audits and regulatory requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Advanced Security Use Cases&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Credential Stuffing Detection&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Identify unusual login patterns that indicate automated credential testing&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Geographic Anomalies&lt;/strong&gt;: Detect impossible travel scenarios and location-based attack patterns&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Volume Analysis&lt;/strong&gt;: Recognise subtle increases in authentication attempts that indicate coordinated attacks&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Success Rate Monitoring&lt;/strong&gt;: Identify campaigns through abnormal authentication success/failure ratios&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;API Threat Detection&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Endpoint Anomalies&lt;/strong&gt;: Detect unusual API usage patterns that indicate reconnaissance or exploitation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rate Pattern Analysis&lt;/strong&gt;: Identify sophisticated rate limiting evasion techniques&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Response Time Analysis&lt;/strong&gt;: Detect performance impacts from malicious API usage&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Authentication Anomalies&lt;/strong&gt;: Recognise token abuse and API key misuse patterns&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Zero-Day Threat Identification&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Traffic Pattern Deviations&lt;/strong&gt;: Identify new attack vectors through unusual request characteristics&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Response Pattern Analysis&lt;/strong&gt;: Detect exploitation attempts through server response anomalies&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Protocol Anomalies&lt;/strong&gt;: Recognise malformed requests that indicate exploit attempts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Payload Analysis&lt;/strong&gt;: Identify suspicious content patterns in request bodies and parameters&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Operational Excellence Through Advanced Anomaly Detection&lt;/h2&gt;
&lt;h3&gt;Performance and Security Integration&lt;/h3&gt;
&lt;p&gt;RRCF implementation delivers measurable improvements across security and performance metrics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Threat Detection Speed&lt;/strong&gt;: Sub-millisecond anomaly identification for real-time response&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;False Positive Reduction&lt;/strong&gt;: Ensemble methods reduce security alert fatigue&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;System Performance&lt;/strong&gt;: Efficient processing maintains CDN performance whilst enhancing security&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adaptive Learning&lt;/strong&gt;: Continuous improvement in threat detection accuracy over time&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;DevSecOps Enablement&lt;/h3&gt;
&lt;p&gt;Modern Application Security Platforms provide APIs and automation capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Security Automation&lt;/strong&gt;: Programmatic access to anomaly detection results for automated response&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CI/CD Integration&lt;/strong&gt;: Security testing and validation integrated into development workflows&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Monitoring Integration&lt;/strong&gt;: SIEM and SOC platform integration for security operations&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Custom Rule Development&lt;/strong&gt;: Framework for developing application-specific anomaly detection rules&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Advanced anomaly detection through RRCF is a fundamental capability for modern Application Security Platforms. By implementing machine learning algorithms at the edge, organisations can achieve real-time threat detection that adapts to evolving attack patterns whilst maintaining application performance.&lt;/p&gt;
&lt;p&gt;The integration of RRCF with security capabilities including WAAP, bot management, and DDoS protection creates a unified platform that addresses the security requirements of contemporary applications and APIs. For DevSecOps teams, this approach enables automated &lt;a href="/learning/threat-detection/what-is-real-time-threat-response/"&gt;threat response&lt;/a&gt; whilst providing the visibility and control needed for effective security operations.&lt;/p&gt;</content><category term="Security"></category><category term="Threat Detection"></category><category term="Anomaly Detection"></category><category term="DDoS"></category><category term="DevSecOps"></category><category term="Bot Management"></category><category term="Application Security"></category></entry><entry><title>Application Performance Optimisation</title><link href="https://www.peakhour.io/blog/introduction-to-website-performance-testing/" rel="alternate"></link><published>2020-09-12T13:00:00+10:00</published><updated>2020-09-12T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2020-09-12:/blog/introduction-to-website-performance-testing/</id><summary type="html">&lt;p&gt;A practical primer for finding where website requests lose time, from cache state and origin work to browser rendering.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Website performance testing is most useful when it explains where a request lost time. A single score can tell you that a page is slow, but it rarely tells the site team what to change next. The better starting point is the request path: where the visitor is, where the origin is, whether the response was cached, how much the browser had to download, and what work blocked rendering or interaction.&lt;/p&gt;
&lt;p&gt;This article is a primer for that diagnosis. Start with a representative page, test it from a location that matches your users, then read the evidence in order.&lt;/p&gt;
&lt;h2&gt;Start With the First Request&lt;/h2&gt;
&lt;p&gt;The browser cannot render a page until it receives the main HTML document. That first request includes DNS lookup, TCP connection setup, TLS negotiation, any redirect, cache handling, origin processing, and the first byte coming back. When the origin is far away, latency compounds. Peakhour's performance material uses simple Australian examples: Sydney to Melbourne is about 5 ms one way, Sydney to Perth about 25 ms, and Sydney to San Francisco about 75 ms. Those numbers become larger when a page load needs several round trips.&lt;/p&gt;
&lt;p&gt;This is why the main document matters in &lt;a href="/blog/testing-website-speed-webpagetest/"&gt;WebPageTest&lt;/a&gt;. In one Peakhour example, the main HTML document took 149 ms, which is fast. Many sites take 2 to 5 seconds before the browser receives that document. If the main response is already slow, the page has little chance of a good Largest Contentful Paint because the browser has not yet discovered the resources needed to paint the largest content.&lt;/p&gt;
&lt;p&gt;Cache state is part of the same first request. A cache hit at the edge should look different from a miss that forwards to origin. Headers such as &lt;code&gt;Cache-Status&lt;/code&gt; can show hit, miss, TTL, stored state, cache key, and collapsed request behaviour. Without that evidence, teams often guess whether a slow page is caused by the CDN, the origin, the application, or a cache-bypass rule.&lt;/p&gt;
&lt;h2&gt;Use WebPageTest for the Waterfall&lt;/h2&gt;
&lt;p&gt;WebPageTest is useful because it loads the page in a real browser and lets you choose test locations and connection profiles. That matters for Australian sites because a test from the wrong continent can make a local problem look worse or hide a regional problem from view.&lt;/p&gt;
&lt;p&gt;The waterfall is the main working view. Read the first rows before looking at the rest of the page. A redirect on the first request adds delay before the useful page is even requested. Long DNS, connect, or TLS blocks point to connection setup or third-party domains. A long wait on the main document points to cache miss, origin processing, or backend work. Large downloads point to page weight. Red rows show broken requests, and the domain view shows how many external services the browser had to contact.&lt;/p&gt;
&lt;p&gt;The filmstrip is just as important. It shows what the user saw while the waterfall was happening. If the HTML arrived quickly but the filmstrip stayed blank, the issue may be render-blocking CSS, JavaScript, fonts, or a hero image. If the page starts to render quickly but then jumps, you are looking at layout stability, not just network speed.&lt;/p&gt;
&lt;h2&gt;Use Lighthouse for Browser Work&lt;/h2&gt;
&lt;p&gt;&lt;a href="/blog/testing-sitespeed-lighthouse/"&gt;Lighthouse&lt;/a&gt; is good at surfacing work inside the browser. It runs a controlled test, reports Core Web Vitals-related metrics, and lists opportunities such as eliminating render-blocking resources, reducing unused CSS, deferring JavaScript, compressing assets, and reducing main-thread work.&lt;/p&gt;
&lt;p&gt;Treat the score as a prompt, not a verdict. Lighthouse scores can vary between runs because the local CPU, network conditions, and server response can vary. The useful part is the diagnostics. If Lighthouse points to a font, a theme stylesheet, or a third-party script that delays rendering, compare that with the WebPageTest waterfall and filmstrip. If both tools point to the same resource, you have a stronger case for change.&lt;/p&gt;
&lt;h2&gt;Connect Metrics to Causes&lt;/h2&gt;
&lt;p&gt;Core Web Vitals are easier to act on when each metric is tied to the part of the path it describes.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Symptom&lt;/th&gt;
&lt;th&gt;Where to look&lt;/th&gt;
&lt;th&gt;Likely next question&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;High TTFB&lt;/td&gt;
&lt;td&gt;WebPageTest first row, cache headers, origin logs&lt;/td&gt;
&lt;td&gt;Did the request hit cache, miss to origin, or wait on application work?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Slow FCP&lt;/td&gt;
&lt;td&gt;Waterfall, filmstrip, render-blocking resources&lt;/td&gt;
&lt;td&gt;Did HTML, CSS, or synchronous JavaScript stop the first paint?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Slow LCP&lt;/td&gt;
&lt;td&gt;Main document timing, hero media, image weight&lt;/td&gt;
&lt;td&gt;Was the largest element discovered and delivered early enough?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;High CLS&lt;/td&gt;
&lt;td&gt;Filmstrip, image dimensions, injected banners, fonts&lt;/td&gt;
&lt;td&gt;Did content move after the visitor started reading?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Poor INP&lt;/td&gt;
&lt;td&gt;Lighthouse main-thread diagnostics, third-party scripts&lt;/td&gt;
&lt;td&gt;Is JavaScript delaying the next paint after interaction?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;High page weight&lt;/td&gt;
&lt;td&gt;WebPageTest content breakdown&lt;/td&gt;
&lt;td&gt;Are images, JavaScript, fonts, or unused assets carrying the load?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Too many domains&lt;/td&gt;
&lt;td&gt;WebPageTest domains view&lt;/td&gt;
&lt;td&gt;Which third-party services are adding connection setup and blocking work?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unclear cache behaviour&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Cache-Status&lt;/code&gt;, CDN analytics, debug headers&lt;/td&gt;
&lt;td&gt;Which paths are hits, misses, bypasses, stale responses, or collapsed misses?&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This table is not a checklist to run forever. It is a triage map. Pick the symptom that matches the page, then follow the evidence to the next request-path decision.&lt;/p&gt;
&lt;h2&gt;Diagnose the Common Failures&lt;/h2&gt;
&lt;p&gt;Latency is the first failure to rule in or out. If the origin is in the United States and most customers are in Australia, the page can lose time before WordPress, Magento, Drupal, or a custom application has done any work. Edge caching helps when the response is safe to reuse, because the first byte can come from a location closer to the visitor.&lt;/p&gt;
&lt;p&gt;Page weight is the next obvious drag. WebPageTest's content breakdown shows whether images, JavaScript, CSS, fonts, or other assets dominate the transfer. Unoptimised images are common, especially on CMS and ecommerce sites. Image variants in AVIF or WebP, responsive sizes, compression, and stable dimensions can improve both download time and LCP.&lt;/p&gt;
&lt;p&gt;Render-blocking resources explain why a page can download quickly and still look blank. CSS and synchronous JavaScript in the head can stop the browser from painting. Large theme bundles and plugin scripts often include code that is not needed on the current page. The fix might be removing unused files, deferring non-critical scripts, splitting code by route, self-hosting critical third-party resources, or using &lt;code&gt;preconnect&lt;/code&gt; only where the first view depends on a third-party domain.&lt;/p&gt;
&lt;p&gt;Third-party domains need a sober review. Analytics, marketing tags, chat widgets, social embeds, payment scripts, and fonts can all be legitimate. They can also add DNS, TCP, TLS, download, parsing, and main-thread cost. If a third-party script is not needed for the first view, it should not block the first view.&lt;/p&gt;
&lt;h2&gt;Where Peakhour Evidence Fits&lt;/h2&gt;
&lt;p&gt;Peakhour performance work should show both user experience and origin relief. For caching, that means hit ratio, miss causes, &lt;code&gt;Cache-Status&lt;/code&gt;, purge state, cache keys, shielded misses, collapsed requests, and origin fetch volume. For images, it means original size, transformed size, selected format, responsive variant, and cache hit state. For Core Web Vitals, it means LCP, CLS, INP, TTFB, page weight, and the same page tested before and after changes.&lt;/p&gt;
&lt;p&gt;Security belongs in the performance review when it changes the request path. Bot filtering, WAF rules, rate limits, and login protection can reduce origin load by stopping abusive or noisy traffic before PHP, database, search, or API work begins. They can also create friction if rules are too broad. Measure the edge decision, the latency, the origin effect, and the false-positive risk. Do not treat "security enabled" as a generic performance story.&lt;/p&gt;
&lt;p&gt;Good performance testing ends with a specific change to validate: cache this public route, purge it by tag, move this script later, replace this image variant, reduce these third-party domains, protect this login path, or investigate this slow origin query. Then run the same test again from the same location and compare the evidence.&lt;/p&gt;</content><category term="Performance"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="Drupal"></category><category term="DDoS"></category><category term="Threat Detection"></category><category term="Rate Limiting"></category></entry></feed>