{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreib5kbdyec2rycoal5clpyvieoxiwsgw4myeza24xfmprkskqyl3mu",
    "uri": "at://did:plc:qllwm7os6w6f6hxue4mcr7mz/app.bsky.feed.post/3mf2teq5fzga2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiae7nphz7gw2x5wbecqxmzrlvowwiwkubypryph67wfjuj6nxekr4"
    },
    "mimeType": "image/webp",
    "size": 112142
  },
  "description": "Most attack detection still treats applications like interchangeable boxes: requests come in, signatures are matched, packets are inspected, and decisions are made in isolation. That approach worked when attacks were noisy, infrastructure‑level, and largely the same across apps. Today’s attacks are quieter, more targeted, and deeply tied to how an application actually works. The weakest point is no longer the network edge. It is the logic inside the app. To detect those attacks, you need more th",
  "path": "/why-business-context-is-the-missing-link-in-app-level-attack-detection/",
  "publishedAt": "2026-02-17T15:00:12.000Z",
  "site": "https://blog.arcjet.com",
  "textContent": "Most attack detection still treats applications like interchangeable boxes: requests come in, signatures are matched, packets are inspected, and decisions are made in isolation. That approach worked when attacks were noisy, infrastructure‑level, and largely the same across apps. Today’s attacks are quieter, more targeted, and deeply tied to how an application actually works. The weakest point is no longer the network edge. It is the logic inside the app. To detect those attacks, you need more than signature-based detection of previously seen exploits. You need context.\n\n## **From packet inspection to application reality**\n\nTraditional detection systems focus on what a request looks like at a protocol level. Headers, payloads, IP reputation, known exploit patterns. This is useful, but it only answers a narrow question: does this request resemble something malicious we have seen before?\n\nWhat it does not answer is whether the request makes sense for your application.\n\nA login attempt, a checkout request, an API call to generate a report can all look perfectly valid in isolation. The danger often comes from how, when, and why they are made.\n\nThis is where packet inspection reaches its limit. It has no understanding of intent, sequence, or impact on your business logic.\n\n## **What business‑logic attacks actually look like**\n\nBusiness‑logic attacks exploit the rules of your application rather than a vulnerability in the framework or server.\n\nExamples include:\n\n  * Abusing free trial flows by repeatedly creating accounts\n  * Enumerating resources through valid but unexpected request patterns\n  * Automating checkout or inventory endpoints to gain unfair advantage\n  * Bypassing rate limits by distributing behavior across identities\n  * Slowly probing edge cases in workflows to extract data\n\n\n\nNone of these require malformed requests or known exploit signatures. In many cases, every request is technically correct. 
The attack only becomes visible when you zoom out and understand how requests relate to each other and to the application’s intended behavior.\n\n## **Why context matters more than signatures**\n\nSignatures don’t change much. Your application does.\n\nEvery app has its own rhythm: the flows users follow, the endpoints that naturally get called together, the actions that happen constantly, and the ones that should be rare. There are expensive operations, sensitive moments, and patterns that make perfect sense in one product but would be suspicious in another.\n\nThat’s the challenge with traditional detection. Without any understanding of your business logic, security systems are forced to make guesses. They either clamp down too hard and frustrate real users, or stay too loose and let abuse slip through.\n\nContext-aware detection changes the question entirely. Instead of asking, “does this match a known attack signature,” it asks something much more useful:\n\n“Does this behavior make sense for this application, right now?”\n\nThat shift is what makes detection sharper, safer, and far more aligned with how your software actually works.\n\n## **Context is built from behavior, not rules alone**\n\nBusiness context isn’t a single signal you can capture in isolation; it’s something you build gradually, over time, by layering multiple sources of understanding together:\n\n  * Request history across sessions and identities\n  * Application‑level semantics, such as routes and actions\n  * Filters that encode what matters to your business\n  * Observed patterns of normal and abnormal usage\n\n\n\nWith this foundation, detection models can start to reason about intent and progression, not just isolated requests.\n\nBecause the truth is: one request might be harmless. But a hundred similar requests, spaced just right, aimed at a specific flow? 
That can tell a very different story.\n\n## **How Arcjet approaches context‑aware detection**\n\nArcjet is built on a simple principle: application-level attacks require application-level understanding.\n\nInstead of relying solely on generic network signals, Arcjet brings together the signals that actually reflect what’s happening inside your product:\n\n  * Business context from your app and routes\n  * Request history to understand behavior over time\n  * Filters that let you define what matters and what does not\n\n\n\nBecause Arcjet runs close to your application, it can see how requests map to real operations. It can distinguish between a user retrying a form and a script probing for limits. Between a burst of traffic from a promotion and a coordinated abuse attempt.\n\nThis approach makes detection both more accurate and more adaptable, which means, as your application evolves, so does the context used to protect it.\n\n## **Closing the gap in attack detection**\n\nMost security tooling still assumes that attacks announce themselves through recognizable patterns. Increasingly, they do not.\n\nThe real signal lives in how an application is used, misused, and slowly pushed beyond its intended boundaries.\n\nBusiness context is the missing link. Without it, detection systems are blind to the most common and costly forms of abuse. With it, security becomes less about blocking traffic and more about protecting how your application actually works.\n\nThat is where app‑level attack detection is headed, and it is the foundation Arcjet is built on.",
  "title": "Why Business Context Is the Missing Link in App-Level Attack Detection",
  "updatedAt": "2026-02-17T15:00:12.000Z"
}