How We Detect and Foil Malicious Network Activity
This is an introduction for everyone, not just engineers. It explains, in plain language, how we keep watch over our services and what happens when someone hostile shows up. For the alert-by-alert response procedures, see the Alert Lookup Index.
The idea in one sentence
We filter the obvious junk at the wall, plant decoys that only an attacker would trip, watch for the pattern of an attack rather than single events, check each suspect against outside reputation data, connect events into a story, and alert a human with enough context to act, then block the source and rotate anything exposed.
Think of it as concentric rings, from the street outside to the vault inside. Each ring is cheap on its own. The strength is in the layering: anything that slips past one ring meets the next.

The seven layers, in plain language
1. The wall and the bouncer (perimeter filtering)
Cloudflare sits in front of everything. It blocks obviously bad traffic, known attack patterns, abusive bots, and addresses with bad reputations before any of it reaches our servers. Most hostile noise on the internet dies here, and we never have to think about it.
2. The decoys (honeypots)
We run fake services that look like real login pages or databases but lead nowhere. No legitimate person ever has a reason to touch them. So the moment anyone interacts with one, that is a near-certain attacker, and we know it instantly. It is a tripwire with almost no false alarms.

3. The watchful eyes (behaviour detection)
Our Ghost Mode detector reads the traffic logs looking for the shape of an attack rather than one bad request: someone walking through dozens of URLs hunting for an admin page, hammering a login, or probing several of our different domains from one address. One probe is noise. A pattern is intent.
4. The background check (reputation enrichment)
When a suspicious address shows up, we ask outside services about it. GreyNoise tells us whether it is just an internet-wide scanner everyone sees. AbuseIPDB tells us whether others have reported it for attacks. Shodan tells us what kind of host it is. That turns a bare address into a judgement: routine background radiation, or someone worth worrying about.
5. Connecting the dots (correlation)
The real value is tying events together. If the same actor pokes one domain, then another, then a third, that is not random. That is someone mapping the whole estate deliberately, and we raise its severity accordingly.
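To make layers 3 and 5 concrete, here is an added illustration in Python; it is not the Ghost Mode detector's own code. It reads a few constructed access-log lines, flags the two patterns described above (walking many missing URLs, hammering a login) and raises the severity when one address has touched several of our domains. The four-field log format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): "ip host path status".
SAMPLE_LOGS = """\
203.0.113.7 shop.example.com /admin 404
203.0.113.7 shop.example.com /admin/login 404
203.0.113.7 shop.example.com /manage 404
203.0.113.7 shop.example.com /backup 404
203.0.113.7 blog.example.com /admin 404
203.0.113.7 docs.example.com /admin 404
198.51.100.9 shop.example.com /login 401
198.51.100.9 shop.example.com /login 401
198.51.100.9 shop.example.com /login 401
192.0.2.4 shop.example.com /products 200
"""

# Thresholds are illustrative assumptions, not the production detector's values.
PROBE_PATHS = 4    # distinct missing URLs from one address before it counts as a walk
LOGIN_FAILS = 3    # failed logins from one address before it counts as hammering
MULTI_DOMAIN = 2   # distinct domains touched by one address before it counts as mapping

def assess(text):
    """Return {ip: (severity, reasons)} for addresses showing the shape of an attack."""
    not_found = defaultdict(set)   # ip -> distinct paths that returned 404
    login_fail = defaultdict(int)  # ip -> count of 401 responses on /login
    hosts = defaultdict(set)       # ip -> distinct domains touched
    for line in text.strip().splitlines():
        ip, host, path, status = line.split()
        hosts[ip].add(host)
        if status == "404":
            not_found[ip].add(path)
        if path == "/login" and status == "401":
            login_fail[ip] += 1
    findings = {}
    for ip in hosts:
        reasons = []
        if len(not_found[ip]) >= PROBE_PATHS:
            reasons.append(f"walked {len(not_found[ip])} missing URLs")
        if login_fail[ip] >= LOGIN_FAILS:
            reasons.append(f"{login_fail[ip]} failed logins")
        if not reasons:
            continue  # one probe is noise, not intent
        severity = "medium"
        if len(hosts[ip]) >= MULTI_DOMAIN:  # correlation: same actor across the estate
            severity = "high"
            reasons.append(f"touched {len(hosts[ip])} domains")
        findings[ip] = (severity, reasons)
    return findings
```

The address that walked four missing URLs across three domains comes out as high, the one hammering a single login as medium, and the ordinary shopper is not reported at all.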
6. The dispatcher (alerting and triage)
Findings are pushed to your phone through ntfy, ranked by urgency, so a genuine attack pages you loudly while routine activity stays quiet. Master Control sits on top of that: it reads each alert in the context of what is actually happening and, importantly, re-checks before it cries wolf, so a flaky probe does not wake you at three in the morning.

7. The response (foiling it)
When something is real, the playbook is simple: block the address, or its whole network, at Cloudflare; and if a honeypot caught a credential that resembles a real one, rotate that credential everywhere immediately. Preserve the logs for the record.
Why it is built this way
No single tool catches everything, and no single tool is meant to. A scanner that walks past the wall meets a decoy. An attacker who avoids the decoys still shows a pattern in the logs. A patient actor who moves slowly still gets tied together by correlation across domains. Layering is what turns a set of cheap, fallible checks into a defence that is hard to walk through quietly.
Where to go next
- Alert Lookup Index — every alert that can reach your phone, what it means, and exactly what to do when it arrives.
The diagrams on this page are machine-generated and carry embedded C2PA Content Credentials identifying them as SanMarcSoft AI-generated content.