Traffic Anomalies

Reconnaissance Starts Before the Attack Does

Before any credential is touched, attackers map your API surface — harvesting paths, probing parameter ranges, testing error responses to find undocumented and shadow API endpoints. By the time the credential stuffing or BOLA campaign begins, your API inventory is already in their hands. Per-endpoint behavioral baselines surface the recon phase while you can still act on it.

What We Detect

Four Categories of Traffic Anomaly

Path Harvesting & Shadow API Discovery

Systematically probing endpoint paths — /api/v1/admin, /api/v2/internal, /debug/env — to find undocumented or shadow API endpoints that your public documentation doesn't list. Exploitation of OWASP API9:2023 (Improper Inventory Management) is almost always preceded by this kind of path enumeration. Legitimate clients hit 404s rarely and at random; an enumeration campaign hits many distinct unknown paths from one source in a short window. The per-source distribution of 404 paths makes the campaign visible.

Automated Scraping

Bots that extract product data, pricing, or user lists at scale. Request timing is mechanically regular (inter-request intervals vary by roughly ±10ms, versus ±400ms or more for human-driven sessions), endpoint coverage is exhaustive rather than task-driven, and session patterns lack the organic randomness of real users. The behavioral engine uses these timing and coverage signals to distinguish bots from humans.

Volume Spikes

Sudden traffic surges that precede DDoS, scraping campaigns, or bulk abuse attempts. Per-endpoint baselines differentiate legitimate traffic growth (gradual, distributed) from attack traffic (sudden, concentrated, with narrow parameter ranges).

Error Rate Spikes

Sudden increases in 400 / 401 / 403 / 404 error rates signal parameter fuzzing (400), authentication probing (401), access control testing (403), and path enumeration (404). An endpoint that normally runs at a 0.5% error rate jumping to 40% is a clear recon signal, and Hirefathom alerts on it before the actual attack begins.
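The three per-source and per-endpoint signals described above (distinct 404 paths from one source, mechanically regular inter-request timing, and an endpoint's error rate against its own baseline) can be computed from plain access logs. The following is an added illustration written for this page, not Hirefathom's own detection code; the log format, the sample log lines, the baseline error rates and the thresholds are all constructed for the example.

```python
"""Recon signals over access-log lines (added example, constructed data)."""
import re
import statistics
from collections import defaultdict

# Constructed log format (hypothetical): "<epoch_ms> <ip> <method> <path> <status>".
# 203.0.113.7 walks unknown paths at a fixed 50 ms cadence; 198.51.100.5 browses normally.
SAMPLE_LOG = """\
1700000000000 203.0.113.7 GET /api/v1/admin 404
1700000000050 203.0.113.7 GET /api/v2/internal 404
1700000000100 203.0.113.7 GET /debug/env 404
1700000000150 203.0.113.7 GET /api/v1/users 200
1700000000200 203.0.113.7 GET /api/v1/config 404
1700000000250 203.0.113.7 GET /.git/config 404
1700000000300 203.0.113.7 GET /api/v1/export 404
1700000000350 203.0.113.7 GET /actuator/health 404
1700000001200 198.51.100.5 GET /api/v1/products/1 200
1700000002900 198.51.100.5 GET /api/v1/products/2 200
1700000003100 198.51.100.5 GET /api/v1/cart 200
1700000005400 198.51.100.5 GET /api/v1/products/9 404
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(log_text):
    """Return a list of (epoch_ms, ip, method, path, status); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status = m.groups()
            events.append((int(ts), ip, method, path, int(status)))
    return events


def normalize_endpoint(path):
    """Collapse numeric path segments so /products/1 and /products/2 share one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def path_enumeration(events, min_distinct_404=5):
    """Sources whose 404s land on many distinct paths: the path-harvesting signal."""
    per_ip = defaultdict(set)
    for _ts, ip, _method, path, status in events:
        if status == 404:
            per_ip[ip].add(path)
    return {ip: len(paths) for ip, paths in per_ip.items() if len(paths) >= min_distinct_404}


def timing_regularity(events, max_stdev_ms=20.0, min_requests=4):
    """Sources whose inter-request gaps barely vary: the automation signal."""
    per_ip = defaultdict(list)
    for ts, ip, *_rest in events:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge cadence
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        sd = statistics.pstdev(gaps)
        if sd <= max_stdev_ms:
            flagged[ip] = sd
    return flagged


def error_rate_by_endpoint(events):
    """Per-endpoint (request_count, error_rate) where any 4xx/5xx counts as an error."""
    requests, errors = defaultdict(int), defaultdict(int)
    for _ts, _ip, _method, path, status in events:
        ep = normalize_endpoint(path)
        requests[ep] += 1
        if status >= 400:
            errors[ep] += 1
    return {ep: (requests[ep], errors[ep] / requests[ep]) for ep in requests}


def error_rate_spikes(events, baselines, factor=10.0, min_requests=3):
    """Endpoints whose observed error rate exceeds `factor` times their own baseline.

    `baselines` maps endpoint -> historical error rate; endpoints with no history are
    skipped here because there is nothing to compare against yet.
    """
    spikes = {}
    for ep, (count, rate) in error_rate_by_endpoint(events).items():
        if ep in baselines and count >= min_requests and rate >= factor * baselines[ep]:
            spikes[ep] = rate
    return spikes


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("path enumeration:", path_enumeration(evs))
    print("regular timing:", timing_regularity(evs))
    # Constructed baseline: the catalog endpoint historically errors 0.5% of the time.
    print("error spikes:", error_rate_spikes(evs, {"/api/v1/products/{id}": 0.005}))
```

The thresholds here (five distinct 404 paths, a 20 ms cadence spread, ten times the baseline error rate) are placeholders; in a real deployment each of them would come from the endpoint's or the population's own history rather than from a constant.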

Baseline Technology

Per-Endpoint Fingerprints, Not Global Rules

Global rate limits fail because they apply the same threshold to all endpoints. A login endpoint that normally gets 100 req/min shouldn't have the same threshold as a product catalog endpoint that gets 50,000 req/min. Hirefathom builds a separate baseline for every endpoint.

Endpoint-Level Profiles

Each endpoint builds its own traffic profile: request rate, error rate, parameter distributions, source IP diversity, timing variance. Thresholds are derived from the endpoint's own history, not from a global policy.

Temporal Patterns

Traffic naturally varies by time of day and day of week. The baseline model accounts for these patterns, so a Monday morning spike that matches the endpoint's own Monday morning history doesn't trigger an alert, while the same volume at 3am on a Sunday does.

Continuous Adaptation

As your API evolves and traffic patterns shift, baselines update automatically. New features that change traffic patterns don't generate false positive storms — the model adapts while still catching anomalies outside normal evolution bounds.
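One way to realize the three properties above (a per-endpoint profile, hour-of-week seasonality, and continuous adaptation) is a baseline that keeps an exponentially weighted mean and variance per hour-of-week bucket and scores each new observation as a z-score against its own bucket. This is an added example written for this page, not Hirefathom's model; the bucket scheme, the smoothing factor, the z-threshold, the Poisson-style variance floor and the synthetic weekly traffic shape are all assumptions made for the illustration.

```python
"""Per-endpoint, hour-of-week traffic baseline with EMA adaptation (added example)."""
import math
from datetime import datetime, timedelta, timezone

HOURS_PER_WEEK = 168


def bucket_of(ts):
    """Hour-of-week bucket: Monday 00:00 is bucket 0, Sunday 23:00 is bucket 167."""
    return ts.weekday() * 24 + ts.hour


class EndpointBaseline:
    """One instance per endpoint; tracks request counts per hour-of-week bucket."""

    def __init__(self, alpha=0.1, z_threshold=4.0):
        self.alpha = alpha                 # smoothing factor: higher adapts faster
        self.z_threshold = z_threshold     # assumed alert threshold in standard deviations
        self.mean = [None] * HOURS_PER_WEEK
        self.var = [0.0] * HOURS_PER_WEEK

    def zscore(self, ts, count):
        b = bucket_of(ts)
        if self.mean[b] is None:
            return 0.0  # no history for this slot yet: learn, do not alert
        mu = self.mean[b]
        # Floor the spread at sqrt(mean) (a Poisson-style floor) so a perfectly flat
        # history cannot turn a tiny deviation into a huge z-score.
        sd = max(math.sqrt(self.var[b]), math.sqrt(max(mu, 1.0)))
        return (count - mu) / sd

    def observe(self, ts, count):
        """Fold one hourly count into the bucket's exponentially weighted mean/variance."""
        b = bucket_of(ts)
        if self.mean[b] is None:
            self.mean[b], self.var[b] = float(count), 0.0
            return
        delta = count - self.mean[b]
        self.mean[b] += self.alpha * delta
        self.var[b] = (1 - self.alpha) * (self.var[b] + self.alpha * delta * delta)

    def check(self, ts, count):
        """Return (z, anomalous). Only non-anomalous hours update the baseline."""
        z = self.zscore(ts, count)
        anomalous = z > self.z_threshold
        if not anomalous:
            self.observe(ts, count)
        return z, anomalous


def expected_count(ts, week):
    """Constructed weekly shape: busy weekday business hours, quiet otherwise, mild drift."""
    business = ts.weekday() < 5 and 9 <= ts.hour < 18
    return (1000 if business else 100) + 20 * (week % 3)


def build_baseline(weeks=8):
    """Train a baseline on `weeks` of synthetic hourly counts starting on a Monday."""
    bl = EndpointBaseline()
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # 2024-01-01 is a Monday
    for h in range(weeks * HOURS_PER_WEEK):
        ts = start + timedelta(hours=h)
        bl.observe(ts, expected_count(ts, h // HOURS_PER_WEEK))
    return bl


def evaluate():
    """Same absolute volume in two slots: normal for Monday 09:00, anomalous for Sunday 03:00."""
    bl = build_baseline()
    monday_9am = datetime(2024, 2, 26, 9, tzinfo=timezone.utc)   # first Monday after training
    sunday_3am = datetime(2024, 3, 3, 3, tzinfo=timezone.utc)
    return {
        "monday_normal": bl.check(monday_9am, 1050),
        "sunday_surge": bl.check(sunday_3am, 1050),
    }


if __name__ == "__main__":
    for name, (z, flagged) in evaluate().items():
        print(f"{name}: z={z:.1f} anomalous={flagged}")
```

Two design choices deserve a note. Excluding anomalous hours from observe() stops an attacker's burst from becoming the new normal, but it also means a surge that persists keeps alerting until someone marks it legitimate; a production system would add a bounded "accept as new baseline" path so a launch that permanently raises traffic does not alert forever. And alpha is the adaptation knob: with 0.1 the bucket forgets roughly the last ten weeks of a given hour-of-week slot, which is what lets gradual growth pass while a step change within one slot still stands out.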

Detect Recon Before It Becomes an Attack