Why Business Context Is the Missing Link in App-Level Attack Detection

Most attack detection still treats applications like interchangeable boxes: requests come in, signatures are matched, packets are inspected, and decisions are made in isolation. That approach worked when attacks were noisy, infrastructure‑level, and largely the same across apps. Today’s attacks are quieter, more targeted, and deeply tied to how an application actually works. The weakest point is no longer the network edge. It is the logic inside the app. To detect those attacks, you need more than signature-based detection of previously seen exploits. You need context.

From packet inspection to application reality

Traditional detection systems focus on what a request looks like at a protocol level. Headers, payloads, IP reputation, known exploit patterns. This is useful, but it only answers a narrow question: does this request resemble something malicious we have seen before?

What it does not answer is whether the request makes sense for your application.

A login attempt, a checkout request, or an API call to generate a report can all look perfectly valid in isolation. The danger often comes from how, when, and why they are made.

This is where packet inspection reaches its limit. It has no understanding of intent, sequence, or impact on your business logic.

What business‑logic attacks actually look like

Business‑logic attacks exploit the rules of your application rather than a vulnerability in the framework or server.

Examples include:

  • Abusing free trial flows by repeatedly creating accounts
  • Enumerating resources through valid but unexpected request patterns
  • Automating checkout or inventory endpoints to gain unfair advantage
  • Bypassing rate limits by distributing behavior across identities
  • Slowly probing edge cases in workflows to extract data

None of these require malformed requests or known exploit signatures. In many cases, every request is technically correct. The attack only becomes visible when you zoom out and understand how requests relate to each other and to the application’s intended behavior.

Why context matters more than signatures

Signatures don’t change much. Your application does.

Every app has its own rhythm: the flows users follow, the endpoints that naturally get called together, the actions that happen constantly, and the ones that should be rare. There are expensive operations, sensitive moments, and patterns that make perfect sense in one product but would be suspicious in another.

That’s the challenge with traditional detection. Without any understanding of your business logic, security systems are forced to make guesses. They either clamp down too hard and frustrate real users, or stay too loose and let abuse slip through.

Context-aware detection changes the question entirely. Instead of asking, “does this match a known attack signature,” it asks something much more useful:

“Does this behavior make sense for this application, right now?”

That shift is what makes detection sharper, safer, and far more aligned with how your software actually works.

Context is built from behavior, not rules alone

Business context isn’t a single signal you can capture in isolation. It’s something you build gradually, over time, by layering multiple sources of understanding together:

  • Request history across sessions and identities
  • Application‑level semantics, such as routes and actions
  • Filters that encode what matters to your business
  • Observed patterns of normal and abnormal usage

With this foundation, detection models can start to reason about intent and progression, not just isolated requests.

Because the truth is: one request might be harmless. But a hundred similar requests, spaced just right, aimed at a specific flow? That can tell a very different story.
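To make this concrete, here is an added example (not Arcjet's code or API) that runs two checks over a small constructed request history: a per-identity rate limit that judges each account in isolation, and a context-aware check that counts distinct identities per client on routes the business marks as sensitive. The route table, thresholds, field names, and the `client` signal are all assumptions made for illustration.

```javascript
// Added illustration; every name and threshold here is hypothetical.
// Business context: sensitive routes and how many distinct identities one
// client is expected to use on each within a time window.
const ROUTE_CONTEXT = new Map([
  ["POST /signup", { windowMs: 60 * 60 * 1000, maxIdentitiesPerClient: 2 }],
  ["POST /checkout", { windowMs: 10 * 60 * 1000, maxIdentitiesPerClient: 3 }],
]);
const PER_IDENTITY_LIMIT = 5; // isolated per-account limit, per route

// Constructed request history. "client" stands for whatever stable client
// signal the application has (an assumption of this example).
const min = (n) => n * 60 * 1000;
const EVENTS = [
  ...[0, 10, 20, 30, 40, 50].map((m, i) => ({
    ts: min(m), client: "fp-A", identity: `trial${i}@example.test`, route: "POST /signup",
  })),
  { ts: min(5), client: "fp-B", identity: "alice@example.test", route: "POST /signup" },
  { ts: min(12), client: "fp-B", identity: "alice@example.test", route: "POST /checkout" },
  { ts: min(15), client: "fp-B", identity: "alice@example.test", route: "POST /checkout" },
];

// Isolated view: does any single identity exceed its own limit on a route?
function perIdentityFlags(events) {
  const counts = new Map();
  for (const e of events) {
    const key = `${e.identity}|${e.route}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > PER_IDENTITY_LIMIT).map(([key]) => key);
}

// Contextual view: per client and sensitive route, count the distinct
// identities seen inside that route's window ending at each event.
function contextFlags(events) {
  const flagged = new Map();
  for (const e of events) {
    const ctx = ROUTE_CONTEXT.get(e.route);
    if (!ctx) continue; // route has no business sensitivity defined
    const ids = new Set(events
      .filter((o) => o.client === e.client && o.route === e.route &&
        o.ts <= e.ts && o.ts > e.ts - ctx.windowMs)
      .map((o) => o.identity));
    if (ids.size <= ctx.maxIdentitiesPerClient) continue;
    const key = `${e.client}|${e.route}`;
    flagged.set(key, Math.max(flagged.get(key) || 0, ids.size));
  }
  return [...flagged].map(([key, identities]) => ({ key, identities }));
}
```

On this data the per-identity check flags nothing, because each trial account makes a single request, while the contextual check flags the one client that created six accounts within the signup window.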

How Arcjet approaches context‑aware detection

Arcjet is built on a simple principle: application-level attacks require application-level understanding.

Instead of relying solely on generic network signals, Arcjet brings together the signals that actually reflect what’s happening inside your product:

  • Business context from your app and routes
  • Request history to understand behavior over time
  • Filters that let you define what matters and what does not

Because Arcjet runs close to your application, it can see how requests map to real operations. It can distinguish between a user retrying a form and a script probing for limits. Between a burst of traffic from a promotion and a coordinated abuse attempt.

This approach makes detection both more accurate and more adaptable: as your application evolves, so does the context used to protect it.

Closing the gap in attack detection

Most security tooling still assumes that attacks announce themselves through recognizable patterns. Increasingly, they do not.

The real signal lives in how an application is used, misused, and slowly pushed beyond its intended boundaries.

Business context is the missing link. Without it, detection systems are blind to the most common and costly forms of abuse. With it, security becomes less about blocking traffic and more about protecting how your application actually works.

That is where app‑level attack detection is headed, and it is the foundation Arcjet is built on.
