Monthly ADR Report for April: 2 million attacks in a day, all blocked!

Customers using Application Detection and Response (ADR) technology blocked a remarkable number of attacks over the past month. For the second time since we began writing this monthly report, we’ve seen a massive escalation of attacks against a small number of applications, and all of the attacks were blocked. 

Every month, in this ADR Report, Contrast Labs looks over the data we’ve collected and reports the detection and response trends we see across our apps and those of our customers. We anonymize and average the attacks so that readers can see what and where adversaries are focused. 

Here are the most notable findings from April 2025:

Insight No. 1: A massive spike in attacks against a small number of customers, all blocked by ADR

One company that usually sees about a thousand attacks per day saw more than 2 million in one day. That’s a remarkable spike, even larger than we usually see when a company is targeted. The company stopped all of the attacks by using Contrast Application Detection and Response (ADR): it created an IP denylist rule and a virtual patch that stopped the attacks and addressed the vulnerability. The attacks came from an IP address well known for brute-force attacks. Most likely, the company used ADR to spot the attacks right after they began, then used the built-in attack blocking, IP denylist and virtual patch features to stop them. With the attacks now blocked, the company has time to fix the underlying vulnerability, if it hasn’t fixed it already.

Insight No. 2: Path-traversal attacks are way up

Path-traversal attacks more than doubled month to month. Because we are instrumented into applications and measure real attacks on them, the figure we report is the average number of attacks per application per month. Path-traversal attacks jumped from 14 per app to 34 per app.

These attacks attempt to access files or directories outside of the intended application scope by manipulating file paths — often using sequences like “../” to “traverse” up the directory structure. If successful, a path traversal attack can expose sensitive files like configuration data, credentials or source code. In some cases, it can be used to create new malicious files or even overwrite critical code. Because ADR operates within the application, it can detect and block these attempts in real time — before attackers gain access to anything they shouldn't.
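To make the "../" mechanism concrete, here is an added example (not Contrast's code and not a description of how ADR works internally) of the application-side containment check that keeps a requested path inside its base directory, next to the unchecked join it replaces. The function names, directory layout and sample requests are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalBlocked(Exception):
    """Raised when a requested path resolves outside the allowed base directory."""


def naive_join(base_dir, user_path):
    """Vulnerable pattern: join and normalize with no containment check."""
    return os.path.normpath(os.path.join(base_dir, unquote(user_path)))


def resolve_inside(base_dir, user_path):
    """Return the real path for user_path if it stays under base_dir, else raise."""
    base = Path(base_dir).resolve()
    # Decode once, as a web framework would, so "%2e%2e%2f" is seen as "../".
    decoded = unquote(user_path)
    # An absolute user path replaces base in the join, and symlinks can point
    # anywhere, so resolve first and check containment on the result.
    candidate = (base / decoded).resolve()
    if candidate != base and base not in candidate.parents:
        raise TraversalBlocked(f"{user_path!r} resolves outside {base}")
    return candidate


def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root) / "public"
        base.mkdir()
        (base / "index.html").write_text("hello")
        (Path(root) / "secret.cfg").write_text("password=constructed")
        # A symlink inside the base that points at a file outside it.
        os.symlink(Path(root) / "secret.cfg", base / "link.cfg")
        requests = ["index.html", "sub/../index.html", "../secret.cfg",
                    "%2e%2e%2fsecret.cfg", "/etc/passwd", "link.cfg"]
        for req in requests:
            try:
                resolve_inside(base, req)
                results[req] = "allowed"
            except TraversalBlocked:
                results[req] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths rather than searching the input for "../", which is why the encoded, absolute and symlink variants are rejected while the harmless "sub/../index.html" is still served.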

Take a look at this image to see the types of viable attacks that Contrast ADR identified and stopped. While we calculate the average number of attacks across all applications, only the applications containing specific vulnerabilities are counted as being attacked. So if you’re vulnerable, you will see much higher rates than the ones in this table.

[Image: April attack numbers table]

Conclusion

This month’s data shows more than just trends — it shows how organizations are using ADR to actively defend themselves. When one customer faced millions of attacks in a single day, ADR helped them detect the threat instantly, block the source with an IP denylist and apply a virtual patch to neutralize the vulnerability — all before any damage was done. Other customers saw a sharp rise in path traversal attacks, but ADR caught and stopped them in real time, preventing unauthorized file access. Across the board, customers are using ADR not just to see what’s happening inside their applications, but to act on it. That’s the power of real-time security built into the software itself.

Contrast Labs