July ADR Report: Concentrated, targeted attacks and a 2-million-attack surge, all stopped in real time

July’s Application Detection and Response data revealed two standout events: a concentrated malicious campaign using multiple attack types against one organization, and an unprecedented spike that hit another organization with more than 2 million attacks in a single month. In both cases, ADR blocked every attempt in real time.

Each month, Contrast Labs analyzes anonymized runtime data from ADR customers to uncover the trends shaping the application-layer threat landscape. July’s findings show that attackers can, and do, focus their efforts intensely on a single organization, often using multiple exploit techniques in a single campaign to try to break through defenses.

Massive Volume, Multiple Tactics, All Blocked by ADR

In July, one organization became the focus of a coordinated, high-intensity campaign that delivered a sustained wave of untrusted deserialization, path traversal, and SQL injection attacks. These were not just probes; each attack reached an actual vulnerability in the application. In every case, ADR detected the exploit attempt in real time and blocked it before the attacker could succeed. Another organization saw a different kind of surge, more than 2 million attacks in a single month, underscoring how quickly threat activity can spike against a single target.

These results underscore the value of having embedded threat sensors inside running applications. Unlike external perimeter tools, ADR sees attacks at the moment they hit the application and stops them before the underlying vulnerabilities can be exploited. This not only protects production systems but also buys development teams valuable time to address those vulnerabilities without the unneeded pressure of a crisis.

Top Attack Types in July

While the targeted campaign was the month’s standout incident, broader attack telemetry revealed the most common techniques seen across the ADR customer base:

  1. Path Traversal
  2. Command Injection
  3. Reflected Cross-Site Scripting (XSS)
  4. SQL Injection

Path Traversal once again topped the list, demonstrating how frequently attackers attempt to manipulate file paths to access sensitive data or execute malicious code. ADR’s runtime detection and blocking prevented these attempts from succeeding, stopping the exploitation chain before it could cause damage.

Although these attacks might feel familiar, that’s precisely the point: Path Traversal, SQL Injection, Command Injection, and XSS are “classic” techniques that have been around for decades. All four appeared in the very first OWASP Top 10 back in 2003, and they remain attractive to adversaries today. The calculus for attackers is simple: balance likelihood with payoff. Command Injection is less likely to succeed in modern environments, but when it does, the reward is complete host takeover. Path Traversal is a close second in terms of potential impact, often exposing sensitive data and, in some cases, enabling complete system compromise. SQL Injection and XSS are more common in practice, and while their payoff is generally lower than the others, they still deliver enough value to keep them in heavy rotation.

Why Embedded Threat Sensors Matter

When attackers shift focus, whether to a single company or a specific vulnerability type, security teams need immediate visibility and automated blocking to keep pace. ADR’s in-application sensors give SOC and AppSec teams:

  • Prioritization of alerts through dynamic contextual risk ratings
  • Real-time detection of active exploits, not just theoretical vulnerabilities
  • Automated blocking to neutralize threats without manual intervention
  • Actionable context that helps the SOC respond appropriately and helps AppSec and developers resolve vulnerabilities efficiently

In July, this capability meant millions of attacks were detected and stopped, keeping critical applications and data safe.

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.
