X
June 24, 2025
One important Application Detection and Response feature is helping customers intercept real threats in real time, shielding apps while developers patch the underlying flaws.
Additionally, in line with global attack trends, Contrast is seeing spikes in attacks against retail, and ADR is actively intercepting them.
Each month in the ADR Report, Contrast Labs analyzes attack and response patterns across our platform and customer environments. We aggregate and anonymize the data to reveal where attackers concentrate their efforts.
Here’s what stood out in May 2025:
We saw a jump in the number of times customers used ADR's virtual patch feature. In May, customers using the feature blocked more than two million attacks, higher than in any other month we’ve tracked.
Contrast’s virtual patching feature allows teams to block specific attack patterns at runtime, without waiting for a full code fix. While it's often a fallback measure for unusual or non-standard vulnerabilities that don’t fit traditional detection rules, it plays a valuable role in live defense. Unlike WAFs, which inspect raw traffic and can miss attacks due to encoding, encryption, payload length, compression, complex data structures, or protocol mismatches, Contrast sees the data exactly as the application does, fully decoded and in context. This eliminates the “impedance mismatch” that plagues perimeter tools, making Contrast a more reliable and precise place to enforce custom security rules. Because contrast operates in-process, it avoids the single point of failure that comes with centralized WAFs. ADR virtual patches can be applied surgically to the apps that need them, by language, framework, or specific applications or APIs.
Since a WAF failed to stop the attacks due to encoding tricks or protocol complexity (impedance mismatch), customers are turning to Contrast’s virtual patches for better reliability, especially if Contrast flagged the exploit and the WAF didn’t.
A small number of customers, in particular, used this feature to block a majority of the 2 million attacks. In any given month, if an attacker focuses (and likely uses a bot or AI), attacks on an app can jump from one or two to thousands or millions. Those companies that opt for virtual patching not only prevent the attack, but also avoid the CPU, memory and I/O spent on malicious traffic.
Contrast data from May shows spikes in attacks on organizations operating in the retail sector. While there is no consistent rise, there are days when the number of attacks skyrockets.
Several publications have reported that cybercriminals are increasingly targeting retail. According to Politico, the attacks are “often carried out by ransomware gangs looking for a payout.”
While organizations like United Natural Foods Inc. (UNFI) — a North American grocery wholesaler and major distributor to Whole Foods Market — have been disrupted, they have not said whether the attacks are coming in through the application layer. Nonetheless, Contrast data shows apps and APIs remain a growing target.
The top attack types on retail in May were method tampering, regular expression denial of service (ReDoS) and cross-site scripting (XSS).
These trends highlight why real-time defense matters. When attacks spike, whether it’s a zero day or a retail-targeted increase, ADR gives teams a way to act immediately without the disruption caused by inaccurate perimeter rules. The surge in virtual patch usage shows that security teams aren’t just watching, they’re adapting. They’re closing gaps quickly, even when fixes aren’t ready. For CISOs, it signals that traditional defenses are no longer enough. Runtime protection and real-time response aren’t just nice to have; they’re becoming essential parts of a modern security strategy.
To see Contrast ADR in action, check out the demo.
