In a startling finding, Contrast Security Application Detection and Response (ADR) stopped nearly 16,000 attacks that had made it past perimeter defenses on a single application in mid-January 2025.
Every month, in this ADR Report, Contrast Labs reports the attack trends we see across our apps and those of our customers. We anonymize and average the attacks so that readers can see what and where adversaries are focused.
Data for the past month revealed two notable findings.
Insight No. 1: 16K attacks on 1 app
Days after its release, one customer’s .NET application faced almost 16,000 attacks that sneaked past perimeter defenses before they were blocked by Contrast ADR, a key component of the organization’s layered defense strategy. A breach of this application would have had a significant impact on the business. Since we don’t disclose detailed information about our customers, we can’t go more in-depth than that at this time.
Insight No. 2: Perimeter-evading attacks surged
Second, overall attacks that get past perimeter defenses are up significantly month to month. Each application and application programming interface (API) we monitor and defend faced 59 attacks on average, up from 45 the month before. The sharpest increases by attack type were in cross-site scripting (XSS), SQL injection and method tampering (aka HTTP verb tampering).
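Method tampering is the least familiar of the three, so here is an added, illustrative example of the class of bug it targets. This is not Contrast code and not from any customer application: the routes, the `Request` type and the two gate functions are hypothetical. The weak gate keys its authorization check on the HTTP method rather than on the resource, so the same path is reachable unauthenticated with any other verb, including one the server never defined; the hardened gate authorizes the resource for every method and rejects verbs the route does not implement.

```python
# Added example (not Contrast Security's code): HTTP method (verb) tampering.
# Everything here is a hypothetical in-memory model of a request gate.
from dataclasses import dataclass
from typing import Optional

ADMIN_PREFIX = "/admin"          # hypothetical protected area


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None   # None means unauthenticated


def vulnerable_gate(req: Request) -> int:
    """Weak rule: only POST to /admin requires a logged-in user.
    GET, PUT, DELETE, HEAD or a made-up verb such as FOO to the same path
    falls through to the handler. Returns an HTTP status code."""
    if req.path.startswith(ADMIN_PREFIX) and req.method == "POST":
        if req.user is None:
            return 403
    return 200                   # handler runs for every other verb, logged in or not


def hardened_gate(req: Request) -> int:
    """Fix: authorize the resource for every method, and refuse verbs the
    route does not implement instead of silently routing them to a default."""
    allowed = {"GET", "HEAD", "POST"}
    if req.method not in allowed:
        return 405
    if req.path.startswith(ADMIN_PREFIX) and req.user is None:
        return 403
    return 200


def probe(gate, path="/admin/users",
          methods=("GET", "POST", "PUT", "DELETE", "HEAD", "FOO")):
    """Tamper test: send an unauthenticated request with each verb and
    return the verbs that were let through (status 200)."""
    return [m for m in methods if gate(Request(m, path)) == 200]


if __name__ == "__main__":
    print("vulnerable gate lets through:", probe(vulnerable_gate))
    print("hardened gate lets through:  ", probe(hardened_gate))
```

The probe is also a reasonable shape for a detection rule: a burst of unusual verbs (or verbs the application never serves) against a single protected path is the signature of someone running exactly this enumeration.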
Context
We’ll get to more of the attack data in a moment. We want to start with some context to explain how we use the word “attack.” We are talking only about attacks that are confirmed to reach their intended vulnerability and are about to launch the exploit, not “the noise of the internet” type attacks that would never have turned into a noteworthy breach. Contrast tunes out the noise, filtering out the false positives.
Contrast’s attack data is measured directly from real-world running applications and APIs. Our attack counts aren’t in the millions, billions or trillions, because inflated counts are part of the problem: too much noise. Because Contrast Security instruments the code, we’re not reporting on signatures or theoretical attacks, only on what is actually a dangerous anomaly.
To better explain, take a look at this graphic, which accounts for one month of data per application. For each application, organizations see hundreds of millions of calls to potentially dangerous functions. From these calls, "security-relevant observations" are isolated for closer examination. For some organizations, that’s where alert fatigue begins. Then, there are thousands of non-viable attacks that get past a web application firewall (WAF), also leading to false positives. But, what Contrast identifies are the actual, viable attacks that reach a vulnerability. On average, the security operations center (SOC) should be worried about and focus on just a few a month, treating them as incidents.

Last month — December 2024 — Contrast saw 480 million calls to potentially dangerous functions per application. When you look at the attacks Contrast ADR identified, you can see an average of 45 reached each individual application or API. Just about 3 of those, on average, became incidents that needed to be investigated. What this graph shows is the importance of knowing exactly what to investigate to avoid alert fatigue.
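To make the funnel above concrete, here is an added, simplified simulation of the three stages it describes: a perimeter signature check, a sensor on the dangerous function, and a structural test that separates a viable attack from input that merely reached the sink. It is not Contrast's product code and does not show how ADR actually instruments .NET or Java; the routes, the `SinkSensor`, the WAF signatures and the sample requests are all constructed for the example. The structural test generalizes the page's SQL injection case: it treats any input that changes the token shape of the statement as viable, which is why a legitimate apostrophe in a name also lands in that bucket (a caveat worth knowing: the sensor sees structure, not intent, and the real fix there is parameterization).

```python
# Added example (not Contrast Security's code): a toy three-stage funnel for
# classifying requests as WAF-blocked, no-sink, non-viable or viable.
import re
from collections import Counter

# --- Stage 1: perimeter (WAF-style) signatures. Deliberately crude: they fire
# on some payloads, miss others, and know nothing about what the input reaches.
WAF_SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"\.\./")]


def waf_blocks(value: str) -> bool:
    return any(sig.search(value) for sig in WAF_SIGNATURES)


# --- Stage 2: a sensor on the dangerous function. Every call that reaches
# execute() is a "security-relevant observation"; nothing is really executed.
class SinkSensor:
    def __init__(self):
        self.last = None

    def execute(self, sql, params=()):
        self.last = (sql, tuple(params))
        return []


# --- Hypothetical application routes. Only /search concatenates input into SQL.
def search_concat(q, db):   # vulnerable: input becomes part of the statement text
    return db.execute(f"SELECT id FROM items WHERE name = '{q}'")


def search_param(q, db):    # safe: input travels as a bound parameter
    return db.execute("SELECT id FROM items WHERE name = ?", (q,))


def echo_only(q, db):       # no database call at all
    return q.upper()


ROUTES = {"/search": search_concat, "/lookup": search_param, "/echo": echo_only}

# --- Stage 3: did the input change the statement's structure?
_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


def sql_shape(sql):
    """Sequence of token kinds: string and numeric literals collapse to STR/NUM,
    punctuation to SYM, keywords and identifiers stay. A different search term
    keeps the shape; an extra quote, operator or keyword changes it."""
    kinds = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            kinds.append("STR")
        elif tok.isdigit():
            kinds.append("NUM")
        elif re.fullmatch(r"\w+", tok):
            kinds.append(tok.upper())
        else:
            kinds.append("SYM")
    return tuple(kinds)


def _sql_reaching_sink(path, q):
    db = SinkSensor()
    ROUTES[path](q, db)
    return None if db.last is None else db.last[0]


def classify(path, q):
    """Label one request: waf_blocked, no_sink, non_viable or viable."""
    if waf_blocks(q):
        return "waf_blocked"
    actual = _sql_reaching_sink(path, q)
    benign = _sql_reaching_sink(path, "benign-probe-0")   # control input
    if actual is None or actual == benign:
        return "no_sink"        # no query at all, or input never became SQL text
    if sql_shape(actual) == sql_shape(benign):
        return "non_viable"     # reached the sink, but only as a plain literal
    return "viable"             # altered the statement: this is the incident


def funnel(requests):
    """Count each stage's outcome over (path, input) pairs."""
    return Counter(classify(path, q) for path, q in requests)


# Constructed sample traffic (not real customer data).
SAMPLE_REQUESTS = [
    ("/search", "lamp"),                        # ordinary search term
    ("/search", "lamp' UNION SELECT 1--"),      # caught at the perimeter
    ("/echo",   "<script>alert(1)</script>"),   # XSS probe, WAF signature
    ("/echo",   "lamp' OR '1'='1"),             # SQLi payload, route has no database
    ("/lookup", "lamp' OR '1'='1"),             # parameterized: never becomes SQL text
    ("/search", "lamp' OR '1'='1"),             # reaches the sink and changes the query
    ("/search", "O'Reilly lamp"),               # legitimate apostrophe, still structural
]

if __name__ == "__main__":
    for path, q in SAMPLE_REQUESTS:
        print(f"{classify(path, q):12} {path} {q!r}")
    print(funnel(SAMPLE_REQUESTS))
```

Of the seven constructed requests, two never pass the perimeter, two carry a real payload that has nowhere to go, one is ordinary traffic, and two actually change the query. Only the last group is what the page calls an attack; the rest is the noise a SOC should not be paging on.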
The next image breaks down the types of viable attacks that Contrast ADR identified and stopped. For the sake of comparing month-to-month averages, we have not included the nearly 16,000 attacks on the single application discussed at the beginning of this article.

Two takeaways this month.
- One .NET application saw nearly 16,000 attacks within days of its public launch. When an attacker focuses on an application, probes it and finds a vulnerability, they are relentless. The volume and pace make it highly likely that the attacks were generated by a bot, by AI or by both. Because Contrast ADR sensors detected and blocked the attacks, none was successful.
- Without question, attacks are up month to month. While one month does not make a trend, it does give credence to our prediction that application attacks will rise this year. AI has allowed attackers to more easily launch attacks on the application layer. AI-powered bots can scan applications for vulnerabilities faster and more efficiently than traditional methods and can then auto-generate payloads for SQL injection, XSS and server-side request forgery (SSRF) attacks based on those discovered vulnerabilities. That’s likely what we saw in January. Of course, ADR stopped the attacks for our customers.
We’ll have to see if the attacks continue to increase next month.
Contact Contrast Security if you’d like to see what’s really happening in your application layer.