AI traffic anomaly detection: are your thresholds keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Fixed-rule monitoring is no longer enough for global traffic because static thresholds cannot keep pace with shifting user behaviour and low-and-slow bot activity, according to Arkose Labs. Smart Traffic Anomaly Detection learns normal traffic patterns from six weeks of history, builds 100+ hourly thresholds per country, and in one deployment found 100,000+ suspicious sessions in three weeks while cutting false positives by more than half.

NHIMG editorial — based on content published by Arkose Labs: AI Stop Chasing False Alarms, how AI-powered traffic monitoring cuts alert fatigue

Questions worth separating out

Q: How should security teams reduce false positives in global traffic monitoring?

A: Security teams should move away from one-size-fits-all thresholds and use adaptive baselines that account for geography, time of day, and business cycle.

Q: Why do fixed traffic rules miss low-and-slow attacks?

A: Fixed rules miss low-and-slow attacks because attackers can stay below a static threshold while gradually building suspicious activity over time.

Q: How do you know if anomaly detection is actually improving security operations?

A: Look for two signals: fewer false positives and more true suspicious sessions detected in places that previously had little or no coverage.

Practitioner guidance

  • Replace universal thresholds with region-aware baselines: build separate detection profiles for major countries, time zones, and business cycles so normal traffic is judged against local patterns rather than global averages.
  • Connect anomaly detection to enforcement workflows: ensure suspicious-session flags automatically trigger downstream action in the enforcement layer instead of leaving triage entirely to analysts.
  • Measure false-positive drag as an operational control metric: track analyst hours lost to benign traffic spikes and review whether threshold tuning is reducing workload or simply moving noise around.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • How Smart Traffic Anomaly Detection builds 100+ hourly thresholds per country from six weeks of historical data
  • How the detection engine feeds suspicion flags into Arkose Bot Manager's enforcement layer in real time
  • How the system reduces analyst workload by continuously refining detection against new traffic patterns
  • How deployments with no prior coverage surfaced 100,000+ suspicious sessions over three weeks

👉 Read Arkose Labs' analysis of AI-powered traffic anomaly detection and alert fatigue →

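The "why do fixed rules miss low-and-slow attacks" point from the Q&A above, shown in code. This is an added example written for this thread; it is not Arkose Labs' detection logic and not code from the post. The 20-minute baseline, the 20-attempts-per-minute static rule and the 30-minute attack stream are all constructed. It runs three detectors over the same stream: the fixed per-minute threshold, an adaptive but still per-minute 3-sigma rule, and a one-sided CUSUM that accumulates small excesses over time.

```python
"""Constructed example: a fixed per-minute threshold, a per-minute z-score
rule and a CUSUM detector run over the same low-and-slow request stream.
Not Arkose Labs code; every number below is synthetic."""
from statistics import mean, pstdev

# Constructed normal history: failed-login attempts per minute on one
# endpoint over a quiet 20-minute window (mean 10, standard deviation 2).
BASELINE = [10, 8, 12, 9, 11, 7, 13, 10, 6, 14,
            8, 12, 10, 9, 11, 8, 12, 10, 9, 11]

# Assumed static rule: alert only when a single minute exceeds 20 attempts.
STATIC_THRESHOLD = 20

# Constructed attack: an attacker adds roughly three paced attempts per
# minute on top of normal traffic for 30 minutes. No single minute exceeds
# the highest value ever seen in the baseline (14).
LOW_AND_SLOW = [13, 12, 14, 13, 12, 13, 14, 13, 12, 13,
                14, 13, 13, 12, 14, 13, 13, 12, 14, 13,
                13, 12, 14, 13, 13, 14, 12, 13, 13, 12]


def static_alerts(counts, threshold=STATIC_THRESHOLD):
    """Minutes at which a fixed per-window threshold fires."""
    return [i for i, c in enumerate(counts) if c > threshold]


def zscore_alerts(counts, baseline, z=3.0):
    """Minutes at which an adaptive but still per-window rule fires:
    the count is more than z standard deviations above the baseline mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [i for i, c in enumerate(counts) if c > mu + z * sigma]


def cusum_first_alert(counts, baseline, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM (Page's test). Each minute adds its excess over
    (baseline mean + slack k) to a running sum that resets to zero whenever
    traffic is at or below normal. Returns the index of the first minute
    the sum crosses the decision interval h, or None if it never does."""
    mu, sigma = mean(baseline), pstdev(baseline)
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for i, c in enumerate(counts):
        s = max(0.0, s + (c - mu) - k)
        if s > h:
            return i
    return None


if __name__ == "__main__":
    print("static rule fires at minutes:", static_alerts(LOW_AND_SLOW))
    print("3-sigma per-minute rule fires at:", zscore_alerts(LOW_AND_SLOW, BASELINE))
    print("CUSUM first alert at minute:", cusum_first_alert(LOW_AND_SLOW, BASELINE))
    print("CUSUM on normal traffic:", cusum_first_alert(BASELINE, BASELINE))
```

Neither per-window rule ever fires on the constructed stream, because the attacker never exceeds 14 attempts in a minute; the CUSUM crosses its decision interval in the sixth minute and stays quiet on the baseline itself. The slack k and decision interval h trade detection delay against false alarms, and the detector assumes the baseline is stationary, so in a global deployment the mean and deviation it is fed should come from the region- and hour-specific baselines the post recommends rather than from one global figure.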
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Static threshold monitoring is a governance failure, not just a tuning problem. Fixed rules assume traffic patterns remain stable long enough for a threshold to be meaningful, but global identity and bot traffic do not behave that way. Once geography, time zone, and campaign timing matter, the control no longer maps to reality. The implication is that monitoring programmes must stop treating threshold drift as an operational nuisance and recognise it as a structural mismatch between control design and traffic behaviour.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and another 47% having only partial visibility, according to The State of Non-Human Identity Security.
  • That same research found only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how fragile confidence remains even where identity controls are already in place.

A question worth separating out:

Q: What is the difference between static thresholds and adaptive baselines?

A: Static thresholds use one fixed rule to judge all traffic, while adaptive baselines learn normal behaviour from historical data and adjust by region and time. Static rules are easier to deploy but break as patterns change. Adaptive baselines are better for global environments because they reflect how traffic actually behaves across countries, hours, and weekends.

👉 Read our full editorial: AI traffic anomaly detection reduces alert fatigue without fixed thresholds



   
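The static-versus-adaptive distinction in @mr-nhi's Q&A, together with the region-aware baselines the topic starter recommends, as an added worked example. It is not Arkose Labs code and does not come from either post. The two countries, the shared diurnal curve, the six weeks of hourly counts, the 800-requests-per-hour static rule and the injected anomaly are all constructed; the deterministic generator is a stand-in for real hourly telemetry, and the mean-plus-k-sigma baseline with an absolute floor is this example's choice, not a description of Arkose Labs' method.

```python
"""Constructed example: one threshold per (country, hour-of-day) learned from
six weeks of history versus a single global static threshold.
Not Arkose Labs code; all traffic data below is synthetic."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed steady-state peak volume per country (requests per hour).
BASE_VOLUME = {"US": 1000, "NL": 50}


def diurnal(hour):
    """Assumed time-of-day shape shared by both countries (fraction of peak)."""
    if hour < 6:
        return 0.3
    if hour < 9:
        return 0.7
    if hour < 18:
        return 1.0
    return 0.6


def synthetic_hour(country, day, hour):
    """Deterministic stand-in for one real hourly count: peak volume scaled by
    time of day with +/-5% day-to-day jitter. Replace with real telemetry."""
    jitter_pct = ((31 * day + 7 * hour) % 11) - 5
    return round(BASE_VOLUME[country] * diurnal(hour) * (1 + jitter_pct / 100))


def build_history(days=42):
    """Six weeks of hourly counts keyed by (country, hour-of-day)."""
    history = defaultdict(list)
    for day in range(days):
        for country in BASE_VOLUME:
            for hour in range(24):
                history[(country, hour)].append(synthetic_hour(country, day, hour))
    return history


def build_baselines(history, k=3.0, min_margin=5):
    """One threshold per (country, hour): mean + k*std, with an absolute floor
    so a low-volume country does not alert on a handful of extra requests."""
    return {key: mean(vals) + max(k * pstdev(vals), min_margin)
            for key, vals in history.items()}


def static_alerts(day_counts, threshold):
    """(country, hour) pairs a single global threshold would flag."""
    return sorted(key for key, c in day_counts.items() if c > threshold)


def adaptive_alerts(day_counts, baselines):
    """(country, hour) pairs flagged against their own learned threshold."""
    return sorted(key for key, c in day_counts.items() if c > baselines[key])


def demo_day(day=42, inject=(("NL", 3), 300)):
    """The day after the history window, with one constructed anomaly:
    NL at 03:00 receives 300 requests, about twenty times its normal
    night-time volume."""
    counts = {(c, h): synthetic_hour(c, day, h)
              for c in BASE_VOLUME for h in range(24)}
    key, value = inject
    counts[key] = value
    return counts


def compare(static_threshold=800):
    """Run both detectors over the same day and return what each flagged."""
    baselines = build_baselines(build_history())
    day = demo_day()
    return {"static": static_alerts(day, static_threshold),
            "adaptive": adaptive_alerts(day, baselines)}


if __name__ == "__main__":
    result = compare()
    print("global 800/hour rule fired on:", result["static"])
    print("per-country-hour baselines fired on:", result["adaptive"])
```

On the constructed data the global rule fires on all nine US business hours, every one of them benign, and never sees the Dutch night-time spike because 300 requests is far below 800; the learned baselines flag exactly ("NL", 3). The floor in build_baselines is the practical caveat: for a country whose normal night-time volume is 15 requests an hour, three standard deviations is under two requests, and without a floor the detector would page on noise.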