What is Secondary Detection?

Secondary detection refers to the cybersecurity practice of identifying threats by analyzing aggregated data after an initial detection event or decision has occurred. Unlike primary detection methods, which block or flag threats as they first appear, secondary detection is a deeper, ongoing analysis of large volumes of traffic data, using purpose-built AI to uncover hidden relationships between events and evolving attacker strategies.

For example, in bot management, secondary detection isolates automated traffic into distinct attack profiles after the initial block-or-allow decision has been made. Tracking individual profiles over time allows security teams to react to an attacker's specific adaptations, add new detection signatures, and continue to block the attacker as tactics change.

Why Secondary Detection matters

Secondary detection helps security teams gain deeper visibility into what specific threats are doing on their application. Analyzing data post-decision enables organizations to uncover hidden threat patterns and connections between seemingly unrelated security events, which accelerates investigations and enables faster response to evolving threats. 

Beyond visibility, secondary detection lets detection adapt to the attacker's changing behavior. Because individual profiles are monitored over time, the system can react to each profile's specific adaptations and continue to track and block the attacker behind it. The number of signatures the system uses for each profile grows over time, and this information is surfaced in the portal.

Common examples of Secondary Detection

Secondary detection is used across cybersecurity to uncover hidden threats and evolving attack strategies that primary detection methods may miss. Below are key examples of how it is applied.

Adaptive Detection

Attackers are constantly adjusting their tactics to evade security measures. Secondary detection tracks and blocks attackers as they adapt over time to ensure a continuous line of sight and continuous protection.

Attack profiles reporting

Sophisticated bots hide among the noise. Secondary detection isolates and segments traffic into distinct profiles after the block or allow decision, surfacing specific attacks and attacker behaviors so nothing remains hidden.

Verification feedback loops

Verification challenges (such as Human Challenge) collect valuable signals from the bots that attempt to solve them. Secondary detection analyzes the data from attempted challenge solves after a block has occurred, learning from that feedback to continuously refine detection while minimizing friction for real users.

Secondary Detection in bot management

In bot management, secondary detection means looking beyond the bot-or-not decision and analyzing bot activity data in aggregate. After blocking individual malicious bots, secondary detection uses purpose-built AI to create detailed attacker profiles, track attacker behaviors even as they change tactics, and identify larger patterns in bot traffic. This goes far beyond signature-based detection and endpoint monitoring. With secondary detection, security teams can rapidly pinpoint specific attacker methods and strategies — and respond effectively to threats as they adapt over time.

How it works

An AI data layer of interconnecting statistical and machine learning models analyzes all current and historical traffic in aggregate after a block or allow decision is made. It works by comparing all current traffic on an application to all other current traffic and then comparing that to all past traffic. The traffic is isolated and segmented into distinct bot profiles based on its characteristics and actions to identify large-scale patterns and track specific attacker behaviors. 

Purpose-built AI models recognize how threats evolve, identifying and responding to subtle shifts in tactics. The system tracks individual profiles over time and automatically adds new detection signatures as attackers evolve, so security teams can react to specific adaptations and continue to block specific threat actors as they change their methods.

As attackers pivot tactics, the system dynamically adjusts its response and its mitigation workflows, ensuring continued protection against emerging threats. Secondary detection algorithms continuously learn from attack data at scale, which enhances visibility, refines response strategies, and provides ongoing, adaptive defense against sophisticated threats.
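The post-decision profiling described in this section, reduced to a runnable sketch. This is an added example, not HUMAN's engine or any code from the page: the event fields, the grouping key (source /24, targeted endpoint, request-rate shape), the constructed log and the "new User-Agent after a block" rule are all assumptions chosen to illustrate the idea. It shows how traffic that a primary layer already labelled block or allow can be grouped into attack profiles on behavioural features the attacker changes less readily than the User-Agent, how a profile's signature set grows across time windows, and how requests that evaded the primary decision are retroactively tied to a profile that was blocked earlier.

```python
"""Toy secondary-detection pass over primary block/allow decisions.
Added example for illustration; not HUMAN's code."""
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). Each row is one request after the
# primary bot-or-not decision: (time_window, primary_decision, client_ip,
# user_agent, path, behaviour). The 203.0.113.0/24 rows are one credential-
# stuffing operator who rotates User-Agent in window 2 to evade a UA-based
# primary rule; the 198.51.100.0/24 rows are ordinary human browsing.
EVENTS = [
    (1, "block", "203.0.113.10", "python-requests/2.31", "/login", "burst"),
    (1, "block", "203.0.113.11", "python-requests/2.31", "/login", "burst"),
    (1, "allow", "198.51.100.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "/home", "normal"),
    (2, "block", "203.0.113.12", "python-requests/2.31", "/login", "burst"),
    (2, "allow", "203.0.113.13", "Mozilla/5.0 (X11; Linux) Chrome/119", "/login", "burst"),
    (3, "allow", "203.0.113.14", "Mozilla/5.0 (X11; Linux) Chrome/119", "/login", "burst"),
    (3, "allow", "198.51.100.6", "Mozilla/5.0 (Macintosh) Safari/17", "/home", "normal"),
]


@dataclass
class Profile:
    """One attack profile: traffic grouped by behaviour, tracked across windows."""
    key: str
    signatures: set = field(default_factory=set)       # User-Agents seen; grows over time
    blocked_windows: set = field(default_factory=set)  # windows with a primary block
    requests: list = field(default_factory=list)       # (window, decision, user_agent)


def profile_key(ip, path, behaviour):
    """Hypothetical grouping key: source /24, targeted endpoint and rate shape.
    These are features the attacker changes less readily than the User-Agent."""
    prefix = ".".join(ip.split(".")[:3])
    return f"{prefix}|{path}|{behaviour}"


def build_profiles(events):
    """Segment all traffic (blocked and allowed) into profiles after the decision."""
    profiles = {}
    for window, decision, ip, ua, path, behaviour in sorted(events):
        key = profile_key(ip, path, behaviour)
        p = profiles.setdefault(key, Profile(key))
        p.signatures.add(ua)
        p.requests.append((window, decision, ua))
        if decision == "block":
            p.blocked_windows.add(window)
    return profiles


def find_adaptations(profiles):
    """Return (profile_key, window, new_user_agent) for each request that the
    primary layer allowed although it belongs to a profile blocked earlier and
    carries a User-Agent that profile had not shown before: a candidate new
    signature. Profiles never blocked contribute nothing, which keeps ordinary
    browsers that simply upgrade their UA from being flagged."""
    found = []
    for p in profiles.values():
        if not p.blocked_windows:
            continue
        first_block = min(p.blocked_windows)
        seen = set()
        for window, decision, ua in p.requests:
            if decision == "allow" and window >= first_block and ua not in seen:
                found.append((p.key, window, ua))
            seen.add(ua)
    return found


def signature_timeline(profile):
    """Cumulative count of distinct signatures known for a profile per window."""
    known, timeline = set(), {}
    for window, _, ua in profile.requests:
        known.add(ua)
        timeline[window] = len(known)
    return timeline


if __name__ == "__main__":
    profiles = build_profiles(EVENTS)
    for key, p in profiles.items():
        print(key, "blocked in", sorted(p.blocked_windows), "signatures over time", signature_timeline(p))
    for key, window, ua in find_adaptations(profiles):
        print(f"window {window}: profile {key} evaded primary detection with new UA {ua!r}")
```

In the constructed log the login profile is blocked in windows 1 and 2 on the python-requests User-Agent, then reappears in windows 2 and 3 with a Chrome User-Agent that the primary rule allowed; `find_adaptations` links those allowed requests back to the blocked profile and proposes the Chrome UA as a second signature, while the /home browsing profile, which also changes User-Agent between windows, is never a candidate because it was never blocked.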

How HUMAN uses Secondary Detection to defend accounts and applications from bot attacks

HUMAN’s secondary detection engine sets a new standard in bot management. By segmenting and isolating bot traffic, it delivers detailed insight into bot activity. The AI is purpose-built, meaning it was architected for this specific use case rather than adapted from an LLM or an off-the-shelf product. The following AI-derived secondary detection capabilities are available in Account Protection and Application Protection:

  • Adaptive Learning: Tracks and blocks attackers as they adapt and change tactics over time, ensuring a continuous line of sight and continuous protection even after the initial decision is made
  • Attack Profiling: HUMAN Sightline segments malicious traffic into distinct attack profiles and provides visibility into attack characteristics and attacker actions, allowing analysis of attacks beyond just traffic spikes 
  • Investigation Tools: Delivers intelligence that allows customers to jump straight into their analysis, saving time and improving understanding of what exactly happened during an attack 
  • Network Attack Event Detection: Helps customers understand the scale and complexity of an attack to better identify and neutralize large-scale abuse of fake and compromised accounts

In addition to enhancing customers’ detection, mitigation, and reporting capabilities, HUMAN places a strong emphasis on explainability. The dashboards give customers the tools to explore the reasoning behind a block decision without requiring a full investigation, as well as the tools to adjust detections on an ongoing basis if needed.

HUMAN’s secondary detection models are unique to each customer, tracking the specific traffic on each one’s application. Using this technology, we are able to turn attacker-specific signals into a bespoke threat narrative and strengthen mitigation strategies accordingly.