For ten years credential-stuffing was a volume game. You bought a paste of leaked username/password pairs and threw them at a login page until something worked. The economics were terrible per-attempt and great in aggregate.
That has flipped. The most successful attacks we've seen in the last six months are smaller, slower, and substantially more informed. They don't start at the login page. They start at the careers page.
Reconnaissance that used to be a week of work
Point an LLM at a target's /jobs page, its engineering blog and its support docs and you get, for the cost of a few API calls, a serviceable map of the internal stack: which identity provider, which observability vendor, which cloud, which deploy tooling. Knowing those names narrows which leaked credential pairs are worth trying, and against which vendor login portal, when the time comes, by an order of magnitude or more.
What we're seeing on victim systems is the next step: a single low-rate session that walks the public surface, picks out likely-internal hostnames and vendor names mentioned in postings, then makes a small number of authentication attempts. Those attempts succeed at a rate that would be economically irrational with randomly chosen pairs.
The detection signal you already have
Most of the targeted reconnaissance does not look like a bot. It looks like a slow, patient reader. The detection signal is not request volume. It is the shape of the read: a session that visits twelve distinct careers postings in three minutes, then closes, then is followed an hour later by a single failed login from the same IP.
That's not a thing your WAF was built to alert on. But it's exactly the kind of cross-session pattern that the new generation of behavioural telemetry (the kind that knows about pointer paths, dwell times and read order) can stitch together. One caveat before you build the rule: keying the join on source IP alone is brittle, since shared corporate egress and carrier-grade NAT put many readers behind one address and residential proxy pools rotate the attacker across many. Treat the IP match as the first-pass correlation and confirm it with session or device-level signals before you act on it.