When ten thousand benign logins hid one real wave
A Toronto-based fintech scale-up processed millions of authentication events daily. Their SIEM fired thousands of login-anomaly alerts weekly; analysts had stopped reading them. During a credential-stuffing campaign, the real intrusion sat in the noise for eleven days before a customer complaint surfaced it.
Cyber Synth AI ran a discovery phase mapping auth telemetry, then built a machine-learning detection pipeline trained on six months of labelled events. Behavioural analytics features captured velocity, geo-impossibility, and device-fingerprint drift. False-positive reduction tuning ran alongside three night-shift analysts who validated every proposed threshold.
After eight weeks, alert volume dropped by roughly 47% while detection coverage for confirmed stuffing patterns improved. SOAR automation enriched tier-one tickets with user context and risk scores. Human analysts retained approval authority on any account lockout. The client engaged us on a retainer for ongoing model retraining and SIEM content review.
Scope: ML threat detection, anomaly analytics, SOC automation, alert triage workflow design.
Outcome note: Results specific to this client's data quality and analyst participation — not a guarantee for other environments.