Application security monitoring, explained without the marketing fog.

The 30-second version

Application security monitoring (ASM) is what you call observability once you start looking at it through a security lens. The same trace data your APM uses to plot p99 latency can also tell you that 400 requests in the last 60 seconds tried to log in as admin from 73 different IPs — every one of them on three large hosting providers, every one of them failing with a 401. Your APM saw a 401 spike. ASM saw a credential-stuffing attack.

Why it matters now (and didn't in 2018)

Three things changed:

• The attack surface is the application, not the network. Most workloads are in someone else's VPC. Network-layer SIEMs see less and less of what attackers actually do.
• Bots are economically rational.LLM training scrapers, sneaker-bot resellers, and credential-stuffing rings have ROI math. They'll outrun rate limits, rotate IPs, and probe every CVE within hours of disclosure. Static rules can't keep up.
• OpenTelemetry made the data layer free.Every modern framework now emits structured traces. The hard part isn't collection anymore — it's correlation, intent classification, and enforcement.

ASM vs APM vs SIEM vs WAF — the actual differences

These categories are increasingly merged in practice, but they answer different questions:

• APM answers “is my app fast and not erroring?”
• ASM answers “is my app being abused?”
• WAF / IP firewall answers “drop these requests before they hit my app.”
• SIEM answers “correlate everything across all my systems for compliance and IR.”

The historical reason teams bought four products is that the data was in four places. Today the trace pipeline gives you all four answers from one stream — if your tool was built for it.

What ASM actually catches

A non-exhaustive list of what good ASM picks up that the WAF rules miss:

• Slow-rolling credential stuffing (under per-IP rate limits).
• API scraping with rotating residential proxies.
• Business-logic abuse: cart cycling, refund fraud, free-tier abuse.
• Model-training scrapers that ignore robots.txt.
• CVE probes within hours of disclosure — the new log4shell-of-the-week attack pattern.
• Account-takeover sequences: password reset → MFA enrol → device add, all from a new ASN.
• Internal misuse: a service principal calling endpoints it has never touched before.

The 5-point ASM tool checklist

1. OpenTelemetry-native, not a proprietary agent. Otherwise you're locked in the day you sign.
2. Logs + traces + IP intel in one query layer. Fragmented = slow forensics.
3. Enforcement included. If you have to glue a separate WAF to your ASM, the round-trip kills response time.
4. AI-assisted investigation.Humans can't scroll every span. The tool should summarise, hypothesise, and link evidence.
5. Usage-based pricing.If your bill scales with host count instead of with data scanned, you'll over-provision the wrong thing.

How SecureNow does it

SecureNow is one OpenTelemetry collector + one ClickHouse + one firewall + one AI investigation layer, sold as a single product. Concretely:

• npm install securenow + a -r preload — no code changes — captures HTTP, gRPC, DB, and outbound requests with full headers and bodies (with redaction).
• The same SDK exposes a real-time IP firewall (500k+ IPs from AbuseIPDB + your custom blocklist + automation rules).
• The dashboard correlates spans, logs, and IP intel; the AI agent answers “was anyone exploiting CVE-2024-X today?” in plain English.
• Free tier (1 GB/month) and $5 per TB after that. No per-host pricing.

See the Datadog comparison, the APM + security combo guide, or the free firewall.

Frequently asked