Application Security Insights
Practical guides, real-world attack scenarios, and expert tutorials for SOC teams, security professionals, and developers building secure applications.
Create Custom Alert Rules From the Command Line
SecureNow 8.1 adds `securenow alerts rules create` — define your own detection rules from SQL, scope them to your apps, and ship them without leaving the terminal. Here's how, with a real magic-link brute-force example.
A Next.js AWS App That Investigates And Blocks Its Own Attack
We deployed a real Next.js app to AWS, connected SecureNow traces, logs, body capture, multipart metadata, and firewall, then used an AI-assisted MCP workflow to block the attacker IP.
Secure a Next.js App with SecureNow Using This AI Onboarding Prompt
A copy-paste prompt that lets an AI coding agent install SecureNow, wire Next.js instrumentation, verify traces and logs, deploy to AWS, simulate attacks, and prove firewall blocking with human approval gates.
10 Web Development Security Best Practices for Node.js
A prioritized checklist of web development security best practices for Node.js teams, from secure coding to production monitoring and incident response.
What 1.2B Requests Look Like: Anomaly Patterns from the SecureNow Firewall Fleet
Aggregated, anonymized data from 1.2B requests across the SecureNow customer fleet. Top anomaly types, peak hours, and the day-of-week patterns nobody publishes.
10 Best Application Security Monitoring Tools in 2026
An honest, side-by-side comparison of the ten most-deployed application security monitoring tools — from enterprise platforms to free open-source options.
The 2026 npm Supply-Chain Attack Survey, Q2
A quarterly tally of malicious npm packages, the major incidents, and detection patterns. April 2026 set a new record at 847 confirmed malicious packages — here's what they did and how to detect them.
The $3,400 Egress Bill: Post-Mortem of a 72-Hour Scraping Incident
An honest write-up of how a scraping campaign cost us $3,400 in egress over 72 hours, what we missed in detection, and what would have prevented it for $0.
7 Datadog Alternatives Compared by Real Engineers (Not Vendors)
An honest, head-to-head comparison of the seven most-deployed Datadog alternatives in 2026. SecureNow dedicated instance, Grafana Cloud, HyperDX, Dash0, Uptrace, SecureNow, New Relic — what each is good and bad at.
7 Free Firewall Options for Node.js Apps in 2026
Free firewalls for Node.js — application-layer, edge-layer, and self-hostable. Honest tradeoffs for each.
Adding Backend Tracing to a Sentry Stack with OpenTelemetry
If your team uses Sentry for frontend errors and needs backend distributed tracing without doubling the Sentry bill, here's the OpenTelemetry path that doesn't make you choose.
Why Your APM Is Missing the Credential-Stuffing Attack Happening Right Now
APM dashboards plot p99 latency, not attacker behavior. The same span data hides credential stuffing in plain sight. Here's how to surface it.
Application Security Monitoring Tools — 2026 Buyer's Guide
Eight ASM tools compared on detection breadth, integration cost, pricing model, and team fit. Includes the honest tradeoffs vendors don't put in their marketing.
Application Security Monitoring vs RASP: When Each One Wins
ASM observes; RASP blocks. The difference matters more than vendors admit. Here's where each approach is the right call, and the hybrid pattern most mature teams end up with.
How to Block Bot Traffic in Express With No Extra Infra
Five approaches to bot blocking in Express, ranked by effort vs. effectiveness. From a 5-line allowlist to a full IP-reputation firewall — all without Cloudflare, AWS WAF, or any new infrastructure.
How to Block Bot Traffic in Fastify With No Extra Infra
Fastify hooks (onRequest) and the SecureNow preload both work cleanly. Here's the production setup for IP blocking and user-agent filtering.
How to Block Bot Traffic in NestJS With No Extra Infra
NestJS guards, interceptors, and global middleware all give you bot-blocking hooks. Here's the cleanest pattern for each.
How to Block Bot Traffic in Next.js With No Extra Infra
Three patterns for bot blocking in Next.js — middleware, instrumentation, or preload — ranked by what works on Vercel, self-host, and the App Router.
How to Block Bot Traffic in Nuxt With No Extra Infra
Nuxt server middleware + Nitro hooks give you bot-blocking primitives. Here's the production setup for self-hosted Nuxt 3.
We Blocked 3.2M Malicious IPs in 30 Days — Here's What They Were After
An anonymized data report from 30 days of SecureNow firewall traffic across customer fleets. Top attack types, top targeted paths, top ASNs by bad-traffic volume.
Capturing Request Bodies for Forensics in Express Without Leaking Secrets
Full request bodies make incident investigation 10x faster — and leak passwords, tokens, and PII if you do it naively. Here's the redaction-aware capture pattern for Express.
Capturing Request Bodies for Forensics in Fastify Without Leaking Secrets
A Fastify preHandler hook captures bodies for forensics. Here's the redaction-aware version that won't put passwords in your logs.
Capturing Request Bodies for Forensics in NestJS Without Leaking Secrets
NestJS interceptors give you a clean hook for body capture. Here's the redaction-aware pattern that works across REST, GraphQL, and microservices.
Capturing Request Bodies for Forensics in Next.js Without Leaking Secrets
Next.js Route Handlers and Server Actions need redaction-aware body capture. Here's the pattern that works in App Router.
Capturing Request Bodies for Forensics in Nuxt Without Leaking Secrets
Nuxt server middleware + h3 utilities give you a clean hook for body capture. Here's the redaction-aware pattern that works on Nuxt 3 and self-hosted Nitro.
Continuous Application Security Monitoring on a $0 Budget
You don't need a $50k/year ASM contract to get continuous security monitoring. Here's the OpenTelemetry-based stack that works on the free tier of every component.
Tracking Customer Cost-of-Serve from Your Trace Data
If you can't see which customer is consuming 40% of your CPU, you can't price your enterprise tier. Here's how to derive cost-of-serve per customer from OpenTelemetry traces.
Datadog Alternatives Ranked by Real Bills (Not Marketing)
What you'd actually pay on the eight most-deployed Datadog alternatives, calculated for a representative 30-host SaaS scanning 200 GB/month.
Datadog ASM vs a Separate WAF: Which One Actually Blocks Attacks?
Datadog Application Security Monitoring detects attacks. It does not block them. Here's where the gap matters and what to do about it.
Detecting Credential Stuffing in Express in 30 Lines
A working credential-stuffing detector for Express in 30 lines of middleware. Counts auth failures per IP in a sliding window, blocks offenders, exposes a small management API.
Detecting Credential Stuffing in Fastify in 30 Lines
An onRequest hook + a preHandler hook that catches per-IP credential stuffing in Fastify. Production-ready in under 30 lines.
Detecting Credential Stuffing in NestJS in 30 Lines
A working credential-stuffing guard for NestJS using a Guard + ThrottlerModule. Production-ready in 30 lines plus the module config.
Detecting Credential Stuffing in Next.js in 30 Lines
A working credential-stuffing detector for Next.js using middleware + KV — works on Vercel Edge and Node runtime.
Detecting Credential Stuffing in Nuxt in 30 Lines
A Nuxt server middleware + a server route handler that catches per-IP credential stuffing. Works on self-hosted Nuxt 3 and adapts cleanly to Vercel.
Detecting Business-Logic Abuse with the Spans Your APM Already Has
Cart cycling, refund fraud, free-tier abuse, coupon stacking — none of these match a WAF rule, but all show up in trace data if you know what to query.
Adding an IP Firewall to Express Without Cloudflare
You don't need a CDN to block bad IPs. Here's how to wire a 500k-entry IP blocklist into Express in one line, plus the manual fallback for teams that want zero dependencies.
Adding an IP Firewall to Fastify Without Cloudflare
Fastify's onRequest hook + a managed blocklist gives you a real IP firewall in one line. No CDN, no DNS changes.
Adding an IP Firewall to NestJS Without Cloudflare
NestJS sits on top of Express or Fastify. Either way, the SecureNow preload adds a 500k-IP firewall in one line — no DNS changes.
Adding an IP Firewall to Next.js Without Cloudflare
On Vercel, Edge middleware blocks at the edge. On self-host, the SecureNow preload blocks at the HTTP server. Both work without DNS changes.
Adding an IP Firewall to Nuxt Without Cloudflare
On self-hosted Nuxt the SecureNow preload works. On Vercel-deployed Nuxt, server middleware + Vercel KV gives you the same outcome.
How to Migrate from Datadog APM to OpenTelemetry in One Afternoon
A pragmatic four-hour migration playbook from Datadog APM to OpenTelemetry-native observability — including the gotchas nobody warns you about.
OpenTelemetry-Native APM Tools That Aren't Datadog
Five APM tools that use OpenTelemetry as the primary path, not as a bolt-on. Compared on what 'native' actually means in practice.
OpenTelemetry vs Proprietary APM Agents: A Benchmark
Latency overhead, memory footprint, and cold-start time for OpenTelemetry vs Datadog, New Relic, and Sentry agents on a standardized Express workload. Numbers, not opinions.
The Per-Host Pricing Trap (And How to Escape It)
Per-host APM pricing made sense in 2014. It's an actively bad axis for SaaS in 2026. Here's the math, why vendors haven't changed, and what alternatives look like.
Per-Tenant SLOs in a Multi-Tenant SaaS with OpenTelemetry
Aggregate SLOs hide the customer who's about to churn. Here's how to track per-tenant error rates and latency using standard OpenTelemetry conventions.
Rate Limiting in Express That Actually Works (And 3 Ways It Usually Doesn't)
express-rate-limit is the right starting point. Here's how to configure it for production, when its in-memory store breaks, and the three subtle mistakes that make rate limits useless.
Rate Limiting in Fastify That Actually Works
@fastify/rate-limit + Redis is the production-grade combo. Here's the config that handles trust proxy, per-route limits, and per-user keys correctly.
Rate Limiting in NestJS That Actually Works
ThrottlerModule is the right starting point. Here's the production config, the Redis-backed shared store, and per-route customization.
Rate Limiting in Next.js That Actually Works
Edge middleware + Vercel KV gives you proper rate limiting without an extra service. Here's the production setup with the gotchas Vercel docs don't cover.
Rate Limiting in Nuxt That Actually Works
Nuxt 3 doesn't ship a rate-limit module, but Nitro's event handlers + Upstash Redis give you production-grade rate limiting in 30 lines.
Sentry's Per-Event Pricing: When Frontend Errors Break the Budget
Sentry charges per error event captured. Here's the pricing math, what triggers cost spikes, and how teams keep their bills predictable as traffic grows.
Sentry vs Datadog vs SecureNow: Full-Stack Observability in 2026
A direct comparison of three different bets on full-stack observability — Sentry's frontend-led approach, Datadog's per-host empire, and SecureNow's collapsed APM+security model.
Web Application Security Monitoring with OpenTelemetry
How to use OpenTelemetry traces as the foundation for application security monitoring — the same data your APM uses, repurposed for attack detection.
The Real Datadog Bill: A $40k/year SaaS Migration Story
What a 30-engineer SaaS team paid Datadog before migrating, what they pay now, and the line items they didn't see coming. Includes a per-feature cost breakdown.
Datadog vs OpenTelemetry: When to Drop the Agent
The Datadog agent and the OpenTelemetry SDK now overlap on 90% of the trace pipeline. Here's when keeping the agent still makes sense, and when it's pure lock-in tax.
Analyzing Multipart File Upload Requests for Security Issues — A Practical Guide with SecureNow Tracing
Learn why multipart/form-data requests are a blind spot in most observability setups, what security risks they carry, and how to capture upload metadata in your traces without buffering file content — using SecureNow's new streaming multipart parser.
Getting Started with SecureNow and Nuxt 3 — Add Security Monitoring in Under 2 Minutes
A hands-on walkthrough for adding security observability to a Nuxt 3 app using the securenow npm package and official Nuxt module. Covers installation, nuxt.config.ts setup, environment variables, optional tuning, deployment targets, CLI verification, and troubleshooting.
One Flag to Trace Them All — `-r securenow/register` Now Works for ESM and CJS
Stop juggling --require and --import flags. securenow/register now auto-registers the ESM loader hook via module.register() on Node >=20.6, so a single -r flag is all you need for both CommonJS and ESM apps.
Axios npm Compromise (March 31, 2026): How to Check Your Project and Runtime for Exposure
Step-by-step guide to auditing your Node.js project for the Axios supply chain attack that shipped a remote access trojan via plain-crypto-js. Includes a ready-to-paste AI audit prompt, IOC checklist, and SecureNow forensics queries to detect runtime compromise.
Add Security Monitoring to a Next.js App with SecureNow — Traces, Logs, and Body Capture on AWS
Step-by-step guide to integrating SecureNow into a self-hosted Next.js application on AWS EC2. Covers installation, instrumentation, environment configuration, verifying traces and logs, enabling request body capture, and creating alert rules.
How to Secure Your Fastify App with SecureNow — Real-Time API Protection via OpenTelemetry
Step-by-step guide to adding security monitoring to your Fastify API with the securenow npm package. Covers CLI setup, instrumentation, body capture caveats, PM2, Docker, and dashboard verification.
How to Secure Your Feathers App with SecureNow — Full-Stack Service Monitoring
End-to-end guide for adding security monitoring to a Feathers.js application with SecureNow. Covers Express transport, service layer tracing, and production deployment.
How to Secure Your h3 App with SecureNow — Nitro-Ready Observability Guide
Complete walkthrough for adding security monitoring to your h3 / Nitro application with the securenow npm package. Covers CLI setup, body capture, instrumentation, PM2, and Docker.
How to Secure Your Hapi App with SecureNow — Full Integration Guide
Step-by-step guide to adding security monitoring and observability to your Hapi.js application using the securenow npm package. Covers CLI setup, instrumentation, PM2, and Docker.
How to Secure Your Hono App with SecureNow — ESM-Ready Tracing for Modern Node.js
Complete walkthrough for adding security monitoring to a Hono application with SecureNow. Covers the ESM preload pattern, body capture limitations, and production deployment.
How to Secure Your Koa App with SecureNow — Full-Stack Observability for Node.js APIs
Complete walkthrough for adding security monitoring to your Koa.js API with the securenow npm package. Covers CLI login, free trial setup, body capture, PM2 deployment, Docker, and trace verification.
How to Secure Your Micro / Raw HTTP App with SecureNow — Zero-Framework Node.js Monitoring
Step-by-step guide to adding security monitoring to a raw Node.js HTTP server with SecureNow. No framework required — just http.createServer and one npm package.
How to Secure Your NestJS App with SecureNow — TypeScript-Native Tracing and Threat Detection
End-to-end guide to adding security monitoring to your NestJS application using the securenow npm package. Covers instrument.js setup, TypeScript compatibility, PM2, Docker, and dashboard verification.
How to Secure Your Polka App with SecureNow — Lightweight Framework Integration Guide
End-to-end guide for adding security monitoring to your Polka application with the securenow npm package. Covers body parsing, CLI setup, instrumentation, PM2, and Docker deployment.
Getting Started with SecureNow and Express.js — From Install to Full Observability in 5 Minutes
A hands-on walkthrough for adding security monitoring to your Express.js app using the securenow npm package. Covers CLI login, app creation with the free trial, instrumentation, logging, and verifying traces in the dashboard.
Getting Started with SecureNow and Next.js — Automatic Security Monitoring in Under 2 Minutes
Step-by-step guide to adding security observability to your Next.js application using the securenow npm package. Covers CLI authentication, free trial setup, automatic and manual instrumentation, Vercel deployment, and dashboard verification.
How to Automate IP Threat Investigation with AI in Your SOC
Learn how AI-powered IP investigation reduces manual triage from 30 minutes to seconds. Automate threat verdicts, risk scoring, and response recommendations for your SOC team.
SOC Notification Triage: From Alert Overload to Actionable Incidents
Master the art of SOC notification triage with structured workflows. Learn to filter, prioritize, and resolve security alerts efficiently using status-based workflows and AI-powered investigation.
Eliminating False Positives: A SOC Team's Guide to Smarter Alerting
Reduce false positive rates in your SOC with AI-suggested exclusions, test-before-apply workflows, and intelligent path pattern matching. A practical guide to cleaner alerts.
Real-Time IP Monitoring at Scale: Tracking Thousands of IPs Across Your Infrastructure
Monitor and investigate thousands of IP addresses in real-time with automated threat intelligence enrichment, status tracking, and batch analysis for enterprise security operations.
Building Alert Rules That Actually Catch Threats (Without the Noise)
Design effective SQL-based security alert rules with smart throttling, channel routing, and exclusion patterns. A practical guide to reducing noise while catching real threats.
Case Study: How a SOC Team Detected a Credential Stuffing Attack in 12 Minutes
A step-by-step walkthrough of how a SOC team used AI-powered investigation, alert rules, and false positive management to detect and respond to a credential stuffing attack across 47 attacker IPs.
AI-Powered Trace Analysis: Detecting Security Issues Hidden in Application Spans
Discover how AI-driven trace analysis uncovers SQL injection, SSRF, auth bypass, and path traversal attacks that WAFs miss — by examining application behavior at the span level.
Security Forensics with Natural Language: Query Your Traces Like You Think
Transform security investigations with natural language forensics. Ask questions in plain English and get instant SQL results from your ClickHouse trace data — no query syntax required.
API Attack Surface Discovery: Map Every Endpoint Before Attackers Do
Automatically discover and map your entire API surface from live traffic using AI-enhanced endpoint analysis. Find shadow APIs, undocumented endpoints, and parameter patterns attackers exploit.
Enriching Threat Intelligence with SecureNow AI IPDB: Beyond Basic IP Reputation
Go beyond simple IP blocklists. Learn how SecureNow combines SecureNow AI IPDB reputation data with application-level trace analysis for higher-confidence threat verdicts and faster incident response.
Quadrant Analysis: Identifying Malicious IPs Through Traffic Behavior Patterns
Use quadrant analysis to visually identify malicious IPs, scanners, and bots by plotting traffic behavior patterns. Learn to interpret success-to-error ratios for rapid threat classification.
Anatomy of an API Abuse Campaign: Detection to Remediation in 45 Minutes
A detailed walkthrough of detecting and stopping an API abuse campaign using API surface discovery, AI investigation, trace analysis, and forensic queries — from first alert to full remediation.
Adding Security Observability to Your App in 15 Minutes with OpenTelemetry
A step-by-step developer guide to instrumenting your application with OpenTelemetry and connecting it to SecureNow for real-time security monitoring, threat detection, and AI-powered analysis.
From Traces to Security Alerts: A Developer's Guide to Threat Detection
Learn how developers can set up security alerts on their applications without a dedicated SOC — detect 4xx spikes, error patterns, and suspicious IPs using trace-based alert rules.
Writing Custom ClickHouse Queries for Application Security Analytics
A developer's tutorial on writing ClickHouse SQL queries for security analytics — find suspicious IPs, detect error patterns, and analyze application traffic using trace data.
How a Developer Caught a Supply Chain Attack in Trace Data
A realistic scenario of how a developer discovered a compromised npm package through unusual outbound HTTP calls in OpenTelemetry trace data — and used AI analysis to confirm and contain the threat.
The Complete SecureNow Workflow: From First Trace to Incident Resolution
A comprehensive walkthrough of the entire SecureNow platform — from application setup and trace ingestion through alert rules, AI investigation, forensic analysis, and incident resolution.
Stopping a Distributed Bot Attack: A Multi-Feature Response Playbook
A detailed playbook for detecting and stopping a distributed bot attack using quadrant analysis, AI investigation, SecureNow AI IPDB enrichment, forensic queries, and false positive management.
Detecting Insider Threats Through Application Trace Anomalies
How to detect insider threats by analyzing application trace patterns — after-hours access, unusual data exports, and privilege escalation detected through forensic queries and AI investigation.
SecureNow vs Traditional SIEM: Why Trace-Based Security Wins for Modern Applications
A detailed comparison of trace-based application security monitoring versus traditional SIEM — covering detection fidelity, false positive rates, time-to-detection, and total cost of ownership.
How to Integrate SecureNow with Your Next.js Application
Complete guide to adding enterprise-grade security monitoring to your Next.js app with SecureNow. Learn automatic setup, manual configuration, and best practices for production deployment.
How to Secure and Monitor Your Node.js App with PM2 and SecureNow
Step-by-step guide to integrating SecureNow into your Node.js Express application using PM2. Learn how to set up automatic monitoring and security threat detection.