Why can password spraying be missed?
Because each IP may attempt only a few logins. Single-source thresholds may never trigger, so the full pattern must be tracked.
Detection Scenario
Failed login counts alone are not enough. Source distribution, timing intensity, username pattern, and the follow-up successful login should be evaluated together.
Rapid attempts from multiple IPs against the same user, or one IP trying many usernames followed by a successful VPN session, forms a high-risk pattern.
Because these attacks are no longer tied to a single IP or a single time window. Distributed patterns require state-aware tracking.
Because each IP may attempt only a few logins. Single-source thresholds may never trigger, so the full pattern must be tracked.