
> Describes how Auth0 detects attacks to stop malicious attempts to access your application, alert you and your users of suspicious activity, and block further login attempts.

# Attack Protection

Auth0 can detect attacks and stop malicious attempts to access your application, for example by blocking traffic from certain IPs and displaying a CAPTCHA.

In the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection), you can enable the following <Tooltip tip="Attack Protection: Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication." cta="View Glossary" href="/docs/glossary?term=attack+protection">attack protection</Tooltip> options to mitigate attacks:

* [Bot Detection](/docs/secure/attack-protection/bot-detection)
* [Suspicious IP Throttling](/docs/secure/attack-protection/suspicious-ip-throttling)
* [Brute Force Protection](/docs/secure/attack-protection/brute-force-protection)
* [Breached Password Detection](/docs/secure/attack-protection/breached-password-detection)

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/7IxNz72aMoNqIEgGKPZiuv/ee9f7ec600bd2495bf51d0b338939b25/dashboard-attack-protection-list.png" alt="Dashboard Security Attack Protection page" />
</Frame>

## How it works

When it comes to combatting abuse, there is no silver bullet. Auth0 follows the security principle of layered protection, using a variety of signals to detect and mitigate attacks.

| Feature                     | Risk signal                                                                                 | How it works                                                                                             |
| --------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| Bot Detection               | **IP reputation** computed by analyzing the quality of traffic seen for each IP.            | Triggers a CAPTCHA step when a login attempt comes from an IP suspected of use by a bot.                 |
| Suspicious IP Throttling    | **Velocity** of login attempts from an IP for any number of accounts against a tenant.      | Detects when a bot/script tries too many identifier/password combinations within a short period of time. |
| Brute-force Protection      | **Velocity** of login attempts from an IP for a particular account.                         | Detects when a bad actor tries to log in to an account too many times within a period of time.           |
| Breached Password Detection | **Use of a breached password** that appears in lists of breached passwords on the dark web. | Stops users from using passwords that are known to be breached on some third-party sites.                |
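
The two velocity signals in the table differ only in what is counted: failures per IP and account versus failures per IP across all accounts. The sketch below is an added example, not Auth0's code or algorithm; the window, both limits, the event tuple layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed values for illustration; not Auth0's real thresholds.
WINDOW = 60            # sliding window, seconds
PER_ACCOUNT_LIMIT = 5  # failures from one IP against one account
PER_IP_LIMIT = 8       # failures from one IP across all accounts


def classify(events):
    """Return (timestamp, ip, signal) the first time each counter passes its limit.

    events: time-ordered (timestamp_seconds, ip, username, success) tuples.
    """
    by_ip_account = defaultdict(deque)  # (ip, username) -> failure timestamps
    by_ip = defaultdict(deque)          # ip -> failure timestamps
    reported, findings = set(), []
    for ts, ip, user, success in events:
        if success:
            continue  # only failed attempts feed the velocity counters
        for key, counters, limit, signal in (
            ((ip, user), by_ip_account, PER_ACCOUNT_LIMIT, "brute-force"),
            (ip, by_ip, PER_IP_LIMIT, "suspicious-ip"),
        ):
            q = counters[key]
            q.append(ts)
            while q[0] <= ts - WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) > limit and (signal, key) not in reported:
                reported.add((signal, key))
                findings.append((ts, ip, signal))
    return findings


# Constructed sample events (documentation IP ranges, made-up usernames).
SAMPLE = (
    # One IP hammering a single account: 6 failures in 25 seconds.
    [(t, "198.51.100.7", "alice", False) for t in range(0, 30, 5)]
    # One IP trying 9 different accounts once each: 9 failures in 40 seconds.
    + [(100 + 5 * i, "203.0.113.9", f"user{i}", False) for i in range(9)]
    # A user who mistypes twice and then logs in.
    + [(200, "192.0.2.4", "bob", False), (205, "192.0.2.4", "bob", False),
       (210, "192.0.2.4", "bob", True)]
)

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

The single-account burst trips only the per-account counter and the nine-account spray trips only the per-IP counter, which is why the two features are listed as separate layers.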

## Notification

In the event of an attack, users will be notified by email once per hour regardless of the number of logins. For example, if a user tries to log in 200 times in 1 hour and 30 minutes, we will send 2 emails. Password reset links are valid for 5 days. You can [customize the emails](/docs/customize/email/customize-blocked-account-emails) sent to your users.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you reset the block and it encounters another attack, it will send another email.
</Callout>

In the event of an ongoing attack, traffic can be blocked from thousands of IP addresses at a time. Auth0 will send a single email to each administrator every hour that traffic is blocked, regardless of the number of IPs involved in the attack.

## Monitoring

Enabling attack protection features without configuring response settings activates Monitoring mode, which records related events in your tenant log only. The tenant log will contain information about whether the login was determined to be risky so you can determine if you want to configure responses.

## Reporting

You can also create reports using tenant log data to [see attack protection events](/docs/secure/attack-protection/view-attack-protection-events).

## Learn more

* [Bot Detection](/docs/secure/attack-protection/bot-detection)
* [Suspicious IP Throttling](/docs/secure/attack-protection/suspicious-ip-throttling)
* [Brute-Force Protection](/docs/secure/attack-protection/brute-force-protection)
* [Breached Password Detection](/docs/secure/attack-protection/breached-password-detection)
* [View Attack Protection Log Events](/docs/secure/attack-protection/view-attack-protection-events)
