An attacker uses a program to try thousands of password combinations against your login endpoint until they find the right one. It is one of the oldest and most common attacks because it requires no special knowledge — just persistence and a fast computer.
Think of it this way
Imagine someone standing outside a combination lock trying every number from 0000 to 9999. They are not smart, they are just patient and relentless. A brute force attack is the digital version of that.
The attacker writes a script that sends login requests to your API in a rapid loop, each time trying a different password. They might start with common passwords like '123456' or 'password1', then move to random combinations. Because computers can try thousands of attempts per second, even a 6-digit PIN can be cracked in minutes if there is no protection in place.
Scenario 1
A fraudster targets a mobile banking API by sending 10,000 login attempts per minute against a victim's phone number, cycling through every 4-digit PIN combination. There are only 10,000 possible 4-digit PINs, so without rate limiting or account lockout they exhaust the entire keyspace in about a minute.
Scenario 2
A bot discovers an unprotected admin login page and tries the 500 most common passwords in sequence. It finds 'admin123' is in use and gains full backend access.
Scenario 3
An attacker probes an API that accepts numeric keys and systematically tries every 8-digit combination, looking for valid keys to impersonate legitimate business customers.
Anomira counts the number of failed login attempts per IP address and per user within a sliding time window. When a single IP exceeds the threshold, an alert fires and the IP can be blocked automatically.
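The logic described above, as an added example that is not Anomira's code: failed logins are counted per source IP and per target user in a sliding time window, and an alert fires the moment a counter crosses its threshold. The log format, the thresholds and the sample lines are all constructed for this illustration; real deployments would tune the window and thresholds to their own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): "<ISO timestamp> <client IP> <user> <FAIL|OK>".
# The first line is an old failure that falls outside the window and must not count.
SAMPLE_LOG = [
    "2024-05-01T09:50:00 203.0.113.7 alice FAIL",
    # one IP spraying a different account on every attempt
    "2024-05-01T10:00:00 203.0.113.7 alice FAIL",
    "2024-05-01T10:00:01 203.0.113.7 bill FAIL",
    "2024-05-01T10:00:02 203.0.113.7 carol FAIL",
    "2024-05-01T10:00:03 203.0.113.7 dave FAIL",
    "2024-05-01T10:00:04 203.0.113.7 erin FAIL",   # 5th failure in the window -> per-IP alert
    "2024-05-01T10:00:05 203.0.113.7 frank FAIL",
    # a legitimate user mistypes once and then logs in
    "2024-05-01T10:01:00 198.51.100.20 grace FAIL",
    "2024-05-01T10:01:10 198.51.100.20 grace OK",
    # distributed attack: ten different IPs, one attempt each, all against "bob"
] + [f"2024-05-01T10:02:{i:02d} 192.0.2.{i + 1} bob FAIL" for i in range(10)]

WINDOW = timedelta(minutes=5)   # assumed sliding window length
IP_THRESHOLD = 5                # assumed: failures from one IP before alerting
USER_THRESHOLD = 10             # assumed: failures against one user before alerting


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


class SlidingWindowCounter:
    """Counts events per key, dropping any event older than `window`."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        # expire events that fell out of the window relative to the newest event
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def detect(lines, window=WINDOW, ip_threshold=IP_THRESHOLD, user_threshold=USER_THRESHOLD):
    """Return alerts as (kind, key, iso_timestamp) tuples, one per threshold crossing.

    The per-IP counter catches a single host spraying many accounts; the per-user
    counter catches a botnet spreading attempts across many IPs against one account.
    """
    by_ip = SlidingWindowCounter(window)
    by_user = SlidingWindowCounter(window)
    alerts = []
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result != "FAIL":
            continue  # only failed attempts feed the counters
        # fire exactly when the count reaches the threshold, not on every later failure
        if by_ip.add(ip, ts) == ip_threshold:
            alerts.append(("ip", ip, ts.isoformat()))
        if by_user.add(user, ts) == user_threshold:
            alerts.append(("user", user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for kind, key, when in detect(SAMPLE_LOG):
        print(f"{when} brute force suspected: {kind}={key}")
```

Two points worth noting from the sample run: the 09:50 failure is silently expired, so the per-IP alert fires on the fifth failure inside the window rather than the fourth, and the attack on "bob" is invisible to the per-IP counter (each IP makes a single attempt) and is only caught by the per-user counter. The reverse holds for the spraying host, which never hits any single account more than once. A deployment that counts only one of the two dimensions misses one of the two attack shapes.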
See this attack in your live API traffic
Anomira detects brute force attacks automatically — no configuration needed.