Threat detection is the process of identifying security threats across your network, systems, and applications before they escalate into full-scale attacks. An organization’s security posture depends heavily on its ability to detect emerging threats in both cloud and on-premises environments—and to respond to them quickly.
However, attackers continuously evolve their techniques, making threat detection a constantly moving target. Organizations with limited security resources often struggle to keep up. They may not have the capacity to track the global threat landscape or investigate the sheer volume of alerts generated by SIEM systems.
Effective threat detection focuses on prioritization. By leveraging frameworks such as the Cyber Kill Chain, security teams can assess attack intent and severity, correlate contextual data, and respond more efficiently. A multi-layered intrusion detection approach—covering cloud workloads, endpoints, and data centers—provides a consolidated view of assets, vulnerabilities, and malicious activity, enabling faster investigation and response.
On the Adaptive Security Appliance (ASA), threat detection consists of three main components: Basic, Advanced, and Scanning Threat Detection.
Basic Threat Detection (BTD) is enabled by default on all Adaptive Security Appliances (ASA) running version 8.0 and later. It monitors the rate at which packets are dropped across the entire appliance.
BTD provides high-level visibility, but it is not granular enough to pinpoint specific sources or detailed attack characteristics. Instead, it tracks packet drops associated with the following events:
Advanced Threat Detection provides deeper visibility by tracking granular objects such as:
It analyzes activity across multiple fixed time windows—20 minutes, 1 hour, 8 hours, and 24 hours. While these intervals cannot be modified, administrators can configure how many periods are tracked per object.
Like BTD, Advanced Threat Detection sends alerts via Syslog, but it enables more precise detection of abnormal patterns and long-term attack behaviors.
Scanning Threat Detection builds upon the BTD framework, using the same:
Unlike BTD, this feature maintains a database of attacker and target IP addresses, providing valuable context about scanning behavior. A major advantage of scanning detection is its ability to actively respond by shunning (blocking) the attacker’s IP address.
This makes it the only threat detection feature that can directly influence live connections passing through the ASA.
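The following ASA configuration is an added example, not taken from the original article, showing how the three components above are enabled together: the default basic detection, advanced per-object statistics with extra rate intervals, and scanning detection with shun plus an exception list so that an authorized scanner subnet is never blocked. The subnet 10.0.100.0/24 and the rate values are constructed placeholders; tune them to your own environment.

```cisco
! Basic Threat Detection: on by default since 8.0, restated here so the
! intent is visible in the running config. Appliance-wide drop rates only.
threat-detection basic-threat
!
! Advanced Threat Detection: per-object statistics. number-of-rate raises
! the count of fixed rate intervals kept per host (default 1, max 3) at
! the cost of memory; the interval lengths themselves are not tunable.
threat-detection statistics host number-of-rate 3
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
! Scanning Threat Detection with automatic shun of attacker IPs.
! The except clause protects the authorized vulnerability-scanner subnet
! (placeholder 10.0.100.0/24) from being shunned and losing connectivity.
threat-detection scanning-threat shun except ip-address 10.0.100.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
!
! Rate thresholds that classify a host as a scanner: average over a
! 600-second interval, burst over 1/30 of that. Lower values catch slow
! scans sooner but raise the risk of shunning legitimate chatty hosts.
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
!
! Verification: review per-host rates, the attacker/target database, and
! the current shun list before trusting automatic blocking in production.
show threat-detection statistics host
show threat-detection scanning-threat attacker
show threat-detection scanning-threat target
show threat-detection shun
```

Run scanning detection without the shun keyword first and confirm from the syslog and the attacker list that only genuine scanners are flagged before enabling automatic shunning.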
Most cyberattacks are driven by one of the following motives—often with a financial end goal.
Attackers seek usernames and passwords to gain initial access. It is far easier to log in with stolen credentials than to exploit a vulnerability. Many attackers then use privilege escalation techniques to gain higher-level access and reach more sensitive systems.
PII such as social security numbers, driver’s license numbers, or financial details can be used for identity theft and fraud.
Industrial espionage remains a serious threat. Nation-states and competitors may steal trade secrets, proprietary research, or confidential business strategies to gain economic or strategic advantages.
Ransomware encrypts or threatens to publish an organization’s data unless a ransom is paid. These attacks can cripple operations and cause severe financial and reputational damage.
Disgruntled insiders or hacktivists may attempt to disrupt services, deface websites, or slow systems to protest policies or embarrass organizations and governments.