Catching Suspicious Logins Before They Cause Damage

If your business has any kind of online login, whether it’s a customer portal, an internal tool, or even just a WordPress site, people are logging in every day. Most of those logins are your actual customers or employees. But some aren’t. And the tricky part is telling the difference before the wrong person gets in.

I built a system that watches login activity and learns what “normal” looks like: what time people usually sign in, how many attempts it takes, what kind of connection they’re coming from. When something doesn’t fit the pattern, like a login at 3 AM from an unfamiliar location or a bunch of failed password attempts in a row, it gets flagged.

The hard part isn’t catching suspicious activity. It’s catching it without annoying everyone else. If you challenge every login, your real customers get frustrated. If you challenge nothing, you’re leaving the door open. So the system uses a tiered approach:

• About half of logins look completely normal and go through without any extra steps.
• About 45% are slightly unusual, like a new device or a different time of day, and get a quick verification step like a code sent to their phone.
• About 5% look genuinely suspicious and trigger an alert so someone can take a closer look.

The result is that your real users barely notice anything different, but when someone is actually trying to break in, you know about it right away.

What this means for a business

Most small businesses don’t have a security team watching their systems around the clock. That’s totally normal, but it means the bad guys are counting on nobody noticing. A setup like this runs quietly in the background and only bothers you when there’s a real reason to pay attention. Think of it like a security camera that doesn’t just record everything. It taps you on the shoulder when something actually looks wrong.