Book IndexHideShow
Back to topic

Account Takeover Protection

Account Takeover Protection

Account Takeover Protection

Account Takeover (ATO) Protection detects and mitigates account takeover attempts, protecting your web applications against volumetric and low and slow ATO attacks.


  • Real-time login protection with no added latency
  • Maximal mitigation, minimal false positives
  • Minimal user configuration and interaction
  • Clear visibility into attack attempts, users at risk, and compromised user accounts

Imperva Account Takeover Protection is part of the Imperva Cloud Application Security suite.

In this topic:

What is ATO?

Account takeover can be characterized as the exploitation of legitimate functionality, rather than by the attempt to exploit unmitigated vulnerabilities. It is one of the most significant cyberthreats today.

In this form of identity theft, a hacker gains illegal access to user login credentials and uses them for malicious purposes, such as to carry out transactions for monetary gain, transfer of funds, or ecommerce.

How does ATO work?

ATO works on valid business logic, impersonating legitimate users, putting your assets and reputation at great risk.

Automated ATO attacks can often lead to successful penetration of your web application. For example,

  • credential stuffing, in which hackers gain access to lists of user credentials and automate the injection of the breached user name and password combinations to attempt to gain unauthorized access to user accounts, or
  • credential cracking, in which hackers discover valid login credentials by repeated randomized attempts.

Anatomy of an Account Takeover Attack

The challenge

The wide availability of resources and the increasingly sophisticated capabilities of attackers present a real challenge to the detection and mitigation of ATO attacks.

  • Stolen lists of credentials are publicly available for free or for low cost online. The common practice of password reuse on multiple systems or devices greatly increases the risk.
  • Distributed "low and slow" ATO attacks, in which the source of the attack spans many IP addresses and geolocations at a slow rate using hacked computers or routers, enable hackers to stay below the radar and remain undetected.
  • Automation tools are used to mask hackers as legitimate users.
  • Once detected, attackers quickly change tactic. Attacks continue to evolve to avoid detection and mitigation.

The detection and mitigation methods of traditional security tools are not sufficient to protect against ATO attacks. They use methods such as:

  • Helping your users choose secure passwords: Even complicated passwords are now being hacked.
  • Multi-factor authentication: Unnecessary challenges negatively impact the user experience.
  • Mitigation based on login history and IP reputation: IPs can be quickly changed.

A different approach is needed. Successful protection requires accurate detection and advanced mitigation.

Imperva ATO Protection

How can you protect against account takeover?

Accurate detection

Accurate detection is critical for minimizing false positives and maximizing protection.

Imperva Account Takeover Protection employs a layered approach that takes into account a range of factors to determine the identity and intent of those attempting to gain access to your system.

Identify the source: Is it bot or human? Good or bad bot? Our unique classification technology can identify the specific type of bot visiting your website. Not all bots pose a threat. In fact, some are crucial to your business. Good bots are used for productive purposes, such as for gathering data for search engines (googlebot), for commercial purposes (finding you the best deal), or for chatbots (customer service).

Determine the intent: In addition to looking at who is attempting to log in and the method they are using, our detection mechanism has to consider the intent of the client as well. Is the login attempt legitimate?

We collect data on devices and IPs, and continue to add them to our reputation engine. Our extensive global network provides a dynamic view that feeds our system with additional information all the time, leading to fast and accurate detection.

Attack Probability

Our proprietary system of complex algorithms takes into account factors such as client application, login attempt rates, and IP reputation, and builds a profile that assesses the likelihood of attack. Then Account Takeover Protection assigns a risk level to each account takeover attempt: high, medium, or low.

Advanced mitigation

The right balance in mitigation strategy is important. Too lenient, and you are exposed to risk. Too stringent, and you impact legitimate users and impede the work of good bots that help your business run.

Account Takeover Protection takes a risk-based mitigation approach.

Based on the accumulated information we have on a specific entity at a given time, we assign a risk level. However, the risk of attack is actively evolving.

For example, an attack may begin from a single source that we don't recognize, but is coming from a standard browser and appears to be legitimate. At some point, the activity of this client begins to raise suspicion, and continues for some time. Now the risk has gone up, and our assessed risk level does as well.

Account Takeover Protection enables you to choose a mitigation strategy for each level of risk.

Instead of a static policy, our mitigation evolves as the attack does. You can set a different action for Imperva to take for each level of risk. For example, you can select a more stringent mitigation for a higher risk level, such as blocking the login attempt, and a lower level intervention for lower risk, such as a CAPTCHA challenge.

Once you make your selections and test your strategy, your mitigation policy goes into effect. We actively assess the risk level of each login attempt, and mitigate accordingly, reducing the need for manual mitigation or your additional input.


Account Takeover Protection provides visibility into login activities. You can see if your sites are under attack, which sites are affected, and which user accounts were hacked.

Of equal or greater significance, you can see which user accounts are at risk, and take the appropriate action.

How do I get started?

New to Account Takeover Protection? Here's how to get started:

Activity More information
Onboarding Get Started
Configure mitigation rules and run a simulation to assess impact Configure Mitigation Rules
Explore the data Explore the Data
Drill down into the list of compromised users and take appropriate action Users at Risk


See also:


Join the Discussion