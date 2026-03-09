IBM @ RSAC 2026 Securing hybrid cloud and AI at scale | 23–26 March | Join us
Post-auth is the new perimeter: A simple example with big implications

By Ryan Anschutz
Published 09 March 2026

Every now and then, something completely mundane sneaks up on you and delivers a security lesson you were not looking for.

For me, it started with something embarrassingly ordinary: I needed to export a list of event attendees. Nothing exciting. No red team engagement. No late-night incident call. Just a very normal “can I please get this into a CSV?” moment.

The problem was the UI. Infinite scroll. No export button. Which meant I either scrolled until my fingers fell off … or I took a look at what the application was actually doing behind the scenes.

You can probably guess which option I chose.

The moment I opened browser developer tools, the task stopped being about exporting a list and turned into a clean, real-world example of something we talk about constantly in incident response (IR): the real security boundary of modern applications isn’t the UI, it’s whatever the backend trusts after authentication.

A tiny automation task that turned into a lesson

Once I looked at the network traffic, the architecture revealed itself immediately:

  • GraphQL API
  • Paginated responses
  • Session cookie plus a CSRF token
  • One API call per scroll event

There was nothing magical about the UI. It was simply replaying the same authorized API request with different pagination tokens as I scrolled. Once you see that, the solution becomes obvious: script the same requests, walk the pagination and dump the results.

  • No exploits
  • No bypasses
  • No stretched permissions

Just automating the exact workflow the browser was already performing on my behalf.

And that is when it clicked: this is exactly how attackers think.

Not in terms of screens and buttons, but in terms of what the backend will accept from an authenticated client.

“Attackers don’t care about your UI”

This is something we say all the time in security, but it’s easy to forget in practice: the UI is a suggestion; the API is the truth.

Attackers don’t care that you intended users to scroll slowly. They don’t care that you didn’t include an export button. They don’t care about your “intended workflow” at all.

They care about one thing: what the backend will trust.

And the browser? From an attacker’s perspective, it’s just a pre-built, fully authorized API client they didn’t even have to write.

That’s why so many real-world incidents end up looking like:

  • Session hijacking
  • Token replay
  • API abuse
  • Or so-called “MFA bypass” that isn’t bypassing MFA at all

Once authentication is complete, the problem stops being about identity and starts being about trust. And trust is where most organizations get blindsided.

Where incident response needs to shift its thinking

This tiny export task ended up being a perfect reminder of how incident responders should be framing modern investigations.

First, focus on API behavior, not UI actions. If the API allowed something, arguing that “the UI would not do that” is beside the point.

Second, treat session abuse as full compromise. If an attacker can replay a session token, they are the user. End of discussion.

Third, ask better questions during scoping. Not “Would a user click this?” but:

  • Is this request possible for a legitimate user?
  • Did the backend enforce authorization independently?
  • Would this behavior look normal if done rapidly or at scale?

Those questions surface the truth much faster than debating UI intent.

Finally, do harmless exercises like this more often. There is no better way to sharpen attacker intuition than automating something you’re legitimately allowed to do and watching how the system behaves. It builds instinct in a way documentation never will.

The reality check

I did not exploit anything. The application worked exactly as designed. That’s the part worth sitting with.

Because attackers rely on the same reality: if you can safely replay an authenticated API call, someone will eventually replay it unsafely.

After authentication, everything becomes the real perimeter, and most defenses still aren’t built around that truth.

So what could have stopped this?

A handful of modern controls could have either broken this behavior outright or made it obvious something unusual was happening:

  • Session tokens bound to device or browser context
  • Behavioral rate limiting that notices no human paginates this fast
  • Authorization enforced at the API layer, not assumed via the UI
  • Step-up authentication for bulk or sensitive data access
  • Short session lifetimes with frequent token rotation
  • API-level telemetry that shows actual query behavior, not just page views

And the most important one: never treating the UI as a security boundary. Defenders who think in UI terms will always lag behind attackers who think in API terms.

The bigger picture

Mapped to MITRE ATT&CK, this lives squarely in familiar territory: session theft, token replay, valid-account abuse, API misuse.

Mapped to NIST, it aligns just as cleanly: session binding, risk-based authentication, backend authorization and anomaly detection.

In other words, this isn’t theoretical. This is where modern compromise actually happens.

The bottom line for IR teams

MITRE tells us how attackers abuse trust. NIST tells us where organizations are expected to manage it. This simple export task sat right in the middle.

The question is not, “Did MFA work?” The real question is, “What did the backend trust after MFA succeeded?” That is the perimeter now.

The sooner incident response treats it that way, the better we’ll be at detecting, and containing, what actually matters.

Appendix

MITRE ATT&CK TTPs and NIST Control Alignment

AreaMITRE ATT&CK TechniqueDescription (IR Context)NIST Reference
Session AbuseT1550 — Use Alternate Authentication MaterialReuse of valid session cookies or tokens instead of credentialsNIST SP 800-63B §7 (Session Management)
Session TheftT1539 — Steal Web Session CookieTheft and replay of browser session cookiesNIST CSF PR.AC-1
Valid Account AbuseT1078 — Valid AccountsAbuse of legitimate user access post-authenticationNIST CSF PR.AC-4
API AbuseT1071 — Application Layer ProtocolUse of legitimate application-layer protocols (HTTP/GraphQL)NIST CSF DE.CM-1
Backend EnumerationT1213 — Data from Information RepositoriesBulk access or enumeration of backend data via APIsNIST SP 800-53 AC-3
Post-Auth MFA BypassT1550.004 — Web Session CookieBypassing MFA by replaying authenticated session tokensNIST SP 800-63B §6 (Risk-Based Auth)
Privilege MisuseT1068 — Exploitation for Privilege EscalationBackend authorization trusting UI behaviorNIST CSF PR.AC-6
Automation at ScaleT1046 — Network Service Discovery (Conceptual)Automated enumeration patterns at scaleNIST CSF DE.AE-1
Data ExfiltrationT1041 — Exfiltration Over C2 Channel (Logical)Large data transfer over legitimate channelsNIST CSF DE.CM-7
Monitoring EvasionT1562 — Impair Defenses (Implicit)Operating within “normal” auth flows to avoid alertsNIST CSF DE.AE-3
Ryan Anschutz

North America Leader for IBM X-Force Incident Response
