Skip to main content


Attacks are groups of attack events that target applications and servers. There are multiple attack events that Contrast includes in an attack, including, but not limited to:

  • SQL injection

  • Untrusted deserialization

  • Command injection

  • Many other common vulnerability types

When Contrast detects multiple attack events from the same IP address within 30 minutes, Contrast groups these events together as an attack. If Contrast sees new events from the same IP address after you fix the code, Contrast shows a new attack.

The displayed dates on the dashboard for attacks seen are based on the time when the Contrast task runs on the server, not your local timezone.

Event data retention

Contrast keeps attack event data for thirty days before removing it. To keep attack data for a longer amount of time, do the following:

  • Output to syslog

  • Set up a generic webhook

    A webhook receives data in a POST request only when a specified event occurs. When the webhook sees the event, it collects the data and sends it to the specified URL.

  • Select the arrow at the end of the attack row and then select Export attack (CSV) or (XML) from the menu.

    Image shows how to export attack data


In Contrast, you can:

  • View attack details such as which application and server was attacked and the location in the code where the attack occurred.

  • Manage attacks by taking actions on attacks and attack events. For example, you can configure a Protect rule for specific attack events.

  • Monitor attacks in an overview of current and past attacks..