Threat Detection

Learn how cside's detection engine identifies malicious scripts and automatically alerts your team via email.

cside monitors third-party scripts on your site for malicious activity. Each script passes through multiple detection layers asynchronously. When a threat is found, cside alerts everyone on your team.

Threat detection alerts are fully configurable through notification configs. Choose which team members or external addresses get notified, or route alerts to Slack, Discord, Jira, Linear, S3, or custom webhooks instead of email.

How it works

Every third-party script loaded on your site goes through a multi-stage pipeline. First, cside deobfuscates and normalizes the script, then checks it against static detection rules and scores it on several threat signals. If a script crosses a risk threshold, cside runs a deeper AI-powered analysis. Malicious scripts trigger an alert to all your configured notification destinations.

Detection methods

cside uses a layered approach to identify malicious scripts:

Known bad sources

Scripts are checked against databases of known malicious sources, including:

  • Hostnames: domains known to serve malicious content
  • URLs: specific URLs that have been flagged as malicious
  • IP addresses: IP addresses associated with malicious activity

Known bad payloads

Script content is compared against known malicious payloads using:

  • File hashes: SHA-256 and other hash comparisons against databases of known malicious script payloads

Script normalization

Before analysis, cside deobfuscates and normalizes scripts to reveal what they actually do. This reverses common obfuscation techniques so attackers can’t bypass detection just by disguising their code.

Threat scoring

cside calculates a risk score for each script based on signals like content changes, domain age, behavioral flags, and how many sites are affected. Scripts above the risk threshold get escalated for deeper analysis.
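The static layers described above (known bad sources, known bad payloads, threat scoring) can be sketched as a single triage function. This is an added illustration and not cside's code: the blocklist entries, signal weights, threshold and field names are all constructed assumptions, and IP address lookups and normalization are left out.

```javascript
// Added illustration, not cside's code. Lists, weights and threshold are constructed.
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

const BAD_HOSTS = new Set(['cdn.bad.example']);                // constructed
const BAD_URLS = new Set(['https://static.example/lib/x.js']); // constructed
const BAD_HASHES = new Set([sha256('/* constructed known-bad payload */')]);
const ESCALATE_AT = 60; // assumed threshold on a 0-100 scale

// Layer 1: known bad sources (hostname, then exact URL).
function matchSource(scriptUrl) {
  const u = new URL(scriptUrl);
  u.hash = ''; // the fragment is never sent to the server, so ignore it
  const host = u.hostname.replace(/\.$/, ''); // "host." and "host" are the same name
  if (BAD_HOSTS.has(host)) return 'hostname';
  if (BAD_URLS.has(u.href)) return 'url';
  return null;
}

// Layer 3: score built from the signals named in the text (weights are assumptions).
function riskScore(s) {
  let score = 0;
  if (s.contentChanged) score += 25;
  if (s.domainAgeDays < 30) score += 25;
  score += Math.min(s.behaviorFlags.length * 15, 30);
  score += s.sitesAffected >= 100 ? 20 : s.sitesAffected >= 10 ? 10 : 0;
  return score;
}

// Static layers in order; a hit short-circuits, otherwise the score decides.
function triage(script) {
  const source = matchSource(script.url);
  if (source) return { verdict: 'malicious', reason: `known bad ${source}` };
  // Layer 2: known bad payloads, matched on the SHA-256 of the script body.
  if (BAD_HASHES.has(sha256(script.body))) {
    return { verdict: 'malicious', reason: 'known bad payload hash' };
  }
  const score = riskScore(script.signals);
  return { verdict: score >= ESCALATE_AT ? 'escalate' : 'allow', reason: `score ${score}` };
}
```

An exact hash match stops working after a one-byte change to the payload, so a script that misses both lists still has to be scored before it is allowed.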

AI-based deep analysis

High-risk scripts go through AI-powered analysis that catches threats static rules miss:

  • Obfuscated malicious code - scripts trying to hide what they do
  • Zero-day threats - attack patterns not yet in any database
  • Behavioral anomalies - scripts doing things they shouldn’t be

Alerts and notifications

When cside flags a malicious script, it can notify your team through any destination in your notification configs - email, Slack, Discord, Jira, Linear, S3, or custom webhooks.

To set this up, create a notification config with the Script Threat Detected trigger. See Notifications for details.

Threat detection vs. vulnerability detection

cside offers two complementary security features:

| Feature | Threat Detection | Vulnerability Detection |
|---|---|---|
| What it detects | Actively malicious scripts | Scripts with known CVEs or advisories |
| Detection method | Known bad sources, payload hashes, dynamic analysis, AI | Version matching against vulnerability databases |
| Alert delivery | Configured notification destinations | Dashboard alerts and configured notification destinations |
| Example | A script serving a cryptominer from a compromised CDN | lodash 4.17.21 with a prototype pollution CVE |

These two features cover different angles - use both for the best coverage of your third-party scripts.
