Threat Detection
Learn how cside's detection engine identifies malicious scripts and automatically alerts your team via email.
cside monitors third-party scripts on your site for malicious activity. Each script passes through multiple detection layers asynchronously. When a threat is found, cside alerts everyone on your team.
All user emails are automatically opted in to threat detection alerts. There is no way to opt out of these notifications - this ensures that every team member is immediately aware of potential security threats.
How it works
Every third-party script loaded on your site goes through a multi-stage pipeline. First, cside deobfuscates and normalizes the script, then checks it against static detection rules and scores it on several threat signals. If a script crosses a risk threshold, cside runs a deeper AI-powered analysis. Malicious scripts trigger an alert to all your configured notification destinations.
Detection methods
cside uses a layered approach to identify malicious scripts:
Known bad sources
Scripts are checked against databases of known malicious sources, including:
- Hostnames: domains known to serve malicious content
- URLs: specific URLs that have been flagged as malicious
- IP addresses: IP addresses associated with malicious activity
Known bad payloads
Script content is compared against known malicious payloads using:
- File hashes: SHA-256 and other hash comparisons against databases of known malicious script payloads
Script normalization
Before analysis, cside deobfuscates and normalizes scripts to reveal what they actually do. This reverses common obfuscation techniques so attackers can’t bypass detection just by disguising their code.
Threat scoring
cside calculates a risk score for each script based on signals like content changes, domain age, behavioral flags, and how many sites are affected. Scripts above the risk threshold get escalated for deeper analysis.
AI-based deep analysis
High-risk scripts go through AI-powered analysis that catches threats static rules miss:
- Obfuscated malicious code - scripts trying to hide what they do
- Zero-day threats - attack patterns not yet in any database
- Behavioral anomalies - scripts doing things they shouldn’t be
Alerts and notifications
When cside flags a malicious script, it can notify your team through any destination in your notification configs - email, Slack, Discord, Jira, Linear, S3, or custom webhooks.
To set this up, create a notification config with the Script Threat Detected trigger. See Notifications for details.
Threat detection vs. vulnerability detection
cside offers two complementary security features:
| Feature | Threat Detection | Vulnerability Detection |
|---|---|---|
| What it detects | Actively malicious scripts | Scripts with known CVEs or advisories |
| Detection method | Known bad sources, payload hashes, dynamic analysis, AI | Version matching against vulnerability databases |
| Alert delivery | Configured notification destinations | Dashboard alerts and configured notification destinations |
| Example | A script serving a cryptominer from a compromised CDN | lodash 4.17.21 with a prototype pollution CVE |
These two features cover different angles - use both for the best coverage of your third-party scripts.
Thanks for your feedback!