Lumara in Action: Stopping VPN Brute-Force with Live Detection

Most organisations let people in through a public-facing VPN gateway. It has to be reachable from the internet by design: for any business with remote staff, contractors, travelling executives, or more than one site, access has to be delivered, and it has to be controlled.

That reachability is why the VPN login portal on the firewall is the most consistently probed surface on any network. At one of our Lumara SecOps customers, that activity recently got through. A brute-force script working through generic usernames found a forgotten account in the school's directory, still carrying its default password.

If your VPN is set up the way most are, an account like that is almost certainly on yours too.


It's Bigger Than One Customer

What we saw at that customer is part of a global pattern, and the same activity is being reported in volumes that dwarf anything we see locally.

In December 2025, GreyNoise recorded more than 1.7 million automated login attempts against Palo Alto Networks GlobalProtect portals in a single 16-hour window, from more than 10,000 unique IPs. The same campaign turned on Cisco SSL VPNs the next day. Fortinet's SSL VPNs show the same pattern: one of the largest single-day waves of brute-force traffic against them in months came from more than 780 unique IPs hitting login portals, and roughly 80% of spikes like it have been followed by a new Fortinet vulnerability disclosure within six weeks.

The Australian picture is the same shape. ASD's Annual Cyber Threat Report 2024-25 names edge devices (the routers, firewalls, and VPN products that sit at the network's perimeter) as one of the most consistently exploited entry points into Australian networks.

Two patterns hold across all of this.

  • The goal is always a credential that works. Whether attackers run brute-force scripts, exploit a newly disclosed vulnerability in the VPN software, or phish someone who already has access, they are after a username and password your VPN will accept.

  • Signal-to-noise is the defender's hardest problem. Every public VPN is probed continuously. The one login that matters looks like a credential that worked, or a session from a country with no staff in it, and it has to be picked out of millions that don't matter.

That's the trap. Routine noise is loud enough that most teams turn their alerts down, or off altogether. And the one attempt that matters looks identical to the ten thousand that don't, until you check what happened after the login.


Most Teams Are Missing the Same Things

Most teams don't know how their VPN is actually configured until something goes wrong. A short self-audit usually settles it. Three questions, honestly answered, will tell you whether yours is in the same shape as the one in the story above.

Who is allowed in? When was the last time anyone looked at the actual list of accounts permitted to authenticate against your VPN? If the answer is "anyone in our directory," that list includes service accounts you've forgotten, vendor accounts from projects that ended years ago, and roles that have moved on. Every one of them is a live key.

Where can they come from? If geo-blocking is off, your VPN is reachable from every country on earth. That includes places no one on your team has any business logging in from.

Who would notice if it worked? Every public VPN is being probed continuously. The question isn't whether yours is seeing brute-force traffic; it is. The real question is whether anyone would notice the attempt that worked.

If you can't answer those three with confidence, you're in good company, because most can't. The gap between "most" and "prepared" is exactly what these campaigns count on.

Four controls do most of the structural work. They keep the brute-force noise from landing on anything that authenticates.

  • Explicit allow-lists, not implicit ones. A well-run VPN has a deliberately maintained list of accounts permitted to authenticate against it, made up of named humans in current roles with real reasons to connect remotely. "Anyone in AD can VPN in" is a configuration choice, and almost always the wrong one.

  • Service accounts kept off the VPN. An account with no person behind it has no business authenticating remotely. Service accounts that need to reach the network do that from inside it.

  • Geo-blocking by default, exceptions on purpose. A geo-block by country removes most of the exposure. The brute-force traffic in those GreyNoise numbers wouldn't reach an Australian login prompt if it had to come from Australia first. A determined attacker can still rent an Australian IP address, so geo-blocking cuts the volume rather than ending the problem; cutting the volume is what makes the remaining signal visible.

  • Scheduled audits, not incident-driven ones. Allow-lists drift, and a quarterly review of who is allowed to authenticate, owned by a named person and written down, is what stops the list from becoming a museum of forgotten accounts.
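The four controls above amount to one recurring check: compare the accounts the VPN actually trusts against the list it should trust, and flag everything that has no business being there. The script below is an added example, not Lumara's tooling. It assumes the VPN policy references a directory group, that an export of that group has already been pulled (the export here is constructed for the example and mimics AD attributes), that service accounts follow a `svc-`/`sa-` naming convention, and that a password whose last-set date equals the account's creation date is the "still carrying its default password" case from the story.

```python
"""Audit the accounts permitted to authenticate to a VPN.

Added example, not Lumara's tooling. VPN_GROUP_EXPORT is constructed data
standing in for an AD/LDAP export of the group the VPN policy references.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 12, 15, tzinfo=timezone.utc)  # fixed so the run is reproducible
DORMANT_AFTER = timedelta(days=90)

# The deliberately maintained allow-list: named humans in current roles.
VPN_ALLOW_LIST = {"j.smith", "a.nguyen", "r.patel"}

# Constructed export of the directory group the VPN currently trusts.
# Fields mimic sAMAccountName, enabled, lastLogon, pwdLastSet, whenCreated.
VPN_GROUP_EXPORT = [
    {"user": "j.smith",    "enabled": True,  "last_logon": "2025-12-14", "pwd_last_set": "2025-10-02", "created": "2019-03-11"},
    {"user": "a.nguyen",   "enabled": True,  "last_logon": "2025-12-13", "pwd_last_set": "2025-11-20", "created": "2021-07-01"},
    {"user": "r.patel",    "enabled": True,  "last_logon": "2025-12-12", "pwd_last_set": "2025-09-15", "created": "2022-01-10"},
    {"user": "svc-backup", "enabled": True,  "last_logon": "2025-12-14", "pwd_last_set": "2020-05-05", "created": "2020-05-05"},
    {"user": "vendor-erp", "enabled": True,  "last_logon": "2023-02-19", "pwd_last_set": "2022-08-30", "created": "2022-08-30"},
    {"user": "guest",      "enabled": True,  "last_logon": None,         "pwd_last_set": "2018-01-15", "created": "2018-01-15"},
    {"user": "k.old",      "enabled": False, "last_logon": "2024-06-01", "pwd_last_set": "2024-01-01", "created": "2017-09-09"},
]

SERVICE_PREFIXES = ("svc-", "svc_", "sa-")  # assumed naming convention for service accounts


def _parse(day):
    """Parse a YYYY-MM-DD string into an aware datetime, or None if the field is empty."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc) if day else None


def audit_vpn_access(export, allow_list, now=NOW):
    """Return {user: [findings]} for every account that should not be VPN-capable."""
    findings = {}
    for acct in export:
        user = acct["user"]
        reasons = []
        if user not in allow_list:
            reasons.append("not on allow-list")
        if user.startswith(SERVICE_PREFIXES):
            reasons.append("service account")
        if not acct["enabled"]:
            reasons.append("disabled but still in VPN group")
        last = _parse(acct["last_logon"])
        if last is None:
            reasons.append("never logged on")
        elif now - last > DORMANT_AFTER:
            reasons.append(f"dormant {(now - last).days}d")
        # Password never changed since the account was created: the default-password case.
        if acct["pwd_last_set"] == acct["created"]:
            reasons.append("password unchanged since creation")
        if reasons:
            findings[user] = reasons
    return findings


def accounts_to_remove(export, allow_list, now=NOW):
    """Sorted list of accounts the quarterly review should pull out of the VPN group."""
    return sorted(audit_vpn_access(export, allow_list, now))


if __name__ == "__main__":
    for user, why in audit_vpn_access(VPN_GROUP_EXPORT, VPN_ALLOW_LIST).items():
        print(f"{user:12} {', '.join(why)}")
```

Run against the constructed export, the three named staff pass clean and the other four accounts each come back with a reason: the service account, the vendor account that has not logged on in years, the guest account that never has, and a disabled account still sitting in the group. The "password unchanged since creation" heuristic is the one to pay attention to; an account like that is the one the brute-force script in the story found. Real AD exports need one more rule, since a `pwdLastSet` of 0 means "must change at next logon" rather than "never changed".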

These controls help, but even with all of them in place no team has the hours to manually review every login across every system. That's the gap live detection fills.


Live Detection Is the Difference

Standing up an in-house Security Operations Centre that can pull the meaningful signal out of millions of failed VPN logins is out of reach for most Australian businesses. Lumara gives you that capability without building the team yourself.

Our 24/7 SOC runs continuous monitoring and AI-assisted threat hunting across customer environments. The VPN edge most organisations think of as solved is where our analysts spend their time. They look for the authentication that worked when it shouldn't have, the country that doesn't match the staff roster, and the dormant account that suddenly came back to life.
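The three signals named above (a success that should not have happened, a source country that doesn't match the roster, and a dormant account waking up) are all properties of a successful login, not of the failures around it. The script below, an added example rather than Lumara's detection content, shows how each is picked out of brute-force noise. The log lines are constructed in a generic syslog-like shape; real GlobalProtect, Cisco ASA and FortiGate logs use different field names but carry the same elements (timestamp, result, user, source IP, and a geolocation that a SIEM would add). The allowed-country set, the failure threshold, the window, and the last-seen baseline are assumed local policy.

```python
"""Pick the login that matters out of VPN brute-force noise.

Added example, not Lumara's detection content. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one source works through generic usernames and finally
# lands on a forgotten account; ordinary staff traffic follows later.
SAMPLE_LOG = """\
2025-12-03T02:14:01Z vpn-gw auth result=FAIL user=admin src=198.51.100.7 country=NL
2025-12-03T02:14:02Z vpn-gw auth result=FAIL user=test src=198.51.100.7 country=NL
2025-12-03T02:14:03Z vpn-gw auth result=FAIL user=guest src=198.51.100.7 country=NL
2025-12-03T02:14:04Z vpn-gw auth result=FAIL user=vpn src=198.51.100.7 country=NL
2025-12-03T02:14:05Z vpn-gw auth result=FAIL user=support src=198.51.100.7 country=NL
2025-12-03T02:14:06Z vpn-gw auth result=SUCCESS user=library src=198.51.100.7 country=NL
2025-12-03T07:58:10Z vpn-gw auth result=SUCCESS user=j.smith src=203.0.113.20 country=AU
2025-12-03T08:03:44Z vpn-gw auth result=FAIL user=a.nguyen src=203.0.113.21 country=AU
2025-12-03T08:03:59Z vpn-gw auth result=SUCCESS user=a.nguyen src=203.0.113.21 country=AU
2025-12-03T09:12:00Z vpn-gw auth result=SUCCESS user=r.patel src=192.0.2.9 country=AU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\w+)$"
)

# Assumed local policy: where staff may connect from, and when each account was
# last seen authenticating before this log window (a baseline the SOC keeps).
ALLOWED_COUNTRIES = {"AU"}
LAST_SEEN_BASELINE = {
    "j.smith": "2025-12-02", "a.nguyen": "2025-12-02", "r.patel": "2025-11-30",
    "library": "2021-04-10",  # the forgotten account from the story
}
FAIL_THRESHOLD = 3             # failures from one source before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
DORMANT_AFTER = timedelta(days=90)


def parse_log(text):
    """Turn auth-result lines into dicts; lines in any other shape are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect(events, allowed_countries=ALLOWED_COUNTRIES, baseline=LAST_SEEN_BASELINE):
    """Alert only on successful logins that carry at least one of the three signals."""
    alerts = []
    recent_fails = defaultdict(list)  # src IP -> timestamps of its failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        if ev["result"] != "SUCCESS":
            recent_fails[src].append(ts)   # failures alone are noise; remember them
            continue
        reasons = []
        fails = [t for t in recent_fails[src] if ts - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            reasons.append(f"success after {len(fails)} failures from {src}")
        if ev["country"] not in allowed_countries:
            reasons.append(f"login from {ev['country']}")
        last = baseline.get(ev["user"])
        if last is None:
            reasons.append("account not in baseline")
        else:
            last_dt = datetime.strptime(last, "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if ts - last_dt > DORMANT_AFTER:
                reasons.append(f"dormant {(ts - last_dt).days}d")
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": ev["user"], "src": src, "reasons": reasons})
    return alerts


def alert_users(text=SAMPLE_LOG):
    """Usernames behind each alert, in log order."""
    return [a["user"] for a in detect(parse_log(text))]


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["user"], a["src"], "; ".join(a["reasons"]))
```

Of the ten lines, nine are either noise or normal staff activity; the one success for `library` trips all three rules at once (a run of failures from the same source, a country no staff work from, and an account dormant for years). The single failed attempt by a real user before a successful one produces nothing, which is the point: the rules key on what happened after the login, not on the volume of failures in front of it.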

If a forgotten account in your directory was used to log into your VPN this morning, would you actually know? If you're not sure, get in touch. We'll show you what Lumara can do for your business.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
