Mideye Shield

Attacks stopped before they log in.

Shield is a pre-authentication threat intelligence API. Every source IP is scored 0–100 in real time, so credential stuffing, password spray, and brute force are rejected before they reach your authentication system.

The challenge

Static defenses can't keep up.

When one Shield customer is attacked, the collaborative network protects everyone else automatically. Traditional defenses can't do that, and they all share the same weaknesses.

Block lists go stale

Attackers rotate through IPs faster than any feed can update.

Manual rules don't scale

Managing block lists and firewall rules manually takes time and leads to mistakes.

Attack data stays local

What you learn from an attack doesn't help anyone else, and vice versa.

How it works

Built on shared intelligence.

1

Collaborative

Attack data from all Shield deployments feeds a shared threat intelligence network. An IP flagged at one customer raises the score for everyone. Every authentication event, successful or failed, feeds back into the shared scoring model.

2

Adaptive

Scores decay over time. An IP that was malicious last week scores lower today if no new activity is observed. Real-time velocity scoring distinguishes bot patterns from legitimate users.

3

Curated

No block lists to maintain. No rules to configure. Shield returns a risk score (0–100) on every request. Your system decides what to do with it.

The network effect

When one customer is attacked, everyone learns. Instantly.

How Mideye Shield works An attacker attacks a Mideye Server, which detects the attack and reports it to the Mideye Shield Central System. When the attacker then attacks another Mideye Server, that server queries Shield Central, learns the source is a known attacker, and blocks the login. Other Mideye Servers stay connected to Shield Central and query it continuously. Attacker Mideye Server Protected Attack detected Mideye Server Protected Login blocked Mideye Shield Central System Mideye Shield updated Mideye Shield queried Mideye Server Protected Mideye Server Protected Mideye Server Protected Mideye Server Protected
Mideye Shield hive-defense emblem

Day-one protection

Shield launches with a warm intelligence engine, drawing from aggregated, anonymized production data across multiple Nordic enterprises. No cold start. Production-proven detection from day one, based on attack patterns already observed across the network.

Included with Mideye Server 6.5.12 and later releases.

Mideye Insight

See what Shield sees.

Mideye Insight is the customer dashboard for Shield: live telemetry of what's hitting your login endpoints, and a per-IP view of how every source was scored and handled.

Security overview

Activity history, blocked-versus-successful trends, a geographic attack distribution map, and the ASNs behind both your legitimate users and hostile traffic.

IP activity

Every scored IP with its 0–100 risk score, activity sparkline, and a recommended action: block, challenge, rate-limit, or monitor. Filter by scenario presets such as leaked credentials, and export up to 1,000 IPs as CSV.

Corroborated intelligence

IPs reported by multiple sources are flagged, with ASN and country metadata refreshed from a daily threat-intelligence snapshot. Access is scoped per customer and signed in with Mideye MFA.

Available to Shield customers.

Integration

Two ways in. One shared defense.

REST API

Query the risk score for any IP with a simple HTTP call, and ingest authentication events to feed the network. Works with Python, Go, Java, Node.js, and any HTTP-capable stack, scoring individual logins as they happen.

GET /api/v2/ips/{ip_address}
POST /api/v2/ips/events
View API documentation

RADIUS backend

Integrates directly as a RADIUS backend module, with no changes to existing authentication infrastructure. Inline protection for VPN, Wi-Fi, and network access.

RADIUS → Shield → Allow / Challenge / Block

Both options feed data back to the shared threat intelligence network.

Why authentication-specific

Different tools, different jobs.

Shield focuses on authentication and access flows: credential stuffing, password spray, and brute force.

"I have a WAF"

WAFs protect web traffic. Shield protects authentication flows specifically, detecting patterns in login attempts that WAFs aren't designed to catch.

"I use IP reputation lists"

IP reputation flags known bad actors. Shield detects novel attacks and shares intelligence in real time, including attacks from previously unknown IPs.

"I have MFA"

MFA prevents successful account takeover but doesn't stop credential stuffing attempts. Shield blocks the attempts before they reach your authentication system.

"We don't see many attacks"

You might not know. Most authentication attacks are silent. Shield gives visibility into what's actually hitting your login endpoints.

Collaborative. Adaptive. Curated.

Shield's shared threat intelligence and incident detection align with DORA Article 45 (threat intelligence sharing) and NIS2 Article 21(2)(e) (incident detection). See the compliance hub for complete framework mappings. Built by the team behind Mideye, protecting Nordic authentication infrastructure since 2005.