🛡️ Building Slack’s Anomaly Event Response System
Beyond Detection: Security That Works While You Do
TL;DR 🚀
Slack built Anomaly Event Response (AER) — a native security system that:
Detects anomalies across billions of daily events.
Decides what’s suspicious using org-specific baselines.
Responds automatically by killing bad sessions, logging it, and notifying admins.
This closes the detection → response gap from hours/days down to minutes.
The design is worth studying because it shows how to combine real-time detection, adaptive thresholds, automation, and transparency into one elegant loop.
Why This Matters 🔑
Think of enterprise security as a house alarm. Most alarms today:
Detect someone breaking a window.
Send a notification.
Wait for a human to check cameras and call police.
By then, the burglar might be in the kitchen making a sandwich 🥪.
AER is different: it doesn’t just alert; it locks the doors, kicks the intruder out, and then calls you, all in a few minutes.
For companies with millions of users and billions of daily interactions, that’s the difference between losing sensitive data and sleeping easy.
For engineers like us, it’s a case study in closing feedback loops at scale.
Shared Responsibility 🧩
Slack handles enormous scale — tens of millions of users, billions of events — but also recognizes that every org has a different threat model.
So they split the responsibility:
Slack’s part → Detect suspicious stuff, build protective automation.
Customer’s part → Configure which events are critical, and integrate with their bigger security stack if needed.
This “shared responsibility” design keeps it flexible:
Startups get out-of-the-box defense.
Enterprises can layer custom security on top.
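The detect → decide → respond loop from the TL;DR, combined with the customer-side "which events are critical" setting from the shared-responsibility split, as an added Python sketch. This is not Slack's AER code: the mean-plus-sigma baseline rule, the count floor, and the org, user and event names are all assumptions constructed for the demo.

```python
# Added example (not Slack's AER code): a detect -> decide -> respond loop scored
# against per-org baselines. The rule, the floor and the sample data are assumptions.
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class OrgPolicy:                  # customer-side config for one org
    critical_events: set          # event types that get automatic response
    history: dict                 # (user, event) -> past hourly counts in this org
    sigma: float = 3.0            # adaptive threshold = mean + sigma * stdev
    min_floor: int = 20           # never act on tiny counts, however "unusual"

@dataclass
class Responder:                  # platform-side automation
    killed: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    def respond(self, org, user, event, count, critical):
        if critical:              # only org-designated critical events get the kill
            self.killed.append((org, user))
            self.notifications.append(f"{org}: terminated {user} after {count} {event}")
        self.audit_log.append({"org": org, "user": user, "event": event,
                               "count": count, "action": "kill" if critical else "log"})

def is_anomalous(policy, user, event, count):
    # Decide against the org's own baseline, not a global threshold.
    hist = policy.history.get((user, event), [])
    if len(hist) < 5 or count < policy.min_floor:   # too little history or too small
        return False
    return count > mean(hist) + policy.sigma * pstdev(hist)

def process_window(org, policy, window_counts, responder):
    # Run one window of per-user event counts through detect -> decide -> respond.
    decisions = []
    for (user, event), count in window_counts.items():
        if is_anomalous(policy, user, event, count):
            critical = event in policy.critical_events
            responder.respond(org, user, event, count, critical)
            decisions.append((user, event, critical))
    return decisions

# Constructed sample org "acme"; the hourly counts are made up for the demo.
ACME = OrgPolicy(critical_events={"file_download"},
                 history={("alice", "file_download"): [3, 5, 4, 6, 2],
                          ("bob", "message_post"): [50, 60, 55, 45, 40],
                          ("carol", "login"): [1, 1, 1, 1, 1]})
WINDOW = {("alice", "file_download"): 40,   # spike on a critical event -> kill + notify
          ("bob", "message_post"): 100,     # spike, but not critical -> log only
          ("carol", "login"): 10}           # under the floor -> ignored

def run_demo():
    responder = Responder()
    return process_window("acme", ACME, WINDOW, responder), responder
```

Note that a user with no history in this org produces no decision at all: an adaptive threshold needs a baseline before it can say anything, which is why the floor and the minimum-history check matter as much as the sigma rule.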
Design Philosophy 🎯