Last year I got paged at 2am because someone was brute-forcing SSH on one of my servers. I woke up, fumbled for my phone, opened the dashboard, confirmed it was real, and banned the IP. By the time I did that — maybe 4 minutes — they'd tried 3,800 passwords.

They didn't get in. But that's not the point.

The point is: why did that require a human?

The pattern was unambiguous. High-frequency auth failures from a single IP, no prior connection history, no valid user account targeted. An intern could have made that call. So why was I woken up at 2am to rubber-stamp a decision that was already obvious?

That question is why I built Watch Cortex.
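
The three signals named above (high-frequency auth failures from a single IP, no prior connection history, no valid user account targeted) can be checked mechanically. The sketch below is an added example, not Watch Cortex code: the log lines are constructed, and `WINDOW`, `MAX_FAILURES`, `auto_ban_candidates` and the `_fail` helper are hypothetical names and values chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune to your own baseline.
WINDOW = timedelta(seconds=60)
MAX_FAILURES = 5

# Matches sshd "Failed/Accepted <method> for [invalid user ]<user> from <ip> port <n>"
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def auto_ban_candidates(lines):
    """Return IPs showing all three signals, in order of first detection.
    Expects chronologically ordered lines with ISO-8601 timestamps."""
    known_good = set()           # IPs with an earlier accepted login
    hit_valid = set()            # IPs that targeted an account sshd treats as valid
    recent = defaultdict(deque)  # ip -> failure timestamps inside WINDOW
    flagged = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Accepted":
            known_good.add(ip)
            continue
        if not m["invalid"]:     # sshd did not mark the user invalid
            hit_valid.add(ip)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if (len(q) >= MAX_FAILURES and ip not in known_good
                and ip not in hit_valid and ip not in flagged):
            flagged.append(ip)
    return flagged

def _fail(sec, user, ip, invalid=True):
    # Builds one constructed sshd failure line.
    tag = "invalid user " if invalid else ""
    return (f"2024-03-10T02:00:{sec:02d} web1 sshd[911]: "
            f"Failed password for {tag}{user} from {ip} port 40000 ssh2")

# Constructed sample: one scanner, one known user mistyping, one unknown IP hitting a real account.
SAMPLE = (
    ["2024-03-09T18:00:00 web1 sshd[800]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2"]
    + [_fail(s, "admin", "203.0.113.7") for s in range(6)]
    + [_fail(s, "alice", "198.51.100.4", invalid=False) for s in range(10, 16)]
    + [_fail(s, "alice", "192.0.2.9", invalid=False) for s in range(20, 26)])
```

Only the address that matches all three signals is returned; the other two cases in the sample fall outside the unambiguous pattern and are left for a human to review.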