Credential stuffing rarely looks like a single loud burst. It is usually a slow drizzle across many accounts.
Watch for high-entropy user-agents, shifting IP ranges, and consistent timing between attempts.
The most reliable controls are rate limits, MFA, and passwordless options for high-value roles.
After containment, prioritize user notifications and credential resets for impacted identities.