Last year I got paged at 2am because someone was brute-forcing SSH on one of my servers. I woke up, fumbled for my phone, opened the dashboard, confirmed it was real, and banned the IP. By the time I did that — maybe 4 minutes — they'd tried 3,800 passwords. They didn't get in. But that's not the point. The point is: why did that require a human? The pattern was unambiguous. High-frequency auth failures from a single IP, no prior connection history, no valid user account targeted. An intern coul