Here's a thing that happened to a mid-sized SaaS last year: They had rate limiting. They had CAPTCHA on failed attempts. They had account lockout after 10 failures. Their security posture, by most checklists, was "reasonable."

Over 47 days, 2.3 million credential pairs were tested against their login endpoint. Zero lockouts triggered. Zero CAPTCHAs served. Zero alerts fired.

The reason isn't a zero-day. It isn't some exotic bypass. It's something so structurally simple that once you see it, you can't unsee it — and you'll look at your own auth implementation differently.

The Velocity Gap

The entire architecture of brute-force and credential stuffing defense is built on one assumption: attacks are fast. Lock out after N failures. Rate limit per IP. Detect anomalous request volumes. All of it assumes the attacker is in a hurry.

They're not.…
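To make the gap concrete, here is an added Python example (not code from the original post) run over constructed log data: a textbook per-IP velocity detector catches a 20-failure burst from one address but sees nothing in a 200-address campaign that makes one attempt each, six minutes apart, while a long-window detector keyed on the share of "one-and-done" failures flags the slow campaign. The event shape, IP ranges and thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample auth log (not from any real system): (t_seconds, ip, username, success)
def make_events(with_burst=True):
    events = []
    # Low-and-slow stuffing: 200 source IPs, one failed attempt each, six minutes apart
    for i in range(200):
        events.append((i * 360, f"198.51.100.{i}", f"user{i:04d}", False))
    # Legitimate logins: 30 users succeeding from their own addresses during the same day
    for i in range(30):
        events.append((3600 + i * 1200, f"10.0.{i}.1", f"staff{i:02d}", True))
    if with_burst:  # a classic fast brute force: one IP, 20 failures in two minutes
        events += [(50000 + j * 6, "192.0.2.77", "admin", False) for j in range(20)]
    return sorted(events)

def per_ip_velocity_alerts(events, window=300, threshold=5):
    """Velocity detector: alert on any IP with >= threshold failures inside `window` seconds."""
    recent = defaultdict(deque)
    alerts = set()
    for t, ip, _user, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(ip)
    return alerts

def low_and_slow_alerts(events, window=86400, min_failures=50, single_ratio=0.8):
    """Velocity-agnostic detector: per long window, count failures and the share of them
    coming from IPs that made exactly one attempt. Many one-and-done failures from many
    addresses is the signature of a distributed campaign that never trips per-IP limits."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    alerts = []
    for b, evs in sorted(buckets.items()):
        attempts = defaultdict(int)
        for _t, ip, _user, _ok in evs:
            attempts[ip] += 1
        failures = [ev for ev in evs if not ev[3]]
        single = sum(1 for ev in failures if attempts[ev[1]] == 1)
        if len(failures) >= min_failures and single / len(failures) >= single_ratio:
            alerts.append(b)  # window index in which the slow campaign was visible
    return alerts
```

With the burst removed, the per-IP detector returns nothing at all, which is exactly the outcome described above; the long-window detector still flags day 0.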