No Fail2Ban. No rate-limiting libraries. No shortcuts. Just Python, a deque, and statistics.

There is a moment every engineer dreads. You are staring at your monitoring dashboard. The request graph is vertical. Your server is on its knees. Legitimate users are getting timeouts. And somewhere out there, an attacker is running a script they downloaded in five minutes - while your defence took you zero minutes to build, because you had none.

That was the situation at cloud.ng, a rapidly growing cloud storage platform powered by Nextcloud. After a wave of suspicious activity, I was handed a mandate: build an anomaly detection engine that watches all incoming HTTP traffic in real time, learns what normal looks like, and automatically responds when something deviates. No off-the-shelf tools. No Fail2Ban. Build it from scratch.

This is the full story - every decision, every line of reasoning, every tradeoff.…