Slack has launched a new security system called Anomaly Event Response (AER) to detect and respond to suspicious activity in real time. The system is designed to reduce the time between detection and mitigation, helping organizations prevent potential security breaches before they escalate.
AER is a native security feature that autonomously identifies high-confidence threat actor behaviors on the Slack platform. When suspicious activity is detected, the system can automatically terminate the associated user sessions, reducing the security detection and response gap from potential days or hours to minutes.
Slack engineers Nathan Lehotsky and Ryan Persaud emphasized the company’s approach to security:
Trust is our number one core value. We believe security is a shared responsibility between us and our customers by empowering them with data and tools to build security solutions while also fostering a secure platform and neutralizing threats.
The architecture of Anomaly Event Response consists of three main components: a detection engine, a decision framework, and a response orchestrator. The detection engine continuously monitors billions of Slack events daily, applying rule-based heuristics and dynamic thresholds tailored to each organization’s usage patterns. It identifies unusual activities such as logins from Tor exit nodes, rapid file downloads, excessive API calls, session fingerprint mismatches, and non-standard user agents.
Slack AER System Architecture (Source: Slack Engineering Blog Post)
When a potential threat is detected, the decision framework validates the anomaly against internal rules and the organization’s configuration. This step reduces false positives and ensures that only genuine threats trigger automated actions. The response orchestrator then executes pre-defined actions, including terminating affected sessions, generating audit logs, and notifying relevant security teams. Notification logic ensures alerts are not duplicated for users holding multiple roles, keeping incident response manageable.
Slack provides comprehensive audit logs to Enterprise customers, recording when entities take actions on the platform. AER extends this with anomaly audit logs, which automatically link detected anomalies to responses. While full integration into broader security solutions may not be feasible for all organizations, AER offers an out-of-the-box solution for Enterprise Grid customers, usable independently or as part of a larger security strategy.
According to Slack engineers, the system is configurable, allowing organizations to determine which types of anomalies require automated responses and which are only logged. Audit logs maintain a complete history of each detected anomaly and the corresponding automated response, helping organizations investigate incidents, verify actions, and maintain compliance with internal policies or regulatory requirements.
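As an added illustration (not Slack's code; the article does not publish AER's implementation), the following Python sketch models the three-stage pipeline described above: rule heuristics plus a per-organization dynamic threshold, a configuration-driven decision that maps each anomaly kind to "terminate" or "log_only", and an orchestrator that terminates sessions, records an audit entry linked to its anomaly, and notifies a person only once even when they hold several roles. All events, thresholds, role assignments and contacts are constructed for the example.

```python
from collections import Counter

# Constructed sample data (not real Slack events or configuration).
EVENTS = [
    {"user": "U1", "session": "S1", "type": "login", "tor_exit": True},
    {"user": "U2", "session": "S2", "type": "login", "tor_exit": False},
] + [{"user": "U2", "session": "S2", "type": "file_download"}] * 40

ORG_CONFIG = {
    "baseline_downloads_per_session": 10,  # assumed per-org usage baseline
    "threshold_multiplier": 3,             # dynamic threshold = baseline * multiplier
    "actions": {"tor_exit_login": "terminate", "rapid_file_download": "log_only"},
    # Security contacts by role; one person may hold several roles.
    "roles": {"owner": ["admin@example"], "security_admin": ["admin@example", "soc@example"]},
}


def detect(events, cfg):
    """Detection engine: fixed rule heuristics plus a per-org dynamic threshold."""
    anomalies = []
    for e in events:
        if e["type"] == "login" and e.get("tor_exit"):
            anomalies.append({"kind": "tor_exit_login", "user": e["user"], "session": e["session"]})
    downloads = Counter((e["user"], e["session"]) for e in events if e["type"] == "file_download")
    limit = cfg["baseline_downloads_per_session"] * cfg["threshold_multiplier"]
    for (user, session), n in downloads.items():
        if n > limit:
            anomalies.append({"kind": "rapid_file_download", "user": user, "session": session, "count": n})
    return anomalies


def decide(anomaly, cfg):
    """Decision framework: the org config chooses the response; unknown kinds are only logged."""
    return cfg["actions"].get(anomaly["kind"], "log_only")


def respond(anomalies, cfg):
    """Response orchestrator: terminate sessions, write linked audit entries, notify once per person."""
    terminated, audit, notify = set(), [], set()
    for i, a in enumerate(anomalies):
        action = decide(a, cfg)
        if action == "terminate":
            terminated.add(a["session"])
            for contacts in cfg["roles"].values():
                notify.update(contacts)  # a set dedupes a person holding multiple roles
        audit.append({"anomaly_id": i, "kind": a["kind"], "session": a["session"], "response": action})
    return terminated, audit, sorted(notify)


def run(events=EVENTS, cfg=ORG_CONFIG):
    return respond(detect(events, cfg), cfg)
```

Running `run()` terminates only the Tor-exit login session, records the rapid-download anomaly as log-only, and notifies each contact once.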
As per the Slack engineering team, AER’s approach reduces the need for manual intervention, improves transparency, and ensures that security actions are fully auditable. By bridging detection and automated response, the system allows security teams to focus on higher-priority investigations while routine anomalies are handled efficiently.
