One of the most difficult things to do today is to identify a legitimate user. Part of the problem is that the definition of a legitimate user depends greatly on the application. Your public-facing website, for example, may loosely define legitimate as “can open a TCP connection and send an HTTP request”, while a business-facing ERP or CRM system requires valid credentials and group membership, as well as device or even network restrictions.