Comment by cratermoon

3 years ago

I work in IT/AppSec, and this came to mind immediately. Implementing perfect security would be "don't connect to the internet and don't let anyone use the computer". Clearly not an option, so my job is to analyze the cost and risks against the benefits and help choose a path of balance. A specific example: we can only heuristically detect the difference between legitimate and malicious calls to the public endpoints. Is that spike in traffic trying to DDoS us, or is it close to Black Friday so customers are in go-go mode? Setting the rate limits somewhere meaningful is a tradeoff.