Hackers use smart tools these days. There is a growing breed of attacks that routinely bypass the web application firewall (WAF), the first line of defence at most internet sites. These attacks appear legitimate to a WAF. So how do you catch a sophisticated web attacker posing as a legitimate client? One answer is to look for inconsistencies in their story.