---
title: Real-time API deception attack blocking
description: API Security Enforcer (ASE) detects any client probing a decoy application programming interface (API). When a client probes an out-of-context decoy API, ASE logs but does not drop the client connection. However, if the same client tries to access a legitimate path in the in-context decoy API, then ASE blocks the client in real-time.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_inline_real_time_api_deception_attack_blocking
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_inline_real_time_api_deception_attack_blocking.html
revdate: June 5, 2024
---

# Real-time API deception attack blocking

API Security Enforcer (ASE) detects any client probing a decoy application programming interface (API) *(tooltip: \<div class="paragraph">
\<p>A specification of interactions available for building software to access an application or service.\</p>
\</div>)*. When a client probes an out-of-context decoy API, ASE logs but does not drop the client connection. However, if the same client tries to access a legitimate path in the in-context decoy API, then ASE blocks the client in real-time.

Here is a snippet of an ASE access log file showing real-time decoy blocking:

```
[Tue Aug 14 22:51:49:707 2018] [thread:209] [info] [connectionid:1804289383] [connectinfo:100.100.1.1:36663] [type:connection_drop] [api:decoy] [request_payload_length:0] GET /decoy/test/test HTTP/1.1
User-Agent: curl/7.35.0
Accept: /
Host: app
```

The blocked client is added to the deny list which can be viewed by running the `view_blacklist` CLI command:

```
/opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist
Realtime Decoy Blacklist
1) type : ip, value : 100.100.1.1
```