Timing Attack Exploitation
T15 · Human Workflow Exploitation

Review and enforcement systems have *temporal seams*: maintenance windows when controls are degraded, grace periods after a policy ships, auto-approval timers, cache TTLs during config rollouts, quota-reset boundaries, and timezone edge cases in scheduling logic. Timing Attack Exploitation lands a request precisely in one of these windows, so the human-in-the-loop check is absent, weakened, or fails open by default. Unlike fatigue (which degrades reviewer attention) this technique targets *system state* — the gate is momentarily off or misconfigured regardless of how alert the humans are.
- Window-correlated outcome monitoring: Track approval/bypass rates during maintenance, deploys, grace periods, and incidents; spikes localized to these windows indicate timing exploitation.
- Auto-disposition during transitions: Alert when fail-open auto-approvals or stale-policy decisions occur during config rollouts or maintenance.
- Submission-timing anomaly detection: Flag submitters whose activity clusters precisely at reset boundaries, deploy times, or known maintenance schedules.
- Quota double-dip detection: Detect usage patterns straddling reset boundaries that exceed intended per-period limits.
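The four detections above, written out over a constructed approval-gate log. This is an added example and not code from the original page: the event schema (`ts`, `submitter`, `decided_by`, `decision`, `reason`), the maintenance schedule, the per-day quota of 100 units resetting at midnight UTC, and the thresholds are all assumptions chosen for illustration. Each function returns the entities it flags, so the same logic can be pointed at a real log export.

```python
"""Detection sketches for timing-window exploitation of approval gates.

Added example, not from the original page. The log schema, the maintenance
windows, the quota policy and every threshold below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' string as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed: windows in which the policy service was degraded (maintenance / rollout).
MAINTENANCE_WINDOWS = [
    (ts("2024-03-01T02:00"), ts("2024-03-01T02:30")),
    (ts("2024-03-01T14:00"), ts("2024-03-01T14:15")),
]

# Constructed approval-gate events. 'auto' with reason 'policy_unavailable' is the
# fail-open path: the gate approved because it could not reach its policy.
EVENTS = [
    {"ts": ts("2024-03-01T01:10"), "submitter": "alice",   "decided_by": "human", "decision": "approved"},
    {"ts": ts("2024-03-01T02:05"), "submitter": "mallory", "decided_by": "auto",  "decision": "approved", "reason": "policy_unavailable"},
    {"ts": ts("2024-03-01T02:12"), "submitter": "mallory", "decided_by": "auto",  "decision": "approved", "reason": "policy_unavailable"},
    {"ts": ts("2024-03-01T02:20"), "submitter": "bob",     "decided_by": "auto",  "decision": "approved", "reason": "policy_unavailable"},
    {"ts": ts("2024-03-01T09:30"), "submitter": "alice",   "decided_by": "human", "decision": "denied"},
    {"ts": ts("2024-03-01T10:45"), "submitter": "bob",     "decided_by": "human", "decision": "approved"},
    {"ts": ts("2024-03-01T14:03"), "submitter": "mallory", "decided_by": "auto",  "decision": "approved", "reason": "policy_unavailable"},
    {"ts": ts("2024-03-01T16:00"), "submitter": "mallory", "decided_by": "human", "decision": "denied"},
    {"ts": ts("2024-03-01T17:20"), "submitter": "alice",   "decided_by": "human", "decision": "approved"},
]

# Constructed usage log: (timestamp, submitter, units) against a 100-unit daily quota
# that resets at 00:00 UTC.
USAGE = [
    (ts("2024-03-01T23:50"), "mallory", 90),
    (ts("2024-03-02T00:05"), "mallory", 90),
    (ts("2024-03-01T12:00"), "alice", 40),
    (ts("2024-03-02T12:00"), "alice", 40),
]


def in_window(t, windows):
    """True if t falls inside any [start, end) degraded window."""
    return any(start <= t < end for start, end in windows)


def auto_dispositions_in_windows(events, windows=MAINTENANCE_WINDOWS):
    """Auto-disposition during transitions: non-human decisions taken while a window was open."""
    return [e for e in events if e["decided_by"] == "auto" and in_window(e["ts"], windows)]


def auto_approval_rates(events, windows=MAINTENANCE_WINDOWS):
    """Window-correlated outcome monitoring: auto-approval rate inside vs outside windows."""
    def rate(group):
        if not group:
            return 0.0
        hits = sum(1 for e in group if e["decided_by"] == "auto" and e["decision"] == "approved")
        return hits / len(group)
    inside = [e for e in events if in_window(e["ts"], windows)]
    outside = [e for e in events if not in_window(e["ts"], windows)]
    return rate(inside), rate(outside)


def window_clustered_submitters(events, windows=MAINTENANCE_WINDOWS, min_events=3, min_fraction=0.6):
    """Submission-timing anomaly: submitters whose activity concentrates in degraded windows.

    min_events keeps a single coincidental submission from flagging a low-volume account.
    """
    total, hits = defaultdict(int), defaultdict(int)
    for e in events:
        total[e["submitter"]] += 1
        if in_window(e["ts"], windows):
            hits[e["submitter"]] += 1
    return sorted(s for s in total if total[s] >= min_events and hits[s] / total[s] >= min_fraction)


def quota_double_dips(usage, limit=100, straddle=timedelta(minutes=30)):
    """Quota double-dip: usage within `straddle` on both sides of a daily reset that exceeds `limit`.

    Per-period accounting sees two compliant periods; a sliding window across the
    boundary sees the combined burst. Returns {submitter: largest straddling total}.
    """
    by_sub = defaultdict(list)
    for t, sub, units in usage:
        by_sub[sub].append((t, units))
    flagged = {}
    for sub, items in by_sub.items():
        first = min(t for t, _ in items)
        last = max(t for t, _ in items)
        # Walk every midnight-UTC reset boundary between the first and last event.
        boundary = first.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(days=1)
        while boundary <= last:
            total = sum(u for t, u in items if boundary - straddle <= t < boundary + straddle)
            if total > limit:
                flagged[sub] = max(flagged.get(sub, 0), total)
            boundary += timedelta(days=1)
    return flagged


if __name__ == "__main__":
    print("fail-open decisions in windows:", len(auto_dispositions_in_windows(EVENTS)))
    print("auto-approval rate inside/outside:", auto_approval_rates(EVENTS))
    print("window-clustered submitters:", window_clustered_submitters(EVENTS))
    print("quota double-dips:", quota_double_dips(USAGE))
```

On the constructed data every auto decision lands inside a window, the inside/outside auto-approval rates are 1.0 versus 0.0, `mallory` is the only submitter with three or more events and a majority of them in windows, and `mallory`'s two 90-unit bursts 15 minutes apart across the reset add up to 180 against a 100-unit limit. The `straddle` width is the knob to tune: it should be at least as wide as the jitter in when your reset actually fires.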
Timing attacks are the system-state counterpart to T15-AT-001 (fatigue) and T15-AT-006 (queue) — together they let an attacker choose the exact moment and posture of the gate. The auto-approval and incident vectors overlap those techniques directly.