Q2 Continues to Win with F5: Thwarts 99% of Automated Attacks

Q2 is a leading provider of digital transformation solutions for financial services, serving banks, credit unions, alternative finance companies, and fintech organizations in the U.S. and internationally. As automated attacks and fraud losses explode, the company uses F5 Distributed Cloud Services to cut malicious automation by 99%. The F5 solutions deliver bot security that’s easy to manage and user insights to better fight fraud.

Challenge

Financial transactions amounting to more than $3.4 trillion passed through the Q2 platform in 2024. From its U.S. headquarters and international offices, the software solutions company serves more than 1,200 financial institutions around the world.  Its customers include more than 40% of the top 100 U.S. banks and 40% of the nation’s top 100 credit unions. Q2 provides financial transaction technologies that deliver always-on, consistent experiences to roughly 37 million consumer and commercial account holders across geographies and devices, including voice banking.  Account transactions on the Q2 platform range from balance checks to large wires for home purchases or commercial loans.

With so much money and customer trust at stake, Q2 cannot compromise on security. The U.S. Federal Trade Commission estimates annual financial fraud losses at $10 billion and growing. Account takeovers, often achieved via credential stuffing or other malicious login attempts, are responsible for a large share of the losses. By 2020, Q2 was contending with half a billion login attempts per month, 82% of them credential stuffing attacks. It couldn’t go on.

“The bad guys were consuming much of our resources,” says Lou Senko, Chief Availability Officer for Q2. “We had to scale our infrastructure to many times its original size just to be able to handle the attacks and keep them from impacting our service availability. We knew we had to change our defense strategy.”

The solution had to be sophisticated. While trust is crucial, financial services consumers are sensitive to access delays or disruptions. In addition, banks and credit unions need to frequently offer new and ever more customized user experiences while navigating tight regulatory environments. Q2 provides much of this innovation, constantly delivering new features and greater personalization. But those changes also potentially increase the attack surface, especially with nearly three-quarters of logins performed via mobile device.

The new security had to meet these challenges, minimizing false positives while shutting down unwanted traffic without impacting performance for humans. It also had to be easy to manage so Senko’s team could spend less time on defense and more on performance and new features.

Fortunately, Q2 relies on close partnerships to help it satisfy such competing demands. The F5 BIG-IP products in its data centers meant that F5 was already one of those partners.

Solution

After considering other options, Q2 adopted F5 Distributed Cloud Bot Defense. The solution is part of the Distributed Cloud Services family of SaaS-based security, networking, and application management solutions. The bot mitigation solution offers superior efficacy and the ability to scale with business growth, and it aligned with a pending Q2 shift toward a cloud-only architecture.

When Q2 first considered Distributed Cloud Bot Defense, it had a large hybrid cloud footprint using private and public clouds and data centers. Thanks in part to changing regulatory positions, it would soon begin eliminating its data centers. Hundreds of thousands of workloads would need to be moved without disrupting customers or cybersecurity. Distributed Cloud Bot Defense could provide seamless protection throughout the three-year migration, regardless of where those workloads were hosted.  Other criteria that helped Q2 choose F5 included easy implementation and management, low false positives, transparency to account holders, and overall value.

“We’re price sensitive, like anyone else,” Senko says. “We looked at competitors, but we feel F5 is the top in bot defense and therefore the strongest value for our investment. And the F5 team has always been easy to work with.” 

At implementation, the malicious traffic load on the company’s systems could exceed four million sessions per hour. Q2 set policies to control when and how the F5 solution flagged, blocked, and mitigated traffic. The results have been spectacular.

Results

Repel 99% of malicious automation

Right away, automated traffic dropped from a high of 88% of all traffic (including legitimate automation from financial services aggregators) to 3% by late 2022. 

“We were blocking nearly 40 billion sessions a year, so almost 70,000 a minute blocked from ever getting to our application service,” says Senko.

Automated traffic has continued to shrink to less than 1% today despite what Senko calls a “whirlwind” of business growth. The Q2 platform supports 22% more active users making 45% more transactions than just two years ago. Because the company increasingly serves commercial as well as consumer banks, the total dollars involved have more than doubled. Senko says, “We’re moving almost $10 million a minute.”

Nonetheless, the automated attacks that need to be blocked are down to fewer than 2,000 per minute, on average, and attack duration has also dropped by more than 90% from its peak.

“When attackers realize we’re defended, they move on,” Senko says. “And when things do pop up, F5 is quick to respond. We can make a slight tuning adjustment and deal with it. We’ve had such great success that it’s become a customer expectation.”

Protect the user experience at lower cost

Stopping bots is just the beginning. “There are a lot of eyes here on the quality of the user experience,” says Senko. Q2 tracks availability and quality to ten thousandths of a percent, with a 2024 availability average of 99.9822% across all customers. In the four years prior to implementing Distributed Cloud Bot Defense, that figure averaged 99.9312%. That improvement matters to Q2 customers, as it equates to 50% less downtime at these levels of availability. But the user experience depends on other factors, too.

“Uptime is not just that the machines are running, but that people can log in to an incredible experience and do what they meant to do without any imposed friction,” Senko says. False positives that block legitimate traffic could prevent that. However, Senko says with the F5 solution, “False positives have not been an issue for us.”

Nor has the F5 security noticeably slowed application response. Meanwhile, the more attacks Distributed Cloud Bot Defense blocks, the better the user experience. A single automated attack, even if it doesn’t result in a breach, can hinder other transactions.  

“The bad bots bring not just another 100,000 logins today but nearly 400 logins in a second,” says Senko. “So the user experience drags and components become unavailable as they’re overwhelmed.”

Overbuilding infrastructure to handle such peaks is not cost efficient. Fortunately, Senko says, “With Distributed Cloud Bot Defense, that traffic never reaches our infrastructure. The user experience isn't impacted, and the infrastructure doesn’t have to swell to deal with it. There’s a real cost benefit to us.”

Scale with agility as strategy shifts

Distributed Cloud Bot Defense has delivered consistent protection as Q2’s cloud migration nears completion. “During the hurry-up mode of our platform migration, when there was a problem, F5 was quick to identify it, jump on the phone, and fix it,” says Senko.

That’s important, since the growth in the business has not been reflected in the size of his team. “The workloads have gone up thousands of percent,” Senko says. “With our transition from the data centers, we’ll go from about 12,000 servers to 400,000 containers. We’re not adding more staff to do that. It’s all about scaling with tools and automation.” Distributed Cloud Bot Defense scales with them. 

In fact, when asked to summarize his experience with the solution, Senko mentions scale first. 

“F5 Distributed Cloud Bot Defense gives us scale, speed, and accuracy,” he says. “Without those three things, our solutions and our reputation suffer.” 

Adapt to change with flexible subscription options

Recently, Q2 further increased its agility by adopting the F5 Flexible Consumption Program (FCP). This subscription option empowers Q2 to self-license other Distributed Cloud Services or expand to new environments on demand as needs are identified.

Senko says, “We wanted to have the option to try new things F5 is working on and move our spend as our usage changes over time.” For example, his team recently deployed Distributed Cloud Data Intelligence, which helps identify unusual user behavior, login and other interaction patterns, and infrastructure characteristics that can support fraud prevention. 

Reduce fraud with enhanced data intelligence

“Fraud is exploding for our customers,” says Senko. “It's up 14% year over year and just broke $10 billion in the industry. So we’re leaning heavily now into the fraud space.” 

Distributed Cloud Data Intelligence works with existing decision tools and processes to help identify suspected fraud before it happens. It complements the hyper-personalization Q2 delivers to customers. 

“The behaviors and traits for making the experience more unique for users also help fraud detection,” explains Senko. “As we look at the F5 endpoint intelligence, we are augmenting our data about that user and session to make better decisions.”

Ideally, the result will stop fraud sooner than ever. Senko says, “If we think you’re suspect, we probably shouldn’t have let you log in in the first place, right? The intel we’re now ingesting from F5 will start blocking sessions right at the login. We’re excited to be working on that now, and I hope over time we’ll be able to measure a correlation between suspicious sessions blocked and fewer fraud events.”

The Q2 name may refer to the second quarter of a financial year, but the company’s approach to cybersecurity is positioning it for much longer into the future. Senko says, “We’re industry leaders in our uptime, our growth, and the way we use some of this technology, and we are positioned to become a billion-dollar company in the near future. F5 has been a great partner for us, and the data intelligence piece is only going to deepen the relationship.”

Benefits
  • Repel 99% of malicious automation 
  • Protect the user experience at lower cost
  • Scale with agility as strategy shifts 
  • Reduce fraud with enhanced data intelligence 

Challenges
  • Skyrocketing financial fraud 
  • Automated attacks peaking at 88% of traffic 
  • Strained availability and cybersecurity teams
  • Rapid business growth and cloud migration 
