Implement rate limiting at the API gateway to cap requests by IP, user, or token, slowing brute force attacks while preserving availability for legitimate clients.