How-to
Cache Bypass Detector
Detect ASNs whose request mix bypasses your cache at an abnormal rate, indicating origin abuse.
What it detects
Catches ASNs whose cache outcome mix deviates from the site's healthy baseline. An attacker hammering uncacheable URLs (or using cache-busting query parameters) shifts their mix to mostly miss/dynamic — even when the global cache mix still looks healthy.
How it works
The detector compares each ASN's bypass ratio (miss + dynamic + none + expired as a share of total) against the site's baseline bypass ratio multiplied by a configurable factor.
Important for SFCC: the baseline is calibrated automatically from the source's real traffic (after 4 hours). SFCC sites naturally have 50–60% bypass because storefront pages (/on/demandware.store) are dynamic by design. The detector accounts for this — it only trips when an ASN's bypass rate is dramatically above the site's natural level.
Default thresholds
| Parameter | Default | Description |
|---|---|---|
| window_minutes | 10 | Evaluation window |
| multiplier | 3 | Trip when bypass ratio > baseline × this |
| min_requests | 5,000 | Volume floor |
Baseline source
Uses baseline_cache_hit_ratio from the source row. Auto-calibrated after 4 hours of real data. When no baseline exists, defaults to 0.30 (30% bypass assumed healthy).
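The rule above, applied to one evaluation window, as an added example that is not the product's own code. It assumes per-window rows shaped as (asn, cache_outcome, requests), treats the baseline as a bypass ratio as the 0.30 default describes it, and uses constructed counts with documentation-range ASNs. It also reports whether the computed threshold stays below 1.0, since a ratio cannot exceed that value.

```python
from collections import Counter

BYPASS_OUTCOMES = {"miss", "dynamic", "none", "expired"}  # counted as bypass per the page
DEFAULT_BASELINE = 0.30  # page default when no calibrated baseline exists
MULTIPLIER = 3           # default multiplier
MIN_REQUESTS = 5000      # default volume floor

# Constructed per-window counts: (asn, cache_outcome, requests). ASNs are from
# the documentation range; "hit" as the cached outcome label is an assumption.
SAMPLE_WINDOW = [
    (64496, "hit", 8000), (64496, "miss", 1500), (64496, "dynamic", 500),
    (64497, "hit", 300), (64497, "miss", 4000), (64497, "dynamic", 2700),
    (64498, "miss", 4000), (64498, "dynamic", 900),
]

def evaluate(rows, baseline=None, multiplier=MULTIPLIER, min_requests=MIN_REQUESTS):
    """Apply 'bypass ratio > baseline x multiplier' to one evaluation window."""
    baseline = DEFAULT_BASELINE if baseline is None else baseline
    threshold = baseline * multiplier
    total, bypass = Counter(), Counter()
    for asn, outcome, count in rows:
        total[asn] += count
        if outcome.lower() in BYPASS_OUTCOMES:
            bypass[asn] += count
    tripped = {}
    for asn, n in total.items():
        if n < min_requests:
            continue  # below the volume floor: ignored however skewed the mix
        ratio = bypass[asn] / n
        if ratio > threshold:
            tripped[asn] = round(ratio, 3)
    # A ratio is a share of total and cannot exceed 1.0, so a threshold at or
    # above 1.0 can never be crossed with these settings.
    return {"threshold": threshold, "reachable": threshold < 1.0, "tripped": tripped}

if __name__ == "__main__":
    print(evaluate(SAMPLE_WINDOW))                 # uncalibrated default baseline
    print(evaluate(SAMPLE_WINDOW, baseline=0.55))  # baseline in the SFCC range
```

With a baseline in the 50–60% range and the default multiplier, the computed threshold is above 1.0, so check the multiplier against the calibrated baseline when tuning.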
SFCC path awareness
With the SFCC-aware path normaliser, the detector can distinguish "ASN browsing product pages (expected 100% bypass on /on/demandware.store)" from "ASN hammering /dw/image at 60% bypass (real attack — images should be cached)."