How-to
Challenge Solving Detector
Detect when attackers upgrade tooling to solve WAF challenges after being blocked.
What it detects
The challenge solving detector catches post-mitigation evasion. After you apply a WAF rule that blocks or challenges an ASN, the attacker may upgrade their tooling to solve the challenges. The signal: same ASN, but the ratio of successful responses (2xx) from previously challenged traffic increases significantly.
How it works
Uses a two-window comparison (like Slow Burn):
- Baseline (24h): calculates the solve rate for challenged requests per ASN
- Current (2h): calculates the same metrics
- Trips when the solve rate has increased by the configured percentage AND the ASN had significant challenge activity in the baseline
Requirements
This detector uses the SecurityActions field from SFCC eCDN Logpush (or FirewallMatchesActions for direct Cloudflare Logpush). If your Logpush job doesn't include this field, the detector gracefully degrades (never trips). We recommend adding SecurityActions to your Logpush field selection for full detection coverage.
Default thresholds
| Threshold | Default | Description |
|---|---|---|
| current_window_hours | 2 | Current evaluation window (hours) |
| baseline_window_hours | 24 | Baseline comparison window (hours) |
| min_challenged_requests | 100 | Minimum challenged requests in the baseline window |
| solve_rate_increase_pct | 50 | Trip when the solve rate increases by this % over baseline |
| min_requests | 1000 | Volume floor (minimum requests per ASN) |
Severity
- Warning: solve rate increase of 50-200%
- Critical: solve rate increase > 200%
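The two-window comparison, threshold checks, severity bands and the graceful-degradation rule above, worked through as an added Python example (this is illustrative code written for this page, not the detector's own implementation). It assumes Logpush records already parsed into dicts with the Cloudflare HTTP request field names `EdgeStartTimestamp` (as a `datetime`), `ClientASN`, `EdgeResponseStatus` and `SecurityActions` (falling back to `FirewallMatchesActions`); the set of action names treated as "challenge" is an assumption to check against your own field values, the baseline window is assumed to be the 24 hours immediately before the current window, `min_requests` is assumed to apply to the ASN's total traffic in the current window, and a 0% baseline solve rate is assumed to produce no finding because no relative increase can be computed from it. The sample records and ASNs (from the documentation range) are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Default thresholds as listed on this page.
DEFAULTS = {
    "current_window_hours": 2,
    "baseline_window_hours": 24,
    "min_challenged_requests": 100,
    "solve_rate_increase_pct": 50,
    "min_requests": 1000,
}

# Assumption: these action names mean "the request was challenged".
CHALLENGE_ACTIONS = {"challenge", "jschallenge", "managed_challenge"}


@dataclass
class Finding:
    asn: int
    baseline_rate: float
    current_rate: float
    increase_pct: float
    severity: str


def is_challenged(record):
    """True/False if the record carries a security-actions field, None if absent."""
    actions = record.get("SecurityActions")
    if actions is None:
        actions = record.get("FirewallMatchesActions")
    if actions is None:
        return None
    if isinstance(actions, str):  # tolerate a comma-joined export
        actions = actions.split(",")
    return any(a.strip() in CHALLENGE_ACTIONS for a in actions)


def window_stats(records, start, end):
    """Per-ASN totals for records with start <= timestamp < end."""
    stats = defaultdict(lambda: {"total": 0, "challenged": 0, "solved": 0})
    field_present = False
    for r in records:
        if not (start <= r["EdgeStartTimestamp"] < end):
            continue
        s = stats[r["ClientASN"]]
        s["total"] += 1
        challenged = is_challenged(r)
        if challenged is None:
            continue
        field_present = True
        if challenged:
            s["challenged"] += 1
            if 200 <= r["EdgeResponseStatus"] < 300:  # challenge was solved
                s["solved"] += 1
    return stats, field_present


def detect(records, now, thresholds=DEFAULTS):
    cur_start = now - timedelta(hours=thresholds["current_window_hours"])
    base_start = cur_start - timedelta(hours=thresholds["baseline_window_hours"])
    base, base_has_field = window_stats(records, base_start, cur_start)
    cur, cur_has_field = window_stats(records, cur_start, now)
    if not (base_has_field and cur_has_field):
        return []  # graceful degradation: actions field missing, never trip
    findings = []
    for asn, c in cur.items():
        b = base.get(asn)
        if b is None or b["challenged"] < thresholds["min_challenged_requests"]:
            continue  # not enough challenge activity in the baseline
        if c["total"] < thresholds["min_requests"]:
            continue  # below the volume floor
        if c["challenged"] == 0 or b["solved"] == 0:
            continue  # assumption: no relative increase from a 0% baseline
        base_rate = b["solved"] / b["challenged"]
        cur_rate = c["solved"] / c["challenged"]
        increase = (cur_rate - base_rate) / base_rate * 100
        if increase < thresholds["solve_rate_increase_pct"]:
            continue
        severity = "critical" if increase > 200 else "warning"
        findings.append(Finding(asn, base_rate, cur_rate, increase, severity))
    return findings


# Constructed sample traffic. ASN 64496: 10% solve rate in baseline, 40% now.
# ASN 64497: high current solve rate but too little baseline challenge activity.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def make_records(asn, when, total, challenged, solved):
    out = []
    for i in range(total):
        rec = {"EdgeStartTimestamp": when, "ClientASN": asn,
               "EdgeResponseStatus": 200, "SecurityActions": []}
        if i < challenged:
            rec["SecurityActions"] = ["managed_challenge"]
            rec["EdgeResponseStatus"] = 200 if i < solved else 403
        out.append(rec)
    return out


SAMPLE = (
    make_records(64496, NOW - timedelta(hours=10), 1500, 400, 40)
    + make_records(64496, NOW - timedelta(hours=1), 1200, 300, 120)
    + make_records(64497, NOW - timedelta(hours=10), 500, 50, 5)
    + make_records(64497, NOW - timedelta(hours=1), 1200, 300, 200)
)


def run_example():
    return detect(SAMPLE, NOW)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

Only ASN 64496 trips: its solve rate moved from 10% to 40%, a 300% increase, which lands in the critical band. ASN 64497 has a steeper jump but only 50 challenged requests in the baseline, below `min_challenged_requests`, so it produces no finding. Stripping the `SecurityActions` field from every record makes `detect` return nothing, which is the degradation behaviour the Requirements section describes.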