Chapter 5
Detectors and Alerts
How the eleven detectors work and what to do when an alert fires.
Last updated 26 April 2026
The eleven detectors
Edge runs eleven detectors across three cron tiers:
| Detector | What it catches | Cron |
|---|---|---|
| ASN Spike | Sudden traffic surge from one network | Every minute |
| 499 Rate | High client-closed-connection ratio | Every minute |
| Cache Bypass | Abnormal cache-miss ratio from one network | Every minute |
| UA Rotation | Too many user-agent families from one network | Every minute |
| Slow Burn | Gradual escalation over weeks | Hourly |
| Bot Score | High ratio of automated traffic from a single network | Hourly |
| TLS Weak Protocol | Deprecated TLS 1.0/1.1 or unencrypted traffic | Hourly |
| Path Entropy | Systematic catalogue crawling with even path distribution | Hourly |
| Challenge Solving | Post-mitigation evasion (upgraded tooling solving WAF challenges) | Hourly |
| Operation Fingerprint | Known-bad scraping behaviour from new networks | Hourly |
| Certificate Expiry | SSL/TLS certificates approaching expiry | Daily |
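
To make "even path distribution" in the Path Entropy row concrete, here is an added example (not Edge's own code) that scores each network's request paths by normalised Shannon entropy, one common way to measure evenness. The function names, the three limits and the sample ASNs (taken from the documentation range) are assumptions of this sketch.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (asn, request path) pairs; not real traffic.
SAMPLE = (
    [("AS64500", f"/product/{i}") for i in range(40)]           # every catalogue page once
    + [("AS64501", "/")] * 60 + [("AS64501", "/search")] * 20   # browsing: a few hot pages
    + [("AS64501", f"/product/{i}") for i in range(20)]         # plus a long tail
    + [("AS64502", f"/product/{i}") for i in range(3)]          # too few requests to judge
)

def normalised_entropy(paths):
    """Shannon entropy of the path distribution divided by log2(distinct paths).
    1.0 means every path was requested equally often; 0.0 means a single path."""
    counts = Counter(paths)
    if len(counts) < 2:
        return 0.0
    total = sum(counts.values())
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def path_entropy_alerts(events, min_requests=30, min_paths=20, threshold=0.95):
    """Return {dimension_key: score} for networks whose traffic is broad and even.
    All three limits are assumed values, not the product's thresholds."""
    by_asn = defaultdict(list)
    for asn, path in events:
        by_asn[asn].append(path)
    alerts = {}
    for asn, paths in by_asn.items():
        if len(paths) < min_requests or len(set(paths)) < min_paths:
            continue  # too little volume or breadth for the ratio to mean anything
        score = normalised_entropy(paths)
        if score >= threshold:
            alerts[f"asn:{asn}"] = round(score, 3)
    return alerts

if __name__ == "__main__":
    print(path_entropy_alerts(SAMPLE))
```

The volume and breadth floors matter as much as the score: a network that requests three pages once each also has a normalised entropy of 1.0, which is why it is skipped rather than flagged.
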
When an alert fires
- The detector opens an alert in D1 with status "open"
- Notifications are sent via email and/or webhook (based on your routing config)
- The alert appears on the Alerts page and the Overview active alerts panel
- Each subsequent cron tick updates the alert's current value
Investigating an alert
Click the alert to see its dimension key (e.g. asn:AS45899), then:
- Go to Offenders — search for the ASN by number or organisation name, or use the "Alerts: Has open alerts" filter to surface only ASNs with active alerts
- Check the enrichment: org name, country flag, sparkline trend, BPR, and bypass tier tell you whether this is a consumer ISP, a cloud provider, or a VPN/proxy
- Click into the ASN detail page to see the stacked timeseries (compare against the site-wide baseline), cache breakdown, UA anomaly flags, per-path bypass rates, and similar ASNs
- Export the ASN's full profile as JSON for your records or to share with your security team
- Decide whether to block the ASN in your WAF, Cloudflare firewall rules, or pin it for continued monitoring
Alert lifecycle
- Open -- detector is currently tripping
- Acknowledged -- an operator has seen it (manual action via the Alerts page)
- Resolved -- the condition has cleared (automatic) or an operator resolved it manually