Slow Burn Detector
Detect gradual traffic escalation over days and weeks that evades short-window detectors.
1 min read · Last updated 26 April 2026
What it detects
Catches the "boiling frog" — a scraper that slowly ramps up traffic to avoid triggering spike detectors. Instead of jumping from 1,000 to 50,000 requests/minute overnight, it grows 5% per day for a month.
How it works
Runs hourly. Compares three metrics across two windows:
- Current (7-day rolling): total requests, 499 ratio, cache hit ratio
- Baseline (28-day rolling): same metrics
Trips when any axis has deviated by more than its configured threshold AND the weekly volume exceeds a floor.
Default thresholds
| Parameter | Default | Description |
|---|---|---|
| total_deviation_pct | 50 | Volume growth to trip |
| ratio_499_deviation_pct | 100 | 499 ratio growth to trip |
| cache_hit_drop_pp | 15 | Cache hit ratio drop (percentage points) to trip |
| min_weekly_requests | 100,000 | Volume floor |
Severity
Scales with how many axes deviate simultaneously:
- Info: 1 axis
- Warning: 2 axes
- Critical: 3 axes (all three — volume up, 499s up, cache hits down — is a strong attack signal)
Note on new sources
Slow burn needs 7+ days of data to build a meaningful baseline. For newly onboarded sources, it's normal for this detector to stay quiet for the first week. The 6-hour warmup window also applies.
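The comparison and severity scaling described above, sketched in Python as an added example (not the product's own code). It assumes hypothetical per-day rollups (`Day`), a trailing 28-day baseline that includes the current 7 days and is scaled to a weekly equivalent, and strict "greater than" comparisons; the sample data is constructed from the 5%-per-day ramp mentioned under "What it detects".

```python
from dataclasses import dataclass

# Defaults from the thresholds table on this page.
TOTAL_DEVIATION_PCT, RATIO_499_DEVIATION_PCT = 50, 100
CACHE_HIT_DROP_PP, MIN_WEEKLY_REQUESTS = 15, 100_000
SEVERITY = {1: "info", 2: "warning", 3: "critical"}

@dataclass
class Day:  # hypothetical daily rollup for one source
    requests: int
    status_499: int
    cache_hits: int

def metrics(days):
    """Return (total requests, 499 ratio, cache hit ratio) for a window."""
    total = sum(d.requests for d in days)
    if total == 0:
        return 0, 0.0, 0.0
    return (total, sum(d.status_499 for d in days) / total,
            sum(d.cache_hits for d in days) / total)

def growth_pct(current, baseline):
    # Assumption: a zero baseline gives no usable comparison, so report no growth.
    return (current / baseline - 1) * 100 if baseline else 0.0

def evaluate(days):
    """days: oldest-first daily rollups. Returns a severity string or None."""
    if len(days) < 7:
        return None  # the page: 7+ days of data are needed for a baseline
    base = days[-28:]
    cur_total, cur_499, cur_hit = metrics(days[-7:])
    base_total, base_499, base_hit = metrics(base)
    if cur_total <= MIN_WEEKLY_REQUESTS:
        return None  # weekly volume floor
    weekly_base = base_total * 7 / len(base)  # assumption: compare week to week
    axes = [
        growth_pct(cur_total, weekly_base) > TOTAL_DEVIATION_PCT,
        growth_pct(cur_499, base_499) > RATIO_499_DEVIATION_PCT,
        (base_hit - cur_hit) * 100 > CACHE_HIT_DROP_PP,  # percentage points
    ]
    return SEVERITY.get(sum(axes))  # 0 axes -> None

def ramp(start, late_499=0.01, late_hit=0.80):
    """Constructed sample: 28 days growing 5% per day; last 7 days may shift ratios."""
    out = []
    for d in range(28):
        n = int(start * 1.05 ** d)
        r, h = (late_499, late_hit) if d >= 21 else (0.01, 0.80)
        out.append(Day(n, int(n * r), int(n * h)))
    return out
```

Under these assumptions, the 5%-per-day ramp alone puts the current week about 55% above the weekly-equivalent baseline, just past the 50% default. Because the baseline in this sketch includes the current week, late changes are diluted: a 499 ratio that quadruples in the final week still measures under 100% growth.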