Chapter 6

Tuning Thresholds

Adjusting detector sensitivity for your traffic profile.

Last updated 26 April 2026

When to tune

The default thresholds work for most SFCC deployments. Consider tuning when:

  • You're getting false positives (alerts on legitimate traffic spikes, e.g. during a sale)
  • You're not catching known attacks (the thresholds are too loose for your traffic profile)
  • Your site has unusual traffic characteristics (very low/high cache-hit ratios, naturally high 499s due to slow responses)

How to tune

Go to Rules and review each detector's thresholds. The key dials:

ASN Spike

  • multiplier: how many times above the baseline the current rate must be. Default 5x. Lower for more sensitivity, raise for fewer false positives during sales events.
  • min_requests: the volume floor. Default 10,000. Raise if low-traffic ASNs are creating noise.
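The two ASN Spike dials interact, so it helps to replay labelled traffic windows against candidate settings before changing the rule. The sketch below is an added example, not the product's own code: the window data is constructed, and the firing rule (volume floor met and count at or above multiplier times baseline) is an assumption about how the two dials combine.

```python
# Added example: offline backtest of ASN Spike dials on constructed data.
# Assumption: the detector alerts when the current window's request count is
# at least min_requests AND at least multiplier x the ASN's baseline.
from dataclasses import dataclass

@dataclass(frozen=True)
class Window:
    asn: str          # constructed label, not a real ASN
    baseline: int     # typical requests per window for this ASN
    current: int      # requests in the window under test
    malicious: bool   # ground truth from your own incident review

# Constructed sample windows (not real traffic).
WINDOWS = [
    Window("AS-RESIDENTIAL", 8_000, 46_000, False),   # sale-day spike, 5.75x
    Window("AS-HOSTING-A",   2_000, 30_000, True),    # scraping burst, 15x
    Window("AS-HOSTING-B",   1_500, 9_000,  True),    # low-volume attack, 6x
    Window("AS-SMALL",         100, 1_200,  False),   # tiny ASN, noisy 12x
    Window("AS-MOBILE",     20_000, 24_000, False),   # normal variation, 1.2x
]

def asn_spike_fires(w: Window, multiplier: float, min_requests: int) -> bool:
    """Assumed rule: volume floor met and rate at or above multiplier x baseline."""
    return w.current >= min_requests and w.current >= multiplier * w.baseline

def backtest(windows, multiplier, min_requests):
    """Return (false_positives, missed_attacks) as lists of ASN labels."""
    false_pos, missed = [], []
    for w in windows:
        fired = asn_spike_fires(w, multiplier, min_requests)
        if fired and not w.malicious:
            false_pos.append(w.asn)
        elif not fired and w.malicious:
            missed.append(w.asn)
    return false_pos, missed

if __name__ == "__main__":
    # Candidate settings: the defaults first, then three alternatives.
    for mult, floor in [(5, 10_000), (8, 10_000), (5, 5_000), (6, 5_000)]:
        fp, miss = backtest(WINDOWS, mult, floor)
        print(f"multiplier={mult} min_requests={floor} FP={fp} missed={miss}")
```

On this constructed data the defaults flag the sale-day spike and miss the low-volume attack, which shows why the multiplier and the floor should be evaluated together rather than one at a time.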

499 Rate

  • ratio_threshold: the 499 ratio that triggers the alert. Default 0.20 (20%). Lower if your site naturally has very few 499s.

Cache Bypass

  • multiplier: how many times above the baseline bypass ratio the current ratio must be. Default 3x. Depends heavily on your cache-hit baseline -- set the baseline first.

UA Rotation

  • distinct_ua_threshold: how many distinct User-Agent (UA) families must be seen before the alert triggers. Default 15. Lower for sites with very uniform traffic.

Slow Burn

  • total_deviation_pct: percentage growth that triggers the alert. Default 50%. Lower to catch subtler creep.
  • cache_hit_drop_pp: percentage-point drop in cache-hit ratio. Default 15pp.

Verify your changes

After updating a rule, the change takes effect on the next cron tick (within 60 seconds). Check the Alerts page to see if the new thresholds produce the expected behaviour.
