Response playbook

  • This is a confirmed exploit: the WAF alert and ADR agree. Treat it as high priority.

  • Enable ADR Block Mode for the affected rule and application if not already active

  • Check the WAF action field: was it ALLOW or BLOCK?

    • If ALLOW (detect mode): consider moving this WAF rule to block mode — ADR has validated it catches real attacks

    • If BLOCK and ADR still saw an exploit, the attacker bypassed the WAF. Update WAF rules using the exact payload ADR captured.

  • Review WAF logs for the same source IP — how many requests did the attacker send? What other endpoints were probed?

  • Search ADR for the same source IP across other applications

  • Escalate to AppSec with the specific vulnerability for remediation

  • Use this data to tune your WAF: ADR-confirmed exploits tell you which WAF rules are working and which have gaps
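
The checks in this playbook can be gathered into one triage summary per alert. The sketch below is an added example, not code from the product documentation; the record layout, field names, rule ID and sample data are all constructed assumptions, so map them to the fields your WAF and ADR exports actually use.

```python
from collections import Counter

# Constructed sample data. Field names (client_ip, uri, action, rule_id, app,
# source_ip) are assumptions for illustration, not a vendor log schema.
WAF_LOGS = [
    {"client_ip": "203.0.113.7", "uri": "/login", "action": "ALLOW"},
    {"client_ip": "203.0.113.7", "uri": "/search", "action": "BLOCK"},
    {"client_ip": "203.0.113.7", "uri": "/search", "action": "ALLOW"},
    {"client_ip": "198.51.100.9", "uri": "/search", "action": "ALLOW"},
]
ADR_EVENTS = [
    {"source_ip": "203.0.113.7", "app": "storefront"},
    {"source_ip": "203.0.113.7", "app": "billing"},
    {"source_ip": "198.51.100.9", "app": "storefront"},
]
# The WAF alert that ADR confirmed as an exploit (constructed).
ALERT = {"client_ip": "203.0.113.7", "app": "storefront",
         "rule_id": "example-rule-1", "action": "ALLOW"}

NEXT_STEP = {
    "ALLOW": "WAF in detect mode: consider moving this rule to block mode",
    "BLOCK": "WAF bypassed: update the rule using the payload ADR captured",
}

def triage(alert, waf_logs, adr_events):
    """Collect the playbook's checks for one ADR-confirmed WAF alert."""
    ip = alert["client_ip"]
    # All WAF requests from the same source IP, regardless of outcome.
    same_ip = [r for r in waf_logs if r["client_ip"] == ip]
    # Other applications where ADR saw the same source IP.
    other_apps = {e["app"] for e in adr_events
                  if e["source_ip"] == ip and e["app"] != alert["app"]}
    return {
        "source_ip": ip,
        "rule_id": alert["rule_id"],
        "next_step": NEXT_STEP.get(alert["action"].upper(),
                                   "unrecognized WAF action: review manually"),
        "request_count": len(same_ip),
        "endpoints": dict(Counter(r["uri"] for r in same_ip)),
        "other_apps": sorted(other_apps),
        "escalate_to": "AppSec",
    }

if __name__ == "__main__":
    for key, value in triage(ALERT, WAF_LOGS, ADR_EVENTS).items():
        print(f"{key}: {value}")
```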