The detection gap

| WAF alone | WAF + ADR correlated |
|---|---|
| “SQLi pattern detected on /api/search” — real attack or false positive? WAFs match patterns, not outcomes. | WAF flagged the request AND ADR confirmed: payload reached execute() and modified the SQL query. This is real. |
| High alert volume, low confidence. Analysts deprioritize WAF alerts because most are noise. | Only the WAF alerts corroborated by ADR surface as SIEM detections. The noise stays in the WAF logs; the confirmed exploits reach the analyst. |
| Tuning WAF rules is a constant battle — too aggressive means blocking legitimate traffic, too loose means missing attacks. | ADR provides ground truth for WAF tuning: you can see exactly which WAF rules correctly identified real exploitation and which fired on benign traffic. |
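One way to implement the correlation described above, written as an added example rather than code from this page or from any vendor's product: WAF alerts and ADR runtime events are joined on request id within a short time window, only the corroborated alerts are emitted for the SIEM, and per-rule confirmation rates give the tuning ground truth. The field names, rule names and sample events are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real WAF or ADR product). Each WAF alert
# carries the rule that fired and the request it fired on; each ADR event records
# whether the request's payload reached a sensitive sink and changed its behaviour.
WAF_ALERTS = [
    {"request_id": "r1", "rule": "sqli-pattern", "path": "/api/search", "ts": "2024-05-01T10:00:00"},
    {"request_id": "r2", "rule": "sqli-pattern", "path": "/api/search", "ts": "2024-05-01T10:00:05"},
    {"request_id": "r3", "rule": "xss-pattern", "path": "/blog", "ts": "2024-05-01T10:00:09"},
    {"request_id": "r4", "rule": "sqli-pattern", "path": "/api/search", "ts": "2024-05-01T10:01:00"},
]
ADR_EVENTS = [
    # r1: payload reached execute() and altered the query -> confirmed exploitation
    {"request_id": "r1", "sink": "sql.execute", "query_modified": True, "ts": "2024-05-01T10:00:01"},
    # r4: payload reached the sink but was parameterised away -> benign, WAF false positive
    {"request_id": "r4", "sink": "sql.execute", "query_modified": False, "ts": "2024-05-01T10:01:00"},
    # r9: ADR-only signal with no WAF alert, out of scope for this correlation
    {"request_id": "r9", "sink": "sql.execute", "query_modified": True, "ts": "2024-05-01T10:02:00"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(waf_alerts, adr_events, window=timedelta(seconds=5)):
    """Return only the WAF alerts that ADR corroborates: same request_id, the payload
    reached a sink and modified its behaviour, and both events fall within `window`."""
    adr_by_request = defaultdict(list)
    for event in adr_events:
        adr_by_request[event["request_id"]].append(event)

    confirmed = []
    for alert in waf_alerts:
        for event in adr_by_request.get(alert["request_id"], []):
            in_window = abs(_parse(event["ts"]) - _parse(alert["ts"])) <= window
            if event["query_modified"] and in_window:
                confirmed.append({**alert, "adr_sink": event["sink"], "confidence": "confirmed"})
                break  # one corroborating ADR event is enough to surface the alert
    return confirmed


def rule_precision(waf_alerts, confirmed):
    """Ground truth for tuning: fraction of each rule's alerts that ADR confirmed."""
    fired, hits = defaultdict(int), defaultdict(int)
    for alert in waf_alerts:
        fired[alert["rule"]] += 1
    for alert in confirmed:
        hits[alert["rule"]] += 1
    return {rule: hits[rule] / fired[rule] for rule in fired}
```

With the sample data only r1 is forwarded to the SIEM; the sqli-pattern rule fired three times and was confirmed once, and xss-pattern fired once with no confirmation, which is the per-rule evidence a tuning review needs.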