The scenario

An attacker sends a crafted request to your application. A WAF might flag the pattern. A scanner might log the attempt. But neither can tell you whether the payload actually reached a vulnerable function and executed. Contrast ADR can — it instruments the application runtime and observes code execution directly.

This is the foundational use case. It requires no correlation with other tools. A single ADR attack event in your SIEM tells you: this specific attack, against this specific application, reached this specific function, and the outcome was exploitation.