The scenario
WAFs operate primarily by pattern matching at the network edge. They see HTTP requests and try to decide whether the request looks malicious. The problem: pattern matching produces a high volume of alerts with a significant false positive rate. SOC teams learn to deprioritize or ignore WAF alerts because investigating each one takes time and most turn out to be noise.
This is especially true when WAFs run in detect/alert mode (also called “log only” or “monitoring mode”) — the WAF flags suspicious requests but doesn’t block them, because the team hasn’t tuned the rules enough to trust them for blocking. The alerts pile up. Analysts triage the urgent ones and let the rest age out.
ADR changes this equation. When a WAF flags a request and ADR independently confirms that the same request exploited a vulnerability at the code level, that’s two independent signals agreeing. The WAF saw a suspicious pattern. ADR confirmed it reached a dangerous function and executed. That WAF alert is now a confirmed exploit — act on it.
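The correlation described above, sketched as an added example (not code from this page or from any WAF or ADR product): WAF alerts logged in detect mode are joined to ADR events for the same request, and only the ones ADR marks as exploited are escalated. The field names, the `exploited`/`probed` result values, and the shared `req_id` join key (with a source/method/path plus time-window fallback) are assumptions; all events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and result values are hypothetical, not a vendor schema.
WAF_ALERTS = [
    {"id": "waf-1", "ts": "2024-05-01T10:00:00", "src": "203.0.113.7", "method": "POST",
     "path": "/api/search", "rule": "sqli-pattern", "action": "log", "req_id": "r-100"},
    {"id": "waf-2", "ts": "2024-05-01T10:00:05", "src": "198.51.100.4", "method": "GET",
     "path": "/products", "rule": "sqli-pattern", "action": "log", "req_id": "r-101"},
    {"id": "waf-3", "ts": "2024-05-01T10:01:00", "src": "203.0.113.9", "method": "POST",
     "path": "/upload", "rule": "path-traversal", "action": "log", "req_id": None},
]
ADR_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "src": "203.0.113.7", "method": "POST",
     "path": "/api/search", "result": "exploited", "sink": "sql-query", "req_id": "r-100"},
    {"ts": "2024-05-01T10:00:05", "src": "198.51.100.4", "method": "GET",
     "path": "/products", "result": "probed", "sink": None, "req_id": "r-101"},
    {"ts": "2024-05-01T10:01:01", "src": "203.0.113.9", "method": "POST",
     "path": "/upload", "result": "exploited", "sink": "file-open", "req_id": None},
]

def _same_request(alert, event, window):
    """Match on a shared request ID when both sides carry one, else on tuple + time."""
    if alert["req_id"] and event["req_id"]:
        return alert["req_id"] == event["req_id"]
    delta = abs(datetime.fromisoformat(alert["ts"]) - datetime.fromisoformat(event["ts"]))
    same = all(alert[k] == event[k] for k in ("src", "method", "path"))
    return same and delta <= window

def triage(waf_alerts, adr_events, window=timedelta(seconds=2)):
    """Split WAF alerts into ADR-confirmed exploits and uncorroborated alerts."""
    confirmed, unconfirmed = [], []
    exploited = [e for e in adr_events if e["result"] == "exploited"]
    for alert in waf_alerts:
        match = next((e for e in exploited if _same_request(alert, e, window)), None)
        if match:
            confirmed.append({**alert, "priority": "confirmed-exploit", "sink": match["sink"]})
        else:
            unconfirmed.append({**alert, "priority": "waf-only"})
    return confirmed, unconfirmed

if __name__ == "__main__":
    confirmed, unconfirmed = triage(WAF_ALERTS, ADR_EVENTS)
    for a in confirmed:
        print(f"ESCALATE {a['id']} rule={a['rule']} sink={a['sink']}")
    for a in unconfirmed:
        print(f"queue    {a['id']} rule={a['rule']}")
```

The time-window fallback is weaker than an ID match: behind shared NAT or under high request rates it can pair an alert with a different request, so a propagated request ID is the join to prefer where the deployment can provide one.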