Adaptive Defense
Adaptive Defense is Atomic Edge’s AI-powered threat detection system. It analyzes traffic patterns from your WAF and access logs to identify malicious actors and can automatically block them before they cause damage.
How It Works
Adaptive Defense continuously monitors your site’s traffic and builds behavioral profiles for each IP address:
- Log Aggregation: Every 15 minutes, the system analyzes your WAF violations and access logs
- Actor Profiling: For each IP, it tracks request patterns, error rates, WAF violations, and unique paths accessed
- AI Threat Scoring: When an IP crosses suspicious activity thresholds, AI analyzes the behavioral profile and assigns a threat score (0-100)
- Automated Response: Based on your settings, high-threat IPs are either flagged for review or automatically blocked
Enabling Adaptive Defense
- Navigate to your site’s Edit page
- Click the Adaptive Defense tab
- Toggle Enable Adaptive Defense to on
- Choose your operating mode and sensitivity
- Settings auto-save as you make changes
Operating Modes
Monitor Only
In Monitor mode, Adaptive Defense:
- ✓ Scores threats using AI
- ✓ Sends you notifications for high-threat detections
- ✗ Does NOT automatically block any IPs
This is the recommended starting mode. Review detections and build confidence in the system before enabling auto-blocking.
Auto-Enforce
In Auto-Enforce mode, Adaptive Defense:
- ✓ Scores threats using AI
- ✓ Sends you notifications
- ✓ Automatically blocks IPs that exceed your auto-block threshold with high confidence
Blocks are temporary (default: 24 hours) and automatically expire. You can unblock IPs manually at any time.
⚠️ Recommendation: Start with Monitor mode for at least a week to understand your traffic patterns before enabling Auto-Enforce.
Detection Sensitivity
Sensitivity controls how aggressively the system looks for threats:
| Sensitivity | Best For | Behavior |
|---|---|---|
| Low | High-traffic sites | Only obvious attacks trigger scoring. Minimizes false positives but may miss subtle attacks. |
| Medium | Most sites (recommended) | Balanced detection. Catches most attacks while keeping false positives low. |
| High | High-security sites | Aggressive early detection. More alerts but better coverage of potential threats. |
| Custom | Advanced users | Set your own thresholds for complete control. |
Sensitivity Thresholds
Each sensitivity level defines when an IP qualifies for AI scoring:
| Setting | Low | Medium | High |
|---|---|---|---|
| Min Requests | 100 | 30 | 15 |
| Min WAF Hits | 10 | 5 | 3 |
| Min Error Rate | 40% | 25% | 15% |
| Alert Threshold | 75 | 60 | 50 |
| Auto-Block Threshold | 95 | 85 | 75 |
To be scored, an IP must meet the minimum request count and, in addition, either the minimum WAF hits or the minimum error rate.
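The qualification rule above can be replayed over your own logs to see how many IPs each sensitivity level would send for scoring. The following is an added example, not Atomic Edge's code: the event tuple layout, counter names and sample traffic are assumptions made for illustration, and the whitelist argument mirrors the Honor IP Whitelist setting described under Behavior Settings.

```python
from collections import defaultdict

# Thresholds from the Sensitivity Thresholds table (error rate as a fraction).
LEVELS = {
    "low":    {"min_requests": 100, "min_waf_hits": 10, "min_error_rate": 0.40},
    "medium": {"min_requests": 30,  "min_waf_hits": 5,  "min_error_rate": 0.25},
    "high":   {"min_requests": 15,  "min_waf_hits": 3,  "min_error_rate": 0.15},
}

def build_profiles(events):
    """Aggregate (ip, http_status, waf_hit) tuples; this layout is an assumption."""
    profiles = defaultdict(lambda: {"requests": 0, "errors": 0, "waf_hits": 0})
    for ip, status, waf_hit in events:
        p = profiles[ip]
        p["requests"] += 1
        p["errors"] += 1 if status >= 400 else 0   # 4xx/5xx responses
        p["waf_hits"] += 1 if waf_hit else 0
    return dict(profiles)

def qualifies(profile, thresholds):
    """Min requests AND (min WAF hits OR min error rate)."""
    if profile["requests"] < thresholds["min_requests"]:
        return False
    error_rate = profile["errors"] / profile["requests"]
    return (profile["waf_hits"] >= thresholds["min_waf_hits"]
            or error_rate >= thresholds["min_error_rate"])

def candidates_by_level(profiles, whitelist=frozenset()):
    """IPs that would qualify for scoring at each level; whitelisted IPs are skipped."""
    return {
        level: sorted(ip for ip, p in profiles.items()
                      if ip not in whitelist and qualifies(p, t))
        for level, t in LEVELS.items()
    }

def sample_events():
    """Constructed traffic using documentation-range addresses."""
    return (
        [("203.0.113.10", 404, False)] * 12 + [("203.0.113.10", 200, False)] * 28
        + [("203.0.113.20", 403, True)] * 4 + [("203.0.113.20", 200, False)] * 16
        + [("203.0.113.30", 403, True)] * 12 + [("203.0.113.30", 200, False)] * 138
        + [("198.51.100.5", 200, False)] * 500
        + [("192.0.2.77", 500, False)] * 30 + [("192.0.2.77", 200, False)] * 90
    )

if __name__ == "__main__":
    result = candidates_by_level(build_profiles(sample_events()), {"192.0.2.77"})
    for level, ips in result.items():
        print(f"{level:6} {len(ips)} candidate(s): {ips}")
```

The number of candidates per level is what draws on the daily AI budget, so comparing the three lists shows what a sensitivity change would cost before you make it.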
Custom Thresholds
When sensitivity is set to Custom, you can configure:
- Minimum Requests Before Scoring: IP must have at least this many requests
- Minimum WAF Hits Before Scoring: IP must have at least this many WAF rule violations
- Minimum Error Rate Before Scoring: IP must have at least this error rate (4xx/5xx responses)
- Alert Threshold: Generate notification when threat score reaches this level
- Auto-Block Threshold: Automatically block when score reaches this level (Auto-Enforce mode)
Behavior Settings
Honor IP Whitelist
When enabled, IPs in your global whitelist are never scored or blocked by Adaptive Defense. This ensures trusted IPs (like your office, VPN, or monitoring services) are always exempt.
Auto-Block Duration
How long automatically blocked IPs remain blocked (1-8760 hours). After this time, the block expires automatically.
- Short (1-6 hours): For minor threats or if you want frequent re-evaluation
- Medium (24-48 hours): Recommended for most sites
- Long (168+ hours): For persistent attackers
Notifications
- Notify on Auto-Block: Receive email and dashboard notification when an IP is automatically blocked
- Notify on High-Score Detection: Receive notification when a high-threat IP is detected (useful in Monitor mode)
AI Budget
Adaptive Defense uses AI to analyze threat patterns. Each plan tier includes a daily AI scoring budget:
| Plan | Daily AI Budget |
|---|---|
| Free | 50 requests/day |
| Pro | 200 requests/day |
| Enterprise | Unlimited |
The budget resets daily at midnight UTC. If exhausted, scoring pauses until the next day but existing blocks remain active.
💡 Tip: The budget is per-site. If you have multiple sites, each has its own allocation.
Understanding the Dashboard
Settings Tab
Configure all Adaptive Defense options including mode, sensitivity, thresholds, and notification preferences.
Detections Tab
View all threat detections with:
- IP Address: The detected threat actor
- Threat Score: AI-assigned risk score (0-100)
- Confidence: How confident the AI is in its assessment
- Status: Pending review, auto-blocked, user-blocked, dismissed, or expired
- Detection Reasons: Why the AI flagged this IP
Click on any detection to see full details including the behavioral analysis.
Actor Profiles Tab
View all tracked IP addresses and their activity:
- Total Requests: How many requests from this IP
- WAF Hits: How many WAF rule violations
- Error Rate: Percentage of 4xx/5xx responses
- Current Score: Latest threat score (if scored)
- Blocked Status: Whether currently blocked
Use the search to find specific IPs or filter by score.
Blocked IPs Tab
View and manage all Adaptive Defense blocks:
- Active Blocks: Currently blocked IPs with expiration times
- Expired Blocks: Previously blocked IPs (for audit trail)
You can manually unblock any IP from this tab.
Taking Action on Detections
Reviewing Detections
For each detection, you can:
- View Details: See the full behavioral analysis, including request patterns, WAF violations, and error rates
- Block IP: Manually add to blacklist (permanent until removed)
- Dismiss: Mark as false positive (won’t be auto-blocked again during this detection window)
Manual Blocking
From the Detections or Actor Profiles tab, you can manually block an IP. This adds it to your IP blacklist and takes effect immediately across all Atomic Edge endpoints.
Unblocking
To unblock an IP:
- Go to the Blocked IPs tab
- Find the IP in the list
- Click Unblock
The IP will be removed from the Adaptive Defense block list. If you also added it to your manual IP blacklist, you’ll need to remove it there separately.
Best Practices
Getting Started
- Start in Monitor mode for at least one week
- Review detections daily to understand your traffic patterns
- Dismiss false positives to train your intuition
- Adjust sensitivity based on your false positive rate
- Enable Auto-Enforce once you’re confident
Tuning Sensitivity
- Too many false positives? Lower sensitivity or increase thresholds
- Missing obvious attacks? Raise sensitivity or lower thresholds
- High-traffic site with many alerts? Use Low sensitivity and higher auto-block threshold
Working with IP Whitelists
Add these to your IP whitelist to prevent Adaptive Defense from blocking them:
- Your office/home IP addresses
- VPN exit nodes you use
- Monitoring services (Pingdom, UptimeRobot, etc.)
- API integrations that access your site
- CI/CD systems that deploy to your site
Troubleshooting
No Detections Appearing
- Is Adaptive Defense enabled? Check the toggle is on
- Is there traffic? Check Analytics & Logs tab for recent activity
- Are thresholds too high? Lower sensitivity or custom thresholds
- Is AI budget exhausted? Check the budget display in settings
Too Many False Positives
- Lower your sensitivity level (High → Medium → Low)
- Increase minimum thresholds in Custom mode
- Add known-good IPs to your whitelist
- Review and dismiss false positives to identify patterns
Blocks Not Expiring
Blocks should automatically expire after the configured duration. If they persist:
- Check the block expiration time in the Blocked IPs tab
- Verify server time is correct
- Contact support if blocks aren’t expiring as expected
AI Budget Running Out Too Fast
- Increase minimum thresholds to reduce scoring candidates
- Use Low sensitivity for high-traffic sites
- Consider upgrading to Pro or Enterprise for higher budgets
Plan Limits
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| Adaptive Defense | ✓ | ✓ | ✓ |
| Daily AI Budget | 50 | 200 | Unlimited |
| Auto-Enforce Mode | ✓ | ✓ | ✓ |
| Custom Thresholds | ✓ | ✓ | ✓ |
| Notifications | ✓ | ✓ | ✓ |
Frequently Asked Questions
What is Adaptive Defense in Atomic Edge?
AI-powered threat detection overview: Adaptive Defense is Atomic Edge’s AI-powered threat detection system. It analyzes traffic patterns from your WAF and access logs to identify malicious actors, assigns threat scores using AI, and can automatically block high-risk IPs before they cause damage to your site.
How do I enable Adaptive Defense?
Activating AI threat detection: Navigate to your site’s Edit page, click the Adaptive Defense tab, and toggle ‘Enable Adaptive Defense’ to on. Choose your operating mode (Monitor or Auto-Enforce) and sensitivity level. Settings auto-save as you make changes.
What is the difference between Monitor and Auto-Enforce modes?
Operating mode comparison: Monitor mode scores threats and sends notifications but does NOT auto-block any IPs; you review and take action manually. Auto-Enforce mode automatically blocks IPs that exceed your auto-block threshold with high confidence. Start with Monitor mode to understand your traffic patterns before enabling Auto-Enforce.
What sensitivity level should I choose?
Detection sensitivity recommendations: Medium sensitivity is recommended for most sites, offering balanced detection. Use Low for high-traffic sites where false positives are costly. Use High for high-security sites where missing an attack is more costly than occasional false positives. Custom mode lets you set your own thresholds.
What is the AI budget and how does it work?
Understanding daily AI scoring limits: Each plan includes a daily AI scoring budget: Free gets 50 requests/day, Pro gets 200/day, Enterprise gets unlimited. The budget resets at midnight UTC. If exhausted, scoring pauses until the next day but existing blocks remain active. The budget is per-site, so multiple sites each have their own allocation.
How long do automatic blocks last?
Auto-block duration settings: You configure the auto-block duration in Behavior Settings (default: 24 hours). Blocks automatically expire after this time. You can set anywhere from 1 hour to 8760 hours (1 year). You can also manually unblock IPs at any time from the Blocked IPs tab.
Will Adaptive Defense block my own IP or monitoring services?
Preventing false positives on trusted IPs: Enable ‘Honor IP Whitelist’ in Behavior Settings to ensure IPs in your global whitelist are never scored or blocked. Add your office IP, VPN exit nodes, monitoring services (Pingdom, UptimeRobot), API integrations, and CI/CD systems to your whitelist.
How do I unblock an IP that was blocked by Adaptive Defense?
Removing automatic blocks: Go to the Adaptive Defense tab, click the Blocked IPs sub-tab, find the IP in the list, and click Unblock. The IP will be removed from the Adaptive Defense block list immediately. If you also added it to your manual IP blacklist separately, you’ll need to remove it there too.
Why am I not seeing any threat detections?
Troubleshooting missing detections: Check that Adaptive Defense is enabled for your site. Verify there’s actual traffic in your Analytics & Logs tab. Thresholds may be too high; try lowering sensitivity. Also check if your AI budget is exhausted for the day (shown in the settings section).
What triggers an IP to be scored by the AI?
Scoring qualification criteria: An IP qualifies for AI scoring when it has the minimum number of requests AND either the minimum WAF hits OR the minimum error rate defined by your sensitivity level. For example, Medium sensitivity requires 30+ requests and either 5+ WAF hits or 25%+ error rate.
Can I see why the AI flagged a specific IP?
Viewing detection reasons: Yes! Click on any detection in the Detections tab to see the full details, including detection reasons, behavioral analysis, request patterns, WAF violations, error rates, and the AI’s confidence level in its assessment.
Is Adaptive Defense available on the Free plan?
Plan availability and limits: Yes, Adaptive Defense is available on all plans including Free. The difference is the daily AI budget: Free gets 50 scoring requests/day, Pro gets 200/day, and Enterprise gets unlimited. All other features (auto-enforce, custom thresholds, notifications) are available on all plans.
