Unified Detection

Threat Scoring

Every detection generates a single threat score from 0-100, combining multiple signals into one actionable risk assessment. Configure automated responses based on score thresholds.

0-20 Minimal
21-40 Low
41-60 Medium
61-80 High
81-100 Critical
Score Breakdown (Score: 87)

  SQL Injection (25%)    +35
  Honeypot Match (20%)   +25
  Datacenter IP (15%)    +15
  Bot User Agent (15%)   +12

Action: Block + Cloudflare WAF

Score Components

The unified score weighs seven factors to create a comprehensive risk assessment.

Component           Weight   Focus
Attack Signatures   25%      SQL injection, XSS, command injection
Honeypot Match      20%      Decoy link or endpoint interactions
IP Reputation       15%      AbuseIPDB scores, threat lists
User Agent          15%      Bot signatures and anomalies
Header Analysis     10%      Missing or suspicious headers
Fingerprint         10%      Browser consistency checks
Behavior             5%      Submission speed, mouse patterns

Threat Levels & Actions

Configure automated responses based on threat score thresholds.

MINIMAL (0-20): Allow requests · Legitimate visitors

LOW (21-40): Log for analysis · Monitor patterns

MEDIUM (41-60): Challenge with CAPTCHA · Review alerts

HIGH (61-80): Challenge or block · Notify security team

CRITICAL (81-100): Block immediately · Investigate source

Recommended thresholds: Financial sites: block at 60 · Standard sites: block at 75 · Public content: block at 85

Attack Detection

Signature Scoring

Attack signatures detected in requests add points to the threat score. Multiple signatures can combine for high scores.

SQL Injection +30-40
Command Injection +35-45
XSS Attempt +25-35
Multiple Honeypots +90-100

Score Explanation

{
  "total_score": 87,
  "level": "CRITICAL",
  "components": {
    "attack_signatures": {
      "weight": "25%",
      "contribution": 35,
      "signals": ["sql_injection"]
    },
    "honeypot_match": {
      "weight": "20%",
      "contribution": 25,
      "signals": ["endpoint_triggered"]
    },
    "ip_reputation": {
      "weight": "15%",
      "contribution": 15,
      "signals": ["datacenter_ip", "abuseipdb_score"]
    }
  },
  "recommended_action": "block_immediately"
}
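The page lists the weights, per-signature point ranges, level bands and recommended thresholds but not the formula that combines them. The following added example (not WebDecoy's code) assumes the simplest model consistent with the breakdown above, additive points clamped to 0-100, and reproduces the score of 87, its level, and the block decision for each site profile; the signal name "bot_user_agent" is made up, since the page shows only the label.

```python
# Added example (not WebDecoy's code). The page gives weights, point ranges,
# level bands and thresholds but not the combining formula, so this ASSUMES the
# simplest model: per-signal points are summed and clamped to 0-100.

# Level bands and default actions as listed on the page.
LEVELS = [
    (20, "MINIMAL", "allow"),
    (40, "LOW", "log"),
    (60, "MEDIUM", "challenge_captcha"),
    (80, "HIGH", "challenge_or_block"),
    (100, "CRITICAL", "block_immediately"),
]

# Recommended block thresholds by site profile, from the page.
BLOCK_THRESHOLDS = {"financial": 60, "standard": 75, "public": 85}

def level_for(score: int) -> tuple[str, str]:
    """Map a 0-100 score to (level, default action) using the page's bands."""
    for upper, level, action in LEVELS:
        if score <= upper:
            return level, action
    raise ValueError(f"score out of range: {score}")

def explain(signals: list[tuple[str, str, str, int]], site_profile: str = "standard") -> dict:
    """Explanation shaped like the page's JSON; 'block' applies the profile threshold (assumed usage)."""
    total = max(0, min(100, sum(points for *_, points in signals)))
    level, action = level_for(total)
    components: dict = {}
    for component, weight, name, points in signals:
        entry = components.setdefault(
            component, {"weight": weight, "contribution": 0, "signals": []})
        entry["contribution"] += points
        entry["signals"].append(name)
    return {
        "total_score": total,
        "level": level,
        "components": components,
        "recommended_action": action,
        "block": total >= BLOCK_THRESHOLDS[site_profile],
    }

# Constructed input mirroring the breakdown above: 35 + 25 + 15 + 12 = 87.
# "bot_user_agent" is a made-up signal name; the page shows only the label.
EXAMPLE_SIGNALS = [
    ("attack_signatures", "25%", "sql_injection", 35),
    ("honeypot_match", "20%", "endpoint_triggered", 25),
    ("ip_reputation", "15%", "datacenter_ip", 15),
    ("user_agent", "15%", "bot_user_agent", 12),
]
```

Dropping the user-agent signal leaves a score of 75, which blocks on a standard site but only logs on a public-content site, which is the threshold difference the page recommends.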

Integrations

When WebDecoy detects a threat, automated actions execute across your security stack.

Cloudflare (WAF/Blocking): Automatic IP blocking

AWS WAF (WAF/Blocking): Automatic IP blocking

Fastly (WAF/Blocking): Access control lists

Vercel (Edge): Edge middleware + blocking

Slack (Notifications): Real-time alerts

CrowdStrike (SIEM): Falcon LogScale events

Datadog (SIEM): Event forwarding & metrics

Webhooks (Custom): POST to any endpoint

Recommended Setup

Start with these integration combinations for effective protection.

Basic Protection

For most websites and applications.

  • Cloudflare or AWS WAF for blocking
  • Slack for real-time alerts
  • Block threshold at 75

Comprehensive Security

For high-security or financial applications.

  • WAF integration (Cloudflare/AWS)
  • SIEM (CrowdStrike or Datadog)
  • Slack + custom webhooks
  • Block threshold at 60

Why Automate Bot Blocking

Manual bot response is too slow. Automated rules block attackers in milliseconds.

Sub-Second Response

Automated rules trigger within 100ms of detection. By the time a human reviews an alert, the attacker has already moved on.

Edge-Level Blocking

WAF integrations block attackers at the CDN edge before they reach your origin. Your servers never see the malicious traffic.

Scales Automatically

Handle thousands of concurrent attacks without manual intervention. Rules scale with your traffic and threat volume.

Frequently Asked Questions

Common questions about threat scoring and automated bot blocking.

How is the threat score calculated?

The threat score (0-100) combines seven weighted factors: attack signatures (25%), honeypot matches (20%), IP reputation (15%), user agent analysis (15%), header analysis (10%), browser fingerprint (10%), and behavioral signals (5%). Multiple detections can combine to push scores into critical ranges.

What actions can be triggered based on threat scores?

You configure automated responses at each threshold: allow normal traffic (0-20), log for monitoring (21-40), challenge with CAPTCHA (41-60), challenge or block (61-80), and block immediately (81-100). Actions can include WAF blocking, Slack alerts, SIEM forwarding, and custom webhooks.

How does the Cloudflare WAF integration work?

When a threat exceeds your blocking threshold, WebDecoy automatically adds the IP address to your Cloudflare WAF IP list. This blocks the attacker at the edge before they can reach your origin server. The integration uses the Cloudflare API and requires only an API token.
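As an added example (not WebDecoy's or Cloudflare's code), this builds the request such a rule would send to the Cloudflare Lists API to append one IP to an IP list, after checking the score against the site's threshold and validating the address. The endpoint and body shape are the Lists "create items" call as I know it (verify against current Cloudflare docs); account id, list id and token are placeholders, and nothing is sent.

```python
# Added example (not WebDecoy's or Cloudflare's code): shows the request a
# "block at threshold" rule would issue against the Cloudflare Lists API, which
# appends items to an IP list. Nothing is sent; the request is only built so the
# payload can be inspected. Account/list ids and the token are placeholders.
import ipaddress
import json
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

def should_block(score: int, threshold: int) -> bool:
    """Block only when the score meets the site's configured threshold."""
    return score >= threshold

def build_list_item_request(account_id: str, list_id: str, token: str,
                            ip: str, score: int) -> urllib.request.Request:
    """Build the POST that appends one IP to a Cloudflare IP list.

    Validates the address first so a malformed string never reaches the API,
    and records the score in the item comment for later review."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    body = json.dumps(
        [{"ip": str(addr), "comment": f"WebDecoy threat score {score}"}]).encode()
    return urllib.request.Request(
        url=f"{CF_API}/accounts/{account_id}/rules/lists/{list_id}/items",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )

def respond(detection: dict, threshold: int, account_id: str, list_id: str, token: str):
    """Return the request to send (or None) for one detection event."""
    if not should_block(detection["total_score"], threshold):
        return None
    return build_list_item_request(account_id, list_id, token,
                                   detection["ip"], detection["total_score"])

# Constructed detection event using a documentation-range address (RFC 5737).
EXAMPLE_DETECTION = {"ip": "203.0.113.10", "total_score": 87}
```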

Can I customize the threat score thresholds?

Yes. You set your own thresholds for each action. Financial and high-security sites typically block at score 60, standard business sites at 75, and public content sites at 85. You can also configure different thresholds for different paths or endpoints.

How do I send bot detections to my SIEM?

WebDecoy supports native integrations with Splunk, Elastic Security, CrowdStrike Falcon LogScale, and Datadog. You can also use universal formats like Syslog and CEF. Detection events include full context: threat score, attack signatures, IP metadata, and user agent analysis.

Ready to automate bot blocking?

Configure threat scoring rules that integrate with Cloudflare, AWS WAF, and your SIEM.
