Risk Scoring Lifecycle
How actor risk accumulates, decays, and triggers actions. Dynamic risk scoring at the edge — sub-millisecond decisions, no backend required.
Risk Score Threshold Model
Below threshold — request passes, actor monitored
Interrogator engaged — progressive challenges issued
Blocked on sight — request rejected, tarpit active
Risk Sources — What Adds Points
Failed Interrogator challenge
JavaScript execution failed
CAPTCHA timeout / wrong answer
Strong indicator of bot behavior

Linked to active campaign
Correlated via fingerprints
Shared attack patterns
Automatic when correlated

SQLi, XSS, path traversal
Command injection
Protocol violations
Per detection, configurable

Known bad IP lists
Tor exit nodes
Datacenter / VPN ranges
Configurable feeds

Exceeding request limits
Burst patterns
Endpoint hammering
Scales with severity

TLS / User-Agent mismatch
Session behavior anomalies
Auth token inconsistencies
Per anomaly type
Example — Credential Stuffing Attack
Risk climbing from 0 → 90 in 6 requests
ACTOR: 198.51.100.12 · JA4: a]b1c2d3e4f5 · SESSION: new
Request 1: Rate limit triggered (+15)
Request 5: Failed login pattern detected (+10)
Request 10: Campaign correlation link (+30)
CHALLENGE — Interrogator challenge sent
Challenge failed — JS PoW not computed (+35)
BLOCKED — Request rejected · Tarpit engaged
Decay: 5 minutes of good behavior to return below CHALLENGE threshold (if behavior improves)
Risk Decay — How Risk Reduces
−10 pts/min
Configurable decay rate. Risk decreases every minute of good behavior — legitimate requests with no WAF triggers.
Persistent
Risk survives restarts. Actors can't reset their score by reconnecting or rotating IPs (fingerprint tracking).
Configurable
RISK_DECAY_RATE_PER_MINUTE adjustable via API or config file. Tune for your traffic patterns.
Reward Good Behavior
Returning users who behave see their risk drop naturally. No manual intervention needed.
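The credential stuffing timeline and the decay rule above, replayed as an added example (not the product's own code) that keys risk on a fingerprint rather than a source IP. The two numeric thresholds, the event timestamps and the fingerprint string are assumptions made for illustration; only the point values and the 10 pts/min decay rate come from this page.

```python
from dataclasses import dataclass

# Assumed values: the page names the three zones but not their numeric thresholds.
CHALLENGE_THRESHOLD = 50
BLOCK_THRESHOLD = 80
RISK_DECAY_RATE_PER_MINUTE = 10  # decay rate stated on the page

@dataclass
class Actor:
    score: float = 0.0
    last_risk_event: float = 0.0  # seconds; decay counts from the last risk event

class RiskEngine:
    """Tracks risk per fingerprint, so a new source IP does not reset the score."""

    def __init__(self):
        self.actors = {}

    def score(self, fingerprint, now):
        actor = self.actors.setdefault(fingerprint, Actor(last_risk_event=now))
        # Only whole minutes without a new risk event earn decay.
        clean_minutes = int((now - actor.last_risk_event) // 60)
        return max(0.0, actor.score - clean_minutes * RISK_DECAY_RATE_PER_MINUTE)

    def add_risk(self, fingerprint, points, now):
        # Fold the decay earned so far into the stored score, then add the new points.
        current = self.score(fingerprint, now)
        actor = self.actors[fingerprint]
        actor.score, actor.last_risk_event = current + points, now
        return self.decide(fingerprint, now)

    def decide(self, fingerprint, now):
        s = self.score(fingerprint, now)
        if s >= BLOCK_THRESHOLD:
            return "block"
        return "challenge" if s >= CHALLENGE_THRESHOLD else "allow"

def replay_credential_stuffing():
    """Replays the page's timeline; the timestamps (seconds) are constructed."""
    engine, fp = RiskEngine(), "constructed-ja4-fingerprint"
    timeline = [(0, 15, "rate limit"), (4, 10, "failed login pattern"),
                (9, 30, "campaign correlation"), (12, 35, "challenge failed")]
    decisions = [engine.add_risk(fp, pts, t) for t, pts, _ in timeline]
    return engine, fp, decisions

if __name__ == "__main__":
    engine, fp, decisions = replay_credential_stuffing()
    print(decisions, engine.score(fp, 12), engine.decide(fp, 12 + 300))
```

With these assumed thresholds, the actor is still challenged after four clean minutes and passes again after five, which matches the decay note in the example above.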