ilmexus
Detection

Detection rules overview

Ilmexus detection rules turn raw edge signals — requests, IPs, payloads and behaviour — into a clear verdict. Every rule is versioned, scored for confidence and reviewable before it ever affects live traffic.

Rule anatomy

A rule is a small, typed record. It pairs a match condition with a default verdict, and carries the metadata our analysts and your team use to trust it.

idStable identifier, e.g. ilx-waf-0142
categoryWAF · BOT · FRD · REP
matchThe condition: pattern, behaviour or reputation lookup
severitylow · medium · high · critical
confidence0–100, how sure the signal is
verdictDefault action when the rule fires

Verdicts

Rules never act silently. Each one resolves to one of five verdicts, and a blocking verdict always requires high confidence.

ALLOWPass the request. Logged for context, no friction.
CHALLENGEInterpose a proof-of-work or managed challenge.
BLOCKDeny at the edge. Reserved for high-confidence threats.
ENRICHTag and forward to Intelligence for correlation.
ESCALATERaise to the on-call analyst for a human decision.

Severity & confidence

Severity describes the potential impact; confidence describes how sure the signal is. We separate them deliberately — a high-severity, low-confidence hit is enriched and escalated, not blocked. Blocking is reserved for high severity and high confidence.

Severity

low · medium · high · critical — what happens if this is a true positive and we let it through.

Confidence

0–100 — corroboration across payload, behaviour and reputation. Low confidence routes to a human, never a silent block.

Rule categories

WAF

WAF / payload

SQLi, XSS, SSRF, traversal and template-injection signatures, tuned per platform.

BOT

Bot & automation

Headless browsers, scraper fingerprints and credential-stuffing cadence.

FRD

Fraud signals

Carding patterns, velocity anomalies and high-risk geo/ASN combinations.

REP

Reputation

Enriched IP and ASN scoring from Ilmexus Intelligence and OSINT feeds.

Lifecycle

Rules move through a controlled path before they reach your edge:

  1. 01
    Author

    Written and unit-tested in Ilmexus Labs against synthetic and historical traffic.

  2. 02
    Shadow

    Run in log-only mode on live traffic to measure false positives.

  3. 03
    Promote

    Graduated to an active verdict once precision clears threshold.

  4. 04
    Review

    Continuously monitored; any drift reopens the rule for tuning.

Reviewable by design

No rule changes your live policy without a promotion gate and an audit trail. Remediation is recommended and applied under review — never silent, never autonomous.

Talk to detection engineeringHow intelligence works

$ ask an AI to summarise this page

Open in ChatGPTOpen in ClaudeOpen in Perplexity