CASE 36 · WEXLEY · 2025
WAF rules that drop the right traffic, not the rest.
A B2C subscription business had AWS WAF in front of CloudFront with three managed rule groups, and 14% of legitimate signup traffic was being falsely blocked. We rebuilt the WAF configuration with custom rules, AWS Bot Control, and a careful tuning loop using sampled requests.
B2C subscription · SECURITY · 2025
RESULTS
What changed, by the numbers.
FALSE POSITIVES: −93%
BOT TRAFFIC BLOCKED: 11%
WAF COST: +8%
TUNING CYCLES: 14d
HOW IT WENT
The managed rule groups were doing their job — they just weren’t the right job for this traffic pattern. The signup form looked enough like a credential stuffing attempt that the managed rules tagged it. The team had been working around the false positives with retry logic.
We piped all WAF logs to Firehose → S3, queried with Athena, and built a Grafana dashboard of "what would have been blocked, by rule." The first analysis surfaced eight false-positive rules and three genuine threat patterns the managed groups missed.
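A small offline version of that "what would have been blocked, by rule" tally, as an added example (not the engagement's own code). Field names follow the AWS WAF log format; the sample records, the custom rule names, and the /signup path are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOGS = """\
{"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","httpRequest":{"uri":"/signup"},"nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"},"nonTerminatingMatchingRules":[]}]}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"uri":"/signup"},"nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"CrossSiteScripting_BODY","action":"COUNT"}]}]}
{"action":"BLOCK","terminatingRuleId":"signup-rate-limit","httpRequest":{"uri":"/signup"},"nonTerminatingMatchingRules":[],"ruleGroupList":[]}
{"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","httpRequest":{"uri":"/login"},"nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"},"nonTerminatingMatchingRules":[]}]}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"uri":"/signup"},"nonTerminatingMatchingRules":[{"ruleId":"signup-geo-count","action":"COUNT"}],"ruleGroupList":[]}
"""

def would_block_by_rule(lines, uri_prefix):
    """Per (rule, mode) counts for requests under uri_prefix.

    mode is "blocked" when the rule ended the request with BLOCK, and
    "counted" when it matched without blocking (COUNT, or override to count).
    Other actions (CAPTCHA, Challenge) are not tallied here.
    """
    tally = Counter()
    for line in filter(None, map(str.strip, lines)):
        rec = json.loads(line)
        if not rec.get("httpRequest", {}).get("uri", "").startswith(uri_prefix):
            continue
        blocked = rec.get("action") == "BLOCK"
        hits = set()  # a rule is counted once per request
        for group in rec.get("ruleGroupList") or []:
            gid = group.get("ruleGroupId", "?")
            term = group.get("terminatingRule")
            if term and term.get("action") == "BLOCK":
                hits.add((f"{gid}/{term['ruleId']}", "blocked" if blocked else "counted"))
            for m in group.get("nonTerminatingMatchingRules") or []:
                if m.get("action") == "COUNT":
                    hits.add((f"{gid}/{m['ruleId']}", "counted"))
        for m in rec.get("nonTerminatingMatchingRules") or []:
            if m.get("action") == "COUNT":
                hits.add((m["ruleId"], "counted"))
        # Custom rule in the web ACL itself: no rule-group entry names it.
        if blocked and not any(mode == "blocked" for _, mode in hits):
            hits.add((rec.get("terminatingRuleId", "?"), "blocked"))
        tally.update(hits)
    return tally

if __name__ == "__main__":
    for (rule, mode), n in would_block_by_rule(SAMPLE_LOGS.splitlines(), "/signup").most_common():
        print(f"{n:4d}  {mode:8s}  {rule}")
```

Reporting the rule inside the managed group, rather than only the group name in terminatingRuleId, is what lets a single noisy rule be overridden or scoped away from one endpoint while the rest of the group stays active.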
Custom rules replaced the broad ones for the signup endpoint. Bot Control caught the credential stuffing attempts that the regex-based rules had missed. False-positive rate dropped from 14% to 1%. Genuinely bad traffic now drops at the edge before reaching the origin.