In June, we released one of the most significant updates to our Antibot solution, the part of StormWall for Web. Users now have access to ML-detections* — an intelligent system that automatically detects anomalies in HTTPS traffic and applies the configured protection rules in real time. Here’s what this update delivers.

Why ML-detections Matter
Modern bots are constantly evolving. Traditional protection methods — such as IP filtering, known threat signatures, and rate limiting — remain effective against many attacks. However, today’s bots have become increasingly sophisticated. They rotate IP addresses, emulate real browsers, use legitimate devices, and distribute traffic across thousands of sources simultaneously. As a result, distinguishing malicious bot activity from legitimate user traffic is becoming increasingly difficult.
Traditional bot mitigation techniques remain highly effective. However, modern attacks are increasingly designed to evade signatures and standard filtering rules.
| For example, a botnet may consist of thousands of devices, each generating only a small number of requests. Individually, these requests appear legitimate, but together they can place a significant load on an application or an entire infrastructure. |
In scenarios like these, analyzing individual requests is no longer enough. Instead, it’s essential to analyze overall traffic behavior.
ML-detections continuously analyze your HTTPS traffic in real time by:
- analyzing traffic across multiple parameters simultaneously;
- detecting anomalous traffic patterns;
- identifying threats that are difficult to detect using signature-based analysis.
This enables organizations to detect attacks faster, reduce incident response time, and reduce the workload on security teams.
Complete Visibility into Your Traffic
To simplify anomaly analysis, we’ve introduced a dedicated ML-detections section in the StormWall Client Portal.

From a single interface, you can:
- monitor traffic intensity (Requests Per Second, RPS) in real time
- analyze anomalies by Domains, URL, IP addresses, IP+URL, and TLS Fingerprint
- review detected attacks in Attack History
- examine detailed information about every anomaly and attack
- compare Total traffic and Anomalous RPS.
Instead of simply receiving AI-generated alerts, you gain complete visibility into traffic changes and all the data needed for in-depth analysis.
From Individual Anomalies to Complete Attack Detection
ML-detections not only identify anomalies for different traffic objects — including IP addresses, URLs, Domains, and TLS Fingerprints — but also logically group related anomalies into attacks.

Each attack receives a unique identifier, allowing you to track it while it’s active and review its complete history later in Attack History.

By correlating multiple anomalies into a single attack, the system provides a clearer view of the threat landscape, helping security teams assess attack scope more quickly and make better-informed decisions.
Flexible Threat Response
Detecting an anomaly is only the first step. Responding appropriately is just as important.
That’s why ML-detections provide various response scenarios: from simple monitoring to the automatic application of protective measures.
Depending on your security requirements, you can choose one of the available protection modes, including:
- Monitoring
- Redirect
- JS
- JSA
- Captcha
- L7-block
- L3-block
Alternatively, you can select Inherit Protection Settings, which automatically applies the strictest filtering mode configured for your protected resource.

Fine-Tune Protection for Every Resource
Every application has its own traffic profile. Some websites experience predictable traffic spikes, while others receive large volumes of similar API requests.
To accommodate these differences, ML-detections allow you to configure detection parameters independently for each protected resource, including:
- Sensitivity level
- AI Feature Threshold
- Number of triggers / for time (sec)
- Unidentified anomaly threshold.
If you’re confident that certain traffic is legitimate — for example, trusted API requests — you can add URL path, IP addresses, or TLS Fingerprint values to Exceptions. Once added, anomalies associated with these objects will no longer be recorded.
You can also save your preferred configuration as reusable Profiles, making it easy to apply consistent protection settings across multiple resources.
This level of flexibility minimizes false positives while ensuring reliable protection tailored to your specific traffic patterns.

And This Is Just the Beginning
ML-detections are more than just another section in the StormWall Client Portal. They represent an important milestone in the evolution of our products and one of the key applications of artificial intelligence across our platform.
We’ll be introducing more AI-powered innovations and other major product releases very soon, so stay tuned to our blog for the latest updates.
*ML-detections are available as part of the Enterprise plan (Antibot with advanced functionality). For more information, please refer to the User Guide.
DDoS Protection for Websites
- Activate protection in 10 minutes
- 24/7 technical support















