---
title: Attack signal thresholds are now aggregated
summary: null
url: >-
  https://www.fastly.com/documentation/reference/changes/2023/09/attack-signal-thresholds-are-now-aggregated
---

[System site alerts](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations) monitor and flag IP addresses that exhibit repeat malicious behavior and then block or log subsequent malicious requests from the flagged IP addresses. Previously, an IP address was flagged when the number of requests from that address tagged with the **same** attack signal reached one of our thresholds. Now, attack signals are counted in aggregate instead of per-signal, meaning that even if attackers rotate their attacks, the total number of requests with attack signals will count towards the thresholds.

This change only applies to the default thresholds for attack signals. It does not affect any attack signals that have had their thresholds adjusted through [custom site alerts](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-site-alerts) or are being used in instant blocking rules.
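
The difference between the two counting models can be seen on a small constructed request set. This is an added illustration, not Fastly code: the threshold value, the IP addresses, the single counting interval, and the choice to leave custom-threshold signals out of the aggregate sum are all assumptions made for the example.

```python
from collections import Counter

THRESHOLD = 5  # hypothetical value for this demo, not a Fastly default

# Constructed sample: (client IP, attack signal tagged on the request),
# all assumed to fall inside one counting interval.
REQUESTS = (
    [("203.0.113.7", s) for s in ("SQLI", "XSS", "TRAVERSAL") * 2]  # rotates, 2 of each
    + [("198.51.100.9", "SQLI")] * 5                                 # repeats one signal
    + [("192.0.2.44", "CMDEXE")] * 4 + [("192.0.2.44", "XSS")] * 2
)


def flag_per_signal(requests, threshold, custom=None):
    """Previous model: flag an IP when one signal alone reaches its threshold."""
    custom = custom or {}
    counts = Counter(requests)  # keyed by (ip, signal)
    return {ip for (ip, sig), n in counts.items()
            if n >= custom.get(sig, threshold)}


def flag_aggregate(requests, threshold, custom=None):
    """Current model: default-threshold signals are summed per IP.

    Signals with a custom threshold keep per-signal counting; leaving them
    out of the aggregate sum is an assumption of this sketch.
    """
    custom = custom or {}
    totals = Counter(ip for ip, sig in requests if sig not in custom)
    flagged = {ip for ip, n in totals.items() if n >= threshold}
    overridden = [(ip, sig) for ip, sig in requests if sig in custom]
    return flagged | flag_per_signal(overridden, threshold, custom)


if __name__ == "__main__":
    print("per-signal:", sorted(flag_per_signal(REQUESTS, THRESHOLD)))
    print("aggregate: ", sorted(flag_aggregate(REQUESTS, THRESHOLD)))
    print("aggregate, CMDEXE custom threshold 10:",
          sorted(flag_aggregate(REQUESTS, THRESHOLD, {"CMDEXE": 10})))
```

The client that rotates between three signals stays under the per-signal threshold but is flagged once its tagged requests are summed.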
