The Live Threat Feed is the central view in your Recon44 dashboard. It displays every request that triggered a WAF rule or IP-based detection as it occurs, giving you a live view of who is attacking your site and what Recon44 did about it. You do not need to refresh — entries stream in automatically.

What each entry shows

Every entry in the Threat Feed contains the following fields:
  • Time: Timestamp of the request, shown in your local timezone.
  • Attack type: The category of threat detected (see below).
  • Source IP: The IP address the request originated from.
  • Country: The country associated with the source IP via geo-lookup.
  • Action: What Recon44 did with the request: blocked, mitigated, throttled, or logged.
  • Rule ID: The WAF rule that matched, if applicable (e.g., WAF-SQLI-01).
Click any entry to expand it and see the full request path, matched rule details, and options to block or whitelist the source IP.

Attack types in the feed

SQL Injection

A request matched one or more SQL injection signatures in the query string, request body, or headers.

XSS Attack

A cross-site scripting payload was detected in the request — typically in a form field or URL parameter.

DDoS Surge

A volumetric spike from one or more source IPs exceeded normal traffic thresholds. The surge is absorbed at the edge.

Brute Force

Repeated login attempts from the same IP or IP range triggered rate-limiting rules.

Scanner

Automated reconnaissance activity — port scanning, directory enumeration, or vulnerability probing.

Action states explained

The Action column tells you exactly what happened to the request. The meaning of each action is consistent across all entries, but which actions appear depends on your plan.
Blocked means the request was rejected at the edge and never forwarded to your origin server. The source IP was added to the active blocklist for the session.
  • The attacker receives no response (connection is dropped) or a generic error response — they get no information about why they were blocked.
  • Blocked entries include the WAF rule ID or the IP rule that triggered the block.
  • Blocked is the primary action on Pro, Business, Scale, and Enterprise plans when the WAF is in active blocking mode.
Mitigated means the attack was neutralized but may have received a response. This action applies primarily to DDoS surges: volumetric traffic is absorbed and rate-shaped at the edge, and legitimate requests from the same IP range may be allowed through at a reduced rate.
  • Mitigated is common for DDoS events where the source is a large IP range (e.g., a botnet), making an outright block impractical without collateral impact on legitimate users.
  • The attack volume is absorbed across Recon44’s edge network before it can saturate your origin’s bandwidth.
Throttled means the source IP exceeded a rate limit and subsequent requests from that IP are being deliberately slowed. The IP has not been fully blocked; it can still reach your site but at a controlled request rate.
  • Throttled is the primary response to brute force and credential stuffing patterns.
  • If the suspicious pattern continues after throttling, Recon44 automatically escalates to a full block.
  • Throttled traffic still reaches your origin at the reduced rate. If you want to stop it entirely, manually block the IP from the feed.
Logged means the request matched a rule or detection pattern, but no blocking or throttling action was taken. The request was passed through to your origin and the event was recorded for your review.
  • Logged is the only action available on the Free plan, where the WAF runs in read-only mode.
  • On paid plans, logged entries typically represent events that matched a lower-confidence rule that is configured to observe rather than block.
  • Use logged entries to identify patterns you want to manually block or to investigate whether a rule is generating false positives.
On the Free plan, all actions appear as Logged. Upgrading to Pro or above enables active blocking, which changes the action on matched requests to Blocked.

How to read and act on the feed

1. Identify high-frequency sources

Sort the feed by Source IP to spot IPs generating large numbers of events. A single IP with dozens of entries in a short window is likely a scanner or brute-force bot.

2. Check the attack type and rule ID

Expand an entry to see which rule matched. If you see WAF-SQLI-01 or WAF-XSS-01, a specific exploit is being attempted. If you see repeated Scanner entries, someone is probing your site for vulnerabilities.

3. Block or whitelist in one click

From any expanded entry, click Block IP to immediately add the source to your blocklist, or Whitelist IP if the entry is a false positive from a trusted source (a monitoring service, your own infrastructure, etc.).

4. Filter by attack type or action

Use the filter bar at the top of the feed to narrow to a specific attack type (e.g., show only DDoS Surge events) or a specific action (e.g., show only Logged entries you haven’t reviewed). Filters apply in real time.
If you see a sudden spike of DDoS Surge entries, check the Country column. Geo-blocking an entire region can stop a volumetric attack at the source. See Geo and ASN blocking for how to do this in one click.
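The four review steps above, applied offline to an export of feed entries. This is an added example, not Recon44 code or an official export format: the entries are constructed with the field set from the table above, the frequency threshold of 5 events in 10 minutes is an assumption for the sample (the page suggests "dozens" in practice), and the functions mirror the sort, expand and filter actions of the dashboard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export using the feed's fields (Time, Attack type,
# Source IP, Country, Action, Rule ID). All values are made up.
FIELDS = ("time", "attack_type", "source_ip", "country", "action", "rule_id")
FEED = [dict(zip(FIELDS, row)) for row in [
    ("2024-05-01T10:00:01", "Scanner",       "203.0.113.7",  "XX", "logged",    None),
    ("2024-05-01T10:00:04", "Scanner",       "203.0.113.7",  "XX", "logged",    None),
    ("2024-05-01T10:00:09", "SQL Injection", "203.0.113.7",  "XX", "blocked",   "WAF-SQLI-01"),
    ("2024-05-01T10:00:15", "Scanner",       "203.0.113.7",  "XX", "logged",    None),
    ("2024-05-01T10:00:20", "XSS Attack",    "203.0.113.7",  "XX", "blocked",   "WAF-XSS-01"),
    ("2024-05-01T10:30:00", "Brute Force",   "198.51.100.2", "YY", "throttled", None),
    ("2024-05-01T11:30:00", "Brute Force",   "198.51.100.2", "YY", "throttled", None),
    ("2024-05-01T12:00:00", "XSS Attack",    "192.0.2.10",   "ZZ", "logged",    "WAF-XSS-01"),
]]

def high_frequency_sources(entries, min_events=5, window=timedelta(minutes=10)):
    """Step 1: source IPs with at least `min_events` entries inside any `window` span."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["source_ip"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_events:
            flagged[ip] = best
    return flagged

def filter_feed(entries, attack_type=None, action=None):
    """Step 4: narrow the feed the way the filter bar does."""
    return [e for e in entries
            if (attack_type is None or e["attack_type"] == attack_type)
            and (action is None or e["action"] == action)]

def origin_exposure(entries):
    """Entries whose request still reached the origin: logged (passed through)
    and throttled (reduced rate). Blocked requests never reach the origin."""
    return [e for e in entries if e["action"] in ("logged", "throttled")]

def triage(entries):
    """Steps 1 and 2 together: for each flagged IP, list the rule IDs that matched so
    the reviewer can decide between Block IP and Whitelist IP (step 3)."""
    report = {}
    for ip, n in high_frequency_sources(entries).items():
        rules = sorted({e["rule_id"] for e in entries if e["source_ip"] == ip and e["rule_id"]})
        report[ip] = {"events": n, "rule_ids": rules}
    return report
```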

Feed retention

The Threat Feed retains the last 24 hours of events. Older entries are not accessible from the dashboard.
