Most enterprise WAFs are configured to block source IPs whose abuse confidence score exceeds a threshold. An AbuseIPDB confidence score of 50 is a common default. The assumption is that hostile traffic gets caught at the gate.
We tested that assumption.
Of 240 hostile actors that behavioral analysis detected on our infrastructure over 19 days, operating from 380 distinct IPs, we cross-referenced a 100-IP sample against AbuseIPDB: 45% have confidence scores below 50. They pass standard WAF configurations because their IPs haven't been reported often enough to trigger blocking. Their behavior is hostile; their reputation hasn't caught up with it yet.
Here's what we found, and what it means.
The data
We cross-referenced a sample of 100 IPs used by behaviorally detected hostile actors against two public threat intelligence sources: the GreyNoise Community API and AbuseIPDB.
The methodology was simple. For each IP we asked: does any public threat feed know this is hostile?
The results, ordered by threshold:
| Cut-off | Share of sampled hostile IPs under the cut-off (i.e. that pass) |
|---|---|
| 0 reports (completely unknown) | 18% |
| 0-2 reports (noise level) | 25% |
| 0-5 reports (under the radar) | 30% |
| Score below 25 (typical SOC threshold) | 32% |
| Score below 50 (typical WAF block threshold) | 45% |
The 45% figure is operational. It's not "completely invisible to threat intel." It's "low enough confidence that automated systems leave them alone."
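To make the table above reproducible, here is the counting step as an added example (not BotConduct's code). Record fields follow the `data` object of AbuseIPDB's v2 `check` response (`abuseConfidenceScore`, `totalReports`, `usageType`, `isp`, `countryCode`); the IPs and their values are constructed, not real lookups, and GreyNoise is left out for brevity. Note that report count and confidence score are separate axes: a stale report keeps counting while its score decays.

```python
"""Share of behaviorally hostile IPs that fall under each reputation cut-off.

Added example, not BotConduct's code. Record fields follow AbuseIPDB's v2
`check` response; the IPs and values are constructed.
"""
from collections import Counter

# Constructed lookup results for ten IPs that behavioral detection flagged as hostile.
LOOKUPS = [
    {"ipAddress": "198.51.100.10", "abuseConfidenceScore": 0,   "totalReports": 0,   "usageType": "Fixed Line ISP", "isp": "ExampleNet Residential", "countryCode": "US"},
    {"ipAddress": "198.51.100.11", "abuseConfidenceScore": 0,   "totalReports": 0,   "usageType": "Fixed Line ISP", "isp": "ExampleNet Residential", "countryCode": "US"},
    {"ipAddress": "192.0.2.77",    "abuseConfidenceScore": 0,   "totalReports": 0,   "usageType": "Mobile ISP",     "isp": "Example Mobile",        "countryCode": "US"},
    # One stale report: the confidence score has decayed to 0, the report count has not.
    {"ipAddress": "203.0.113.5",   "abuseConfidenceScore": 0,   "totalReports": 1,   "usageType": "Data Center/Web Hosting/Transit", "isp": "Example Hosting", "countryCode": "DE"},
    {"ipAddress": "203.0.113.6",   "abuseConfidenceScore": 12,  "totalReports": 3,   "usageType": "Data Center/Web Hosting/Transit", "isp": "Example Hosting", "countryCode": "DE"},
    {"ipAddress": "192.0.2.20",    "abuseConfidenceScore": 27,  "totalReports": 7,   "usageType": "Fixed Line ISP", "isp": "ExampleNet Residential", "countryCode": "US"},
    {"ipAddress": "192.0.2.21",    "abuseConfidenceScore": 48,  "totalReports": 11,  "usageType": "Fixed Line ISP", "isp": "ExampleNet Residential", "countryCode": "US"},
    {"ipAddress": "203.0.113.40",  "abuseConfidenceScore": 63,  "totalReports": 25,  "usageType": "Data Center/Web Hosting/Transit", "isp": "Example Hosting", "countryCode": "NL"},
    {"ipAddress": "203.0.113.41",  "abuseConfidenceScore": 90,  "totalReports": 140, "usageType": "Data Center/Web Hosting/Transit", "isp": "Example Hosting", "countryCode": "NL"},
    {"ipAddress": "198.51.100.99", "abuseConfidenceScore": 100, "totalReports": 900, "usageType": "Data Center/Web Hosting/Transit", "isp": "Example Hosting", "countryCode": "SG"},
]

# The post's cut-offs as predicates on one record, narrowest first.
CUTOFFS = [
    ("0 reports",   lambda r: r["totalReports"] == 0),
    ("0-2 reports", lambda r: r["totalReports"] <= 2),
    ("0-5 reports", lambda r: r["totalReports"] <= 5),
    ("score < 25",  lambda r: r["abuseConfidenceScore"] < 25),
    ("score < 50",  lambda r: r["abuseConfidenceScore"] < 50),
]


def pass_rates(lookups, cutoffs=CUTOFFS):
    """Fraction of hostile IPs that a blocker keyed on each cut-off lets through."""
    n = len(lookups)
    return {label: sum(1 for r in lookups if pred(r)) / n for label, pred in cutoffs}


def would_block(record, threshold=50):
    """Mirror of the WAF rule 'block if abuseConfidenceScore >= threshold'."""
    return record["abuseConfidenceScore"] >= threshold


def unknown_profile(lookups):
    """Who the zero-report IPs belong to, by ISP, usage type and country."""
    zero = [r for r in lookups if r["totalReports"] == 0]
    return {
        "count": len(zero),
        "isp": Counter(r["isp"] for r in zero),
        "usageType": Counter(r["usageType"] for r in zero),
        "countryCode": Counter(r["countryCode"] for r in zero),
    }


if __name__ == "__main__":
    for label, rate in pass_rates(LOOKUPS).items():
        print(f"{label:<12} {rate:5.0%} of hostile IPs pass")
    reaching_origin = [r["ipAddress"] for r in LOOKUPS if not would_block(r)]
    print("Reach the origin at threshold 50:", ", ".join(reaching_origin))
    print("Zero-report IPs:", unknown_profile(LOOKUPS))
```

On this constructed set the threshold-50 rule lets 7 of 10 hostile IPs through, and the three it blocks are the loud datacenter addresses; the same shape as the table above, which is the point: the rule works exactly as configured and still misses the quiet majority.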
Why this happens
Public threat intelligence works by aggregation. Someone has to report an IP. Multiple reports increase confidence. Eventually the IP crosses thresholds and gets blocked.
That model breaks against actors who do three things:
One: rotate infrastructure aggressively. A single hostile actor using residential proxies through providers like Chiron Software LLC operates from IPs that look like home internet connections. Those IPs cycle out before they accumulate reports.
Two: stay below volume thresholds. An actor making 5-15 requests per IP, then rotating, never triggers per-IP detection. The aggregate behavior is hostile. The per-IP behavior looks like noise.
Three: target sites that don't report. Most websites block hostile traffic silently. They don't submit IPs to public databases. The hostile activity happens but never enters the threat feed loop.
The result is a class of actors whose behavior is hostile, who persist for weeks, and who remain technically invisible to reputation-based defenses.
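The second point above (a few requests per IP, then rotate) is what defeats per-IP rules specifically, so here is the difference between counting per IP and counting per actor, as an added example that is not BotConduct's code. The log lines are constructed inline; the actor key used here, a TLS fingerprint hash plus User-Agent, is an assumption standing in for the richer trajectory signals the post describes, and the fingerprint values are placeholders, not real JA3 hashes.

```python
"""Per-IP rate rules versus per-actor aggregation over rotating proxy IPs.

Added example, not BotConduct's code. Log lines are constructed; the actor
key (fingerprint hash + User-Agent) is a stand-in for real behavioral keys.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format, tab-separated:  ts  ip  path  status  fingerprint  user-agent
PROBE_PATHS = ["/.env", "/wp-login.php", "/admin/", "/.git/config",
               "/phpinfo.php", "/backup.zip", "/xmlrpc.php", "/api/v1/users"]
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"


def _build_sample():
    """Three kinds of traffic: a rotating actor, a loud scanner, two ordinary visitors."""
    base = datetime(2026, 4, 2, 3, 0, 0)
    lines = []
    # Actor A: one operator, ten residential-proxy IPs, eight probes from each, then rotate.
    for i in range(10):
        ip = f"198.51.100.{10 + i}"
        for j, path in enumerate(PROBE_PATHS):
            ts = base + timedelta(minutes=5 * i, seconds=20 * j)
            lines.append(f"{ts.isoformat()}\t{ip}\t{path}\t404\tfp-actor-a\t{CHROME_UA}")
    # Scanner B: one datacenter IP, thirty requests in a minute. Loud; per-IP rules catch it.
    for j in range(30):
        ts = base + timedelta(seconds=2 * j)
        lines.append(f"{ts.isoformat()}\t203.0.113.77\t{PROBE_PATHS[j % 8]}\t404\t"
                     f"fp-scanner-b\tpython-requests/2.31.0")
    # Two ordinary visitors: distinct fingerprints, three page views each.
    for n, ip in enumerate(["192.0.2.5", "192.0.2.6"]):
        for j, path in enumerate(["/", "/pricing", "/docs/"]):
            ts = base + timedelta(minutes=n, seconds=30 * j)
            lines.append(f"{ts.isoformat()}\t{ip}\t{path}\t200\tfp-visitor-{n}\t"
                         f"Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Firefox/125.0")
    return lines


def parse_line(line):
    ts, ip, path, status, fp, ua = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": path,
            "status": int(status), "fp": fp, "ua": ua}


EVENTS = [parse_line(line) for line in _build_sample()]


def _peak_in_window(timestamps, window):
    """Largest number of events falling inside any sliding window of the given length."""
    times = sorted(timestamps)
    start, peak = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def per_ip_alerts(events, window=timedelta(hours=1), threshold=20):
    """Classic per-IP rule: flag an IP with >= threshold requests inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    return {ip for ip, ts in by_ip.items() if _peak_in_window(ts, window) >= threshold}


def per_actor_alerts(events, window=timedelta(hours=1), threshold=20, min_ips=3):
    """Same rate rule keyed on the actor instead of the IP, plus a rotation indicator."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["fp"], e["ua"])].append(e)
    alerts = []
    for (fp, ua), evs in by_actor.items():
        if _peak_in_window([e["ts"] for e in evs], window) < threshold:
            continue
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e["ip"]] += 1
        alerts.append({"fp": fp, "ua": ua, "requests": len(evs),
                       "distinct_ips": len(per_ip), "max_per_ip": max(per_ip.values()),
                       "rotating": len(per_ip) >= min_ips})
    return alerts


if __name__ == "__main__":
    print("per-IP rule flags:", sorted(per_ip_alerts(EVENTS)))
    for a in per_actor_alerts(EVENTS):
        print(f"actor {a['fp']}: {a['requests']} requests over {a['distinct_ips']} IPs "
              f"(max {a['max_per_ip']} per IP), rotating={a['rotating']}")
```

The per-IP rule fires only on the scanner. Actor A makes 80 probe requests in under an hour but never more than 8 from one address, so no single IP crosses 20 and none of them will ever earn a report from this site; keyed on the actor, the same threshold fires immediately and the IP count tells you it is rotating.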
What the completely invisible 18% look like
The cleanest data point is the 18% with zero reports in either source. We checked the profile of those 18 IPs:
- 12 of 18 (67%) belong to Chiron Software LLC, a US residential proxy provider
- 14 of 18 (78%) are categorized as "Fixed Line ISP"
- 13 of 18 (72%) geolocate to United States
Translation: hostile actors are running through US residential proxy networks, and their traffic looks like it comes from home internet users. Nothing in the IP metadata triggers suspicion. The only way to identify them is to look at what they do, not who they are.
What this means operationally
If you depend on IP reputation to filter traffic, you're catching the actors who already burned their cover. The careful operators slip through.
Three concrete implications.
For SOC teams: an AbuseIPDB threshold of 50 catches the loud actors but passes 45% of the sampled hostile IPs. Lowering the threshold catches more but generates noise. The structural problem is that reputation-based detection has a built-in delay. By the time an IP earns a reputation, the actor has rotated to a new one.
For compliance and audit: "We block known malicious IPs" is a defensible technical statement that doesn't reflect reality on the ground. The hostile traffic on your infrastructure isn't all coming from known-bad addresses. A meaningful portion is coming from addresses that no public source has flagged.
For procurement of security tools: vendors whose product is essentially an IP reputation feed are selling coverage of the easier 55%. The harder 45% requires behavioral measurement that most current tooling doesn't do.
How we detected what threat feeds missed
The actors that pass WAFs aren't invisible to behavioral observation. We detected them through behavioral trajectory analysis -- patterns in how they navigate, what they request first, how their sessions evolve over days, and inconsistencies between their declared identity and their technical fingerprint.
None of these signals require knowing who the actor is. All of them produce evidence that holds up under audit.
The structural difference between behavioral detection and reputation-based detection is timing. Reputation tells you what an IP did somewhere else, after someone reported it. Behavior tells you what an actor is doing on your infrastructure, right now, before anyone else sees it.
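One of the signals named above, inconsistency between declared identity and technical fingerprint, can be checked on a single request with no reputation data at all. The following is an added example, not BotConduct's code. Its expectations are heuristics (assumptions about what current Chromium- and Gecko-based browsers send on a page navigation: `sec-ch-ua` client hints from Chromium, `Sec-Fetch-*` metadata from both, a real `Accept` list rather than the `*/*` that HTTP client libraries default to); the sample requests are constructed and trimmed to the headers the checks look at.

```python
"""Declared identity versus technical fingerprint: header-consistency checks.

Added example, not BotConduct's code. The expectations are heuristic
assumptions about mainstream browsers; the sample requests are constructed.
"""

# Assumption: sec-ch-ua-platform values and the substring the matching
# User-Agent string would carry.
PLATFORM_HINT_TO_UA = {"windows": "windows", "macos": "macintosh",
                       "linux": "linux", "android": "android"}


def declared_family(ua):
    """Coarse family the User-Agent string claims to be."""
    u = ua.lower()
    if any(t in u for t in ("python-requests", "curl/", "go-http-client", "wget/")):
        return "tool"
    if "firefox/" in u:
        return "firefox"
    if any(t in u for t in ("chrome/", "chromium/", "edg/")):
        return "chromium"   # checked before Safari: Chrome UAs also contain "Safari/"
    if "safari/" in u:
        return "safari"
    return "unknown"


def fingerprint_inconsistencies(headers):
    """Reasons the request's technical fingerprint contradicts its declared identity."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    fam = declared_family(ua)
    reasons = []
    if fam in ("chromium", "firefox", "safari"):
        if fam == "chromium" and "sec-ch-ua" not in h:
            reasons.append("claims Chromium but sends no sec-ch-ua")
        if fam in ("chromium", "firefox") and not any(k.startswith("sec-fetch-") for k in h):
            reasons.append(f"claims {fam} but sends no Sec-Fetch-* headers")
        if h.get("accept", "").strip() == "*/*":
            reasons.append("claims a browser but Accept is a bare */*")
        if "accept-language" not in h:
            reasons.append("claims a browser but sends no Accept-Language")
    # Client hints that disagree with the User-Agent string itself.
    plat = h.get("sec-ch-ua-platform", "").strip('"').lower()
    token = PLATFORM_HINT_TO_UA.get(plat)
    if token and token not in ua.lower():
        reasons.append(f"sec-ch-ua-platform says {plat} but User-Agent does not")
    return reasons


CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
HTML_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
NAVIGATE = {"Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "none", "Sec-Fetch-Dest": "document"}
HINTS = {"sec-ch-ua": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
         "sec-ch-ua-platform": '"Windows"'}

# Constructed requests (header names and values trimmed to what the checks use).
SAMPLES = {
    "real_chrome": {"User-Agent": CHROME_WIN, "Accept": HTML_ACCEPT,
                    "Accept-Language": "en-US,en;q=0.9", **HINTS, **NAVIGATE},
    # A script wearing a Chrome User-Agent and nothing else.
    "spoofed_chrome": {"User-Agent": CHROME_WIN, "Accept": "*/*",
                       "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive"},
    # Honest about itself: no inconsistency, whatever you decide to do with it.
    "honest_tool": {"User-Agent": "python-requests/2.31.0", "Accept": "*/*",
                    "Accept-Encoding": "gzip, deflate"},
    "real_firefox": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
                     "Accept": HTML_ACCEPT, "Accept-Language": "en-US,en;q=0.5", **NAVIGATE},
    # Headers copied from a Windows capture, User-Agent edited to look like a Mac.
    "platform_mismatch": {"User-Agent": CHROME_MAC, "Accept": HTML_ACCEPT,
                          "Accept-Language": "en-US,en;q=0.9", **HINTS, **NAVIGATE},
}


def audit(samples=SAMPLES):
    """Map each constructed request to the list of inconsistencies found in it."""
    return {label: fingerprint_inconsistencies(h) for label, h in samples.items()}


if __name__ == "__main__":
    for label, reasons in audit().items():
        print(f"{label:<18} {reasons or 'consistent'}")
```

None of these checks ask who the IP is, and each produces a reason string you can keep as evidence. The platform-mismatch case is the one worth noting: every individual header is plausible, and only the disagreement between two of them gives the request away.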
What we're publishing next
The full Bot Conduct Report 2026 will cover all 421 actors observed across 19 days, with behavioral profiles, infrastructure mapping, and the methodology in detail.
For now, the practical takeaway is narrow and verifiable: if your defense depends on IP reputation, 45% of the hostile IPs in our sample walk straight past it.
If you want to see what hostile traffic looks like on your specific infrastructure, our Site Risk Assessment produces an independent forensic report.
Full write-up: https://botconduct.org/blog/waf-bypass-45-percent/
Methodology details available on request. Data from BotConduct Observatory, April 2026.