    How to Activate Always‑On Attack Signature Detection and Remove Log‑vs‑Block Trade‑off

    4 March 2026 by Suraj Barman

    Always‑On Attack Signature Detection - definition

    Always‑on attack signature detection runs every security signature on each HTTP request as soon as traffic reaches the edge, providing full visibility without automatically blocking traffic. Metadata about each match is attached to the request, allowing teams to create precise mitigation policies later.

    Attack Signature Detection Overview

    This component evaluates inbound requests against a library of managed signatures, similar to a traditional web application firewall rule set, but it never enforces a block by default.

    • Executes all signatures on each request the moment it is proxied.
    • Generates three metadata arrays: confidence scores, categories, and Ref IDs.
    • Categories tag the attack vector (e.g., SQLi, XSS, RCE).
    • Confidence indicates the likelihood of a false positive for each match.
    • Data is streamed to Security Analytics for real‑time insight.

    Full‑Transaction Detection

    Full‑transaction detection expands analysis to the complete HTTP exchange, correlating request and response data to surface threats that only appear after the server replies.

    • Combines request signatures with response‑side heuristics.
    • Detects reflective attacks such as SQL injection that manifest in responses.
    • Reduces false positives by considering end‑to‑end context.
    • Provides additional metadata fields for downstream rule creation.
    • Operates under the same always‑on framework, keeping detection separate from mitigation.

    Integration with Security Analytics

    The detection metadata feeds directly into the analytics dashboard, where security teams can slice and dice the data to understand threat patterns.

    • Dashboards display aggregated confidence, categories, and Ref IDs.
    • Teams can build custom edge‑rule policies using the new metadata fields.
    • Historical data supports safe onboarding of new applications.
    • Reference implementation for analytics integration: real‑time orchestration guide.
    • Exportable reports assist compliance and audit workflows.

    Performance and Latency Considerations

    Detections are designed to run with minimal impact. When no blocking rule references a detection, the engine can postpone execution until after the origin response.

    • Zero added latency for passive detection mode.
    • When a blocking rule is active, detection runs inline, adding only the processing time of the signature set.
    • Latency impact varies with traffic profile and signature count.
    • Performance benchmarks are documented in the network latency article.
    • Engine automatically scales with traffic using edge compute resources.

    Deployment and Onboarding Workflow

    Enabling always‑on detection follows a simple three‑step process, allowing teams to move from logging‑only to full protection without losing visibility.

    • Activate Attack Signature Detection in the security settings panel.
    • Monitor the populated analytics fields for the first 24‑48 hours to identify high‑frequency matches.
    • Create targeted mitigation rules based on observed confidence and categories.
    • Optionally enable Full‑Transaction Detection once baseline signatures are stable.
    • Guidance for end‑to‑end deployment can be found in AWS Well‑Architected lens.
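
    The monitoring and rule-creation steps above, as an added example that is not from the original article or any vendor: a script that aggregates the three per-request metadata arrays over an observation window and separates Ref IDs that are candidates for a block rule from those that should stay in log-only mode. The record layout, field names, Ref ID values and thresholds are constructed for illustration, and it assumes a higher confidence score means a false positive is less likely.

```python
from collections import defaultdict

# Constructed sample records. Field names are hypothetical stand-ins for the
# three per-request metadata arrays (confidence, categories, Ref IDs).
SAMPLE = [
    {"path": "/login", "confidence": [95], "categories": ["SQLi"], "ref_ids": ["REF-A"]},
    {"path": "/login", "confidence": [92], "categories": ["SQLi"], "ref_ids": ["REF-A"]},
    {"path": "/search", "confidence": [90, 40], "categories": ["SQLi", "XSS"], "ref_ids": ["REF-A", "REF-B"]},
    {"path": "/search", "confidence": [35], "categories": ["XSS"], "ref_ids": ["REF-B"]},
    {"path": "/search", "confidence": [45], "categories": ["XSS"], "ref_ids": ["REF-B"]},
    {"path": "/admin", "confidence": [99], "categories": ["RCE"], "ref_ids": ["REF-C"]},
    {"path": "/broken", "confidence": [80], "categories": [], "ref_ids": ["REF-D"]},  # malformed
    {"path": "/", "confidence": [], "categories": [], "ref_ids": []},  # no signature matched
]

def summarize(records):
    """Aggregate matches per Ref ID; return (stats, malformed_count)."""
    stats = defaultdict(lambda: {"category": None, "hits": 0, "min_conf": None, "paths": set()})
    malformed = 0
    for rec in records:
        conf, cats, refs = rec["confidence"], rec["categories"], rec["ref_ids"]
        if not (len(conf) == len(cats) == len(refs)):
            malformed += 1  # arrays must line up index by index; do not guess
            continue
        for score, cat, ref in zip(conf, cats, refs):
            s = stats[ref]
            s["category"] = cat
            s["hits"] += 1
            s["min_conf"] = score if s["min_conf"] is None else min(s["min_conf"], score)
            s["paths"].add(rec["path"])
    return dict(stats), malformed

def propose(stats, min_hits=3, min_conf=85):
    """Split Ref IDs into block candidates and ones to keep in log-only mode."""
    block, keep_logging = [], []
    for ref, s in sorted(stats.items()):
        # Block only when the signature fired often enough to judge it AND even
        # its weakest match scored high (assumed: higher = fewer false positives).
        if s["hits"] >= min_hits and s["min_conf"] >= min_conf:
            block.append(ref)
        else:
            keep_logging.append(ref)
    return block, keep_logging

if __name__ == "__main__":
    stats, bad = summarize(SAMPLE)
    print(propose(stats), "malformed records skipped:", bad)
```

    Using the lowest observed score per Ref ID, rather than the average, keeps a signature in log-only mode if even one of its matches looked doubtful during the observation window.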


    Copyright © 2026 TechStora. All Rights Reserved.