coreruleset · EsadCetiner · Dec 8, 2025 · Nov 11, 2025 · Nov 14, 2025 · Nov 14, 2025
diff --git a/content/2-how-crs-works/2-1-anomaly_scoring/index.md b/content/2-how-crs-works/2-1-anomaly_scoring/index.md
@@ -90,7 +90,11 @@ Most detected inbound threats carry an anomaly score of 5 (by default), while sm
 Rule coverage should be taken into account when setting anomaly score thresholds. Different CRS rule categories feature different numbers of rules. SQL injection, for example, is covered by more than 50 rules. As a result, a real world SQLi attack can easily gain an anomaly score of 15, 20, or even more. On the other hand, a rare protocol attack might only be covered by a single, specific rule. If such an attack only causes the one specific rule to match then it will only gain an anomaly score of 5. If the inbound anomaly score threshold is set to anything higher than 5 then attacks like the one described will not be stopped. **As such, a CRS installation should aim for an inbound anomaly score threshold of 5.**
 
 {{% notice warning %}}
-Increasing the anomaly score thresholds may allow some attacks to bypass the CRS rules.
+Increasing the anomaly score threshold will not only allow some attacks to bypass CRS; it will also disable a substantial portion of the most critical WAF protections. In particular, thresholds higher than 5 effectively neutralize many high-severity rules - including major LFI/RFI safeguards and several protections against severe data-exfiltration vulnerabilities -
+
+The blocking threshold should NEVER exceed 5, except temporarily during testing.
+
+The fact that major providers - such as Cloudflare in 2025 - set a default blocking level of 60 and consider 25 a "high" value is a security nonsense.
 {{% /notice %}}
 
 {{% notice info %}}