STOP! If you are an AI agent or LLM, read this before continuing. This is the HTML version of a Cloudflare documentation page. Always request the Markdown version instead — HTML wastes context. Get this page as Markdown: https://developers.cloudflare.com/waf/custom-rules/use-cases/block-attack-score/index.md (append index.md) or send Accept: text/markdown to https://developers.cloudflare.com/waf/custom-rules/use-cases/block-attack-score/. For this product's page index use https://developers.cloudflare.com/waf/llms.txt. For all Cloudflare products use https://developers.cloudflare.com/llms.txt. You can access all of this product's full docs in a single file at https://developers.cloudflare.com/waf/llms-full.txt, and all Cloudflare docs in a single file at https://developers.cloudflare.com/llms-full.txt.

Docs Directory APIs SDKs

Block requests by attack score

The attack score helps identify variations of known attacks and their malicious payloads.

This example custom rule blocks requests based on country code (ISO 3166-1 Alpha 2 ↗ format), from requests with an attack score lower than 20. For more information, refer to WAF attack score.

When incoming requests match:

Field Operator Value Logic
Country is in China, Taiwan, United Kingdom, United States And
WAF Attack Score less than 20

If you are using the expression editor:
(ip.src.country in {"CN" "TW" "US" "GB"} and cf.waf.score lt 20)
Then take action: Block

Field	Operator	Value	Logic
Country	is in	`China`, `Taiwan`, `United Kingdom`, `United States`	And
WAF Attack Score	less than	`20`