These metrics should analyze application health indicators—such as backend response times, error rates, and service availability—to dynamically evaluate how well the application is handling traffic.
Using these signals, the system can automatically recommend or adjust L7 DDoS protection thresholds, ensuring that the protection is neither too restrictive (blocking legitimate traffic) nor too permissive (allowing attack traffic through).
Proposal: Adaptive L7 DDoS Threshold Alerts and Metrics
Introduce a set of metrics and alerts that measure the underlying application health, including:
Backend latency and time-to-first-byte
4xx/5xx error rate patterns
Request anomaly indicators (sudden shape changes, spikes in specific endpoints)
Comparative traffic baselines (normal vs. suspicious patterns)
Saturation metrics (API capacity, queueing signals, CPU/memory pressure, mostly for Customer Edge customers)
Using these health signals, create:
Adaptive Threshold Recommendations
The system analyzes deviations from normal behavior and suggests tuning L7 thresholds—for example, tightening limits when high latency indicates stress or loosening them when thresholds are unnecessarily blocking good traffic.
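One way such a recommendation could be computed, as an added sketch that is not part of the original proposal or of any product's code: backend latency and 5xx rate are scored against a baseline of normal windows, and the result is a suggestion to tighten, loosen, or keep the request-rate threshold. The field names, the `blocked_legit_rate` signal, and the constants are assumptions made for illustration.

```python
from statistics import median

HEALTH_KEYS = ("p95_latency_ms", "error_5xx_rate")  # backend health signals
STRESS_Z = 3.0        # assumed: deviation (in MAD units) that counts as stress
FP_TOLERANCE = 0.02   # assumed: acceptable share of blocked requests that were legitimate
STEP = 0.20           # assumed: fraction by which one recommendation moves the limit


def robust_z(value, history):
    """Deviation of value from the baseline median, in scaled-MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the scale at 5% of the median so a very flat baseline does not
    # turn ordinary jitter into an extreme score.
    scale = max(1.4826 * mad, 0.05 * abs(med), 1e-9)
    return (value - med) / scale


def recommend(limit_rps, baseline, current, floor=50, ceiling=5000):
    """Return (action, recommended_limit, triggering_signals)."""
    scores = {k: robust_z(current[k], [w[k] for w in baseline]) for k in HEALTH_KEYS}
    stressed = [k for k in HEALTH_KEYS if scores[k] > STRESS_Z]
    if stressed:
        # Backend stress wins over false-positive pressure: never loosen
        # while the application is degrading.
        return "tighten", max(floor, round(limit_rps * (1 - STEP))), stressed
    if current["blocked_legit_rate"] > FP_TOLERANCE:
        return "loosen", min(ceiling, round(limit_rps * (1 + STEP))), ["blocked_legit_rate"]
    return "keep", limit_rps, []


# Constructed sample data: six normal five-minute windows.
BASELINE = [
    {"p95_latency_ms": lat, "error_5xx_rate": err}
    for lat, err in [(120, 0.004), (130, 0.005), (125, 0.003),
                     (118, 0.004), (122, 0.006), (128, 0.005)]
]

if __name__ == "__main__":
    under_attack = {"p95_latency_ms": 480, "error_5xx_rate": 0.09, "blocked_legit_rate": 0.01}
    over_blocking = {"p95_latency_ms": 124, "error_5xx_rate": 0.004, "blocked_legit_rate": 0.08}
    print(recommend(1000, BASELINE, under_attack))
    print(recommend(1000, BASELINE, over_blocking))
```

The output is a recommendation only; applying it automatically would additionally need rate limiting on changes and an audit trail so an operator can review each adjustment.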