Most enterprise WAFs are configured to block IPs above a certain abuse confidence threshold. AbuseIPDB threshold 50 is a common SOC default. The assumption is that hostile traffic gets caught at the gate. We tested that assumption. Of 240 hostile actors detected by behavior on our infrastructure over 19 days, operating from 380 distinct IPs, 45% have AbuseIPDB scores below 50. They pass standard WAF configurations because their IPs aren't reported enough times to trigger blocking. They behave hostile but they don't yet have the reputation to match. Here's what we found, and what it means. The data We cross-referenced a sample of 100 hostile actors detected by behavioral analysis against two public threat intelligence sources: GreyNoise Community API and AbuseIPDB. The methodology was simple. For each IP we asked: does any public threat feed know this is hostile?…