Hi Rafa,
Imperva CWAF have various solutions with different modeling that provides coverage for a different type of risks to your site, for example
- WAF is a True Negative model that will block known malicious request
- API security is a True Positive model that will allow only request matching the API spec
But when it comes to OWASP Automated Threats to Web Applications the client classification is only a part of a solution that needs to be combined with different modeling like rate limiting, hidden challenges. The challenges can be progressively made difficult on the condition and filter usage. The features, rules, and action can be based on specific use cases coverage, ability to parse data to model risk, ability to work with Imperva SOC that has many advanced filters, and experience for many use cases.
For example, IncapRules will only parse requests and not payload responses to verify the action from origin whereas ATO can model action based on response data and provide mitigation based on severity easily without rules needs like incaprule.
Advanced bot protection is also a great solution for preventing automation and scope to specific resources for controlling business risks. Scope the High-Value Target (HVT) paths as selectors in the ABP for the Site Group, Create a policy that mimics the default policy named after the use case, enable the managed conditions in that policy assigned to the use case selector, and fine-tune to avoid any false positives.
So if you can share your use case and issue and subscription for your account, specific guidance can be provided based on the scenario, client and coverage needed