You can now configure a lower threshold for rate-based rules you use with AWS WAF, allowing you to mitigate low-volume application threats. The new threshold of 100 requests per 5 minutes (previously 2000 requests per 5 minutes) gives you greater control for stopping slow brute force login attempts, limiting per-user API usage, blocking low-volume denial of service (DoS) attacks, and stopping malicious bots that consume resources and scrape content.