[WAF] Clarify OWASP ruleset vs OWASP Top 10 (#18234)

Author: pedrosousa

src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx

@@ -3,15 +3,28 @@ pcx_content_type: configuration
 title: Cloudflare OWASP Core Ruleset
 sidebar:
   order: 3
-
 ---
 
-import { DirectoryListing } from "~/components"
+import { DirectoryListing } from "~/components";
 
 The Cloudflare OWASP Core Ruleset is Cloudflare's implementation of the [OWASP ModSecurity Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) (CRS). Cloudflare routinely monitors for updates from OWASP based on the latest version available from the official code repository.
 
 The Cloudflare OWASP Core Ruleset is designed to work as a single entity to calculate a [threat score](/waf/managed-rules/reference/owasp-core-ruleset/concepts/#request-threat-score) and execute an action based on that score. When a rule in the ruleset matches a request, the threat score increases according to the rule score. If the final threat score is greater than the configured [score threshold](/waf/managed-rules/reference/owasp-core-ruleset/concepts/#score-threshold), Cloudflare executes the action configured in the last rule of the ruleset.
 
+:::note
+
+The Cloudflare OWASP Core Ruleset is Cloudflare's implementation of the OWASP ModSecurity Core Rule Set, which is different from the [OWASP Top 10](https://owasp.org/www-project-top-ten/).
+
+The OWASP Top 10 is a list of the most severe security risks that can affect applications. Some of the identified security risks can be addressed by the OWASP Core Ruleset, but other risks cannot be protected by a web application firewall, such as the following:
+
+- Insecure Design
+- Identification and Authentication Failures
+- Security Logging and Monitoring Failures
+
+These risks depend more on how the application is built or how the entire monitoring pipeline is set up.
+
+:::
+
 ## Resources
 
 <DirectoryListing />