diff --git a/public/_redirects b/public/_redirects index bf46e3e39fc8cc8..243322397df5480 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1384,6 +1384,7 @@ /waf/custom-rules/manage-dashboard/ /waf/custom-rules/create-dashboard/ 301 /waf/security-analytics/ /waf/analytics/security-analytics/ 301 /waf/custom-rules/use-cases/require-valid-hmac-token/ /waf/custom-rules/use-cases/configure-token-authentication/ 301 +/waf/custom-rules/use-cases/block-ip-reputation/ /waf/custom-rules/use-cases/block-attack-score/ 301 /waf/tools/scrape-shield/server-side-excludes/ /waf/tools/scrape-shield/ 301 /waf/rate-limiting-rules/create-account-dashboard/ /waf/account/rate-limiting-rulesets/create-dashboard/ 301 /waf/managed-rules/deploy-account-dashboard/ /waf/account/managed-rulesets/deploy-dashboard/ 301 diff --git a/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx b/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx index ff138e8d3c6c4ad..4c35819cd91f135 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx @@ -2,7 +2,6 @@ pcx_content_type: reference source: https://support.cloudflare.com/hc/en-us/articles/204191238-What-are-the-types-of-Threats- title: Threat types - --- Cloudflare classifies the threats that it blocks or challenges. To help you understand more about your site’s traffic, the “Type of Threats Mitigated” metric on the analytics page measures threats blocked or challenged by the following categories: 
@@ -21,19 +20,19 @@ Cloudflare's [Browser Integrity Check](/waf/tools/browser-integrity-check/) look Visitors were presented with an interactive challenge page and failed to pass. -*Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked.* +_Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked._ ## Browser challenge A bot gave an invalid answer to the JavaScript challenge (in most cases this will not happen, bots typically do not respond to the challenge at all, so "failed" JavaScript challenges would not get logged). -*Note: During a JavaScript challenge you will be shown an interstitial page for about five seconds while Cloudflare performs a series of mathematical challenges to make sure it is a legitimate human visitor.* +_Note: During a JavaScript challenge you will be shown an interstitial page for about five seconds while Cloudflare performs a series of mathematical challenges to make sure it is a legitimate human visitor._ ## Bad IP -A request that came from an IP address that is not trusted by Cloudflare based on the Threat Score. +A request that came from an IP address that is not trusted by Cloudflare based on the threat score. -Cloudflare uses Threat Scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the Threat Score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. Site owners may override the Threat Score at any time using Cloudflare's security settings. 
+Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. ## Country block @@ -59,7 +58,7 @@ A /24 IP range that was blocked based on the [user configuration](/waf/tools/ip- Requests made by a bot that failed to pass the challenge. -*Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked.* +_Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked._ ## Bot Request @@ -67,6 +66,6 @@ Request that came from a bot. ## Unclassified -Unclassified threats comprises a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on Cloudflare's global network based on the composition of the request (and not its content). +Unclassified threats comprises a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on Cloudflare's global network based on the composition of the request (and not its content). Unclassified means a number of conditions under which we group common threats related to Hotlink Protection as well as certain cases of IP reputation and specific requests that are blocked at Cloudflare's global network before reaching your servers. 
diff --git a/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx b/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx index f1221325ea61904..aa12f1da2328d20 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx 
@@ -2,15 +2,14 @@ pcx_content_type: reference source: https://support.cloudflare.com/hc/en-us/articles/204964927-How-does-Cloudflare-calculate-Total-threats-stopped- title: Total threats stopped - --- Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels by our IP Reputation Database as they enter Cloudflare’s network: -* **Legitimate:** request pass directly to your site -* **Suspicious:** request has been challenged with a [Cloudflare challenge](/waf/reference/cloudflare-challenges/) -* **Bad:** request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block. +- **Legitimate:** Request passed directly to your site. +- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/waf/reference/cloudflare-challenges/). +- **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block. -Cloudflare uses Threat Scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the Threat Score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. +Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. In addition to threat analytics you can also monitor search engine crawlers going to your websites. For most websites, threats and crawlers make up 20% to 50% of traffic. 
diff --git a/src/content/docs/bots/concepts/bot-score/index.mdx b/src/content/docs/bots/concepts/bot-score/index.mdx index e2225c48ab98e95..0d10ae22ee6f85b 100644 --- a/src/content/docs/bots/concepts/bot-score/index.mdx +++ b/src/content/docs/bots/concepts/bot-score/index.mdx @@ -3,10 +3,9 @@ pcx_content_type: concept title: Bot scores sidebar: order: 2 - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; @@ -14,7 +13,7 @@ Bot scores are available to be used in rule expressions and with Workers to cust :::note -Granular bot scores are only available to Enterprise customers who have purchased Bot Management. All other customers can only access this information through [bot groupings](#bot-groupings) in Bot Analytics. +Granular bot scores are only available to Enterprise customers who have purchased Bot Management. All other customers can only access this information through [bot groupings](#bot-groupings) in Bot Analytics. ::: ## Bot groupings @@ -32,7 +31,7 @@ Bot scores are not computed for requests to paths that are handled by Cloudflare :::note -The following detection engines only apply to Enterprise Bot Management. For specific details about the engines included in your plan, refer to [Plans](/bots/plans/). +The following detection engines only apply to Enterprise Bot Management. For specific details about the engines included in your plan, refer to [Plans](/bots/plans/). ::: @@ -48,7 +47,3 @@ The following detection engines only apply to Enterprise Bot Management. For spe ### Notes on detection - -## Comparison to Threat Score - -Bot Score is different from Threat Score. Bot Score identifies bots and Threat Score measures IP reputation across our services. Most customers achieve the best results by relying on bot scores and avoiding IP reputation entirely. 
diff --git a/src/content/docs/bots/troubleshooting.mdx b/src/content/docs/bots/troubleshooting.mdx index 1e4f1e59f59e502..319f429523689d2 100644 --- a/src/content/docs/bots/troubleshooting.mdx +++ b/src/content/docs/bots/troubleshooting.mdx @@ -71,17 +71,6 @@ Yes. WAF rules are executed before Super Bot Fight Mode. If a WAF custom rule pe --- -## What is the difference between the threat score and bot management score? - -The difference is significant: - -- Threat score (_cf.threat_score_) is what Cloudflare uses to determine IP Reputation. It goes from 0 (good) to 100 (bad). -- Bot management score (_cf.bot_management.score_) is what Cloudflare uses in Bot Management to measure if the request is from a human or a script. The scores range from 1 (bot) to 99 (human). Lower scores indicate the request came from a script, API service, or an automated agent. Higher scores indicate that the request came from a human using a standard desktop or mobile web browser. - -These fields are available via [WAF custom rules](/waf/custom-rules/) and other products based on the Ruleset Engine. - ---- - ## What is cf.bot_management.verified_bot? A request's _cf.bot_management.verified_bot_ value is a boolean indicating whether such request comes from a Cloudflare allowed bot. diff --git a/src/content/docs/fundamentals/trace-request/how-to.mdx b/src/content/docs/fundamentals/trace-request/how-to.mdx index 0e200fa91bb1851..910fc778a79e004 100644 --- a/src/content/docs/fundamentals/trace-request/how-to.mdx +++ b/src/content/docs/fundamentals/trace-request/how-to.mdx @@ -9,10 +9,9 @@ head: - tag: title content: How to - Cloudflare Trace (beta) description: Learn how to use Cloudflare Trace in the dashboard and with the API. - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; ## Use Trace in the dashboard 
@@ -27,18 +26,18 @@ import { GlossaryTooltip } from "~/components" 2. Enter a URL to trace. The URL must include a hostname that belongs to your account. -3. Select an HTTP method. If you select *POST*, *PUT*, or *PATCH*, you should enter a value in **Request body**. +3. Select an HTTP method. If you select _POST_, _PUT_, or _PATCH_, you should enter a value in **Request body**. 4. (Optional) Define any custom request properties to simulate the conditions of a specific HTTP/S request. You can customize the following request properties: - * **Protocol** (HTTP protocol version) - * **Request headers** - * **Cookies** - * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/)) - * [**Bot score**](/bots/concepts/bot-score/) - * **Threat score** - * **Request body** (for `POST`, `PUT`, and `PATCH` requests) - * **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue) + - **Protocol** (HTTP protocol version) + - **Request headers** + - **Cookies** + - **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/)) + - [**Bot score**](/bots/concepts/bot-score/) + - **Threat score** + - **Request body** (for `POST`, `PUT`, and `PATCH` requests) + - **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue) 5. Select **Send trace**. 
@@ -48,7 +47,7 @@ The **Trace results** page shows all evaluated and executed configurations from 1. Analyze the different [steps](#steps-in-trace-results) with evaluated and executed configurations for the current trace. Trace results include matches for all active rules and configurations, whether configured at the account level or for a specific domain or subdomain. - To show all configurations, including the ones that did not match the request, select *All configurations* in the **Results shown** dropdown. + To show all configurations, including the ones that did not match the request, select _All configurations_ in the **Results shown** dropdown. 2. (Optional) Update your Cloudflare configuration (at the account or at the domain/subdomain level) and create a new trace to check the impact of your changes. @@ -63,10 +62,10 @@ To run a trace later with the same configuration: Use the [Request Trace](/api/resources/request_tracers/subresources/traces/methods/create/) operation to perform a trace using the Cloudflare API. -*** +--- ## Steps in trace results -* Execution of one or more rules of Cloudflare products built on the [Ruleset Engine](/ruleset-engine/). Refer to the Ruleset Engine's [Phases list](/ruleset-engine/reference/phases-list/) for a list of such products. -* [Page Rules](/rules/page-rules/): Execution of one or more rules. -* [Workers](/workers/): Execution of one or more scripts. +- Execution of one or more rules of Cloudflare products built on the [Ruleset Engine](/ruleset-engine/). Refer to the Ruleset Engine's [Phases list](/ruleset-engine/reference/phases-list/) for a list of such products. +- [Page Rules](/rules/page-rules/): Execution of one or more rules. +- [Workers](/workers/): Execution of one or more scripts. diff --git a/src/content/docs/learning-paths/prevent-ddos-attacks/advanced/customize-security.mdx b/src/content/docs/learning-paths/prevent-ddos-attacks/advanced/customize-security.mdx index 47b533d4c3239e6..c18962af1e5498f 100644 
--- a/src/content/docs/learning-paths/prevent-ddos-attacks/advanced/customize-security.mdx +++ b/src/content/docs/learning-paths/prevent-ddos-attacks/advanced/customize-security.mdx 
@@ -3,17 +3,15 @@ title: Customize Cloudflare security pcx_content_type: learning-unit sidebar: order: 3 - --- Another way of reducing origin traffic is customizing the Cloudflare WAF and other security features. The fewer malicious requests that reach your application, the fewer that could reach (and overwhelm) your origin. To reduce incoming malicious requests, you could: -* Create [WAF custom rules](/waf/custom-rules/) for protection based on specific aspects of incoming requests. -* Adjust DDoS rules to handle [false negatives and false positives](/ddos-protection/managed-rulesets/adjust-rules/). -* Build [rate limiting rules](/waf/rate-limiting-rules/) to protect against specific patterns of requests. -* Enable [bot protection](/bots/get-started/) or set up [Bot Management for Enterprise](/bots/get-started/bm-subscription/) to protect against automated abuse. -* Explore [network-layer DDoS attack protection](/ddos-protection/managed-rulesets/network/). -* Configure your zone's [Security Level](/waf/tools/security-level/) globally or selectively (depending on your needs). -* Review the rest of Cloudflare's [security options](/learning-paths/application-security/account-security/). +- Create [WAF custom rules](/waf/custom-rules/) for protection based on specific aspects of incoming requests. +- Adjust DDoS rules to handle [false negatives and false positives](/ddos-protection/managed-rulesets/adjust-rules/). +- Build [rate limiting rules](/waf/rate-limiting-rules/) to protect against specific patterns of requests. +- Enable [bot protection](/bots/get-started/) or set up [Bot Management for Enterprise](/bots/get-started/bm-subscription/) to protect against automated abuse. +- Explore [network-layer DDoS attack protection](/ddos-protection/managed-rulesets/network/). +- Review the rest of Cloudflare's [security options](/learning-paths/application-security/account-security/). 
diff --git a/src/content/docs/network/onion-routing.mdx b/src/content/docs/network/onion-routing.mdx index 2a7bd93c7ac74ac..e298a42f38af047 100644 --- a/src/content/docs/network/onion-routing.mdx +++ b/src/content/docs/network/onion-routing.mdx 
@@ -14,20 +14,14 @@ Improve the Tor user experience by enabling Onion Routing, which enables Cloudfl ## How it works -Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their Cloudflare threat score. - -Our [basic protection level](/waf/tools/security-level/) issues challenges to visitors whose IP address has a high threat score, depending on the level chosen by the Cloudflare customer. - -One way to address this threat score is to create [custom WAF rules](/waf/custom-rules/). Cloudflare assigns the two-letter code `T1` for Tor.  There's no geographical country associated with these IPs, but this approach lets Cloudflare customers override the default Cloudflare threat score to define the experience for their Tor visitors. Cloudflare updates its list of Tor exit node IP addresses every hour. - -The other way to improve the Tor user experience is through Onion Routing. This improves Tor browsing as follows: +Onion Routing helps improve Tor browsing as follows: - Tor users no longer access your site via exit nodes, which can sometimes be compromised, and may snoop on user traffic. - Human Tor users and bots can be distinguished by our Onion services, such that interactive challenges are only served to malicious bot traffic. [Tor Browser](https://tb-manual.torproject.org/about/) users receive an [alt-svc header](https://httpwg.org/specs/rfc7838.html#alt-svc) as part of the response to the first request to your website. The browser then creates a Tor Circuit to access this website using the `.onion` TLD service provided by this header. -You should note that the visible domain in the UI remains unchanged, as the host header and the SNI are preserved. 
However, the underlying connection changes to be routed through Tor, as the [UI denotes on the left of the address bar](https://tb-manual.torproject.org/managing-identities/#managing-identities) with a Tor Circuit. Cloudflare does not provide a certificate for the `.onion` domain provided as part of alt-svc flow, which therefore cannot be accessed via HTTPS. +You should note that the visible domain in the user interface remains unchanged, as the host header and the SNI are preserved. However, the underlying connection changes to be routed through Tor, as the [UI denotes on the left of the address bar](https://tb-manual.torproject.org/managing-identities/#managing-identities) with a Tor Circuit. Cloudflare does not provide a certificate for the `.onion` domain provided as part of alt-svc flow, which therefore cannot be accessed via HTTPS. ## Enable Onion Routing @@ -35,9 +29,9 @@ You should note that the visible domain in the UI remains unchanged, as the host To enable **Onion Routing** in the dashboard: -1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain. -2. Go to **Network**. -3. For **Onion Routing**, switch the toggle to **On**. +1. Log in to your [Cloudflare account](https://dash.cloudflare.com), and select your account and domain. +2. Go to **Network**. +3. For **Onion Routing**, switch the toggle to **On**. diff --git a/src/content/docs/rules/configuration-rules/settings.mdx b/src/content/docs/rules/configuration-rules/settings.mdx index 91dcd00aae806c5..093449f930de8a0 100644 --- a/src/content/docs/rules/configuration-rules/settings.mdx +++ b/src/content/docs/rules/configuration-rules/settings.mdx 
@@ -262,26 +262,21 @@ API configuration property name: `"rocket_loader"` (boolean). -## Security Level +## I'm Under Attack -[Security Level](/waf/tools/security-level/) controls Managed Challenges for requests from low reputation IP addresses. +When enabled, [Under Attack mode](/fundamentals/reference/under-attack-mode/) performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. -On the Cloudflare dashboard, you can turn Under Attack mode on or off. - -- Off -- I'm Under Attack - -Refer to [Under Attack mode](/fundamentals/reference/under-attack-mode/) for more information. +Use this setting to turn on or off Under Attack mode for matching requests.
API configuration property name: `"security_level"` (string). -API values: `"off"`, `"essentially_off"`, `"low"`, `"medium"`, `"high"`, `"under_attack"`. +API values: `"off"`, `"essentially_off"`, `"under_attack"`. ```json title="API configuration example" "action_parameters": { - "security_level": "low" + "security_level": "under_attack" } ``` diff --git a/src/content/docs/rules/page-rules/reference/recommended-rules.mdx b/src/content/docs/rules/page-rules/reference/recommended-rules.mdx index 45531f17124502b..655085bf82e12c1 100644 --- a/src/content/docs/rules/page-rules/reference/recommended-rules.mdx +++ b/src/content/docs/rules/page-rules/reference/recommended-rules.mdx 
@@ -5,40 +5,38 @@ title: Recommended rules head: - tag: title content: Recommended rules | Page Rules - --- -import { Example, Render } from "~/components" +import { Example, Render } from "~/components"; -Use Cloudflare Page Rules to improve the user experience of your domain with hardened security and enhanced site performance, while increasing reliability and minimizing bandwidth usage for your origin server. +Use Cloudflare Page Rules to improve the user experience of your domain with hardened security and enhanced site performance, while increasing reliability and minimizing bandwidth usage for your origin server. Keep in mind that not all rules will be right for everyone, but these are some of the most popular. -* 301/302 Forwarding URL -* Security Level and Cache Level -* Edge Cache TTL, Always Online, and Browser Cache TTL +- 301/302 Forwarding URL +- Cache Level in specific paths +- Edge Cache TTL, Always Online, and Browser Cache TTL ### 301/302 Forwarding URL :::note - -Consider using [Single Redirects](/rules/url-forwarding/single-redirects/) or [Bulk Redirects](/rules/url-forwarding/bulk-redirects/) to forward or redirect traffic to a different URL due to ease of use, maintenance, and cost. You should only use Page Rules when Dynamic or Bulk Redirects do not meet your use case. +Consider using [Single Redirects](/rules/url-forwarding/single-redirects/) or [Bulk Redirects](/rules/url-forwarding/bulk-redirects/) to forward or redirect traffic to a different URL due to ease of use, maintenance, and cost. You should only use Page Rules when Dynamic or Bulk Redirects do not meet your use case. ::: Two common examples for using forwarding URLs are: -* Defining the root as the canonical version of your domain. -* Directing visitors to a specific page with an easy to remember URL. +- Defining the root as the canonical version of your domain. +- Directing visitors to a specific page with an easy to remember URL. 
This example page rule configuration defines the root as the canonical version of your domain: -* **If the URL matches**: `*www.example.com/*` -* **Setting**: *Forwarding URL* | **Select status code**: *301 Permanent Redirect* -* **Enter destination URL**: `https://example.com/$2` +- **If the URL matches**: `*www.example.com/*` +- **Setting**: _Forwarding URL_ | **Select status code**: _301 Permanent Redirect_ +- **Enter destination URL**: `https://example.com/$2` @@ -46,24 +44,22 @@ This example redirects visitors to a specific page with an easy to remember URL: -* **If the URL matches**: `*www.example.com/fb*` -* **Setting**: *Forwarding URL* | **Select status code**: *302 Temporary Redirect* -* **Enter destination URL**: `https://www.facebook.com/username` +- **If the URL matches**: `*www.example.com/fb*` +- **Setting**: _Forwarding URL_ | **Select status code**: _302 Temporary Redirect_ +- **Enter destination URL**: `https://www.facebook.com/username` -### Security Level and Cache Level +### Cache Level in specific paths Certain sections of a website, like the login or admin section, have different security and performance requirements than your general public-facing pages. -The following example page rule configuration performs several security and cache adjustments for requests targeting a specific path: +The following example page rule configuration bypasses cache for requests targeting a specific path: -* **If the URL matches**: `example.com/user*` -* **Setting**: *Security Level* | **Value**: *High* -* **Setting**: *Cache Level* | **Value**: *Bypass* -* **Setting**: *Disable Apps* +- **If the URL matches**: `example.com/user*` +- **Setting**: _Cache Level_ | **Value**: _Bypass_ 
@@ -73,14 +69,14 @@ Certain resources on your domain will likely not change often. For these resourc #### Examples -In the following example page rule configuration, the target is a folder that holds the majority of the image assets as well as some other types of multimedia. +In the following example page rule configuration, the target is a folder that holds the majority of the image assets as well as some other types of multimedia. -* **If the URL matches**: `example.com/sites/default/files*` -* **Setting**: *Browser Cache TTL* | **Value**: *a day* -* **Setting**: *Cache Level |* **Value**: *Cache Everything* -* **Setting**: *Edge Cache TTL |* **Value**: *7 days* +- **If the URL matches**: `example.com/sites/default/files*` +- **Setting**: _Browser Cache TTL_ | **Value**: _a day_ +- **Setting**: _Cache Level |_ **Value**: _Cache Everything_ +- **Setting**: _Edge Cache TTL |_ **Value**: _7 days_ @@ -88,10 +84,10 @@ The following example page rule configuration applies unique rules for critical -* **If the URL matches**: `example.com/terms-of-service` -* **Setting**: *Browser Cache TTL* | **Value**: *a day* -* **Setting**: *Always Online |* **Value**: *On* -* **Setting**: *Cache Level* | **Value**: *Cache Everything* -* **Setting**: *Edge Cache TTL* | **Value**: *a month* +- **If the URL matches**: `example.com/terms-of-service` +- **Setting**: _Browser Cache TTL_ | **Value**: _a day_ +- **Setting**: _Always Online |_ **Value**: _On_ +- **Setting**: _Cache Level_ | **Value**: _Cache Everything_ +- **Setting**: _Edge Cache TTL_ | **Value**: _a month_ diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx index d4703dbc36e7ca9..4b6cf55607e1e67 100644 --- a/src/content/docs/ruleset-engine/rules-language/values.mdx +++ b/src/content/docs/ruleset-engine/rules-language/values.mdx 
@@ -14,7 +14,7 @@ The values that populate the lookup tables of the Rules language are drawn from - **Primitive properties** are obtained directly from the request (`http.request.uri.path`, for example). - **Derived values** are the product of a transformation, composition, or basic operation. For example, the transformation `lower(http.request.uri.path)` converts the value of `http.request.uri.path` to lowercase. -- **Computed values** are the product of a lookup, computation, or other intelligence. For example, Cloudflare uses a machine learning process to dynamically calculate threat scores, represented by the `cf.threat_score` field. +- **Computed values** are the product of a lookup, computation, or other intelligence. For example, Cloudflare uses a machine learning process to dynamically calculate attack scores, represented by `cf.waf.score*` fields. Besides these values, expressions may also contain literal values. These are static, known values that you incorporate into expressions to compare them with values from request/response fields with or without any transformations. diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/cloudflare-and-joomla-recommended-first-steps.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/cloudflare-and-joomla-recommended-first-steps.mdx index 24cddedd0635818..dff3a31b8dffa3b 100644 --- a/src/content/docs/support/third-party-software/content-management-system-cms/cloudflare-and-joomla-recommended-first-steps.mdx +++ b/src/content/docs/support/third-party-software/content-management-system-cms/cloudflare-and-joomla-recommended-first-steps.mdx 
@@ -2,14 +2,13 @@ pcx_content_type: troubleshooting source: https://support.cloudflare.com/hc/en-us/articles/201997250-Cloudflare-and-Joomla-Recommended-First-Steps title: Cloudflare and Joomla Recommended First Steps - --- ## Overview These basic steps will help reduce common areas of confusion for Joomla users that are new to the Cloudflare services. In addition, these steps are very quick and will generally take you only a few minutes of your time to help you make your experience using Cloudflare better. -*** +--- ## Restore visitor IP 
@@ -17,60 +16,43 @@ Restore visitor IP by following the directions in [this article](/support/troubl Why should you restore visitor IP? -If you receive a lot of comments or spam on your blog, you may mistakenly believe that Cloudflare is spamming you. Some other Joomla plugins or extensions  may also rely on the original visitor IP for the  services to work properly and reduce false alerts. +If you receive a lot of comments or spam on your blog, you may mistakenly believe that Cloudflare is spamming you. Some other Joomla plugins or extensions may also rely on the original visitor IP for the services to work properly and reduce false alerts. :::note - -You don't need to worry about this if you activated through a hosting -partner, since they already restore visitor IP addresses on their -servers by default. +You don't need to worry about this if you activated through a hosting partner, since they already restore visitor IP addresses on their servers by default. ::: -*** +--- -## Create a PageRule to exclude Joomla +## Create a Page Rule to exclude Joomla -Create a [PageRule](https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-Page-Rules-) to exclude the Joomla admin or Joomla login sections from Cloudflare’s caching and performance features. You can access PageRules in your [Cloudflare 'Settings' options](https://support.cloudflare.com/hc/en-us/articles/200172336-How-do-I-create-a-PageRule-). +Create a [Page Rule](/rules/page-rules/) to exclude the Joomla admin or Joomla login sections from Cloudflare's caching and performance features. Why do this? While there is not always an issue, we have seen instances where optional performance features like Rocket Loader may inadvertently break certain functions (editors, etc.) in your Joomla back end. -*** +--- ## Allow IP addresses via Cloudflare Threat Control panel Log in to your Cloudflare Threat Control panel and allow IP addresses you want traffic from or expect traffic from. 
Some common services you probably want to allow include: -* APIs you’re pulling from -* Monitoring services you use to monitor your site's uptime -* Security services -* IP addresses you frequently login from +- APIs you are pulling from +- Monitoring services you use to monitor your site's uptime +- Security services +- IP addresses you frequently login from Why do this? -If Cloudflare has an IP address with a high threat score going to your site, or if you have [Cloudflare's Web Application Firewall](https://cloudflare.com/waf) turned on, you may get challenged working in your back end and/or services you want to access your site may get challenged. Taking the steps to allow in the beginning will help prevent future surprises on your site. +If Cloudflare has an IP address with a high threat score going to your site, or if you have [Cloudflare's Web Application Firewall](https://cloudflare.com/waf) turned on, you may get challenged working in your back end and/or services you want to access your site may get challenged. Taking the steps to allow in the beginning will help prevent future surprises on your site. :::note -We allow all known search engine and social media crawlers in our macro -list. If you decide to block countries in Threat Control, please use -care because you may end up inadvertently blocking their crawlers -(blocking the USA, for example, could mean that their crawler gets -challenged). +We allow all known search engine and social media crawlers in our macro list. If you decide to block specific countries, you must use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that their crawler gets challenged). ::: -*** - -## Review your basic security settings - -If your site is  frequently the target of spam attacks or botnet attacks, changing your security level to a higher setting will help further reduce the amount of spam you get on your site. 
We default all users to a medium setting when they first add the domain to Cloudflare. - -Why do this? - -If you want your site to have less security and protection from various attacks, then you would want to change your settings to a lower level (please keep in mind this makes your site more vulnerable). If you want your site to have higher security, please keep in mind that you may get more false positives from visitors complaining about a challenge page that they have to pass to enter your site. - -*** +--- ## Ensure requests from Cloudflare's IP ranges aren't blocked or limited diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/using-cloudflare-and-drupal-five-easy-recommended-steps.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/using-cloudflare-and-drupal-five-easy-recommended-steps.mdx index c289cb3616c76d1..9ed0256109d3f7f 100644 --- a/src/content/docs/support/third-party-software/content-management-system-cms/using-cloudflare-and-drupal-five-easy-recommended-steps.mdx +++ b/src/content/docs/support/third-party-software/content-management-system-cms/using-cloudflare-and-drupal-five-easy-recommended-steps.mdx 
@@ -2,59 +2,48 @@ pcx_content_type: troubleshooting source: https://support.cloudflare.com/hc/en-us/articles/201883834-Using-Cloudflare-and-Drupal-Five-Easy-Recommended-Steps title: Using Cloudflare and Drupal Five Easy Recommended Steps - --- ## Overview -These basic steps will help reduce common areas of confusion for Drupal users that are new to using Cloudflare to speed up and protect their sites. In addition, these steps are very quick and will generally take only a few minutes of your time to go through. +These basic steps will help reduce common areas of confusion for Drupal users that are new to using Cloudflare to speed up and protect their sites. In addition, these steps are very quick and will generally take only a few minutes of your time to go through. **Step #1** -Install the [Cloudflare Drupal plugin](https://drupal.org/project/cloudflare) to restore visitor IP information. Since Cloudflare acts as a proxy for sites using our network, Cloudflare’s IPs are going to show in your logs, including comments, unless you install something to restore the original visitor IP. +Install the [Cloudflare Drupal plugin](https://drupal.org/project/cloudflare) to restore visitor IP information. Since Cloudflare acts as a proxy for sites using our network, Cloudflare’s IPs are going to show in your logs, including comments, unless you install something to restore the original visitor IP. Why should you install the plugin? -If you receive a lot of comments or spam on your blog, you may mistakenly believe that Cloudflare is spamming you. Some other Drupal plugins or extensions may also rely on the original visitor IP for the  services to work properly and reduce false alerts. +If you receive a lot of comments or spam on your blog, you may mistakenly believe that Cloudflare is spamming you. Some other Drupal plugins or extensions may also rely on the original visitor IP for the services to work properly and reduce false alerts. 
-Note: You don’t need to worry about this if you activated through a certified Cloudflare [certified Cloudflare Hosting partner](https://www.cloudflare.com/partners/technology-partners/), since they already [restore visitor IPs](https://support.cloudflare.com/hc/articles/200170786) by default. +Note: You don’t need to worry about this if you activated through a certified Cloudflare [certified Cloudflare Hosting partner](https://www.cloudflare.com/partners/technology-partners/), since they already [restore visitor IPs](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/) by default. **Step #2** -Create a [Page Rule](/rules/page-rules/) to exclude the Drupal admin or Drupal login sections from Cloudflare’s caching and performance features. You can access Page Rules in the [Rules app](/rules/page-rules/). +Create a [Page Rule](/rules/page-rules/) to exclude the Drupal admin or Drupal login sections from Cloudflare’s caching and performance features. You can access Page Rules in the [Rules app](/rules/page-rules/). Why do this? -While there is not always an issue, we have seen some optional performance features like Rocket Loader inadvertently breaking certain functions (editors, etc.) in your site's admin area.. +While there is not always an issue, we have seen some optional performance features like Rocket Loader inadvertently breaking certain functions (editors, etc.) in your site's admin area.. **Step #3** -Allow IP addresses you expect traffic from in the Cloudflare **Firewall** App. Some common services you probably want to allow include: +Allow IP addresses you expect traffic from in the Cloudflare **Firewall** App. 
Some common services you probably want to allow include: -* APIs you’re pulling from -* Monitoring services you use to monitor your site's uptime -* Security services -* IP addresses you frequently login from +- APIs you’re pulling from +- Monitoring services you use to monitor your site's uptime +- Security services +- IP addresses you frequently login from Why do this? -If Cloudflare has an IP address with a high threat score going to your site, or if you have [Cloudflare's Web Application Firewall](https://www.cloudflare.com/waf) turned on, you may get challenged working in your back end and/or services you want to access your site may get challenged. Taking the steps to allow in the beginning will help prevent future surprises on your site. +If Cloudflare has an IP address with a high threat score going to your site, or if you have [Cloudflare's Web Application Firewall](https://www.cloudflare.com/waf) turned on, you may get challenged working in your back end and/or services you want to access your site may get challenged. Taking the steps to allow in the beginning will help prevent future surprises on your site. -**Note:** We allow all known search engine and social media crawlers in our macro list. If you decide to block countries in Threat Control, please use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that a good crawler gets challenged). +**Note:** We allow all known search engine and social media crawlers in our macro list. If you decide to block specific countries, please use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that a good crawler gets challenged). **Step #4** -Review your basic security settings - -If your site is frequently the target of spam attacks or botnet attacks, changing your security level to a higher level will reduce the amount of spam you get on your site. 
We default all users to a medium setting when they first add the domain to Cloudflare. - -Why do this? - -If you want your site to have less security and protection from various attacks, then you would want to [change your settings](https://support.cloudflare.com/hc/articles/200170056) to a lower level (please keep in mind this makes your site more vulnerable). If you want your site to have higher security, please keep in mind that you may get more false positives from visitors complaining about a challenge page that they have to pass to enter your site. - -**Step #5** - -If you are using services like .htaccess, firewalls or server mods to manage access to your site from visitors, it is vitally important to make sure requests from [Cloudflare’s IP ranges](https://www.cloudflare.com/ips) are not being blocked or limited in any way. The number one cause of site offline issues in our support channel is something blocking or restricting requests from our IPs, so please take the time to make sure that all of Cloudflare’s IPs are allowed on your server and with your hosting provider. +If you are using services like `.htaccess`, firewalls, or server mods to manage access to your site from visitors, it is vitally important to make sure requests from [Cloudflare's IP ranges](https://www.cloudflare.com/ips) are not being blocked or limited in any way. The number one cause of site offline issues in our support channel is something blocking or restricting requests from our IPs, so please take the time to make sure that all of Cloudflare's IPs are allowed on your server and with your hosting provider. Why do this? 
diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/what-settings-are-applied-when-i-click-optimize-cloudflare-for-wordpress-in-cloudflares-wordpress-plugin.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/what-settings-are-applied-when-i-click-optimize-cloudflare-for-wordpress-in-cloudflares-wordpress-plugin.mdx index ca47dcee122db34..b0d9da2e1a3d205 100644 --- a/src/content/docs/support/third-party-software/content-management-system-cms/what-settings-are-applied-when-i-click-optimize-cloudflare-for-wordpress-in-cloudflares-wordpress-plugin.mdx +++ b/src/content/docs/support/third-party-software/content-management-system-cms/what-settings-are-applied-when-i-click-optimize-cloudflare-for-wordpress-in-cloudflares-wordpress-plugin.mdx @@ -3,18 +3,16 @@ pcx_content_type: troubleshooting source: https://support.cloudflare.com/hc/en-us/articles/227342487-What-settings-are-applied-when-I-click-Optimize-Cloudflare-for-WordPress-in-Cloudflare-s-WordPress-plugin- title: What settings are applied when I click Optimize Cloudflare for WordPress in Cloudflare's WordPress plugin - --- ## Overview -If you're using Cloudflare's Wordpress plugin, our "Optimize Cloudflare for WordPress" one-click configuration applies the following settings to your Cloudflare account: +If you're using Cloudflare's WordPress plugin, our "Optimize Cloudflare for WordPress" one-click configuration applies the following settings to your Cloudflare account: -![Cloudflare's one-click configuration Wordpress plugin.](~/assets/images/support/dash-optimize_wordpress.png) +![Cloudflare's one-click configuration WordPress plugin.](~/assets/images/support/dash-optimize_wordpress.png) | **Setting** | **Value** | | -------------------------------------- | ---------------------------------- | -| Security level | Medium | | Caching level | Standard | | Browser Cache TTL | 4 hours | | Always Online | On | 
diff --git a/src/content/docs/waf/custom-rules/create-api.mdx b/src/content/docs/waf/custom-rules/create-api.mdx index 8013d0ac0ccf878..5ea0c98354b4633 100644 --- a/src/content/docs/waf/custom-rules/create-api.mdx +++ b/src/content/docs/waf/custom-rules/create-api.mdx @@ -31,7 +31,7 @@ You must deploy custom rules to the `http_request_firewall_custom` [phase entry This example request adds a rule to the `http_request_firewall_custom` phase entry point ruleset for the zone with ID `{zone_id}`. The entry point ruleset already exists, with ID `{ruleset_id}`. -The new rule, which will be the last rule in the ruleset, will challenge requests from the United Kingdom or France with a threat score greater than `10`: +The new rule, which will be the last rule in the ruleset, will challenge requests from the United Kingdom or France with an attack score lower than `20`: ```bash curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules \ @@ -39,7 +39,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/ --header "Content-Type: application/json" \ --data '{ "description": "My custom rule", - "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and cf.threat_score > 10", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and cf.waf.score lt 20", "action": "challenge" }' ``` @@ -58,7 +58,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/ --header "Content-Type: application/json" \ --data '{ "description": "My custom rule with plain text response", - "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and cf.threat_score > 50", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and cf.waf.score lt 20", "action": "block", "action_parameters": { "response": { 
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx b/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx new file mode 100644 index 000000000000000..0c13c1e5f962fd2 --- /dev/null +++ b/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx @@ -0,0 +1,13 @@ +--- +pcx_content_type: configuration +title: Block requests by attack score +--- + +import { GlossaryDefinition } from "~/components"; + +The [attack score](/waf/detections/attack-score/) helps identify variations of known attacks and their malicious payloads. + +This example blocks requests based on country code ([ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format), from requests with an attack score lower than 20. For more information, refer to [WAF attack score](/waf/detections/attack-score/). + +- **Expression**: `(ip.src.country in {"CN" "TW" "US" "GB"} and cf.waf.score lt 20)` +- **Action**: _Block_ diff --git a/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx b/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx deleted file mode 100644 index 7851d205a0de1d4..000000000000000 --- a/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx +++ /dev/null @@ -1,13 +0,0 @@ ---- -pcx_content_type: configuration -title: Block requests by Threat Score ---- - -import { GlossaryDefinition } from "~/components"; - - - -This example blocks requests based on country code ([ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format), from IP addresses that score greater than 0. This is equivalent to setting the Security Level in **Security** > **Settings** to _High_. For more information, refer to [Security Level](/waf/tools/security-level/). - -- **Expression**: `(ip.src.country in {"CN" "TW" "US" "GB"} and cf.threat_score gt 0)` -- **Action**: _Block_ 
diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx index 94603fd7fe44527..574263fed908433 100644 --- a/src/content/docs/waf/detections/attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx @@ -102,4 +102,4 @@ If you are an Enterprise customer and you created a rule with _Log_ action, chan ## Additional remarks -The WAF Attack Score is different from Threat Score and Bot Score. WAF Attack Score identifies variation of attacks that WAF Managed Rules do not catch. Bot Score identifies bots, while Threat Score measures IP reputation across Cloudflare services. +The WAF Attack Score is different from Bot Score. WAF Attack Score identifies variation of attacks that WAF Managed Rules do not catch, while Bot Score identifies bots. diff --git a/src/content/docs/waf/troubleshooting/faq.mdx b/src/content/docs/waf/troubleshooting/faq.mdx index 4435c0cad208ff1..3853c3a15929e1d 100644 --- a/src/content/docs/waf/troubleshooting/faq.mdx +++ b/src/content/docs/waf/troubleshooting/faq.mdx @@ -85,7 +85,7 @@ There is no functional difference between known and verified bots. However, the Cloudflare issues challenges to website visitors to protect against malicious activity such as bot attacks and DDoS attacks. Key reasons include: -- **High Threat Score**: IP addresses with a high-risk score trigger challenges. +- **High threat score**: IP addresses with a high-risk score trigger challenges. - **IP reputation**: If your IP has a history of suspicious activity, it may be flagged. - **Bot detection**: Automated traffic resembling bots is filtered by Cloudflare. - **Web Application Firewall (WAF) custom rules**: Site owners may set rules targeting specific regions or user agents. 
@@ -107,16 +107,16 @@ The examples below illustrate a few possible approaches. **Example 1** -Exclude multiple IP addresses from a blocking/challenging rule that assesses Threat Score. +Exclude multiple IP addresses from a blocking/challenging rule that assesses attack score. - Basic rule, no exclusion: - - **Expression**: `(http.host eq "example.com" and cf.threat_score > 5)` + - **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20)` - **Action**: Block (or a challenge action) - Rule that excludes IP addresses from being blocked/challenged: - - **Expression**: `(http.host eq "example.com" and cf.threat_score > 5) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})` + - **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})` - **Action**: Block (or a challenge action) - Two rules to skip remaining custom rules for specific IPs and block the rest. @@ -128,7 +128,7 @@ Exclude multiple IP addresses from a blocking/challenging rule that assesses Thr 2. Rule 2: - - Expression: `(http.host eq "example.com" and cf.threat_score > 5)` + - Expression: `(http.host eq "example.com" and cf.waf.score lt 20)` - Action: Block (or a challenge action) **Example 2** diff --git a/src/content/partials/waf/security-level-description.mdx b/src/content/partials/waf/security-level-description.mdx index 0533cd8a1a6766b..19aebda9277ba4b 100644 --- a/src/content/partials/waf/security-level-description.mdx +++ b/src/content/partials/waf/security-level-description.mdx 
@@ -1,6 +1,5 @@ --- {} - --- -Cloudflare's Security Level uses the threat score (IP reputation) to decide whether to present a [challenge](/waf/reference/cloudflare-challenges/) to the visitor. Once the visitor enters the correct challenge, they receive the appropriate website resources. +Cloudflare's Security Level uses the threat score (IP reputation) to decide whether to present a [challenge](/waf/reference/cloudflare-challenges/) to the visitor. Once the visitor enters the correct challenge, they receive the appropriate website resources. diff --git a/src/content/partials/waf/security-level-scores.mdx b/src/content/partials/waf/security-level-scores.mdx index b9b0e84695fbadf..e57080b0a1fab0e 100644 --- a/src/content/partials/waf/security-level-scores.mdx +++ b/src/content/partials/waf/security-level-scores.mdx @@ -15,4 +15,5 @@ When you select _I'm Under Attack!_, which enables [Under Attack mode](/fundamen Only use [Under Attack mode](/fundamentals/reference/under-attack-mode/) when a website is under a DDoS attack. Under Attack mode may affect some actions on your domain, such as your API traffic. To set a custom security level for your API or any other part of your domain, create a [configuration rule](/rules/configuration-rules/). + :::
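Review bot: On the Joomla page ("Cloudflare and Joomla Recommended First Steps"), the second hunk drops "in Threat Control" from the country-blocking note but leaves the unchanged heading "Allow IP addresses via Cloudflare Threat Control panel" and the sentence "Log in to your Cloudflare Threat Control panel" directly above it. Update those two lines in the same change, so the section does not send readers to a panel name that the note itself no longer uses. The equivalent step on the Drupal page already refers to the Cloudflare **Firewall** App.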
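Review bot: On the Drupal page, removing the "Review your basic security settings" step and the "**Step #5**" marker leaves four steps, while the front matter still reads "title: Using Cloudflare and Drupal Five Easy Recommended Steps" and the file name still ends in five-easy-recommended-steps. Either retitle the page or add a note that the count has changed. Two lines this hunk already rewrites for whitespace also still carry typos that could be fixed in passing: "in your site's admin area.." (double period) and "a certified Cloudflare [certified Cloudflare Hosting partner]" (duplicated phrase).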
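Review bot: In the WordPress plugin page, the "| Security level | Medium |" row is removed from a table that documents what "Optimize Cloudflare for WordPress" applies, and nothing in the change states that the plugin has stopped setting it. If the one-click configuration still writes that setting, the table is now incomplete; if it does not, say so in the commit message or link the plugin change so a reader can verify it.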
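Review bot: In create-api.mdx, both example requests now send the same expression, (ip.src.country eq "GB" or ip.src.country eq "FR") and cf.waf.score lt 20, once with "action": "challenge" and once with "action": "block". Before this change the two examples used different thresholds (cf.threat_score > 10 and cf.threat_score > 50), which made the challenge and block tiers distinct; consider a different threshold for one of them so that they do not read as two rules matching identical traffic. The second example's introductory sentence is outside the hunk, so check that it does not still describe a threat score greater than 50. Because the comparison direction flips from "greater than" to "lower than", a short pointer to the attack score page next to the first example would help readers who are migrating existing rules.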
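Review bot: In the new block-attack-score.mdx, the sentence "This example blocks requests based on country code (...), from requests with an attack score lower than 20" is a leftover of the old "from IP addresses that score greater than 0" wording and no longer parses ("blocks requests ... from requests"). Suggest: "This example blocks requests from specific countries (ISO 3166-1 Alpha 2 codes) that have an attack score lower than 20." The file also imports GlossaryDefinition from "~/components" without using it in the lines shown, so either drop the import or add the intended glossary entry. The paragraph links /waf/detections/attack-score/ twice in consecutive sentences, and one link is enough.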
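Review bot: In faq.mdx Example 1, swapping cf.threat_score > 5 for cf.waf.score lt 20 changes what the IP exclusion means, and the text does not say so. The old rule scored the source IP, so exempting known addresses was a reputation override. The new rule scores the request itself, so "not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})" and the skip-rule variant let requests that look like attacks through whenever they originate from those addresses. Add a sentence advising readers to keep the exclusion list to sources they control or fully trust, and to prefer the narrowest option (single addresses rather than a /24) where possible. The earlier hunk in the same file keeps the bullet "**High threat score**: IP addresses with a high-risk score trigger challenges", so the FAQ now mixes both scores; a one-line distinction between them would avoid confusion.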