Intrusion Prevention rules can be prone to false positive detections. To ensure these incidents are minimized, rules for important applications are first shipped in "Detect Only" Mode as part of the process.
We monitor these rules for some time and, once they are confirmed to produce no false detections, convert them to "Prevent" Mode in the next rule update. This process applies only to rules affecting server applications.
Note: An exception to this is rules for important and high-risk vulnerabilities, which are always shipped in "Prevent" Mode.