Date of publishing to the public. Has been revised since then, last updated 4 days later on 24 October 2025.

In cybersecurity, there are entry points and end points. End points are mostly the devices we use to access the applications, whereas entry points are specific paths used to access the applications internally (such as the APIs). Also includes third person wording, but the article overall includes many examples of first and third person writing, making it a mix of both.

First person (we)

Title, includes the key words and main idea of the article: A critical research study on OWASP CRS in ModSecurity.

Active voice (describes the attackers who use certain techniques to evade the applications being used within the research).

Passive voice (explains the creation of the experiment)

Active voice example (also states the basis of this research is to criticize and improve the OWASP CRS with ModSecurity).

Passive voice (and explains the "working together" of ModSecurity and OWASP CRS for the sake of the research).

Paranoia levels allow CRS strictness to decrease or increase based on application risk tolerance, a necessary process for anomaly scoring and operating through the CRS altogether, as it configures the security intensity.

An extremely important part of CRS mechanisms is "anomaly scoring," which provides balance between accessibility and usability versus security with false positives in the system.

The fundamental detection used by the OWASP CRS, providing background information for the reader to better understand the article. Perhaps the authors are members of the community, wishing to perform under the same guidelines in terms of making things easy for someone like me to understand.

Defines the discourse community of OWASP, and why I view them as a primary community I wish to be a part of.

Background of most of the Key Words - WAF, ModSecurity, and OWASP CRS, foundations of the research prior to this section.

The latest version of the CRS used for their research, providing contribution to the OWASP as well.

Returning to what I said earlier, despite drastically increasing the protection provided by these applications, none of the models are 100% threat-proof, which emphasizes the need for continued testing to further increase the odds, despite never reaching 100%.

Ties back to the updating of the rules, and the necessity, as a basis for running these applications.

Explaining the shift from their previous research to new explanations on related, yet different gathered research.

Related to the main topics of the article, but somewhat off topic, as well as more complex.

Related to the updating of the CRS as stated previously.

Every year the OWASP CRS is updated based on these analysis, just as their OWASP Top 10 is. The community is ever-advancing to stay up to date on the latest cyber threats, making it a prime place to learn and understand how to counter-act these attacks.

The CRS has limitations in security, meaning it does not cover extreme situations and despite the research showing it increases the protection on websites, it does not solve every single problem presented by hackers.

Highlights the remainder of the paper, which is related work to the ModSecurity and OWASP CRS applications for the WAFs, as well as other relations to the security rules presented by the CRS, as well as results, discussions, and summaries.

Introduction of ModSecurity and OWASP CRS (Core Rule Set), a big part of my discourse community.

Important key words of the article, makes it easier to look out for these as the key components of their research.

Heavy emphasis on WAFs for fixing the gaps within the vulnerabilities and minimizing risks.

WAFs (Web Application Firewalls) are what the article has led up to as the "answer" to the growing problems of complexity within cybersecurity.

Collaborative article.

Essentially a summary of the article, and the research methods used and data gathered.

The reason cybersecurity is needed, and why I want to pursue it. I enjoy the idea of making the digital world safer in the future, and the article higlights the risks that come with transitioning to appplications.

Tests overall show that the CRS (Core Rule Set) implemented by OWASP increased the detection precision with the ModSecurity web application firewall by an astronomical amount, from 60% to 97%.

The central idea of the article and what I find interesting about it. My discourse community for OWASP (Open Web Application Security Project) is centralized around helping those in the community of cybersecurity, meaning they are always under criticism and analysis for truthful information.