Review our WAF logs and the suggested rules from Github issue that will rate limit individual IPs that attempt to hit the same endpoints in rapid succession
Add rule to allow specific cgi-bin for our Shib endpoints only
Write scripts to help test these behaviors on Staging