A method by a web application layer proxy for predictively activating security rules to protect one or more web application servers from attacks by one or more web application clients. The method includes applying a set of security rules to web application layer requests received from the one or more web application clients that are intended for the one or more web application servers, determining a set of recently triggered security rules, where the set of recently triggered security rules includes those security rules in the set of security rules that were triggered within a most recent period of time, applying a prediction model to the set of recently triggered security rules to determine one or more security rules that are predicted to be triggered, and activating the one or more security rules.