Systems and methods for security engine audit rules to prevent incorrect network address blocking are disclosed. An entity such as a service provider may determine network traffic logs caused or generated by malicious web traffic and network communications, such as during a computing attack by a bad actor. The service provider may implement automated blocking controllers, which use detection rules to detect the malicious network traffic, and thereafter generate a network address blocklist that is distributed to devices, components, and servers of the service provider for network address blocking. To ensure the integrity of the detection rules, audit rules and a dynamic exclusion macro may be executed to detect when a detection rule is behaving abnormally and/or leading to anomalous results. If a detection rule is not properly blocking network addresses, the rule may be removed from execution until recovery.