A false-positive rate is a metric, one of the accuracy numbers a thorough DDoS test is built to measure. It is the fraction of legitimate traffic that a mitigation control wrongly blocks or challenges while filtering an attack. Every defensive layer (rate limiting, WAF rules, bot management, IP reputation, geo-blocking) trades sensitivity against collateral damage: tighter thresholds catch more attack traffic but also reject more real users.
Why it matters in DDoS testing
A mitigation that blocks the attack while also blocking paying customers is a self-inflicted outage. The false-positive rate is what makes a control's threshold tuning measurable rather than guessed. A test drives realistic legitimate traffic alongside the simulated attack, then measures how many genuine requests the active rules drop, so operators can find the threshold that filters the flood without rejecting the user base behind a carrier-grade NAT or a shared corporate egress IP.
How detection sensitivity differs across mitigation platforms is examined in AWS Shield vs Cloudflare DDoS protection.