Auto Escalation is the default for every threat type
Info: When a threat rule is set to Auto Escalate, PhishFence doesn't apply a fixed punishment. Instead it checks how many detections the user has triggered in the last 24 hours and escalates accordingly.
The escalation thresholds
Info: PhishFence counts all detections for that user in the past 24 hours and applies the highest matching threshold:
Why a 24-hour window?
Info: The rolling window means a user who triggers one detection and stops isn't immediately punished beyond a deletion and flag. But a user who keeps reoffending within the same day is treated as a persistent threat and escalated fast.
Why use Auto Escalation instead of a fixed action?
Info: Fixed actions treat every detection the same regardless of how many times it happens. Auto Escalation gives first-time offenders a lighter touch while making sure repeat offenders are removed quickly, with no manual intervention needed.
Override individual threat types when you need to
Action: Go to the dashboard → Server Settings → Detection Rules. Any threat type can be pinned to a specific action (Instant Ban, Kick, Timeout, Delete Only, Flag & Alert, or Disabled) independently of the others. Everything left on Auto Escalate uses the 24-hour incident count logic above.
Disabling a threat type turns it off completely
Important: Setting a rule to Disabled means PhishFence will not scan for that threat type at all in your server. This is different from lowering the response: it removes detection entirely.
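The sketch below is an added example, not PhishFence's own code, showing how a rolling 24-hour count, a highest-matching threshold, pinned actions and a Disabled rule fit together. The threshold numbers, the threat type names in the test data, and the choice that pinned detections still count toward the window are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60

# Constructed placeholder thresholds: (minimum detections in window, action).
# These are NOT PhishFence's real values; only the action names come from the page.
EXAMPLE_THRESHOLDS = [(1, "Delete + Flag"), (2, "Timeout"), (3, "Kick"), (4, "Instant Ban")]


class Escalator:
    def __init__(self, thresholds=EXAMPLE_THRESHOLDS, rules=None):
        self.thresholds = sorted(thresholds)
        # threat type -> "Auto Escalate" (default), "Disabled", or a pinned action
        self.rules = rules or {}
        self.history = defaultdict(deque)  # user id -> detection timestamps (seconds)

    def on_detection(self, user_id, threat_type, now):
        """Return the action for this detection, or None if the type is Disabled.

        Assumes `now` never goes backwards for a given user.
        """
        rule = self.rules.get(threat_type, "Auto Escalate")
        if rule == "Disabled":
            # Not scanned at all: nothing is recorded and nothing is done.
            return None
        events = self.history[user_id]
        events.append(now)
        # Rolling window: forget detections that are 24 hours old or older
        # (treating exactly 24 hours as expired is an assumption).
        while events and events[0] <= now - WINDOW_SECONDS:
            events.popleft()
        if rule != "Auto Escalate":
            return rule  # pinned action, independent of the incident count
        # Highest matching threshold wins.
        action = None
        for minimum, name in self.thresholds:
            if len(events) >= minimum:
                action = name
        return action
```

Because a Disabled type records nothing, detections of that type cannot push a user toward escalation for other threat types either.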