diff --git a/coraza-spoa/overrides.conf b/coraza-spoa/overrides.conf
index f278298..62aeca4 100644
--- a/coraza-spoa/overrides.conf
+++ b/coraza-spoa/overrides.conf
@@ -13,14 +13,6 @@
 # Per-customer false-positive tuning lives in a future per-customer
 # override mechanism; v1 is server-wide.
 
-# ---------------------------------------------------------------------------
-# 913xxx — Scanner User-Agents
-# (sqlmap, nikto, nmap-scripts, dirbuster, masscan, gobuster, ZAP, w3af, etc.)
-# Legitimate browsers and apps never send these UAs. Pure recon/exploit
-# tooling. Highest signal-to-noise rule family in CRS.
-# ---------------------------------------------------------------------------
-SecRuleUpdateActionById 913100-913199 "ctl:ruleEngine=On"
-
 # ---------------------------------------------------------------------------
 # 930120 — LFI: explicit traversal to sensitive system files
 # (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.)
@@ -88,6 +80,13 @@ SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
 # Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
 # on customer mix. Promote individually after observation:
 #
+# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation
+# (Mastodon's "...Bot" UA) and SiteLockSpider (a
+# paid customer-security service some sites use).
+# Observed on whp01 burn-in 2026-05-13:
+# 20/185 hits = ~11% FP rate on HPR + greggfranklin
+# + suchascream. Detection adds anomaly score
+# either way; enforce upside is low.
 # 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
 # 942xxx (SQLi) — WP admin queries reflected in params
 # 920xxx (other) — most 920xxx rules; 920440 specifically promoted above
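Review bot: Demoting the whole `913100-913199` range to detect-only in the first hunk is broader than the documented false positives justify: the two cited sources (Mastodon's "...Bot" UA and SiteLockSpider) are crawler/bot-style user agents, which in CRS 3.x are matched by the paranoia-level-2 rules 913101/913102 rather than by the 913100 scanner list (sqlmap, nikto, etc.) or by 913110/913120 — worth confirming against the rule IDs in the 20/185 burn-in hits. If that split holds, keeping `SecRuleUpdateActionById 913100 "ctl:ruleEngine=On"` (and 913110/913120) while demoting only 913101-913102 retains the highest-signal scanner detection in enforce mode with no change to the named FP cases. The second hunk's comment should record which sub-rule IDs produced the hits so the "promote individually after observation" step has a concrete target. As a style point, `# 913xxx (Scanner UAs)— matches` lacks the space and column padding before the em dash that the sibling `941xxx`/`942xxx`/`920xxx` entries use.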