Programmable Mitigation
Programmable mitigation inspects requests against custom conditions and applies actions such as blocking or rate limiting at the edge. It complements the managed AI-WAF: where the AI-WAF applies managed threat policies, programmable mitigation lets you express edge rules keyed on request attributes.
The page has two tabs: Web Access Control and Rate Limiting.
Programmable Mitigation is available on the Pro plan and above. On a lower plan you can open the pages, but Add … Rule shows an Upgrade required prompt instead of the rule editor — see Plans & settings.

Web Access Control
Restrict requests by specific key values, such as IP address or user agent.

The rule table shows ID, Name, Description, Website, Operation. Click Add Web Access Control Rule to define a rule that matches on a request signal (IP, path, user agent…) and takes an action, then apply it to a website.
Rate Limiting
Restrict requests that excessively access the website — throttle abusive request rates.

Click Add Rate Limiting Rule to cap how often a client may hit a website (or path), and choose what happens when the limit is exceeded. Use it to blunt brute-force and scraping bursts.
This is the programmable, rule-based rate limiter. There's also a per-website Rate Limit under the site's Access Control configuration — use whichever fits: site-scoped config vs. reusable programmable rules.