There are some significant improvements in v13.1.0.1: First of all, in Configuration utility the feature is now called "Source-based Brute Force Protection" not "Session-based Brute Force Protection." As you noted, ASM monitors user name, Device ID, and IP addresses which can be "sources" of brute force attacks. ASM counts the failed login attempts per Username, Device ID, and IP Address sources, as configured by you. A separate count is kept for each of these sources. When one of the source’s counters is higher than the threshold, the enforcement mitigation is applied. We ease into the mitigation actions--starting with Alarm only, then Alarm and client-side identity check, which forces the client to identify itself, then Alarm and CAPTCHA, and finally escalate to Alarm and Drop. There are some nifty new features, such as a Honey Pot page, which can be configured to keep attackers busy. Does this help?