Described embodiments provide systems and methods for learning across multiple application delivery controllers and updating settings across the application delivery controllers. A profile can be generated based on selection of a set of intermediary devices managed by a device. The set of intermediary devices configured to load balance data of an application hosted in different computing environments. Activity can be identified at the intermediary devices with use of a firewall. The activity having an appearance of a malicious attack on at least one intermediary device of the set. The device can determine if the activity is permissible or a violation based on a comparison of an aggregation of data records for the identified activity and a threshold. The device can provide a notification to at least one intermediary device of the set to configure the at least one intermediary device to allow the activity or prevent the activity.