"a secondary function being to tell businesses who deploy the tool that they're under attack"
Businesses that take security seriously should be able to recognise for themselves that they're under attack. Practically none can though. I can't count the number of monitoring appliances I've encountered, generating logs that never get examined until after a data breach is all over.
Monitoring should be a continuous activity, referenced to an established pattern of normal activity (and not just left to unsupervised "tools"). I've rarely succeeded in persuading clients to perform the necessary baselining to recognise normality. Consequently they fail to identify departures from it when under attack (supposing they're even looking anyway).