#40291 Question: Is it possible to "rate limit" admin notifications?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
7.4.8

Latest post by [email protected] on Wednesday, 14 February 2024 06:37 CST

[email protected]

Hello,

I have a non-urgent question regarding Admin Tools.

Recently, in preparation for our annual security audit, we had a pen test run against our Joomla site. This test generated a lot (>500) of email notifications for blocked requests. Is there a method to "rate limit" email notifications if a single host is generating a lot of blocked requests in a short amount of time?

My concern is that the flood of email notifications could potentially cause or contribute to a service slowdown or even a DoS if the script runs long enough.

Thanks in advance,

Eric

nicholas
Akeeba Staff
Manager

I will answer this in two parts.

First, exactly what you asked. Yes, there is an email throttling feature. Go to Components, Admin Tools, Control Panel and click on the Options button in the toolbar. Click on the Email Sending tab. Set "Blocked request email throttling" to Yes. The next three options control the maximum rate. Please note that this is not an absolutely accurate limit, though. When there are hundreds of simultaneous requests, the parallelism of their execution, and the fact that there's a small but measurable lag between writing to the database and reading the same data back from it, may cause the limit to be overshot.

Now, the second part of the reply starts with the question "But why?". Sending emails on blocked requests is not a feature you are supposed to have permanently enabled in production. It is meant as a troubleshooting tool, i.e. it's great to use when first setting up Admin Tools, or when you're trying to identify and address a weird issue you can't easily reproduce yourself / you need more information than the Target URL gives you. Then, you're supposed to turn it off again by removing your email address from the respective fields in Configure WAF.

Since you are expecting a flood of probes, some of which might trigger Admin Tools (remember that most won't; they will be blocked by your web server, OS, or Joomla! itself, since most "pen testing" consists of running an automated suite in Nessus, the majority of whose attacks are between 5 and 20 years out of date and meant to root out ancient software used in production), I would recommend that you go ahead and disable those emails right now.

Also remember that emails are NOT the only troubleshooting tool at your disposal. You can always set up Admin Tools to log blocked requests in an automatically rotated log file. This is far less troublesome and can be indispensable for troubleshooting weird issues. Emails are convenient, but I wouldn't use them outside of setting up a site for the first time, which is when I need to go through every blocked request to ensure it's not a false positive.

I hope that helps :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
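The overshoot Nicholas describes is worth seeing concretely, because an alert flood from one host is exactly the resource-exhaustion risk Eric raised. The following is an added illustration, not Admin Tools' own code: it replays a constructed burst of 500 blocked requests from one host through two throttles. The first reads a per-host, per-window counter and then writes to it; a modelled write-to-read lag (`lag_ms`, a stand-in for the database lag mentioned above) makes the check act on stale counts, so the limit is overshot by roughly the number of requests that arrive during the lag. The second increments atomically and decides on the returned value, so it cannot overshoot. The config field names, the host address and the timings are all assumptions, not Admin Tools option names.

```python
"""Throttling blocked-request notification emails.

Added illustration, not Admin Tools' own code. Compares a check-then-act
limiter, which overshoots when counter reads lag behind writes, with an
atomic-increment limiter that cannot. Field names, the lag model and the
sample burst are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ThrottleConfig:
    enabled: bool = True        # "Blocked request email throttling"
    max_emails: int = 5         # assumed: emails allowed per window
    window_ms: int = 300_000    # assumed: window length (5 minutes)


@dataclass
class LaggyStore:
    """Counter store in which a write only becomes visible to readers
    lag_ms milliseconds later (constructed model of DB write/read lag)."""
    lag_ms: int
    writes: dict[str, list[int]] = field(default_factory=dict)
    counters: dict[str, int] = field(default_factory=dict)

    def count_visible(self, key: str, now_ms: int) -> int:
        # Only writes at least lag_ms old are visible to a reader at now_ms.
        return sum(1 for t in self.writes.get(key, ()) if t + self.lag_ms < now_ms)

    def record(self, key: str, now_ms: int) -> None:
        self.writes.setdefault(key, []).append(now_ms)

    def increment(self, key: str) -> int:
        # Atomic read-modify-write that returns the new value, in the spirit of
        # UPDATE ... SET n = n + 1 RETURNING n: the caller always sees its own write.
        self.counters[key] = self.counters.get(key, 0) + 1
        return self.counters[key]


def window_key(cfg: ThrottleConfig, host: str, now_ms: int) -> str:
    # One counter per source host per fixed-length window.
    return f"{host}:{now_ms // cfg.window_ms}"


def should_email_read_then_write(cfg: ThrottleConfig, store: LaggyStore,
                                 host: str, now_ms: int) -> bool:
    """Check-then-act limiter: the count it reads may be stale."""
    if not cfg.enabled:
        return True
    key = window_key(cfg, host, now_ms)
    if store.count_visible(key, now_ms) >= cfg.max_emails:
        return False
    store.record(key, now_ms)   # the write lands after the decision was made
    return True


def should_email_atomic(cfg: ThrottleConfig, store: LaggyStore,
                        host: str, now_ms: int) -> bool:
    """Increment first, decide on the returned value: no stale read possible."""
    if not cfg.enabled:
        return True
    return store.increment(window_key(cfg, host, now_ms)) <= cfg.max_emails


def run_burst(decide, cfg: ThrottleConfig, store: LaggyStore, host: str,
              n: int, spacing_ms: int, start_ms: int = 0) -> int:
    """Replay n blocked requests from one host, spacing_ms apart; return emails sent."""
    return sum(decide(cfg, store, host, start_ms + i * spacing_ms) for i in range(n))


if __name__ == "__main__":
    cfg = ThrottleConfig(max_emails=5)
    burst = dict(host="203.0.113.7", n=500, spacing_ms=1)   # constructed sample burst
    # 10 ms lag with requests 1 ms apart: about 10 extra emails slip through.
    print(run_burst(should_email_read_then_write, cfg, LaggyStore(lag_ms=10), **burst))  # 15
    print(run_burst(should_email_atomic, cfg, LaggyStore(lag_ms=10), **burst))           # 5
```

With `lag_ms=0` the check-then-act throttle is exact, which is why the limit looks accurate on a quiet site and only drifts under a burst; the atomic variant stays at the configured maximum regardless of lag, and a request in the next window (`start_ms` past `window_ms`) gets a fresh counter.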

[email protected]

Nicholas,

As always thanks for taking time to answer my questions and provide guidance.

I do appreciate the education!

Eric
