diff --git a/internal/enginenetx/statsmanager.go b/internal/enginenetx/statsmanager.go
index cf0bee348..51b1c0def 100644
--- a/internal/enginenetx/statsmanager.go
+++ b/internal/enginenetx/statsmanager.go
@@ -681,3 +681,9 @@ func (mt *statsManager) LookupTactics(domain string, port string) ([]*statsTacti
 	}
 	return out, len(out) > 0
 }
+
+// IsTCPEndpointAccessible returns whether a given TCP endpoint has recently been accessible.
+func (mt *statsManager) IsTCPEndpointAccessible(address, port string) bool {
+	// TODO(bassosimone): implement
+	return true
+}
diff --git a/internal/enginenetx/statspolicy.go b/internal/enginenetx/statspolicy.go
index e6728c5db..6e9da1723 100644
--- a/internal/enginenetx/statspolicy.go
+++ b/internal/enginenetx/statspolicy.go
@@ -43,21 +43,19 @@ func (p *statsPolicy) LookupTactics(ctx context.Context, domain string, port str
 		maybeEmitTactic := func(t *httpsDialerTactic) {
 			// as a safety mechanism let's gracefully handle the
 			// case in which the tactic is nil
-			if t == nil {
-				return
+			if t != nil {
+				// handle the case in which we already emitted a policy
+				key := t.tacticSummaryKey()
+				if uniq[key] > 0 {
+					return
+				}
+				uniq[key]++
+
+				// 🚀!!!
+				t.InitialDelay = happyEyeballsDelay(index)
+				index += 1
+				out <- t
 			}
-
-			// handle the case in which we already emitted a policy
-			key := t.tacticSummaryKey()
-			if uniq[key] > 0 {
-				return
-			}
-			uniq[key]++
-
-			// 🚀!!!
-			t.InitialDelay = happyEyeballsDelay(index)
-			index += 1
-			out <- t
 		}
 
 		// TODO(bassosimone): as an optimization, here we could mix cached tactics
@@ -70,7 +68,7 @@ func (p *statsPolicy) LookupTactics(ctx context.Context, domain string, port str
 		}
 
 		// fallback to the secondary policy
-		for t := range p.Fallback.LookupTactics(ctx, domain, port) {
+		for t := range p.onlyAccessibleEndpoints(p.Fallback.LookupTactics(ctx, domain, port)) {
 			maybeEmitTactic(t)
 		}
 	}()
@@ -99,3 +97,22 @@ func statsPolicyFilterStatsTactics(tactics []*statsTactic, good bool) (out []*ht
 	}
 	return
 }
+
+// onlyAccessibleEndpoints uses stats-based knowledge to exclude using endpoints that
+// have recently been observed as being failing during TCP connect.
+func (p *statsPolicy) onlyAccessibleEndpoints(input <-chan *httpsDialerTactic) <-chan *httpsDialerTactic {
+	output := make(chan *httpsDialerTactic)
+	go func() {
+		// make sure we close the output channel
+		defer close(output)
+
+		// avoid including tactics using endpoints that are consistently failing
+		for tx := range input {
+			if tx == nil || !p.Stats.IsTCPEndpointAccessible(tx.Address, tx.Port) {
+				continue
+			}
+			output <- tx
+		}
+	}()
+	return output
+}