There’s very little that can be achieved via the admin AJAX endpoint – there’s nothing to attack there really, unless you have added a plugin that provides custom AJAX-based login/registration, or comments. Shield should normally still be protecting those functions regardless of whether it’s AJAX or not, so anything trying to brute force it will get blocked eventually. The admin-ajax.php endpoint typically doesn’t require any special handling.
If you’re using ShieldPRO you can take advantage of the rate limiting feature, however, which is a generalised mechanism for protecting against brute force attack. Feel free to reach out to us directly to discuss if it’s something that interests you.
Thanks, and glad to hear you’re liking Shield Security so far!