Today’s bots are no longer just simple scripts. They use AI to mimic human behavior and adapt in real time, rotating IPs, simulating mouse movements, and even misclicking CAPTCHAs to slip past defenses. That’s why PayPal, a global fintech leader with over 400 million users, turned to DataDome to stop threats at the edge—before they reach critical systems—and stay ahead of AI-driven fraud.

In our recent webinar with About Fraud, “Detect Bad Intent Early to Stop Downstream Fraud”, Dan Ayash, PayPal’s Director of Advanced Cybersecurity Solutions, shared how PayPal uses DataDome to clean traffic upstream before it causes problems for their fraud team later on.

“To fight AI-driven bots, you have to understand what they’re trying to do, not just who they are. That is what DataDome helps us do.To fight AI-driven bots, you have to understand what they’re trying to do, not just who they are. That is what DataDome helps us do.”

The challenge: Blocking bots before they reach critical systems

As attacks became more frequent and more evasive, PayPal’s internal defenses were seeing the strain. Fraudsters, who used to just flood known endpoints like login and checkout, were now testing every possible entry point, including registration flows and even low-value paths, to find weak spots.

Dan Ayash knew that defending only the application layer was no longer sustainable. “The sooner you block malicious traffic, the better your systems perform, and the less chances attackers have to adapt,” he explains. Dan then made a strategic decision: stop bots at the edge, as close to the adversary as possible. 

“We integrated DataDome at the CDN level, outside our infrastructure,” Dan explains. “We wanted to be closer to the adversary so we could block the noise before it reached our systems.”

This architectural change enabled Dan and his team to intercept and evaluate traffic at the edge, long before it hit the company’s core infrastructure, gaining visibility and control when threats are easier to detect.

Automated upstream traffic filtering reduced the load on internal systems and made downstream models more effective. With less noise to analyze, detection accuracy improved, and legitimate users experienced fewer unnecessary challenges.

The solution: AI-powered protection that adapts in real time

Hackers are no longer content with launching brute force campaigns; they adapt their behavior and tactics in real time. 

“If ten years ago we saw thousands of IPs, now it’s millions,” says Dan. “Attackers rotate IPs and change user-agent strings constantly. The protocol is stateless, and they use that to their advantage. Every request can look different.”

At this level of sophistication, traditional bot detection, which asks “Is this traffic human or automated?” begins to show its limitations. That’s when Dan and his team realized the real question wasn’t who was behind the traffic, but what they were trying to do.

Focusing on intent, not just identity, meant looking beyond static rules and signatures. It meant understanding behavior in context: Does this session resemble account validation? Is this login attempt part of a larger credential stuffing pattern? Does this cart activity signal abuse or legitimate interest?

DataDome’s real-time, AI-driven detection engine played a key role in answering those important questions. By analyzing traffic at the edge based on behavior and intent, Dan could make smarter, earlier decisions before threats reached sensitive endpoints.

“When you clean the top of the funnel, every downstream layer gets smarter. They’re seeing clearer traffic and can better distinguish between legitimate and abusive behavior,” Dan says. “That improves our visibility, helps our models learn faster, and reduces friction for real users.”

One of the strengths of DataDome is its ability to probe intent silently by sending background browser challenges from Device Check and assessing how sophisticated the actor is. “We can do that without introducing new friction, and that is a real advantage,” Dan adds.

The results: Security without sacrificing user experience

At PayPal’s scale, bot protection is only part of the story. The other half is maintaining user trust by ensuring that fraud detection doesn’t block legitimate transactions or create unnecessary friction. As a global provider of digital financial services, PayPal must secure every interaction and ensure a seamless experience for real users. 

Achieving this balance requires close coordination between the cybersecurity team, which typically focuses on risk mitigation and early threat blocking, and the fraud and business teams, which are equally attentive to conversions and customer impact. “Fraud teams and cybersecurity teams speak different languages,” says Dan. “It only works when we sit down, share data, and look at the outcomes together.”

That’s why, for Dan and his team, DataDome has been evaluated on its ability to block attacks, but also on how it affects downstream systems and business performance. By filtering threats upstream, the platform streamlines the overall user experience. Cleaner traffic reaches core systems, fraud models work better, fewer genuine users get falsely challenged, and everyone is better equipped to do their job.

There is also a measurable business benefit: reduced operating costs. By blocking unwanted traffic before it reaches PayPal’s infrastructure, the team lightens the load on internal systems and third-party services, lowering both infrastructure and vendor costs.

“[Bots] are no longer overwhelming PayPal’s infrastructure, so costs are going down,” Dan notes.

Looking ahead: Agentic AI in the hands of fraudsters

Fraudsters are already using AI to mimic human behavior and enhance their attacks—and the next phase is even more advanced: deploying AI agents to act autonomously on their behalf. Behind Dan’s forward-looking approach is a simple principle: to defend against agentic AI, where attackers adapt in real time and launch coordinated, autonomous attacks, you have to think like the ones building it.

“You don’t need to become a developer,” said Dan. “But you do need to understand how fraudsters use these tools. What would it take for AI to evade detection? How would it behave? Once you understand that, you’re in a much better position to defend against it.”

This mindset is increasingly important as bad actors adopt the same tools as security teams, from automated MCPs to AI-based scripts. For Dan, the future of cybersecurity doesn’t lie solely in detection. It’s about anticipation.

With DataDome, PayPal gets real-time analysis, intent-based detection, full visibility at the edge, and a great user experience. A smarter way to protect against smarter threats.

Want to learn more about how PayPal stays ahead of AI-driven fraud?

Watch the full webinar to learn how to detect bad intent early, stop fraud before it starts, and scale secure growth, without adding friction for real users.

Curious how your defenses compare?

If you’re wondering how your own website holds up against bots, try our Vulnerability Scan today, for free.