How to Block Bots and Stop Bot Attacks on Your Website, Apps, & APIs
Summary: The article discusses the limitations of traditional CAPTCHAs for stopping web bots and introduces modern anti-bot techniques, including device verification, fingerprinting, honeypots and behavioral analysis. These techniques identify and respond to automated attacks through layered defenses.
2026-3-20 09:21:50 Author: securityboulevard.com (view original) Views: 3

Intermediate techniques to stop bots

CAPTCHA challenges and alternatives

CAPTCHAs ask users to complete a task that should be easy for humans and hard for bots—selecting images of traffic lights, typing distorted characters, or checking a box.

Why traditional CAPTCHAs are effectively obsolete: In 2024, researchers at ETH Zurich demonstrated that an AI model (YOLO) could bypass Google’s reCAPTCHAv2 with a 100% success rate after being trained on just 14,000 labeled images (arxiv.org). Beyond AI bypasses, commercial CAPTCHA-solving services defeat challenges in under a second for fractions of a cent. CAPTCHAs now frustrate real users more than they stop bots.

Modern bot management platforms like DataDome replace traditional CAPTCHAs with device verification. DataDome’s Device Check assesses behavior and context without adding friction, presenting visible challenges to less than 0.01% of requests.

Device fingerprinting

Device fingerprinting collects attributes from a visitor’s browser and device (screen resolution, installed fonts, WebGL renderer, timezone, language settings) to create a unique identifier. Even if a bot rotates its IP address, its fingerprint stays consistent.

Advanced bot management solutions go further. DataDome’s device fingerprinting analyzes over 250 signals per request, including behavioral micro-signals that no headless browser can fully replicate. This depth separates basic fingerprinting (which sophisticated bots can spoof) from fingerprinting that actually catches them.

Honeypots

Honeypots are hidden elements (invisible form fields, fake links, decoy pages) that real users never interact with but bots do. Any entity that triggers a honeypot immediately reveals itself as automated.

Honeypots catch careless bots at near-zero cost. But they do nothing against bots sophisticated enough to render JavaScript and interact only with visible elements. They’re a useful supplement, not a standalone defense.
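The two techniques above work best together: a honeypot trip identifies one request, and the device fingerprint lets you keep blocking the same device after it rotates IPs. The following is an added example, not the article's or DataDome's code; the attribute names, honeypot field names, decoy paths and sample requests are constructed for illustration.

```python
import hashlib
import json
from typing import Optional

# Added example, not DataDome's or the article's code. Attribute names,
# honeypot field names and decoy paths are assumptions for illustration.

FINGERPRINT_KEYS = ("screen", "fonts", "webgl_renderer", "timezone", "language")


def fingerprint(attrs: dict) -> str:
    """Derive a stable identifier from browser-reported attributes.

    Keys are fixed and sorted, so the same device yields the same ID on every
    request regardless of the IP it arrives from. A missing key hashes as null
    rather than raising, so omitting a field does not escape identification."""
    canonical = json.dumps({k: attrs.get(k) for k in FINGERPRINT_KEYS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


# Fields rendered but hidden with CSS: a human never sees or fills them.
HONEYPOT_FIELDS = ("website_url", "fax")
# Paths referenced only from invisible anchors: a human never follows them.
DECOY_PATHS = {"/internal/export-all", "/.hidden/catalog"}


def honeypot_triggered(path: str, form: dict) -> Optional[str]:
    """Return the reason a request tripped a honeypot, or None."""
    if path in DECOY_PATHS:
        return f"requested decoy path {path}"
    for field in HONEYPOT_FIELDS:
        if form.get(field, "").strip():
            return f"filled hidden field {field}"
    return None


class HoneypotTracker:
    """Remember offending fingerprints so later requests from the same device
    are blocked even after the bot moves to a new IP address."""

    def __init__(self) -> None:
        self.flagged: dict = {}  # fingerprint -> reason

    def handle(self, req: dict) -> str:
        fp = fingerprint(req["attrs"])
        if fp in self.flagged:
            return "block"
        reason = honeypot_triggered(req["path"], req.get("form", {}))
        if reason:
            self.flagged[fp] = reason
            return "block"
        return "allow"


# Constructed sample traffic: one scraping device that rotates IPs, one human.
BOT_ATTRS = {"screen": "1920x1080", "fonts": "Arial,Verdana", "webgl_renderer": "SwiftShader",
             "timezone": "UTC", "language": "en-US"}
HUMAN_ATTRS = {"screen": "1440x900", "fonts": "Helvetica,Menlo,Arial", "webgl_renderer": "Apple M1",
               "timezone": "Europe/Paris", "language": "fr-FR"}

SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "path": "/contact", "attrs": BOT_ATTRS,
     "form": {"email": "a@example.com", "website_url": "http://spam.example"}},
    {"ip": "203.0.113.77", "path": "/products", "attrs": BOT_ATTRS, "form": {}},  # new IP, same device
    {"ip": "198.51.100.5", "path": "/contact", "attrs": HUMAN_ATTRS, "form": {"email": "b@example.com"}},
]


def run_sample() -> list:
    tracker = HoneypotTracker()
    return [tracker.handle(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_sample()):
        print(req["ip"], req["path"], "->", decision)
```

The second request is blocked although its form is clean and its IP is new, which is the point of keying the block on the fingerprint rather than the address. A bot that spoofs a different attribute set on every request would get a fresh fingerprint, which is why the article stresses richer signal sets than these five attributes.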

Advanced bot management techniques

These techniques define modern bot protection. No single one is sufficient alone, but together they create defense-in-depth across the full threat spectrum.

Behavioral analysis (AI/ML-based)

Behavioral analysis uses machine learning to model what normal human interaction looks like (mouse movements, scroll patterns, keystroke dynamics, navigation sequences) and flags sessions that deviate. Unlike static rules, behavioral models adapt as bot tactics evolve.

This is the core of what makes advanced bot management different from legacy tools. A behavioral engine doesn’t need to recognize a bot’s signature. It recognizes that the behavior isn’t human.
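To make the idea of "recognizing that the behavior isn't human" concrete, here is an added example (not the article's or DataDome's code) that extracts three features from a pointer trajectory and flags tracks that are straight, constant-speed and turn-free. The thresholds, the feature set and both sample tracks are constructed assumptions; a production engine learns such boundaries from labelled sessions rather than fixing them by hand.

```python
import math
from statistics import mean, pstdev

# Added example, not the article's or DataDome's code. Feature thresholds
# are assumptions chosen for illustration.


def trajectory_features(events: list) -> dict:
    """events: (t_ms, x, y) pointer samples in time order.

    linearity: straight-line distance over path length (1.0 = perfectly straight)
    speed_cv:  coefficient of variation of segment speed (0 = constant speed)
    turns:     number of heading changes larger than 5 degrees
    """
    if len(events) < 3:
        return {"linearity": 0.0, "speed_cv": 0.0, "turns": 0}
    path, speeds, headings = 0.0, [], []
    for (t0, x0, y0), (t1, x1, y1) in zip(events, events[1:]):
        seg = math.hypot(x1 - x0, y1 - y0)
        dt = max(t1 - t0, 1)  # guard against duplicate timestamps
        path += seg
        speeds.append(seg / dt)
        headings.append(math.atan2(y1 - y0, x1 - x0))
    straight = math.hypot(events[-1][1] - events[0][1], events[-1][2] - events[0][2])
    avg = mean(speeds)
    turns = sum(1 for a, b in zip(headings, headings[1:]) if abs(b - a) > math.radians(5))
    return {
        "linearity": straight / path if path else 0.0,
        "speed_cv": pstdev(speeds) / avg if avg else 0.0,
        "turns": turns,
    }


def is_automated(features: dict) -> bool:
    """Flag a trajectory that is straight, constant-speed and never turns.
    Humans overshoot, jitter and accelerate; scripted cursors do not."""
    robotic = 0
    robotic += features["linearity"] > 0.99
    robotic += features["speed_cv"] < 0.1
    robotic += features["turns"] == 0
    return robotic >= 2


# Constructed samples: a scripted move from (0,0) to (290,195) in equal steps,
# and a hand-drawn path with positional jitter and uneven sample timing.
BOT_TRACK = [(i * 16, i * 10.0, i * 6.5) for i in range(30)]


def _human_track() -> list:
    pts, t = [], 0.0
    for i in range(30):
        t += 16 + 10 * math.sin(i * 0.7)  # 6..26 ms between samples
        pts.append((t, i * 10 + 8 * math.sin(i * 0.9), i * 6.5 + 8 * math.cos(i * 1.3)))
    return pts


HUMAN_TRACK = _human_track()

if __name__ == "__main__":
    for name, track in (("bot", BOT_TRACK), ("human", HUMAN_TRACK)):
        f = trajectory_features(track)
        print(name, f, "automated" if is_automated(f) else "human-like")
```

Requiring two of three robotic features rather than all three keeps the check from being defeated by a script that adds noise to only one dimension; the same trade-off, at much higher dimensionality, is what the ML models in the article are making.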

Real-time threat intelligence

Real-time threat intelligence aggregates data from billions of requests across all protected sites to identify emerging attack patterns. When a new bot technique appears on one website, every other protected site benefits from updated detection immediately.

DataDome processes over 5 trillion signals per day across its customer network. A new attack vector identified on a retail site in Europe triggers updated protection for a financial services company in North America within milliseconds.

Multi-layered verification

No single detection method catches every bot. Multi-layered verification combines fingerprinting, behavioral analysis, invisible device verification, and reputation scoring applied in sequence. If a bot evades one layer, it hits the next.

API-specific bot protection

APIs present unique challenges. There’s no browser to fingerprint, no mouse to track, no page to render. API-specific protection analyzes request patterns, payload structures, authentication behavior, and session context to identify automated abuse. Many security stacks protect web and mobile, but leave APIs completely exposed.
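With no browser to fingerprint, API protection has to work from request patterns alone. The following added example (not the article's or DataDome's code) runs three such checks over constructed API access-log lines: sustained request rate per token, sequential enumeration of numeric resource IDs, and body fields an endpoint never accepts. The log format, token names, endpoints and expected schemas are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not the article's or DataDome's code. Log format, tokens,
# endpoints and the expected body schemas are constructed for illustration.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) ip=(?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d+) body_keys=(?P<keys>\S*)$"
)
ID_PATH_RE = re.compile(r"^(?P<base>/api/v1/\w+)/(?P<id>\d+)$")

# Body fields each endpoint legitimately accepts (assumed schema).
EXPECTED_KEYS = {"/api/v1/login": {"username", "password"}, "/api/v1/orders": {"sku", "qty"}}


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines instead of aborting
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["keys"] = {k for k in rec["keys"].split(",") if k}
        yield rec


def analyze(lines, rate_limit_per_min=60, enum_threshold=8) -> dict:
    """Return {token: [reasons]} for tokens whose request pattern looks automated."""
    by_token = defaultdict(list)
    for rec in parse(lines):
        by_token[rec["token"]].append(rec)
    findings = {}
    for token, recs in by_token.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # 1. Request rate: a client driven by a person rarely sustains this.
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() or 1
        rpm = len(recs) * 60 / span
        if rpm > rate_limit_per_min:
            reasons.append(f"rate {rpm:.0f}/min")
        # 2. Enumeration: consecutive numeric IDs on one resource path.
        ids_by_base = defaultdict(list)
        for r in recs:
            m = ID_PATH_RE.match(r["path"])
            if m:
                ids_by_base[m["base"]].append(int(m["id"]))
        for base, ids in ids_by_base.items():
            if len(ids) >= enum_threshold and all(b - a == 1 for a, b in zip(ids, ids[1:])):
                reasons.append(f"sequential enumeration of {base}")
        # 3. Payload structure: fields the endpoint never accepts.
        for r in recs:
            expected = EXPECTED_KEYS.get(r["path"])
            if expected is not None and r["keys"] and not r["keys"] <= expected:
                reasons.append(f"unexpected body keys on {r['path']}: {sorted(r['keys'] - expected)}")
                break
        if reasons:
            findings[token] = reasons
    return findings


# Constructed log lines (not from any real system).
SAMPLE_LOG = (
    [f"2026-03-20T09:21:{2 * i:02d}Z token=tok-scraper ip=198.51.100.7 GET /api/v1/products/{1000 + i} status=200 body_keys="
     for i in range(10)]
    + [f"2026-03-20T09:22:{i // 4:02d}Z token=tok-flood ip=203.0.113.9 GET /api/v1/orders status=200 body_keys="
       for i in range(20)]
    + [
        "2026-03-20T09:23:00Z token=tok-app ip=192.0.2.44 GET /api/v1/products/42 status=200 body_keys=",
        "2026-03-20T09:23:30Z token=tok-app ip=192.0.2.44 POST /api/v1/orders status=201 body_keys=sku,qty",
        "2026-03-20T09:24:10Z token=tok-app ip=192.0.2.44 GET /api/v1/orders/77 status=200 body_keys=",
        "2026-03-20T09:25:00Z token=tok-fuzz ip=203.0.113.50 POST /api/v1/login status=400 body_keys=username,password,role",
    ]
)

if __name__ == "__main__":
    for token, reasons in analyze(SAMPLE_LOG).items():
        print(token, "->", "; ".join(reasons))
```

The scraper stays under the rate limit and the flood never touches an ID, so each is caught by a different check; this is the API-side version of the multi-layer argument the article makes for web traffic.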

Dynamic and risk-based challenges

Instead of applying the same challenge to every visitor, dynamic challenges adjust based on risk score. A low-risk session sees zero friction. A suspicious session faces an invisible challenge. A high-risk session gets visible verification. This minimizes false positives while maximizing detection.

Custom rules engine

Every business has unique traffic patterns and attack surfaces. A custom rules engine lets security teams create specific protections: rate limits on particular endpoints, allowlists for partner bots, and targeted blocks based on business logic, all without modifying application code.
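The three rule types named above, as an added example that is not the article's or DataDome's code: rules are ordered data, evaluated first-match-wins, with a sliding-window counter behind the rate-limit action. The rule schema, request fields, partner name and shipping countries are constructed; the `partner` field is assumed to have been verified upstream (for example by reverse DNS or a signed header), never taken from the User-Agent alone.

```python
from collections import defaultdict, deque
from fnmatch import fnmatch

# Added example, not the article's or DataDome's code. Rule schema, request
# fields and values are assumptions; "partner" is assumed verified upstream.

RULES = [
    # Allowlist a verified partner crawler before any limiting rule can touch it.
    {"name": "partner-allow", "when": {"partner": "price-compare-inc"}, "action": "allow"},
    # Rate-limit credential submissions per client IP.
    {"name": "login-rate", "when": {"method": "POST", "path": "/login"},
     "action": "rate_limit", "limit": 5, "window_s": 60},
    # Business logic: checkout is only offered in countries the shop ships to.
    {"name": "checkout-region", "when": {"path": "/checkout*", "country_not_in": ["US", "CA"]},
     "action": "block"},
]


class SlidingWindow:
    """Per-key request counter over a trailing window of seconds."""

    def __init__(self) -> None:
        self.hits = defaultdict(deque)

    def exceeded(self, key, limit: int, window_s: float, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - window_s:
            q.popleft()  # drop hits that fell out of the window
        q.append(now)
        return len(q) > limit


def matches(when: dict, req: dict) -> bool:
    for cond, value in when.items():
        if cond == "path":
            if not fnmatch(req.get("path", ""), value):
                return False
        elif cond == "country_not_in":
            if req.get("country") in value:
                return False
        elif req.get(cond) != value:
            return False
    return True


class RulesEngine:
    def __init__(self, rules: list) -> None:
        self.rules = rules
        self.window = SlidingWindow()

    def evaluate(self, req: dict, now: float) -> tuple:
        """First matching rule wins; a rate_limit rule only fires once its limit is exceeded."""
        for rule in self.rules:
            if not matches(rule["when"], req):
                continue
            if rule["action"] == "rate_limit":
                key = (rule["name"], req.get("ip"))
                if self.window.exceeded(key, rule["limit"], rule["window_s"], now):
                    return "throttle", rule["name"]
                continue  # under the limit: let later rules decide
            return rule["action"], rule["name"]
        return "allow", "default"


def run_sample() -> list:
    """Constructed traffic; `now` is passed explicitly so the run is deterministic."""
    engine = RulesEngine(RULES)
    results = []
    # Six POSTs to /login from one IP inside a minute: the sixth exceeds limit 5.
    for i in range(6):
        results.append(engine.evaluate({"method": "POST", "path": "/login", "ip": "203.0.113.5",
                                        "country": "US"}, now=100 + i))
    # The verified partner is allowlisted before the rate rule is reached.
    results.append(engine.evaluate({"method": "POST", "path": "/login", "ip": "198.51.100.2",
                                    "partner": "price-compare-inc", "country": "DE"}, now=110))
    # Checkout from outside and inside the shipping region.
    results.append(engine.evaluate({"method": "GET", "path": "/checkout/review", "ip": "192.0.2.8",
                                    "country": "BR"}, now=120))
    results.append(engine.evaluate({"method": "GET", "path": "/checkout/review", "ip": "192.0.2.9",
                                    "country": "US"}, now=121))
    # The limited IP again after the window has passed.
    results.append(engine.evaluate({"method": "POST", "path": "/login", "ip": "203.0.113.5",
                                    "country": "US"}, now=200))
    return results


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Rule order is the security-relevant detail: placing the partner allowlist first means the partner is never throttled, but it also means a spoofed partner identity would bypass every later rule, which is why that field must be verified before it reaches the engine.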

Mitigation responses: What to do when you detect a bot

Blocking isn’t always the best response. Sophisticated bot operators monitor success rates. If requests suddenly start failing, they know they’ve been detected and change tactics immediately. A smarter approach uses varied responses.

  • Blocking. Deny the request outright. Use for clearly malicious traffic (DDoS, known attack signatures).
  • Challenging. Present a verification step (invisible or visible) that forces the bot to prove it’s human. Useful for uncertain traffic.
  • Throttling. Slow down requests without blocking them. The bot operator may not realize they’ve been detected.
  • Honey trapping. Serve the bot fake data, such as wrong prices, fake inventory, or decoy content. The bot thinks it’s succeeding while your real data stays protected.
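The multi-layered verification, risk-based challenges and varied mitigation responses described above fit together in one decision path. This added example (not the article's or DataDome's code) scores a session by applying the layers in sequence, maps the score to a response, and shows what each response returns to the client; the signal names, weights, thresholds and sample sessions are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not the article's or DataDome's code. Signal names, weights
# and thresholds are assumptions; a real deployment tunes them against
# measured false-positive rates.


@dataclass
class Signals:
    ip_reputation: float          # 0.0 clean .. 1.0 known-bad network
    fingerprint_known_bad: bool   # device fingerprint seen in prior attacks
    behavior_score: float         # 0.0 human-like .. 1.0 automated (behavioral layer)
    device_check: Optional[bool]  # None = not yet verified, True/False = result
    attack_signature: bool        # matches a known attack pattern
    target: str                   # "pricing", "login", "checkout", ...


def layered_score(s: Signals) -> tuple:
    """Apply the layers in sequence and return (score 0..100, reasons).

    A definitive layer (known attack signature) short-circuits the rest;
    otherwise each layer adds evidence and a passed device check subtracts."""
    if s.attack_signature:
        return 100, ["known attack signature"]
    score, reasons = 0.0, []
    if s.ip_reputation > 0:
        score += 40 * s.ip_reputation
        reasons.append(f"ip reputation {s.ip_reputation:.1f}")
    if s.fingerprint_known_bad:
        score += 35
        reasons.append("fingerprint previously flagged")
    if s.behavior_score > 0:
        score += 40 * s.behavior_score
        reasons.append(f"behavior score {s.behavior_score:.1f}")
    if s.device_check is False:
        score += 30
        reasons.append("device check failed")
    elif s.device_check is True:
        score -= 20
        reasons.append("device check passed")
    return max(0, min(100, round(score))), reasons


def choose_response(score: int, target: str) -> str:
    """Risk-based response: friction rises with the score. A likely scraper of
    pricing data gets decoy data instead of a hard block, so its operator is
    not tipped off by a sudden run of failures."""
    if score >= 90:
        return "block"
    if score >= 70:
        return "honeytrap" if target == "pricing" else "throttle"
    if score >= 45:
        return "challenge:visible"
    if score >= 20:
        return "challenge:invisible"
    return "allow"


def render(decision: str, real_payload: dict, score: int) -> dict:
    """What the client actually receives for each decision."""
    if decision == "block":
        return {"status": 403, "body": {}}
    if decision == "throttle":
        return {"status": 200, "delay_ms": 500 + 50 * score, "body": real_payload}  # slow, not refuse
    if decision == "honeytrap":
        decoy = {k: (round(v * 1.37, 2) if isinstance(v, (int, float)) else v)
                 for k, v in real_payload.items()}
        return {"status": 200, "body": decoy}  # plausible-looking but wrong numbers
    if decision.startswith("challenge"):
        return {"status": 200, "challenge": decision.split(":")[1], "body": {}}
    return {"status": 200, "body": real_payload}


def decide(s: Signals, real_payload: dict) -> tuple:
    score, reasons = layered_score(s)
    decision = choose_response(score, s.target)
    return score, decision, render(decision, real_payload, score), reasons


# Constructed sessions, from clearly human to clearly malicious.
SAMPLE_SESSIONS = {
    "shopper":   Signals(0.1, False, 0.1, None, False, "pricing"),
    "unsure":    Signals(0.3, False, 0.4, None, False, "checkout"),
    "failed":    Signals(0.2, False, 0.6, False, False, "login"),
    "scraper":   Signals(0.5, True, 0.5, None, False, "pricing"),
    "login-bot": Signals(0.5, True, 0.5, None, False, "login"),
    "ddos":      Signals(0.9, True, 0.9, None, True, "home"),
}
PRICE_PAYLOAD = {"sku": "A-100", "price": 19.99}

if __name__ == "__main__":
    for name, sig in SAMPLE_SESSIONS.items():
        score, decision, _, reasons = decide(sig, PRICE_PAYLOAD)
        print(f"{name:9} score={score:3} -> {decision:18} {'; '.join(reasons)}")
```

The scraper and the login bot carry identical signals and score, yet receive different responses: the decoy only makes sense where the bot's goal is to harvest data, while a login endpoint has nothing plausible to fake and is throttled instead. Keeping the response choice separate from the scoring is what lets a team vary responses without retuning detection.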

Source: https://securityboulevard.com/2026/03/how-to-block-bots-and-stop-bot-attacks-on-your-website-apps-apis/