What bots actually cost you - and how StyloBot stops them.
Not every bot is a scraper. The attacks that empty your accounts, deplete your inventory, and run up your WAF bill look different from each other and need different responses. Below is what turns up in production traffic and how StyloBot defends against each.
Recent threats (this site)
| Time | CVE | Severity | Path | Bot | Threat | Status |
|---|---|---|---|---|---|---|
| 10:02:22 | - | high | /cookies | ClaudeBot | 0.00 | Detected |
| 10:00:38 | - | high | /dashboard/signature/kdinI2wdo5QZK70BkuyL2w | bingbot | 0.00 | Detected |
| 09:52:32 | - | high | / | US Bot | 0.00 | Detected |
| 09:46:04 | - | high | /dashboard | Claude's Code Caper | 0.00 | Detected |
| 09:30:10 | - | high | /dashboard/signature/DhiGSI42dMAh849rexBbng | Claude's Code Caper 2 | 0.00 | Detected |
Threat intelligence
FOSS default: every threat-intel provider is disabled and the master switch is off; the operator opts in per provider. Set `BotDetection:ThreatIntel:Enabled = true` to turn on the master switch, then enable individual providers under `BotDetection:ThreatIntel:Providers:<name>:Enabled`. Once configured, the dashboard reports each provider's mode, enabled state, cache, last refresh, refresh interval, quota and circuit-breaker state. See docs/architecture/threat-intel.md.
Top source countries (sorted by total requests, descending)
| Country | Total | Bots | Humans | Bot % |
|---|---|---|---|---|
| GB | 42395 | 88 | 42307 | 0% |
| US | 4428 | 1257 | 3171 | 28% |
| CN | 864 | 144 | 720 | 17% |
| FR | 775 | 187 | 588 | 24% |
| DE | 480 | 105 | 375 | 22% |
| SG | 391 | 117 | 274 | 30% |
| NL | 334 | 55 | 279 | 16% |
| FI | 290 | 47 | 243 | 16% |
Credential stuffing
Attackers replay leaked email/password pairs against your login endpoint, looking for reused credentials. Typically 0.1–2% of attempts succeed, and each success becomes an account takeover that costs you fraud chargebacks, support hours, and customer churn.
Average cost of a data breach: $4.88M; average time to identify one: 194 days (IBM Cost of a Data Breach Report 2024).
How StyloBot detects it
- → Fail2ban-style escalation on repeated POST /login 4xx responses. Throttle at 5 failures/10min → block at 15 → hard block at 50, with decay.
- → Session-vector velocity: credential stuffers cycle sessions rapidly, and the L2 distance between consecutive session vectors crosses a threshold long before the attack succeeds.
- → TLS + header fingerprint rotation tracked across sessions. Attack tools (curl_cffi, Go http/2) leave signature patterns humans do not.
- → Leiden clustering groups IPs that share behavior even when UAs and source IPs differ. Botnets surface as graph communities.
Response policies
throttle-stealth (silent latency injection) for suspected stuffers; challenge for low-confidence cases; block for confirmed ones. Transition rules are tuneable per endpoint via the control plane.
API abuse & scraping
Automated clients pull your product catalog, pricing, inventory, user profiles - anything behind a pageable API. Your egress bill climbs, your data ends up on a competitor's site, and your rate limiter is the only thing standing in the way.
Bots account for roughly 42% of all internet traffic, and roughly 30% of all traffic is classified as "bad" bots (Imperva Bad Bot Report 2024).
How StyloBot detects it
- → Transport-aware behavioral analysis: API-call sessions have a distinct Markov signature (ApiCall → ApiCall → ApiCall, high velocity, low page interleave) vs. human browsing.
- → Response-behavior detector catches bots that ignore 429s and keep pounding - a tell no legitimate client exhibits.
- → Headless browser fingerprints: Playwright, Puppeteer, and Selenium each leave TLS/TCP/H2 signatures and client-side canvas/audio anomalies.
- → Datacenter IP + reputation signals from GeoDetection - most scrapers run from AWS/GCP/Hetzner, not residential ISPs.
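The two behavioural tells above (the ApiCall → ApiCall Markov signature and the client that keeps going after a 429) can be computed from nothing more than a per-session request log. The following is an added illustration written for this page, not StyloBot's own detector; the request classes, the 5 s grace window after a 429, the thresholds in `is_api_abuser` and the two sessions (`HUMAN`, `SCRAPER`) are all constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Request = Tuple[float, str, int]  # (seconds since session start, path, response status)

# Constructed sessions, not real traffic. The scraper pages through a catalog API
# five times a second and keeps going after every 429 it receives.
HUMAN: List[Request] = [
    (0.0, "/", 200), (0.4, "/static/app.js", 200), (3.1, "/api/products?page=1", 200),
    (18.5, "/products/42", 200), (19.0, "/static/hero.png", 200),
    (35.0, "/api/cart", 200), (60.0, "/checkout", 200),
]
SCRAPER: List[Request] = [
    (i * 0.2, f"/api/products?page={i}", 429 if i % 10 == 9 else 200) for i in range(40)
]


def kind(path: str) -> str:
    """Coarse request class used as the Markov state (hypothetical classification)."""
    if path.startswith("/api/"):
        return "ApiCall"
    if path.startswith("/static/"):
        return "Asset"
    return "Page"


def transition_matrix(log: List[Request]) -> Dict[str, Dict[str, float]]:
    """Empirical first-order Markov transition probabilities between request classes."""
    states = [kind(p) for _, p, _ in log]
    counts: Dict[str, Counter] = defaultdict(Counter)
    for a, b in zip(states, states[1:]):
        counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}


def velocity(log: List[Request]) -> float:
    """Requests per second over the whole session."""
    if len(log) < 2:
        return 0.0
    span = log[-1][0] - log[0][0]
    return len(log) / span if span > 0 else float("inf")


def page_interleave(log: List[Request]) -> float:
    """Share of requests that are page views; API scrapers interleave almost none."""
    states = [kind(p) for _, p, _ in log]
    return states.count("Page") / len(states) if states else 0.0


def ignores_429(log: List[Request], grace_s: float = 5.0) -> float:
    """Fraction of 429 responses followed by another request within grace_s seconds."""
    throttled = [ts for ts, _, status in log if status == 429]
    if not throttled:
        return 0.0
    ignored = sum(1 for t in throttled if any(t < ts <= t + grace_s for ts, _, _ in log))
    return ignored / len(throttled)


def is_api_abuser(log: List[Request], min_api_chain: float = 0.8, min_velocity: float = 2.0,
                  max_interleave: float = 0.05, max_429_ignore: float = 0.5) -> bool:
    """Hypothetical decision rule; thresholds would be tuned per endpoint in production."""
    api_chain = transition_matrix(log).get("ApiCall", {}).get("ApiCall", 0.0)
    markov_hit = (api_chain >= min_api_chain and velocity(log) >= min_velocity
                  and page_interleave(log) <= max_interleave)
    return markov_hit or ignores_429(log) >= max_429_ignore


if __name__ == "__main__":
    for name, log in (("human", HUMAN), ("scraper", SCRAPER)):
        print(name, transition_matrix(log), round(velocity(log), 2),
              round(page_interleave(log), 2), ignores_429(log), is_api_abuser(log))
```

The scraper's transition matrix collapses to a single ApiCall → ApiCall entry with probability 1.0, while the human session never chains two API calls; the 429 check is deliberately independent of the Markov score so that a slow but rate-limit-deaf client is still caught.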
Response policies
throttle-stealth deliberately degrades the scraper's throughput without tipping them off. redirect-honeypot sends confirmed bots to a trap endpoint. logonly is available for shadow-mode tuning.
Inventory hoarding & scalping
E-commerce drops, concert tickets, limited sneaker releases - bots buy everything in seconds and resell. Your real customers never saw the inventory. Your brand takes the reputational hit; the scalper keeps the margin.
How StyloBot detects it
- → Inter-session velocity: inventory bots show near-identical behavioral vectors across hundreds of "unique" sessions. L2 magnitude of the session-to-session delta gives them away.
- → Timing entropy: human purchase flows have irregular dwell times; scalper scripts are metronomic. The temporal-features dimensions in our 118-dim session vector catch this.
- → Checkout-specific Fail2ban rules for rapid repeated cart-add / buy-now attempts from the same session-family.
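The inter-session L2 delta and the timing-entropy signal (also the session-vector velocity mentioned under credential stuffing) are shown below on constructed sessions. This is an added example for this page, not StyloBot's code: the five-feature `session_vector` is a stand-in for the 118-dim vector the page describes, the log-spaced gap bins, the `delta_max` threshold and the `scalper_session` / `HUMAN_SESSIONS` data are all assumptions made for the illustration.

```python
import math
import statistics
from typing import List, Sequence, Tuple

Session = Tuple[List[float], List[str]]  # (request timestamps in seconds, request paths)


def scalper_session(seed: int) -> Session:
    """Constructed scalper session: the same script every time, metronomic 0.5 s cadence,
    with a few milliseconds of jitter per run so no two sessions are byte-identical."""
    gap = 0.5 + 0.002 * (seed % 5)
    paths = ["/drop/sneaker-x", "/cart/add", "/checkout", "/cart/add", "/checkout", "/cart/add"]
    return [i * gap for i in range(len(paths))], paths


# Constructed human purchase flows: irregular dwell times, different routes to checkout.
HUMAN_SESSIONS: List[Session] = [
    ([0, 3, 25, 26, 70, 71.5, 140],
     ["/drop/sneaker-x", "/drop/sneaker-x/sizes", "/drop/sneaker-x", "/cart/add", "/cart",
      "/checkout", "/checkout/confirm"]),
    ([0, 12, 13, 90, 95, 300],
     ["/", "/drop/sneaker-x", "/drop/sneaker-x/sizes", "/cart/add", "/cart", "/checkout"]),
    ([0, 0.8, 45, 46, 47, 200, 260],
     ["/drop/sneaker-x", "/drop/sneaker-x/sizes", "/cart/add", "/cart", "/cart/remove",
      "/drop/sneaker-y", "/cart/add"]),
]


def gaps(ts: Sequence[float]) -> List[float]:
    return [b - a for a, b in zip(ts, ts[1:])]


def timing_entropy(ts: Sequence[float], bins: Sequence[float] = (0.25, 0.5, 1, 2, 4, 8, 16)) -> float:
    """Shannon entropy (bits) of the inter-request gap distribution over log-spaced bins.
    A metronomic script puts every gap in one bin and scores 0; humans spread out."""
    g = gaps(ts)
    if not g:
        return 0.0
    counts = [0] * (len(bins) + 1)
    for d in g:
        counts[sum(1 for b in bins if d >= b)] += 1
    n = len(g)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def session_vector(session: Session) -> List[float]:
    """Toy behavioural vector: velocity, cart-action share, mean and spread of dwell time,
    timing entropy. Raw units are used here; a production system would scale each feature
    before taking distances."""
    ts, paths = session
    g = gaps(ts)
    span = ts[-1] - ts[0]
    return [
        len(ts) / span if span > 0 else 0.0,
        sum(p.startswith("/cart") for p in paths) / len(paths),
        statistics.fmean(g) if g else 0.0,
        statistics.pstdev(g) if g else 0.0,
        timing_entropy(ts),
    ]


def l2_delta(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def consecutive_deltas(vectors: Sequence[Sequence[float]]) -> List[float]:
    """L2 magnitude of the session-to-session change, in arrival order."""
    return [l2_delta(a, b) for a, b in zip(vectors, vectors[1:])]


def is_session_family(vectors: Sequence[Sequence[float]], delta_max: float = 0.1,
                      min_sessions: int = 3) -> bool:
    """Hypothetical rule: three or more sessions whose consecutive vectors all sit
    within delta_max of each other are treated as one scripted family."""
    return len(vectors) >= min_sessions and all(d < delta_max for d in consecutive_deltas(vectors))


if __name__ == "__main__":
    scalpers = [session_vector(scalper_session(i)) for i in range(5)]
    humans = [session_vector(s) for s in HUMAN_SESSIONS]
    print("scalper deltas", [round(d, 4) for d in consecutive_deltas(scalpers)], is_session_family(scalpers))
    print("human deltas", [round(d, 2) for d in consecutive_deltas(humans)], is_session_family(humans))
```

The five scalper sessions differ only by a few milliseconds of cadence, so their consecutive deltas stay around 0.01 and their timing entropy is exactly 0; the three human sessions differ by tens of seconds in dwell time and never look like one family.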
Vulnerability scanning
Nmap, Nikto, sqlmap, WPScan, Burp - most breaches start with a bot walking your attack surface looking for unpatched software, exposed admin panels, or leaked secrets in /.git/. Stopping the scanner is the cheapest defense you can buy.
How StyloBot detects it
- → SecurityTool detector fingerprints 40+ known scanner signatures (user-agent, header order, request-sequence patterns).
- → Fail2ban on 404 floods - automated path enumeration is a clear signal; escalate fast, decay slowly.
- → Honeypot endpoints: bait paths like `/admin`, `/.env`, `/wp-login.php` that only scanners hit. One touch flips the session to `block` globally.
Carding & BIN enumeration
Attackers validate stolen card numbers by running small authorizations against your payment endpoints. Your Stripe/Adyen/etc. bill spikes, your fraud score drops, and legitimate customers start seeing declines because the acquirer throttles you.
How StyloBot detects it
- → Per-endpoint velocity tuning: lower thresholds on `/payment/auth` than on `/products`. Configured per target via the control plane, no code changes needed.
- → Session-based authorization-attempt counting catches carders even when they rotate IPs between attempts.
- → Behavioral-waveform detector: card-validation scripts produce a distinct per-request timing waveform.
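The fail2ban-style escalation model recurs throughout this page: the 5 → 15 → 50 login-failure ladder with decay under credential stuffing, the 404-flood and honeypot rules under vulnerability scanning, the checkout-specific cart rules under inventory hoarding, and the per-endpoint `/payment/auth` thresholds above. One engine with per-rule thresholds covers all of them. The following is an added illustration written for this page, not StyloBot's implementation or rule schema; the rule names, the threshold values other than the 5/15/50 ladder, the honeypot path list, the log format and the sample log are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    window_s: int       # sliding window; hits older than this decay out of the count
    throttle_at: int
    block_at: int
    hard_block_at: int  # reaching this pins a sticky block on the actor key


# Hypothetical per-endpoint thresholds. The login ladder (5/15/50 per 10 min) is the one the
# page states; the others are illustrative of tuning payment and checkout paths tighter.
RULES: Dict[str, Rule] = {
    "login-fail":   Rule(window_s=600, throttle_at=5,  block_at=15, hard_block_at=50),
    "enum-404":     Rule(window_s=60,  throttle_at=20, block_at=50, hard_block_at=200),
    "payment-auth": Rule(window_s=600, throttle_at=3,  block_at=8,  hard_block_at=20),
    "cart-add":     Rule(window_s=60,  throttle_at=5,  block_at=10, hard_block_at=30),
}
HONEYPOT_PATHS = {"/admin", "/.env", "/wp-login.php"}  # bait paths only scanners request


@dataclass(frozen=True)
class Event:
    ts: float
    key: str    # actor key: client IP here; a session-family id plugs in the same way
    method: str
    path: str
    status: int


def classify(ev: Event) -> Optional[str]:
    """Map one request to the escalation rule it feeds, if any."""
    if ev.path in HONEYPOT_PATHS:
        return "honeypot"
    if ev.method == "POST" and ev.path == "/login" and 400 <= ev.status < 500:
        return "login-fail"
    if ev.path.startswith("/payment/auth"):
        return "payment-auth"   # every authorization attempt counts, accepted or declined
    if ev.method == "POST" and ev.path == "/cart/add":
        return "cart-add"
    if ev.status == 404:
        return "enum-404"
    return None


class Escalator:
    def __init__(self, rules: Dict[str, Rule]) -> None:
        self.rules = rules
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, str] = {}  # actor key -> reason; sticky until operator clears it

    def observe(self, ev: Event) -> str:
        """Return the action for this request: allow, throttle or block."""
        if ev.key in self.blocked:
            return "block"
        rule_name = classify(ev)
        if rule_name is None:
            return "allow"
        if rule_name == "honeypot":
            self.blocked[ev.key] = "honeypot:" + ev.path   # one touch, global block
            return "block"
        rule = self.rules[rule_name]
        q = self.hits[(ev.key, rule_name)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > rule.window_s:      # decay: drop hits outside the window
            q.popleft()
        n = len(q)
        if n >= rule.hard_block_at:
            self.blocked[ev.key] = rule_name + ":hard"
            return "block"
        if n >= rule.block_at:
            return "block"
        if n >= rule.throttle_at:
            return "throttle"
        return "allow"


def parse_line(line: str) -> Event:
    """Constructed log format: '<ts> <ip> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    return Event(float(ts), ip, method, path, int(status))


def run(log_text: str) -> List[Tuple[str, str]]:
    """Feed a log through a fresh escalator; returns (actor key, action) per line, in order."""
    esc = Escalator(RULES)
    return [(ev.key, esc.observe(ev)) for ev in map(parse_line, log_text.strip().splitlines())]


def scanner_log(ip: str, start_ts: int, n: int) -> str:
    """Constructed path enumeration: n distinct 404s, one per second, from one IP."""
    return "\n".join(f"{start_ts + i} {ip} GET /probe-{i} 404" for i in range(n))


# Constructed sample: six login failures in 150 s, a honeypot touch, then one more
# failure 650 s later, after the earlier ones have decayed out of the 10-minute window.
SAMPLE_LOG = """
0 198.51.100.7 POST /login 401
30 198.51.100.7 POST /login 401
60 198.51.100.7 POST /login 401
90 198.51.100.7 POST /login 401
120 198.51.100.7 POST /login 401
150 198.51.100.7 POST /login 401
200 203.0.113.9 GET /products 200
205 203.0.113.9 GET /.env 404
210 203.0.113.9 GET /products 200
800 198.51.100.7 POST /login 401
"""

if __name__ == "__main__":
    for key, action in run(SAMPLE_LOG):
        print(key, action)
```

The fifth and sixth failures from 198.51.100.7 are throttled, the honeypot touch blocks 203.0.113.9 for good (its next request to an innocent path is also blocked), and the failure at t=800 is allowed again because the window has emptied: that is the decay the page refers to. Keying on a session-family id instead of the IP is what makes the same counter survive IP rotation.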
One detector will not stop these. A layered runtime has a chance.
StyloBot combines fast-path protocol analysis, behavioral session vectors, and a fail2ban-style escalation model, all configurable per-endpoint and per-user via the control plane. Optional deeper analysis handles edge cases. Every decision is explainable. Every action leaves an audit trail. Raw traffic does not need to leave your perimeter.