It is often quoted that “Security through obscurity is bad practice.” We see this differently. In the highly adversarial game of bot detection and mitigation, obfuscation plays a key role in delivering the defender’s ultimate quest: long-term efficacy. Our overarching goal is to make our customers’ applications and APIs difficult and expensive to attack. Obfuscation is a vital component of this strategy.
Long-term efficacy is most often eroded by attackers’ retooling – adapting their bot’s presentation and rendering the bot mitigation defense useless. The likelihood and time required for an attacker to retool is directly proportional to how easy it is to reverse engineer your defences. TL;DR: Try not to be cheap and easy to attack.
The Defender’s Strategy
The path towards achieving long-term efficacy is long and challenging, with lots of obstacles and traps for those looking to defend against persistent bot attacks. A successful strategy relies on layers of overlapping defences – often referred to as “defence in depth” where your overall defence is dependent on not just one technique or defensive measure, but many interlocking defences that reinforce each other.
Obfuscating defensive detection scripts is crucial to the overall bot detection strategy. These scripts, which contain highly sensitive detection methods, are delivered and executed inside the attacker’s environment. Bot operators are constantly reverse engineering these scripts to uncover the new tricks used by their adversaries.
The fact that bad actors typically collaborate in communities of like-minded groups only exacerbates the problem. As a defender, once your bot detection model is published on the internet, your ability to deliver short, medium, or long-term efficacy is compromised. In turn, this reduces the ROI on your solutions’ R&D efforts, customer success outcomes, and ultimately long-term value.



