Bot mitigation is a means to an end. The real problem is actually human versus human. Bots (scripts) are just the tool of choice. A physical bank robber relies on a weapon, a bag, a mask and a getaway car. A fraudster uses data, scripts and/or pre-built ecosystems.
Organizations and analysts struggle to differentiate between the good/bad bot protection solutions. And there is a significant difference between vendors. Everyone claims to help with web scraping and account fraud, but very few do it well enough to disrupt serious sophisticated fraudsters.
The ability of a bot mitigation solution to sustain its defense, under motivated resistance, is the true differentiating aspect in this market. Motivated fraudsters will persist in their attempts to evade detection.
Assessing the market
When assessing bot mitigation solutions, we have to understand a few things:
- The sophistication of the malicious automation tools and fraud ecosystems available on the market
- How sustainable each defensive model is.
- How challenging is it for a fraudster to reverse engineer the solution?
- How does the solution respond in the battle?
Top five things to consider in a bot mitigation solution:
To truly understand the differences between the various solutions in the market, these are the five areas that I would focus on:
- Understand the client-side inspection process. What is it? How does it function? Is it static or dynamic? How does it respond to retooling?
- Understand the defensive obfuscation methods used at each layer of the solution.
- What is the data collection and processing strategy, how is it leveraged and how is it useful?
- What happens when you identify a bot? What are y0ur mitigating options?

