Classical WAAP assumes the attacker is a script or a hand-driven session. Signatures match known payloads. Bot fingerprints catch obvious automation. That work is still essential, and TR7 WAAP keeps doing it. But the modern attacker is different. Vision language models — GPT-4V, Claude Vision, Gemini and their open-source descendants — read rendered pages as well as a human reads them. AI agents drive browsers at scale, click through application flows, submit forms, harvest content. Scraper farms randomize cadence, rotate identities and drift their behavior toward something that looks like a real user.
The defenses other WAAP vendors offer for this surface are incomplete. Most don't have anti-OCR at all. Bot management products treat AI traffic as another bot family — useful, but blind to the screen-grab path. RBI products that exist are usually cloud-only and not integrated with the WAAP that protects the underlying service.
TR7 takes the new threats one by one and adds the layer that addresses each. Anti-OCR rendering for the screen-grab path. Agent-aware classification for AI traffic that is sometimes good (search indexing) and sometimes hostile (training-data theft, automated abuse). Scraper-class behavior detection in the 11-factor scoring engine. Forensic watermark that travels with every served page, so a leaked screenshot still points back to a session. All of it on the same platform that already runs your WAAP — the layers engage where the service needs them.
These layers sit on top of TR7 WAAP. They are designed for the threats classical WAAP rules don't see. The combination — anti-OCR + agent-aware + scraper detection + forensic watermark + WAAP integration — exists in no other WAAP product.
Modern attackers capture the rendered page and run vision language models or OCR engines to extract the underlying text. TR7's anti-OCR rendering shapes the output to resist automated extraction — text is delivered as visual elements that look right to a human and break automated pipelines. A human reading the page sees normal, readable content. A machine running OCR or VLM extraction on the screenshot finds recovery unreliable.
Not all AI traffic is hostile. Search engine indexing crawlers, accessibility assistants and legitimate enterprise agents have a place. Training-data scrapers, automated account takeover agents and credential testers do not. TR7 classifies AI agent traffic distinctly from human users and from classical bot families, and policy decides per use case — allow, throttle, challenge or block.
Modern scraper farms randomize cadence, rotate identities and drift behavior. The 11-factor scoring engine — already used for bot management across the platform — recognises scraper-class signatures: sequential traversal patterns, atypical request timing rhythms, content-following access paths. Operator-visible weights and tunable thresholds; no black-box ML.
Every served page carries an embedded marker — visible or steganographic — tied to a session, user identity and timestamp. The watermark is shaped to survive screenshot, OCR re-extraction and AI rewriting. When sensitive content surfaces outside the application, the trace points back to where the leak originated.
All four layers above run inside the same TR7 WAAP that already protects the application. One vService, one policy framework, one operator console. The classical WAAP foundation is still there for yesterday's attacks; these layers handle the AI-era part. No separate AI-defense appliance to license, no second policy engine, no second audit trail.
Every capability below is part of TR7's WAAP platform. The combination — not any single feature — is what makes it unique.
Output is shaped to resist OCR and VLM extraction pipelines. Text is delivered as visual elements that read normally to a human but fail under automated OCR. A page that survives a competitor's scraper survives a competitor's vision model too.
Traffic from AI agents is classified distinctly from human traffic and from classical bot families. Known good agents (search indexing, accessibility tools, legitimate AI assistants) can be allowed. Hostile agents (training-data scrapers, automated abuse) can be blocked, throttled or challenged. Per-vService policy controls the decision.
11-factor scoring engine recognises sequential traversal patterns, content-following access paths, abnormal request rhythms and other signatures of scraper farms — even when each individual source looks like a real user. Operator can see which factors contributed; weights are tunable.
Watermark is shaped to remain identifiable after screenshot capture, OCR re-extraction or AI-based content rewriting. A leaked artifact still points to the originating session, user and timestamp.
Sensitive services that warrant it run through the ZeroLeak isolation gateway — application renders on the TR7 platform, browser sees only the rendered output. Combined with anti-OCR rendering, the screen-grab path becomes unreliable for sensitive data.
Device-trust signals from TR7's endpoint security layer feed agent and access decisions. A request from a known managed device with healthy posture scores differently than a request from an unmanaged endpoint that looks suspiciously script-like.
Rate-limit, challenge or block AI traffic based on any traffic attribute — including values parsed from JSON request bodies. Throttle agent traffic by claimed identity, by data volume requested, or by access pattern.
AI-era detections map to the same security taxonomy as the rest of WAAP — SIEM correlation, incident response and compliance reports see AI attacks in the language your security team already uses.
For the technical mechanism behind anti-OCR rendering — how text is shaped, how OCR pipelines fail, how the human reading experience stays uncompromised — see the Anti-OCR capability page in Features.
AI-era detections, anti-OCR engagement, agent classification decisions and watermark events all log to the same console used for WAAP, ADC and ZTA. One operator view across the whole platform.
Anti-OCR rendering, agent classification, scoring and watermarking all run on your hardware. No third-party AI defense in the path of your sensitive data.
AI scrapers throttled, training-data crawlers blocked and abusive AI agents dropped are all excluded from the bandwidth meter, like everywhere else on the platform.
This is the place to be specific. The combination below is the unique-to-TR7 cluster — not any one feature, but the five together as one platform.
TR7 is the only WAAP vendor that ships anti-OCR rendering as a product feature. Cloud-only RBI products focus on browser isolation; classical DLP products focus on endpoint agents. Neither addresses the AI pipeline that screenshots a rendered page and runs OCR/VLM extraction on the image. TR7 does.
Watermarking that survives screenshot, printing, copy and AI-rewriting — embedded in every served page, tied to session and user. No other WAAP vendor offers this. The closest comparison is in DRM products for media, which solve a different problem.
Most bot management products treat AI agents as a new bot family or a single category. TR7 separates known good agents from hostile agents and applies different policies — useful for organizations that want indexing to work while training-data theft is blocked. The classification is operator-visible, not a black-box model output.
Most competitor bot scoring is opaque ML. TR7's scoring uses 11 named factors with operator-tunable weights — the same engine that scores classical bots also scores AI agents and scraper farms. The factors are inspectable, and the weights can be tuned for a specific application's normal AI traffic profile.
Other WAAP vendors that want AI-era coverage point to separate products: a bot management service, a browser isolation product, a fraud-detection platform. TR7 ships these layers inside the same WAAP that already protects the application. One vService, one policy view, one audit trail.
Admin panels, customer-data dashboards and regulated portals where attackers screenshot and run OCR/VLM to extract text. Anti-OCR rendering makes the extraction pipeline unreliable; ZeroLeak isolation ensures the rendered page is the only artifact reachable from the client.
Articles, product catalogs and structured content harvested at scale by AI training scrapers. TR7 classifies the agent class, the operator decides whether to allow, throttle, license or block. Forensic watermark identifies the source if content reaches places it shouldn't.
Some AI agents you want (search indexing, accessibility assistants, partner integrations). Some you don't (training-data theft, automated account abuse). Agent-aware classification lets the same policy framework give a different answer to each.
AI-driven account-takeover agents browse login pages, solve simple CAPTCHAs and abuse high-rate credential testing. Scraper-class behavior in the 11-factor scoring catches the pattern that single-IP rate limiting misses.
When a sensitive screenshot surfaces — on social, in a news story, on a security forum — forensic watermark identifies which session and which user produced it. The investigation starts with evidence, not guesswork.
AI-era threats meet data residency requirements. TR7's AI-era layers run on your hardware — no third-party AI defense service in the path of citizen or regulated data.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Server-rendered pages with pixel-level modifications — readable on screen for the user, nonsense to OCR engines and AI vision models when extracted as an image.
Run the protected app inside a fully isolated session on the platform — the user sees only the rendered pixels. No HTML, no JavaScript, no cookies on the endpoint.
Letters on the page are silently swapped with visually-similar siblings; the area around the cursor reveals the originals. The human reads naturally — an AI fed a screenshot reads different words.
A visible per-user watermark plus an invisible trace ID embedded into the pixels — when a screenshot leaks, the source can be identified even after cropping, scaling, or being photographed.
Every user session runs in its own isolated browser context — no shared cookies, storage, or process state — with a strict domain allowlist and rendering-level anti-automation defences built in.
Request a live demo of TR7's AI-era protection. We'll run a vision language model against a TR7-rendered page, walk through agent classification on real traffic and show watermark tracing on a screenshot that's already left the application.