Automated traffic now matches or exceeds human traffic on most public-facing sites. Scrapers harvest content and pricing; credential-stuffing bots test stolen passwords against login endpoints; carding bots validate stolen card numbers at checkout; AI scrapers crawl APIs to train language models. The traffic looks plausible: real-browser fingerprints, residential IP ranges, human-like request timing. And the cost of running these campaigns drops every year.
The industry's answer has been bot management platforms, almost all of them cloud SaaS. To work, they need your traffic, your fingerprints and your decisions to live on their network. For regulated industries or sovereign deployments, that is a structural problem. And most of these platforms work as black boxes: a score arrives, an action is taken, but the operator cannot inspect what the model actually weighed.
TR7 takes a different position. Bot defense runs on your platform; the scoring engine evaluates 11 named factors; the operator sees which signal weighed how much. The same content-aware rule engine that powers WAAP and API security applies here too — a bot rule can act on a value inside a JSON body without a single line of script.
Each of these is valuable alone. Together, they redefine what bot defense looks like when it does not depend on someone else's cloud and does not hide its logic from the operator.
Most modern bot management platforms are SaaS — your fingerprints, your traffic and the resulting decisions live on their network. TR7 runs on your hardware. The bots arriving at your edge are scored and acted on inside your perimeter.
The bot score combines 11 named factors with named weights — TLS fingerprints, IP reputation across 23 categories, request rhythm, request shape, behavioral baseline and more. An operator can see which factors contributed to a decision, tune individual weights and explain a block in a security review. No opaque model output you cannot interrogate.
The same content-aware rule engine used for WAAP and API security applies to bot policy. Rate-limit, challenge or block on header values, cookie contents, URL parameters and even values parsed from JSON request bodies. Example: a rule that throttles when the body's 'action' field is 'add_to_cart' and the source IP behavior matches scraper patterns. All configured visually; no scripting.
The login endpoint of a site needs a different bot policy than the public-assets endpoint of the same site. Bot policy attaches to the vService, so each application surface gets the sensitivity it actually needs. One ruleset for /login, another for /api/v1/search, another for /assets/*.
Challenged requests, throttled scrapers, dropped credential-stuffing attempts and silent-dropped carding bots are all excluded from the bandwidth meter. The harder your bot defense works, the bigger the gap between throughput and billable bandwidth.
Every capability below ships as part of the platform and attaches to your existing vServices.
Named signals combined through an exponential scoring curve tuned for low false positives: TLS fingerprints, IP reputation across 23 categories, request rhythm, request shape, behavioral patterns, recent error rates, session-creation rate and more. The operator can see, tune and explain every factor.
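The overview and the capability entry above both describe the score the same way: named factors, named weights, an exponential curve, and a per-factor breakdown the operator can read and tune. The following is an added illustration of that shape of scoring, written for this page; it is not TR7's engine and does not reproduce its real factor list. The seven factor names, their weights, the curve constant CURVE_K and the negative-weight device_trust factor (the managed-device signal the page says lowers suspicion) are all assumptions.

```python
"""Illustrative weighted bot score with a per-factor breakdown (added example;
not TR7's algorithm). Factor names, weights and the curve are assumptions."""
import math

# Hypothetical factor weights. Positive weights add suspicion; a negative
# weight is a trust signal that subtracts. Each detector emits a 0..1 level.
DEFAULT_WEIGHTS = {
    "tls_fingerprint": 0.25,   # client hello does not match the claimed browser
    "ip_reputation":   0.20,   # category-derived: datacenter, proxy pool, Tor ...
    "request_rhythm":  0.15,   # machine-regular or alternating inter-request timing
    "request_shape":   0.15,   # header order, missing browser headers
    "baseline_drift":  0.15,   # deviation from the learned per-endpoint baseline
    "error_rate":      0.10,   # recent 4xx/5xx ratio for this source
    "device_trust":   -0.20,   # managed device with good posture lowers suspicion
}
CURVE_K = 2.0  # assumed steepness of the exponential curve


def bot_score(signals, weights=DEFAULT_WEIGHTS):
    """Return (score 0..100, breakdown).

    The breakdown lists every factor's weighted contribution, largest
    magnitude first, so a block can be explained in a review and a single
    weight can be tuned by passing a modified weights table."""
    breakdown = []
    for name, weight in weights.items():
        level = min(1.0, max(0.0, float(signals.get(name, 0.0))))
        breakdown.append((name, round(weight * level, 4)))
    raw = min(1.0, max(0.0, sum(c for _, c in breakdown)))
    # Convex exponential curve: one weak factor on its own stays near zero,
    # which is what keeps false positives low; several agreeing factors
    # climb steeply toward 100.
    curved = (math.exp(CURVE_K * raw) - 1.0) / (math.exp(CURVE_K) - 1.0)
    breakdown.sort(key=lambda c: abs(c[1]), reverse=True)
    return round(curved * 100), breakdown


def explain(score, breakdown):
    """One-line decision record of the kind an operator wants in the log."""
    parts = ", ".join(f"{n}={c:+.3f}" for n, c in breakdown if c != 0)
    return f"score={score} [{parts}]"


if __name__ == "__main__":
    scraper = {"tls_fingerprint": 1.0, "ip_reputation": 0.9, "request_rhythm": 0.8,
               "request_shape": 0.7, "baseline_drift": 0.9, "error_rate": 0.3}
    print(explain(*bot_score(scraper)))
```

With these weights a browser that trips one weak signal scores 2, a source that trips most of them scores 65, and a managed device with good posture drives a borderline request back to 0; doubling a single weight moves the score and the breakdown shows exactly where it moved.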
Source IPs classified across 23 categories — known scrapers, residential proxy pools, datacenter ranges, Tor exits, known bot operators and others. Categorisation feeds the score and can be acted on directly in policy.
The scoring engine learns your application's normal traffic patterns over time. Anomalies stand out against the baseline rather than against an arbitrary global threshold.
Signature-based detection for known bot families with characteristic fingerprints. Behavioral detection for unknown bots, evasive scrapers and slow attempts. Both feed the same scoring decision.
Rate-limit, challenge or block on any traffic attribute — header values, cookie contents, URL parameters, parsed JSON body values. Visual configuration; no proprietary scripting.
Choice of action per policy. Block obvious malicious automation. Challenge ambiguous traffic with CAPTCHA. Throttle suspected scrapers without blocking outright. Silently drop credential-stuffing traffic so the attacker doesn't receive useful feedback.
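As an added example (not TR7 configuration or code), the rule engine and policy described above can be modelled in a few dozen lines: rules that match on header, cookie, query and parsed JSON body values; a different rule set per vService surface; and the block, challenge, throttle and silent-drop actions. The attribute namespace (header.*, cookie.*, query.*, body.*, signal.*), the rule syntax, the three rule sets and the IP category names used in them are assumptions for illustration.

```python
"""Content-aware bot rules evaluated per path prefix (added example; not
TR7's rule language or data model). Rule syntax and categories are assumed."""
import json
from urllib.parse import parse_qs, urlsplit


def flatten(doc, prefix, out):
    """Flatten a parsed JSON document into dotted attribute names."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            flatten(value, f"{prefix}.{key}", out)
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            flatten(value, f"{prefix}[{index}]", out)
    else:
        out[prefix] = doc


def request_attributes(method, url, headers, body=b"", signals=None):
    """Expose everything a rule may reference under one namespace: method,
    path, header.*, cookie.*, query.*, body.* (parsed JSON) and signal.*
    (bot score, IP category and other engine output)."""
    parts = urlsplit(url)
    attrs = {"method": method, "path": parts.path}
    for name, value in headers.items():
        attrs[f"header.{name.lower()}"] = value
    for cookie in headers.get("Cookie", "").split(";"):
        if "=" in cookie:
            name, value = cookie.strip().split("=", 1)
            attrs[f"cookie.{name}"] = value
    for name, values in parse_qs(parts.query).items():
        attrs[f"query.{name}"] = values[0]
    if body and headers.get("Content-Type", "").startswith("application/json"):
        try:
            flatten(json.loads(body), "body", attrs)
        except ValueError:
            attrs["body.unparseable"] = True  # a rule may act on this as well
    for name, value in (signals or {}).items():
        attrs[f"signal.{name}"] = value
    return attrs


OPS = {
    "==": lambda a, b: a == b,
    "in": lambda a, b: a in b,
    ">=": lambda a, b: a is not None and a >= b,
}

# Hypothetical per-vService rule sets. Longest matching path prefix wins;
# inside a rule set the first matching rule decides. A rule is
# (name, conditions, action) and every condition must hold.
POLICY = {
    "/login": [
        ("stuffing-from-proxy", [("method", "==", "POST"),
                                 ("signal.ip_category", "in", {"proxy_pool", "datacenter"})], "drop"),
        ("suspicious-login", [("signal.bot_score", ">=", 40)], "challenge"),
    ],
    "/api/v1/cart": [
        ("scraper-add-to-cart", [("body.action", "==", "add_to_cart"),
                                 ("signal.ip_category", "==", "known_scraper")], "throttle"),
        ("api-bot", [("signal.bot_score", ">=", 80)], "block"),
    ],
    "/assets/": [
        ("asset-flood", [("signal.bot_score", ">=", 90)], "block"),
    ],
}


def decide(attrs, policy=POLICY):
    """Return (action, rule_name); ('allow', None) when nothing matched."""
    prefixes = [p for p in policy if attrs["path"].startswith(p)]
    if not prefixes:
        return "allow", None
    for name, conditions, action in policy[max(prefixes, key=len)]:
        if all(OPS[op](attrs.get(attr), value) for attr, op, value in conditions):
            return action, name
    return "allow", None
```

Longest prefix wins, so the /login rules never apply to /assets/, and the same bot score of 50 is challenged on the login surface but allowed on static assets. One caveat a practitioner will want: a condition that rests on IP category alone, like the proxy_pool drop above, also catches legitimate users behind a corporate NAT or carrier-grade NAT. Reserve silent drop for conditions that pair a reputation category with behavioural evidence, and prefer challenge where the only evidence is the address.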
Credential-stuffing patterns on login endpoints recognised as distinct from generic abusive automation. Distributed low-and-slow attempts, impossible travel and abnormal session-creation rates surface here, not just under generic bot scoring.
Each vService can run a different bot policy. License capacity scopes to deployment size (1, 10, 100 vServices or unlimited).
The same scoring engine and rule logic run inside TR7's access management layer. SSO portals, login flows, identity-aware proxies and clientless gateway sessions get the same bot defense as public WAAP-protected applications — without standing up a separate bot engine for each surface.
For B2B and corporate-access scenarios where users connect from devices managed by TR7's endpoint security layer, device-trust signals — known device, current posture, compliance state — feed the bot scoring engine as an additional weighted factor.
AI scrapers crawling for training data have characteristic patterns — high-volume sequential traversal, atypical user-agent strings, unusual API call shapes. The behavioral engine recognises these patterns; policy decides whether to allow, throttle or block per use case.
Bot signals feed WAAP rules and L7 DDoS thresholds; WAAP and DDoS signals feed bot scoring. A source seen abusing one application surface raises the score on every other surface immediately.
Bot signature library and IP reputation feeds update continuously — no manual download cycle, no version skew between sites.
Bot detections map to the same security taxonomy as the rest of WAAP — CWE codes, CAPEC patterns, MITRE ATT&CK techniques. SIEM correlation and incident response use the same language.
Every bot decision logs with the contributing signal breakdown — which factor weighed how much, why the score landed where it did. Investigations and tuning happen in the same console as WAAP and delivery.
Bot traffic is not one thing. TR7 Bot Management covers the modern spectrum of automation that targets web applications and APIs.
Bots harvesting content, pricing, product catalogs, listings or other public data at scale. Detected by request rhythm, IP reputation, behavioral baseline drift and characteristic request shapes.
Bots testing stolen username/password pairs against login endpoints. ATO detection plus per-endpoint policy identify and stop distributed credential-stuffing campaigns that single-IP rate limits miss.
Bots validating stolen card numbers at checkout endpoints. Recognised by characteristic request rhythm against payment APIs and abnormal failure-to-success ratios.
Automated competitors copying product listings, descriptions, reviews and pricing data. Behavioral baseline catches scrapers that mimic human pace by alternating fast and slow request rates.
Crawlers harvesting content to train language models without permission. Recognised by high-volume sequential traversal patterns and atypical client signatures; policy decides allow / throttle / block per use case.
Bots submitting fake registrations, comment spam, fake reviews and abusive form submissions. Combined detection through bot scoring and content-aware rules on form-body shape.
High-volume bot traffic acting as application-layer DDoS — credential-stuffing waves, scraper farms, coordinated IoT botnet floods. Bot signals feed the L7 DDoS layer for combined mitigation.
Bots probing the application for known CVEs, exposed admin endpoints, default credentials and misconfigured services. Combined detection through bot signals and WAAP signature engine.
Real shoppers spike during flash sales; carding bots try to hide in the spike. Per-vService policy, behavioral baseline and content-aware rules separate real customers from credential-stuffers and carding bots without blocking actual buyers.
Login endpoints under constant credential-stuffing pressure. ATO detection recognises distributed low-and-slow attempts that single-IP rate limits miss; CAPTCHA challenge is applied selectively, not to every legitimate user.
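The point made in the ATO capability above, in the credential-stuffing bot profile and again in this login use case, that single-IP rate limits miss distributed low-and-slow campaigns, is easy to show on a log. The following added example (not TR7's detection logic) runs three views over a constructed login log: a plain per-IP sliding-window limiter, per-IP and per-username warn/challenge/lock tiers of the kind listed under the capabilities further down, and an endpoint-wide campaign check. The log lines, the thresholds and the tier boundaries are constructed or assumed.

```python
"""Distributed credential-stuffing detection over a constructed login log
(added example; not TR7's detector). Thresholds and log data are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_login_log():
    """Constructed log for one /login vService (not captured traffic).
    Line format: "<iso-timestamp> <ip> <username> <FAIL|OK>". Twenty sources
    each try two different accounts, about one attempt every 17 seconds
    across the whole pool, plus a little legitimate traffic."""
    start = datetime(2024, 5, 1, 2, 0, 0)
    lines = []
    for i in range(20):
        ip = f"203.0.113.{10 + i}"
        for j in range(2):
            ts = start + timedelta(seconds=17 * (2 * i + j))
            lines.append(f"{ts.isoformat()} {ip} user{2 * i + j:03d}@example.com FAIL")
    lines.append(f"{(start + timedelta(seconds=100)).isoformat()} 198.51.100.7 alice@example.com OK")
    lines.append(f"{(start + timedelta(seconds=300)).isoformat()} 198.51.100.9 bob@example.com FAIL")
    lines.append(f"{(start + timedelta(seconds=330)).isoformat()} 198.51.100.9 bob@example.com OK")
    return lines


def parse(lines):
    """Parse log lines into sorted (timestamp, ip, username, success) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)


def single_ip_offenders(events, window=timedelta(minutes=15), max_fail=5):
    """What a plain per-IP rate limit sees: sources with more than max_fail
    failures inside a sliding window."""
    recent, offenders = defaultdict(list), set()
    for ts, ip, _, ok in events:
        if ok:
            continue
        queue = recent[ip]
        queue.append(ts)
        while ts - queue[0] > window:
            queue.pop(0)
        if len(queue) > max_fail:
            offenders.add(ip)
    return offenders


TIERS = ((6, "lock"), (4, "challenge"), (3, "warn"))  # assumed thresholds


def friction(failures):
    """Graduated friction for one dimension (an IP or a username)."""
    for threshold, action in TIERS:
        if failures >= threshold:
            return action
    return "none"


def per_dimension_friction(events):
    """Tiers applied per IP and per username separately; only dimensions
    that reached at least the lowest tier are returned."""
    ip_fail, user_fail = Counter(), Counter()
    for _, ip, user, ok in events:
        if not ok:
            ip_fail[ip] += 1
            user_fail[user] += 1
    lowest = TIERS[-1][0]
    return ({ip: friction(n) for ip, n in ip_fail.items() if n >= lowest},
            {user: friction(n) for user, n in user_fail.items() if n >= lowest})


def campaign_stats(events, baseline_fail_ratio=0.2, min_attempts=30):
    """Endpoint-wide view over the events in the window of interest. A
    distributed campaign shows many sources, many usernames each tried once
    or twice, and a failure ratio far above the learned baseline, while no
    single source is noisy enough for the per-IP counters to notice."""
    attempts = len(events)
    failures = sum(1 for e in events if not e[3])
    ips = {e[1] for e in events}
    users = {e[2] for e in events}
    fail_ratio = failures / attempts if attempts else 0.0
    user_spread = len(users) / attempts if attempts else 0.0
    verdict = (attempts >= min_attempts and fail_ratio >= 3 * baseline_fail_ratio
               and user_spread >= 0.8 and len(ips) >= 10)
    return {"attempts": attempts, "fail_ratio": fail_ratio, "distinct_ips": len(ips),
            "distinct_users": len(users), "user_spread": user_spread, "verdict": verdict}
```

On this log the per-IP limiter and both friction dimensions report nothing, because every source stops at two failures and every account is tried once; the endpoint-wide view sees 22 sources, 42 accounts and a 95% failure ratio in a few minutes and flags the campaign. The same failure-to-success ratio is the signal the carding profile above relies on for payment APIs.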
Articles, videos and image libraries crawled by competitors and AI training scrapers. Behavioral baseline catches scrapers that mimic human pace; policy decides whether scrapers get blocked, throttled or allowed under licensing.
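The scrapers that mimic human pace by alternating fast and slow requests (the behavioral baseline capability above, the competitive-scraping profile and this content use case) can be separated from real readers by looking at the structure of inter-request timing rather than the rate alone. The following added example is not TR7's engine; the baseline design, the thresholds (coefficient of variation below 0.2, lag-1 autocorrelation below -0.6, mean gap under a quarter of the endpoint's typical gap) and the mapping to a 0..1 level are assumptions, and the traffic is constructed with a seeded generator, not captured.

```python
"""Request-rhythm anomaly against a learned per-endpoint baseline (added
example; not TR7's engine). Thresholds and sample traffic are assumed."""
import random
import statistics


def gaps(timestamps):
    """Inter-request gaps in seconds from one client's sorted request times."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def lag1_autocorr(xs):
    """Lag-1 autocorrelation of the gap series: near 0 for irregular human
    pacing, near +1 for a slow drift, near -1 for a client that alternates
    one fast and one slow gap to keep its average looking human."""
    mean = statistics.fmean(xs)
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0.0:
        return 0.0
    return sum((a - mean) * (b - mean) for a, b in zip(xs, xs[1:])) / var


class EndpointBaseline:
    """Learned profile of normal clients on one endpoint (an assumed design:
    it only keeps each observed client's mean gap)."""

    def __init__(self):
        self.mean_gaps = []

    def learn(self, client_gaps):
        self.mean_gaps.append(statistics.fmean(client_gaps))

    @property
    def typical_gap(self):
        return statistics.median(self.mean_gaps)


def rhythm_signal(client_gaps, baseline, min_samples=20):
    """Return (level 0..1, reasons). The level is the kind of value a
    request-rhythm factor of a weighted bot score consumes; the reasons
    are what the operator sees in the decision log."""
    if len(client_gaps) < min_samples:
        return 0.0, []  # too little evidence: stay quiet rather than guess
    mean = statistics.fmean(client_gaps)
    cv = statistics.pstdev(client_gaps) / mean
    ac1 = lag1_autocorr(client_gaps)
    reasons = []
    if cv < 0.2:
        reasons.append("machine-regular gaps")
    if ac1 < -0.6:
        reasons.append("alternating fast/slow gaps")
    if mean < baseline.typical_gap / 4:
        reasons.append("far faster than endpoint baseline")
    level = {0: 0.0, 1: 0.6, 2: 0.85, 3: 1.0}[len(reasons)]  # assumed mapping
    return level, reasons


def constructed_traffic(seed=7):
    """Constructed sample (not captured traffic): five normal clients to learn
    from, one more normal client, a flat-rate bot and an alternating bot."""
    rng = random.Random(seed)

    def human():
        return [rng.lognormvariate(1.2, 0.7) for _ in range(60)]

    return {
        "training": [human() for _ in range(5)],
        "human": human(),
        "flat_bot": [0.25] * 40,
        "alternating_bot": [0.5, 8.0] * 20,
    }
```

The alternating bot averages 4.25 seconds between requests with a spread that looks human, so a rate threshold never fires; its lag-1 autocorrelation of about -0.975 gives it away. The flat-rate bot fails on regularity and on speed. Scorers like this want a minimum sample size, otherwise a reader who opens three tabs in quick succession looks regular by accident.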
API endpoints subject to scraping, credential testing and resource abuse. Per-endpoint bot policy plus the content-aware rule engine handle abuse without affecting legitimate API consumers.
Public-sector services targeted by automated form-abuse and bot-driven fraud. On-prem deployment keeps citizen-data flows inside the perimeter; audit logging supports investigation.
When B2B users access from devices managed by your endpoint security layer, device-trust signals feed the bot score — known managed device + good posture lowers suspicion. Bots arriving from unmanaged endpoints still get full inspection.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Trust earned at login doesn't carry forever. Every session stays under evaluation, every step of the way.
Observe behavior instead of blocking instantly — isolate sources that exceed a threshold and release them automatically.
3000+ rules, OWASP / API Top 10 / CWE taxonomy, 14 correlation axes, per-host-group + cross-group rollups.
Generation, delivery and verification — all inside the ADC. Zero calls to any third-party cloud service.
Stop credential stuffing, brute-force and session hijacking attempts based on combined risk decision — not a single signal.
One IP, one account, one API key — you decide which dimension to limit.
Three tiers of graduated friction — warn, challenge, lock — across IP, username, or both. Self-hosted CAPTCHA, no external cloud.
From session ID generation to cookie security, IP+UA binding to idle and absolute timeout — protect every session under one policy graph.
Request a live demo of TR7 Bot Management. We will run scoring on real traffic, walk through the 11 factors and show how content-aware rules act on JSON body values without scripting.