Fastly Next-Gen WAF

Detecting and Mitigating Bad Bots

Fastly provides the bot visibility and blocking capabilities needed to keep your web applications and APIs safe from malicious bot activity.

The Bot Threat

Web applications and APIs are the digital gateways to your company’s most valuable assets. However, the rise of automated traffic tools has allowed malicious actors to create bots to attack your applications and access these assets, negatively impacting revenue and customer experience. Even though your applications can benefit from good bots, over 30% of internet traffic comes from bad bots, capable of executing various attacks like content scraping, credential stuffing, DDoS, and more. These attacks lead to significant financial losses due to account compromise, data theft, fraud, and increased infrastructure costs.

A proactive bot mitigation strategy empowers teams to understand and block bot activity before it impacts applications and APIs. 

Use Cases

  • Credential stuffing: Safeguard customer and corporate accounts and save traffic resources by blocking malicious automated credential testing on your login pages.

  • Account takeover: Reduce fraudulent activity and protect your brand reputation and customer relationships.

  • Gift and credit card fraud: Prevent brute-force testing of stolen credit card or gift card numbers that lead to fraudulent purchases. 

  • Content scraping: Maintain your competitive edge and SEO rankings by preventing bots from scanning and copying your unique content to be used on other sites.

Meeting the Bot Challenge with Fastly 

Organizations globally trust Fastly’s Next-Gen WAF to proactively protect their apps and APIs from bot attacks. Our patented approach to attack detection is built for the modern internet, providing teams with a scalable global mitigation strategy. 

With the Next-Gen WAF, security teams can execute four pillars of a proactive bot mitigation strategy:

  1. Determine intent of automated traffic: Identify the intent of automated bot traffic and block those with malicious intent.

  2. Distinguish malicious bots from good/benign bots: Make informed decisions on blocking or allowing automated bot traffic based on your preferences.

  3. Reject bad traffic and manage good traffic: Block bad bot traffic and manage good traffic (i.e. traffic shaping, rate limiting) from partners, specific IP lists, or specific types of configurable bots.

  4. Implement bot traffic thresholds: Leverage thresholding and rate limiting based on your team’s risk acceptance to prevent blocking legitimate requests.

Example of a visualization in the Fastly console of determining and classifying requests based on the User Agent string along with other web request context.

Key Benefits

  • Reduce fraud and resource abuse

  • Protect brand reputation

  • Maintain competitive advantage

Bot Protection for Modern Applications 

Legacy WAFs struggle in the evolving internet and developer environment: their lack of flexibility, advanced detection methods, and DevOps integrations makes blocking malicious bot attacks even more difficult for modern security teams.

Unlike these legacy WAFs, our detection engine, SmartParse, does not rely on regular expression pattern matching and instead takes a contextual understanding of each request. This results in a substantial reduction of false positive rates.

Fastly’s thresholding, rules, and signals provide you with a deeply customizable way to label and block traffic based on various criteria, including IPs, country of origin, submission behavior, and additional signals from our Network Learning Exchange (NLX).

Our flexible deployment options allow you to protect heterogeneous environments, including at the network edge. Extensive DevOps integrations, developer tools, and APIs plug into developer workflows, so teams can focus on shipping features instead of constantly fighting bad bots. 

To protect your web applications and APIs from bot activity, Fastly provides the bot visibility and blocking capabilities needed to keep your properties safe.


"It's really helped us secure our platform and make it more reliable. We're a popular platform, which means we attract a lot of malicious actors who try to poke holes in our security. Even if that doesn't take us down, all those requests pollute our data and increase load on our servers. With the Next-Gen WAF, once we turn it on it starts blocking things immediately, right there at the edge. It's identifying all these malicious actors and they're not making their way to our code at all. It's all being blocked right there at the edge. It's been shockingly easy to use, too."

Brian Benns

Senior Site Reliability Engineer

Multi-layered Security with Fastly

Effectively managing bot attacks requires a multi-layered approach. While our Next-Gen WAF provides more granular visibility and control over your specific use cases and needs, Fastly’s DDoS mitigation and edge rate limiting act as frontline defenses, filtering malicious traffic at the edge before it gets to your origin. 

Massive scale attacks, often caused by botnets, are mitigated for all Fastly customers and their traffic at no extra cost. DDoS protection is handled at the edge of our network, with detection and defense capabilities built into our kernel and network application layer processing stack. Our resilient, software-defined network allows us to run functions in a more distributed fashion across our servers in parallel. This modular system allows us to rapidly enhance detection and mitigation capabilities as new classes of attacks emerge, without needing to develop an entirely new mechanism to respond.

Edge rate limiting is a fast, effective way to prevent abusive use of web applications or services, like that found in scraping bots. It aims to protect your site and preserve your performance and uptime for an uninterrupted user experience.

Get Started Today

To learn more about how Fastly can detect and stop bad bots for you, please contact us today.
