The Bot Mitigation Industry Is In For A Rude Awakening

The DDoS mitigation business has become a commodity. The CDN WAF business is the great product of yesterday. And the bot mitigation industry, which also includes the online fraud market, is the hottest segment in our ecosystem. There are winners and losers, with startups comprising most of the winners – we’ll keep their names confidential for the time being. Regardless of who’s leading the industry, every company in bot mitigation has developed technology to defend against bots. The strength of their business models is built on a single premise: bots do not behave like humans.

Therefore, through machine learning and intelligence gathering of signals and patterns, bot mitigation platforms defend by distinguishing bot sessions from human sessions. The bot mitigation industry has also developed features and engines to deal with bots, such as keeping a database of bot signatures, protection via polymorphism, fingerprinting of devices, human-device interaction, mouse-eye coordination, and so on. These features and engines help identify threats such as fraud, scraping, skewing, sniping, carding, card cracking, account take-over, token cracking, and so on.

But let’s be crystal clear: the biggest strength of the bot mitigation industry is also its biggest weakness. Yes, today’s bot mitigation platforms are doing an adequate job of distinguishing bot sessions from human sessions. However, in a few short months, bots are no longer going to act like bots. In fact, bots are going to act more human than humans themselves.

In many ways, the bot business is a chess game of intellectuals, and the ones with the biggest brains will win. For the outlaws using bots, their cybercrimes are paying off to the tune of tens of billions of dollars annually. Bot operators and online bank robbers are more profitable than many security startups. This means online bank robbers have unlimited resources to attract the brightest minds and mathematicians in countries outside the US. And you can bet the threat actors are going to use the same techniques, such as machine learning, fingerprinting and big data, to find out how humans behave online. Once they figure it out, bots and humans will become indistinguishable.

It’s time for bot mitigation players to start thinking outside of the box. Bot mitigation will need to do more to adapt to this upcoming threat. If not, entire business models and features like the Akamai Bot Manager will soon be rendered useless.

Copyright secured by Digiprove © 2016

12 thoughts on “The Bot Mitigation Industry Is In For A Rude Awakening”

  1. Hi @bizety3:disqus

    Whilst I agree that the current BOT Mitigation solutions can do very little to tackle human BOTs vs Automated BOTs, I completely disagree that the human element will make solutions like Distil/ABM irrelevant. Of course, ABM is pretty limited when it comes to aspects like brute force attacks, one thing you should not do is underestimate the power of Akamai when it comes to upselling and cross-selling into existing clients. They have featured on MQ purely on the basis of selling Kona into existing clients. And of course, they have just bought a BOT Mitigation startup as per your “prediction”! 😉

    More importantly, for the bad boys, BOTs is all about scale! The only way to do that is through automated BOTs. Humans cannot scale for that aspect. 1 Million BOT attacks may cost only $100! How many humans can you get for that kind of money to do your dirty job? I am sure you can do the math! 🙂

    • Thanks for the great feedback. If you can’t tell by now, my opinions change weekly for the better, as I consume more research and talk to more startup security founders. As of 2 days ago, I believe bot mitigation as a product, WAF, DDoS Mitigation, and every existing point product will die in 2 years due to AI. I’m debating right now whether I should publish this only for paid subscribers or just do a public post.
