From a young age, I discovered I’m really good at breaking things. This passion landed me a job as a red teamer at a major Australian bank where I soon realized there were fundamental problems within the existing application security (AppSec) market. It’s what inspired me to build an amazing team of other breakers to design a bot defense solution that’s actually useful for online businesses.
With 31 vendors in the bot management space according to the latest Forrester Now Tech report, it’s clear that the bad bot problem hasn’t truly been solved. This isn’t surprising, as security products built by people who don’t know how to break defenses are destined to fail.
5 Reasons Why Bot Management is Broken
Anti-bot solutions on the market today haven’t been able to keep pace with adversaries because there are inherent issues with the way bot management solutions originated and evolved.
#1: Only reactive blocking vs. proactive defense against automated threats
Since most bot management solutions were born out of Web Application Firewalls (WAFs) and first-generation bot tools, they’re reactive by nature. In our experience, up to 90% of bad bots are not stopped by these reactive, rule-based detection systems: every month we stop more than 5 billion bad bots that went undetected by other bot management solutions. This is a significant problem because a reactive solution will never be agile or quick enough to keep up with an attacker’s reverse engineering and retooling.
#2: Too expensive and difficult to use
The anti-bot market seems to believe that the more complex a solution is, the more secure it is. This kind of thinking forces customers to take on a nearly full-time job or pay for expensive managed services to manually create, configure, and manage rules, policies, and risk scores, and perform ongoing maintenance. And when an attack isn’t thwarted, the customer is blamed, not the anti-bot solution.
#3: Does not offer long-term protection
Effectiveness tends to wane over time for most anti-bot providers. These vendors spend months or years enhancing their defense solutions, only to be bypassed in days (or less). For example, a skilled attacker can reverse engineer their obfuscation methods in only 20 minutes. Our 2021 State of Bot Mitigation survey found that only 15% of bot management solutions retained their effectiveness one year after initial deployment.
#4: Negatively impacts user experience and conversion rates
It’s a bit comical how heavily the anti-bot industry relies on CAPTCHAs; doing so is an admission that their bot detection can’t accurately detect bots. They even go so far as to ask users, point-blank, whether they’re a robot. CAPTCHAs cause friction and frustrate users, discouraging consumers and harming conversion rates. Given how heavily solutions rely on CAPTCHAs, one would assume they are effective in stopping bad bots, but bot operators easily work around them: automated solvers and human CAPTCHA-solving services are cheap and widely available.
#5: Does not provide visibility into your data
Most bot management tools offer only an illusion of visibility: they show what was blocked and nothing else. With so little data access and retention history, false positives go unnoticed, and customers have no way to hold their vendors accountable. The lack of visibility also makes it difficult to troubleshoot when “normal” traffic is affected, and it strips away the context of an attack, eliminating the ability to understand what the attack was trying to accomplish.
Ultimately, even with bot management solutions in place, online businesses are left vulnerable and unprotected – with an alarming rate of false negatives to prove it.
85% of our customers were using another bot management solution prior to contacting us. They came to us with far more false negatives than they ever imagined.
While security and tech professionals have dealt with these problems and accepted them as the status quo, we’ve been determined to find a better way.
Kasada’s Product Vision
Providing a fundamentally different solution requires thinking differently about the problem.
That’s why I decided to create Kasada and set our vision on three aspirations:
Contrary to popular belief, application security doesn’t have to be so difficult.
Imagine a solution that stops credential stuffing, inventory denial, scraping, bot attacks, and automated fraud out of the box – one that is easy to use without rules, policies, configurations, or ongoing bot management by your team.
As a talented team of breakers and bot experts, we make it easy for you to get superior defense against automated threats so you can maximize your resources and spend time on other priorities.
The best security is invisible. It doesn’t disrupt a user’s experience, it allows them to purchase that limited edition product at a fair price, and it keeps their accounts and data safe.
The majority of competing solutions rely on a CAPTCHA to determine whether a request comes from a human or a bot. CAPTCHAs can be bypassed, and they also provide an unsatisfactory experience for users.
Our solution is a black box from an attacker’s perspective. We invest significant research effort into innovations that make automated attacks frustrating, time-consuming, and expensive for even highly motivated adversaries, while legitimate end-users never notice the security at all.
Transparent and Visible Data
We believe customers should easily see all of their traffic, not just what was blocked.
In our experience, customers want a complete 360° view of their Internet traffic, online infrastructures, applications, and APIs. We believe the most impactful way to provide that information is through data that tells a story – providing actionable insights into the context of an attack, rather than simply showing them stats about an attack (like the top 10 IP addresses).
By having this deep understanding of “good” and “bad” traffic, our customers can make their best decisions and hold us accountable to our promise to provide the most effective solution on the market.
What’s Next For Kasada – Beyond Bot Management
Kasada will continue to redefine AppSec using the three tenets of our vision and deliver the modern solutions the industry craves.
Over the years, we’ve built an amazing company with deep roots in red teaming that gives us a unique perspective on how adversaries break systems. What gets me up in the morning is seeing how differentiated our approach is and how it delights many of the greatest online businesses in the world – just as I had imagined when founding Kasada.
In addition to bot management, Kasada’s value is extended to offloading, and in many cases, replacing WAFs.
Another highly relevant use case is Kasada’s ability to detect many of the Open Web Application Security Project (OWASP) Top 10 web application security risks, automatically preventing zero-day attacks from being exploited – see our posts on identifying and stopping SQLi, Log4j, and Spring4Shell.