
The Future of Bot Protection: Smarter Attacks Demand a Layered Approach

How AI is powering attacks – and how to fight back with Auth0 and AWS.

Bots can be harmless. However, many have malicious intentions. Bots make up 42% of all internet traffic today, and 65% of these are ‘bad bots’. These bots are not only wielding automated attacks to breach accounts – they are also draining your marketing budget. Bots are being used to sign up for accounts at scale and eat up your company’s sign-up bonuses, offers, and loyalty points. And the numbers don’t lie – bot attacks are taking a serious toll on businesses. A 2024 Fastly survey revealed just how widespread and damaging these attacks have become:


GenAI is reshaping cybercrime—and making bots more dangerous

It’s not just the quantity of bad bots that’s concerning; it's also the growing sophistication. Unless you’ve been a tad out of the loop, you’ve likely seen how GenAI is revolutionizing business. From AI-powered agents handling customer support to marketing teams generating personalized content at scale, the benefits are undeniable. But there’s a dark side. AI adoption in cybercrime is expected to grow at a staggering 37% CAGR between 2023 and 2030, making it easier than ever for attackers to run automated attacks and cause more damage.

These same AI advancements are being used by cybercriminals to supercharge their automated attacks, some without even writing a line of code themselves. Bots are now easier to create than ever and are vastly more adept at mimicking human behavior, allowing them to evade conventional security controls. As bots become more advanced, we have to get cleverer about how we fight them. Spoiler alert: this means layering modern defenses – there’s no silver bullet. Also, to fight AI, we need to use AI. We’ll get into this in a bit...

CAPTCHAs — Not all bot detection is created equal

When you think of bot detection, you probably cringe – because, chances are, the first thing that comes to mind is the traditional CAPTCHA.

CAPTCHA:

Completely Automated Public Turing test to tell Computers and Humans Apart – a challenge-response test that is meant to be easy for humans to pass, but difficult for computers (or bots) to solve.

You’ve seen them before – checking a box, deciphering distorted text, or selecting every image with a stoplight. While these simple CAPTCHAs can be effective against basic bot attacks, they also slow down real users, creating frustration (who hasn’t struggled through endless grids of bicycles?).

And here’s the real kicker – modern bots are outsmarting them. Advanced automation and AI-powered bots can now solve image-based CAPTCHAs faster and more accurately than humans. That means traditional CAPTCHA isn’t just frustrating – it’s also failing. We need better, layered defenses that distinguish humans and good bots from malicious ones with minimal friction to the user and harness the power of AI to fight the threat of AI.

Let’s look at how Auth0 and AWS together help you do that.

How Auth0 fights back against malicious bots

Auth0 bot detection – a first line of defense for automated attacks

As AI-powered attacks evolve, we’ve re-engineered our fourth-generation Auth0 Bot Detection engine to strengthen protection against malicious traffic without compromising the user experience. Auth0 Bot Detection continuously monitors Identity threats across hundreds of millions of users, enabling us to detect bad bots and respond in real time. It features advanced machine learning models, making it even more effective at spotting and stopping bots.

  • Detect automated attacks like fake signups and credential stuffing, and respond with user-friendly challenges like Auth Challenge or out-of-the-box third-party bot challenge integrations like Google reCAPTCHA, hCaptcha Enterprise, or Friendly Captcha.

  • Leverage machine-learning models, including a model designed for signup attacks. Tailored models greatly improve detection and prevention of bots across the user journey, while reducing bot challenges presented to real customers.

  • Auth0 Bot Detection, on average, is shown to block less than 1% of legitimate users (based on overall Auth0 customer traffic).

Layer in these additional Auth0 defenses to defend against automated attacks:

  • Passkeys offer a passwordless login option that lets users log in to apps, platforms, and devices quickly and helps prevent phishing. In theory, passkeys mean bot detection and CAPTCHA could be skipped, but bot detection remains the most viable first level of defense for the login box, as not all users or organizations add MFA (multi-factor authentication) in every app.

  • Adaptive MFA reduces MFA fatigue by only prompting extra verification with risks like untrusted IPs, new devices detected, or ‘Impossible Travel’ (detects suspicious login attempts by analyzing the distance and time between consecutive sign-ins). If an automated attack succeeds in guessing a user’s username and password, MFA is the second line of defense in preventing an incident.

  • Breached Password Protection blocks known breached credentials at sign-up, login, or password reset. It detects the use of compromised credentials, then blocks and notifies the user in real time.

  • Credential Guard allows up to 10x faster detection of compromised credentials with a dedicated security team and support for 35+ languages and 200+ regions. Cut detection time from months to hours. Our dedicated security team infiltrates criminal undergrounds and the dark web to find compromised credentials.

  • Brute Force Protection and Suspicious IP Throttling block high-velocity attacks on accounts inflicted by bots.

  • Security Center enables faster detection and response to attacks with a dashboard of near real-time observability tools. Get intelligent insights into identity events, anomalies, and efficacy. Set custom threshold alerts. Easily integrates with SIEM tools.

  • Log Streaming allows streaming relevant Auth0 activity to third-party SIEM and SOAR tooling to enable faster detection and response. Automate response to security threats, outages, new sign-ups, and more with custom business logic.
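To make the ‘Impossible Travel’, Brute Force Protection, and Suspicious IP Throttling items above concrete, here is a small, self-contained Python example added for this article. It is not Auth0’s implementation: the thresholds (1,000 km/h as the fastest plausible travel speed, 10 failures per 10-minute window per IP and per account) are assumptions chosen for illustration, and the login events, coordinates, and IP address are constructed sample data rather than real traffic. The logic is what the list describes: great-circle distance over elapsed time between consecutive successful sign-ins, plus sliding-window failure counts keyed by IP and by account.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    ts: float        # Unix time in seconds
    lat: float       # coordinates geolocated from the IP (constructed here)
    lon: float
    success: bool


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than airline travel => impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (flagged, implied_speed_kmh) for two consecutive sign-ins of one user."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if km == 0.0:
        return False, 0.0                 # same location: nothing to explain
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return True, math.inf             # moved with no time elapsed
    speed = km / hours
    return speed > max_kmh, speed


class SlidingWindowCounter:
    """Counts failed logins per key (an IP or an account) inside a sliding window."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def record(self, key, ts):
        """Record one failure at time ts; return True once the key exceeds the limit."""
        q = self._hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        return len(q) > self.limit


def evaluate(events, ip_limit=10, account_limit=10, window_s=600):
    """Replay events in time order and return (index, user, reason) findings."""
    ip_counter = SlidingWindowCounter(ip_limit, window_s)
    acct_counter = SlidingWindowCounter(account_limit, window_s)
    last_ok = {}          # user -> most recent successful LoginEvent
    findings = []
    for i, ev in enumerate(sorted(events, key=lambda e: e.ts)):
        if ev.success:
            prev = last_ok.get(ev.user)
            if prev is not None:
                flagged, kmh = impossible_travel(prev, ev)
                if flagged:
                    findings.append((i, ev.user, f"impossible_travel:{kmh:.0f}km/h"))
            last_ok[ev.user] = ev
        else:
            if ip_counter.record(ev.ip, ev.ts):          # suspicious IP throttling
                findings.append((i, ev.user, f"suspicious_ip:{ev.ip}"))
            if acct_counter.record(ev.user, ev.ts):      # brute force protection
                findings.append((i, ev.user, "brute_force"))
    return findings


# Constructed sample data: alice signs in from London, then from New York 30 minutes
# later; a single IP (documentation range) fails 12 logins against bob in one minute.
SAMPLE_EVENTS = [
    LoginEvent("alice", "198.51.100.5", 0.0, 51.5074, -0.1278, True),
    LoginEvent("alice", "198.51.100.9", 1800.0, 40.7128, -74.0060, True),
] + [
    LoginEvent("bob", "203.0.113.7", 100.0 + 5 * k, 52.5200, 13.4050, False)
    for k in range(12)
]

if __name__ == "__main__":
    for index, user, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {index:2d} user={user:6s} {reason}")
```

Running the module prints one impossible-travel finding for alice (roughly 5,570 km in half an hour) and, for bob, a suspicious-IP and a brute-force finding on the 11th and 12th failures. A production system would take coordinates from an IP geolocation database, persist the counters outside the process, and hand the findings to the MFA step-up or block decision rather than printing them.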

Combine Auth0 with AWS for defense in depth

Auth0’s bot protection and Identity security capabilities, together with AI-powered threat detection from AWS, bolster your organization’s defenses even further.

AWS provides a suite of services to detect anomalous behavior throughout your GenAI stack, whether you’re building business apps that use generative AI or protecting your systems against generative AI threats. Here are some of the solutions available from AWS:

Auto Scaling Groups

Auto Scaling Groups in AWS automatically adjust the number of AWS instances based on traffic demand – but they also help mitigate bot attacks by scaling resources to handle unexpected surges caused by malicious bot traffic.

AWS WAF (Web Application Firewall)

AWS WAF provides bot detection by analyzing incoming traffic. It helps protect web applications by filtering out harmful bot traffic before it reaches critical resources, reducing the risk of credential stuffing, scraping, and other automated attacks.

AWS Shield

AWS Shield defends against distributed denial-of-service (DDoS) attacks, including bot-driven attacks. AWS Shield Advanced offers enhanced protection by integrating with AWS WAF to detect and block sophisticated bot traffic targeting your applications.

Wrapping up

While AI is exacerbating the threat of bot attacks, it can also be leveraged in the fight against them.

That’s where Auth0 and AWS come in. Together, we provide a multi-layered security approach utilizing AI to protect every aspect of your user journey, ensuring only legitimate users gain access to your systems while blocking malicious automated activity. All in a way that minimizes user friction and reduces the load on DevOps and SecOps teams.

Learn more about Auth0 and AWS here.