Likely Bots
Last update:2026-03-25 18:14:10
Overview
Intelligently identify and manage stealth automated programs that mimic human behavior and are intended for business abuse, such as fake transactions, coupon hoarding, and scalping, or for data theft, such as scraping pricing, content, or user information. It supports one-click blocking, continuous monitoring, and secondary challenge verification, including JavaScript challenges and interactive challenges, to help strengthen business security while preserving the access experience for legitimate users.
Detection Logic
When the Likely Bots policy is enabled (Log, Deny, JavaScript Challenge, Interactive Challenge), the system utilizes a heuristics + machine learning engine to perform multi-dimensional inspection on access requests. Based on a comprehensive scoring system weighted across different dimensions, it outputs a Bot Score and Bot Tags.
- Bot Score: Each access request that passes through Bot detection generates a unique score—the higher the score, the more likely it indicates a Bot. For details, please refer to the Bot Score section in the related documentation.
- Bot Tags: Provides you with more information on why a particular Bot Score was assigned to a request, making subsequent analysis and traceability easier. For details, please refer to the Bot Tags section in the related documentation.
Requests with a score in the range of 80-99 are classified as Liekly Bots, indicating highly suspicious automated traffic.
Note: For this category of confirmed suspicious traffic (validated through extensive analysis across global traffic), the system supports Automated Protection policies. For example, it can automatically apply verification measures, such as interactive human verification challenges, or block the request directly. This helps defend against automated threats while reducing operational burden.
Traffic with scores below this range is more likely to come from legitimate human users. To avoid unnecessary impact on normal business operations and user experience, the system does not currently apply aggressive actions, such as automatic blocking, to this traffic, but continues to monitor it.
Likely Bots Detection Dimensions Include:
- IP Intelligence: Detection of cloud provider IPs, proxy IPs, and high-risk IPs based on threat intelligence.
- User Agent: Use of outdated browsers or operating systems, discrepancies between the client type stated in the request header and the User-Agent, forged User-Agents, etc.
- TLS Fingerprint: Detection of tool fingerprints, HTTP library fingerprints, browser fingerprinting, etc.
- Request Header Characteristics: Browser request header completeness, detection of abnormal keywords, etc.
- Group Behavior Characteristics: Detection of abnormal aggregation behaviors by malicious actors, including IP, User-Agent, fingerprint, access path, and more.
Response Actions
You can continuously Log, instantly Deny, or apply secondary challenge verification to Likely Bots, including JavaScript challenges and interactive challenges.
| Action | Description |
|---|---|
| Not Used | This policy will not be used for traffic inspection, and traffic will still flow into other inspection modules. |
| Log | Only log this type of request; the request will be forwarded as normal. |
| Deny | Deny the request and respond with 403. |
| JavaScript Challenge | Returns a JavaScript challenge page. The system will automatically detect whether the client is a real browser environment rather than an automated tool. The user is required to wait a few seconds to complete the challenge, and upon success, will be automatically redirected to the target request. |
| Interactive Challenge | Returns an interactive CAPTCHA page. The client must check a checkbox to complete verification. Upon successful validation, the policy restriction will be lifted. |
Steps
- Log in to the console and go to the subscribed security product page.
- Go to Security Settings–>Policies.
- Select the domain you wish to configure the security policy and click
to enter the Security Policy editing page. - Open the Bot Management tab and enable the master switch if it is turned off.
- Go to Likely Bots, directly set the response action, including Not Used, Log, Deny, JavaScript Challenge, or Interactive Challenge.
- Click Publish Changes at the bottom to publish the configuration. Changes take effect within 1–3 minutes.
Protection Recommendations
- If you want to maintain a good user experience and avoid blocking traffic too aggressively, JavaScript Challenge is recommended. The challenge is completed automatically without requiring user interaction. Users only need to wait a few seconds before access is granted.
- If you need a higher level of security, Interactive Challenge is recommended. Visitors must actively complete a page interaction, such as checking a box, to pass verification before they can continue.
- If you require the strongest level of protection and want to completely block malicious crawlers and scripts without giving them any opportunity to proceed, you can choose to “Deny” requests directly. This helps prevent malicious actors from bypassing challenge mechanisms, although a small number of false positives may occur. Use this option only when such impact is acceptable.