Support FAQ

What is a bot?

An internet bot is a software program that makes requests or takes actions online without a person driving each step. It might fetch pages, call APIs, submit forms, check prices, test logins, or monitor uptime. The automation is the defining feature. Whether the bot is useful or harmful depends on its purpose, behaviour, and whether the site owner has accepted that use.

This distinction matters because blocking all automation would break normal web operations. Search engines need crawlers. Monitoring tools need to test availability. Approved API clients need to move data between systems. At the same time, the same automation model can be used for credential stuffing, scraping, click fraud, spam, inventory hoarding, and Layer 7 denial of service.

Useful, abusive, and grey automation

Most bot decisions sit somewhere between a clean allow and a clear block. A search crawler that identifies itself, respects robots.txt, and keeps to a reasonable crawl rate is useful. A script testing stolen usernames and passwords against a login API is abusive. A competitive price crawler may not be attacking the site, but it can still drain bandwidth, distort analytics, or take commercial data the business does not want copied.

One practical way to classify bots is by the decision they deserve:

  • Allow useful automation such as verified search crawlers, uptime checks, approved API clients, and link preview services.
  • Manage grey automation such as aggressive SEO tools, partner feeds, AI crawlers, and comparison services with route rules, crawl limits, or commercial agreements.
  • Block or challenge abusive automation such as credential stuffing tools, fake account creation, spam, click fraud, scraper campaigns, scalper bots, and bot-driven DDoS traffic.

The category is not fixed forever. A legitimate crawler can become a performance problem if it ignores crawl limits. A bot claiming to be Googlebot may be a scraper spoofing the user agent. A partner integration can become risky if its credentials leak or it starts hitting routes outside its agreed scope.

How bots are built

Simple bots use HTTP libraries in languages such as Python, JavaScript, or Go. They send requests, parse responses, handle cookies, and repeat the workflow at a speed a human could not maintain. These bots are cheap to build and are common in scraping, account testing, and API abuse.

More capable bots use headless browsers or browser automation frameworks such as Playwright, Puppeteer, or Selenium. They can execute JavaScript, render dynamic pages, store session state, and follow multi-step flows. That makes them useful for legitimate testing, but also for attackers trying to make automation look like a normal browser session.

Attackers often add proxy networks and anti-detection tooling. Residential proxies make requests appear to come from ordinary home or mobile connections. Anti-detect browsers try to alter device, browser, TLS, and header signals so the bot does not look like a script. This is why a single IP address, user agent, or request count rarely tells the whole story.

Why bot traffic keeps growing

Automated traffic grows because the economics are simple. Cloud infrastructure is cheap, automation frameworks are easy to use, and leaked credentials, scraped data, ad inventory, gift cards, limited stock, and account access all have resale value. AI tooling also lowers the effort needed to create scripts, understand page flows, and adapt to errors.

For defenders, the impact is not only security. Bad bots can slow pages, increase origin load, contaminate analytics, burn advertising spend, lock out users, drain inventory, and force support teams into account recovery work. In account systems, a small number of successful automated logins can matter more than a large number of noisy failures.

Managing bots in practice

Effective bot management is a request decision, not a hunt for one magic signal. Useful evidence includes route, rate, user agent, headers, cookies, TLS and HTTP fingerprints, browser behaviour, API shape, credential risk, proxy status, account history, and what the request is trying to do.

The response should match the risk. A verified crawler can be allowed. A heavy but non-hostile crawler can be rate limited. An uncertain browser can be challenged. A credential stuffing run should be blocked or slowed before it reaches the login system. The aim is not to punish every unusual request. It is to keep useful automation working while making abusive automation expensive, visible, and easier to stop.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.