Questions to Ask Your Bot Detection Vendor Now

Enterprise leaders have a lot to consider when vetting bot and online fraud detection—from compatibility and ease-of-use to pricing transparency and support. But there are certain key questions that will help you identify the best protection for your business and customers. Forgetting to ask any of the following 6 questions might cost you time and resources later.

Key questions to ask your vendor:

1. How many PoPs do you have, and where are they located?
2. Do you provide real-time reporting of KPIs for each stakeholder?
3. Does your bot detection screen API Ajax traffic and protect against malicious API abuse without false positives?
4. What type of integrations does your product support?
5. Does your bot management leverage client-side detection, server-side detection, or both?
6. What endpoints is your product designed to protect (mobile app, website, API, etc.)?

1. How many points of presence (PoPs) do you have, and where are they located?

Right Answer:

Many, Widespread PoPs – For consistent, real-time availability, an enterprise-level solution should have a minimum of 20 PoPs, spread across several different regions.

Why it Matters:

Availability, Speed, UX – The more points of presence a vendor has and the more widespread their coverage, the better latency between your servers and their endpoints. Each region should be set up to provide high availability through autoscaling.

For example, DataDome has 25+ PoPs across North America, Europe, Asia, and beyond because our solution relies on real-time detection. Our server availability must match our customers’ capacity requirements and variations.

2. Do you provide real-time reporting of KPIs for each stakeholder?

Right Answer:

YES—Easily Accessible Real-Time Reporting – It is crucial to have live reporting that is easy to view and expand for details on demand, as well as KPI metrics for each stakeholder and timely event notifications.

Why it Matters:

KPI & ROI Tracking, Benchmarking, Troubleshooting – Efficient reporting tools provide proof the solution is working, as well as visibility into the most common threats to your enterprise, where they come from, when different attacks take place, and how your threats measure up to industry benchmarks.

Click image to request a live demo.

Enterprise users rave about our real-time dashboard because it shows all traffic, classified in real time, as well as KPI metrics like:

• Bot vs. Human Traffic
• Threat Analysis (Credential Stuffing, Card Cracking, Scraping, etc.)
• Breakdown of Traffic by Endpoint, Response Type, and Threat Type
• Real-Time False Positive Ratio to Monitor the Solution’s Performance

You also want to be able to easily share reports and investigate specific incidents to adjust your protection response (via custom rules) whenever necessary.

Your ability to drill down into every single request, access all collected signals, and understand the detection engine with machine learning (ML) explainability are all essential, and must be made easily available by your provider.

3. Does your bot detection screen API Ajax traffic and protect against malicious API abuse without false positives?

Right Answer:

YES—We Implement Client-Side Logic & Manage Ajax Calls for You – A true solution handles API Ajax/XHR traffic and automatically displays a CAPTCHA if a bot is detected, requiring no intervention from your team.

Why it Matters:

Your Time & Resources, Site/App Performance, CX – Some vendors leave it up to your team to code what happens in the event that an Ajax call comes from a malicious bot. This can be complex and costly for your organization, and can leave you vulnerable to suboptimal site performance.

4. What type of integrations does your product support?

Right Answer:

ALL the Integrations – Your solution should offer easy and quick server-side integrations (Cloudflare, Apache, Nginx, etc.), client-side integrations (JavaScript tag, SDK documentation for Android and iOS), integration with your CDN (CloudFront, Akamai, etc.), and third-party integrations (logs, apps, and SIEM/SOC). All integrations must provide the same capability: Detect and block malicious traffic.

Why it Matters:

Efficiency, Flexibility, Agility, Freedom – Easy integration is everything. It provides flexibility and agility for your organization, allowing your team to save time, streamline processes, and avoid getting trapped in a limited compatibility environment.

5. Does your bot management leverage client-side detection, server-side detection, or both?

Right Answer:

BOTH—Client & Server Side Detection – The solution must combine client-side and server-side integrations to enable full machine learning behavioral detection.

Why it Matters:

Full Protection, Advanced Threat Detection – Client-side and server-side integration are both crucial for running machine learning behavioral detection and protecting your application without human interaction. Installing a server-side module on your API allows the solution to collect HTTP information and enforce blocking decisions, while integrating a client-side module on mobile and web apps allows it to:

• Collect device properties and behavioral data (sensor data).
• Handle the display of the CAPTCHA to any visitor whose API was blocked by the server-side module.

6. What endpoints is your product designed to protect (mobile app, website, API, etc.)?

Right Answer:

ALL the Endpoints – A complete solution is built to safeguard every endpoint—mobile apps, websites, APIs, etc.—with unique machine learning models for account creation, login, cart, payment, etc. to ensure the most accurate level of 360° protection.

Why it Matters:

Full Protection, Risk & Vulnerability Avoidance – The security of your online ecosystem is only as strong as its weakest link. That means every endpoint must be fully secured with real-time bot protection. No wonder why enterprises say they are prioritizing mobile app and API bot protection in 2022, not just protecting their websites.

Don’t fall behind or put your business and customers at risk with a limited bot detection vendor that can’t cover all your current and future endpoints.

The Takeaway:

When a company chooses to switch to DataDome from a competing bot detection provider, it often comes down to how the other vendor answers one or more of the six questions above. Discuss these requirements with any bot protection vendor you consider—soon, so you don’t wind up regretting it later. If you’d like to explore how an ideal solution works, we offer a free 30-day trial, so you can see your threats and traffic in real time.