The history of the bot-mitigation industry, 2010-2026
Around 2010 there was no such thing as a bot-mitigation company. There were WAF vendors, there were CDNs with rate limiters, and there were the big DDoS-scrubbing shops. If you ran a website and a swarm of scripts was scraping your prices or stuffing stolen passwords into your login form, the answer was a rule you wrote yourself: block this user-agent, throttle this IP range, add a CAPTCHA. The signal everyone leaned on was the IP address and the User-Agent string, both of which an attacker controls completely. The defense was static, the attacker was adaptive, and the gap between them was wide open.
By 2026 that gap is the business model for a market worth somewhere north of three billion dollars a year. A handful of companies will sell you a JavaScript tag that fingerprints the browser at a depth the page author never sees, a server that scores every request in microseconds, and a cookie that carries a signed verdict between the two. Most of the names that built this from scratch no longer exist as independent companies. They were bought by CDNs, by application-delivery vendors, by a French defense conglomerate, and by each other. This post traces how that happened.
The route runs through five startups that defined the category between 2011 and 2015, the two infrastructure giants that decided detection belonged at the edge, and the consolidation wave from 2019 onward that folded most of the independents into larger platforms. It closes on 2026, where the question is no longer “bot or human” but whether an AI agent acting on a real customer’s behalf should be let through at all. The through-line is a steadily rising cost of imitation: every signal a defender adds is one more thing an attacker has to forge convincingly, and the list of signals has only grown.
2010-2013: the problem gets a name and a market
The thing that turned scraping and credential abuse from an IT annoyance into a fundable category was the realization that the attack traffic looked exactly like the legitimate traffic, on purpose. A scraper that sends a real Chrome User-Agent over a residential IP is, at the HTTP layer, indistinguishable from a shopper. Rate-limiting catches the lazy version of that attack and nothing else. Whoever could tell the two apart at scale had a product.
Distil Networks was the first to plant a flag. Founded in April 2011 in Arlington, Virginia, by Rami Essaid, Engin Akyol and Andrew Stein, it launched as a cloud service whose whole pitch was bot detection and mitigation rather than a feature bolted onto something else. The early customers were digital publishers worried about content theft, which tells you how the problem first showed up commercially: someone was scraping your articles and republishing them, and you wanted it stopped. Distil maintained a fingerprint database of known bad bots and tracked non-human traffic in real time. Over its life it raised around 60 million dollars from Foundry Group, Bessemer and others, and for a few years it was the name most people reached for when they said “bot management.”
The same year, on the opposite coast, Shape Security incorporated with a very different center of gravity. Its co-founder Sumit Agarwal had been Deputy Assistant Secretary of Defense at the Pentagon, where he watched attackers take passwords leaked from one breached site and replay them against unrelated sites to see which ones still worked. He gave that attack a name, credential stuffing, and the name stuck hard enough that it is now the standard term in every breach report. Shape positioned itself around fraud, not scraping. The company described inventing the “botwall” in 2011, and it went after the highest-value targets it could find: banks, airlines, large retailers, the places where a successful login was worth real money. That choice shaped its whole telemetry approach and, eventually, its billion-dollar exit.
It is worth being precise about the credential-stuffing date, because sources disagree. Several put Agarwal’s coinage around 2011, contemporaneous with his Pentagon tenure and the founding of Shape. What is not in dispute is that the term and the company came out of the same observation: password reuse is near-universal, breached credential dumps are enormous, and replaying them is cheap. Shape’s later research put the login success rate of a stuffing run at roughly two percent, which sounds small until you multiply it by a dump of a million credentials and get twenty thousand compromised accounts from one campaign.
A third strand was forming in ad fraud, which matters because it fed people and ideas into the broader anti-bot world. White Ops was founded in 2012, with the DNS researcher Dan Kaminsky among its founders, to fight fraudulent ad impressions generated by bot farms. Its public reputation came from two takedowns done with the FBI and Google: Methbot in 2016 and 3ve in 2018, the latter a scheme that at its peak ran across more than 1.7 million infected machines and counterfeited over 10,000 websites to manufacture billions of fake ad requests a day. White Ops was not a web-application bot vendor in the Distil sense, but its detection lineage and, later, its corporate shell both became central to the industry’s consolidation.
2014-2015: the client-side sensor and the all-in-one cloud
The first generation watched requests from the server side and matched them against signatures of known-bad behavior. The second generation moved the sensor into the browser itself, which is where the modern shape of the industry comes from.
PerimeterX, founded in San Mateo in 2014 by Omri Iluz, Ido Safruti and Ophir Ashkenazi, made the client-side bet explicit. Instead of fingerprinting bad bots from historical signatures that go stale the moment an attacker changes one header, it dropped a JavaScript tag on the page that collected behavioral and device signals directly: mouse movement, click and keystroke timing, device type, window size, fonts, and dozens more environmental tells. The idea was a dynamic behavioral fingerprint of the actual visitor rather than a static blocklist of past offenders. This is the pattern every modern vendor now follows. The tag runs in the browser, gathers signals the server can never see on its own, packs them into a payload, and ships them back for scoring.
DataDome took the opposite architectural emphasis at almost the same moment. Founded in Paris in 2015 by Benjamin Fabre and Fabien Grenier, it grew out of their previous company, which had used bot technology to analyze online conversations. Having sold that, they recognized the same techniques were being weaponized against digital businesses, and built a detection engine designed to make a decision on every single request, in real time, server-side, fast enough to sit inline in front of a live site. DataDome leaned on the speed and breadth of the first-request decision: even before any JavaScript runs, the server already has the IP, the full header set and order, the TLS handshake and the HTTP/2 frames to score against. The client-side signals refine that verdict; they do not gate it.
*The two vantage points every modern vendor combines. Server-side signals are available on the very first request and cost the attacker a forged network stack; client-side signals need code execution and cost the attacker a convincing browser.*
Kasada, founded in Sydney in 2015 by Sam Crowther, came at the same problem from the economics. Crowther had been a red-teamer at a large Australian bank and had seen how cheap it was to defeat conventional defenses. His design point was to make the attack expensive rather than merely to detect it. The Kasada client ships an obfuscated JavaScript payload that runs an asymmetric proof-of-work challenge in the browser, work that is cheap for one real visitor and punishing for an attacker trying to run millions of sessions. Alongside the cost imposition, the payload probes hard for the tells of automation frameworks and patched runtimes. The proof-of-work idea was not new to computer science, but using it as a primary anti-bot lever, rather than a CAPTCHA fallback, was a distinct bet on the attacker’s balance sheet. It is the bet that the rest of the industry has, in 2026, broadly come around to.
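The asymmetry the Kasada paragraph describes is easiest to see in code. What follows is an added example written for this post, not Kasada’s payload or anything derived from it: a hash-prefix proof of work in which the server spends one HMAC and one SHA-256 to verify what cost the client an expected 2^difficulty hashes to produce. The challenge format, the difficulty value and the `attacker_budget` hash rate are assumptions chosen for illustration; a real deployment binds the challenge to the session and rotates the secret.

```python
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # per-deployment secret; constructed for the example


def issue_challenge(secret: bytes, difficulty: int) -> dict:
    """Server: random nonce plus an HMAC over (nonce, difficulty). The tag lets the
    server recognise its own challenge later without storing it, and stops a
    client from lowering the difficulty field before solving."""
    nonce = os.urandom(16).hex()
    tag = hmac.new(secret, f"{nonce}:{difficulty}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "difficulty": difficulty, "tag": tag}


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: dict) -> tuple[int, int]:
    """Client: increment a counter until SHA-256(nonce:counter) has at least
    `difficulty` leading zero bits. Expected work is 2**difficulty hashes.
    Returns (counter, hashes_tried)."""
    nonce, difficulty = challenge["nonce"], challenge["difficulty"]
    counter = 0
    while True:
        digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter, counter + 1
        counter += 1


def verify(secret: bytes, challenge: dict, counter: int) -> bool:
    """Server: one HMAC and one SHA-256 whatever the difficulty. That constant
    cost against the client's exponential cost is the whole lever."""
    expected = hmac.new(secret, f"{challenge['nonce']}:{challenge['difficulty']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False  # not our challenge, or the difficulty field was tampered with
    digest = hashlib.sha256(f"{challenge['nonce']}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= challenge["difficulty"]


def attacker_budget(difficulty: int, sessions: int, hashes_per_second: float) -> float:
    """CPU-seconds an attacker needs to mint `sessions` solved challenges at an
    assumed hash rate. One real visitor pays 2**difficulty once; a scripted
    campaign pays it per session."""
    return (2 ** difficulty) * sessions / hashes_per_second


def demo(difficulty: int = 16) -> dict:
    challenge = issue_challenge(SERVER_SECRET, difficulty)
    t0 = time.perf_counter()
    counter, tried = solve(challenge)
    solve_seconds = time.perf_counter() - t0
    t0 = time.perf_counter()
    ok = verify(SERVER_SECRET, challenge, counter)
    verify_seconds = time.perf_counter() - t0
    return {"ok": ok, "hashes_tried": tried,
            "solve_seconds": solve_seconds, "verify_seconds": verify_seconds}


if __name__ == "__main__":
    r = demo()
    print(f"solved after {r['hashes_tried']} hashes in {r['solve_seconds']:.3f}s; "
          f"verified in {r['verify_seconds'] * 1e6:.0f} microseconds")
    print(f"1e6 sessions at 1e6 H/s: {attacker_budget(16, 1_000_000, 1e6):.0f} CPU-seconds")
```

The HMAC tag matters more than it looks: without it an attacker simply rewrites `difficulty` to 1 before solving. Real products also tie the challenge to the fingerprint and session so a solved token cannot be farmed once and replayed across many connections, which this sketch does not attempt.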
By the end of 2015 the category had its founding generation. Distil owned the early mindshare, Shape owned the high-value fraud accounts, PerimeterX championed the client-side sensor, DataDome championed the inline server-side decision, and Kasada championed cost imposition through proof-of-work. Each of those five emphases survives in the products of 2026, often inside the same product, because they turned out to be complementary rather than competing.
2016-2018: the edge providers move in
A startup selling a JavaScript tag has a structural problem. It sees only the traffic that reaches the customer’s origin, and it sits one hop away from the network where the most useful low-level signals live. The companies that already terminated TLS for half the internet did not have that problem. When Akamai and, a little later, Cloudflare decided bot detection belonged at the edge, the independents suddenly had very large competitors who could fingerprint the TLS handshake and the TCP stack natively.
Akamai launched Bot Manager in 2016 as a feature of its edge platform, initially aimed at scraping, content aggregation and the general nuisance traffic its customers already saw. Then in December 2016 it bought Cyberfend, a small machine-learning detection shop whose technology was already running on heavily-trafficked properties, and folded it in to produce Bot Manager Premier with a sharper focus on credential stuffing. That acquisition pattern, a big platform buying a small detection specialist to upgrade an existing product, became the template for the next eight years. The detail of how Akamai’s resulting system works, the _abck and bm_sz cookies, the sensor_data telemetry payload and the bot-score header, is covered in the history of Akamai Bot Manager; for the purposes of this story the point is that an edge giant now competed directly with the startups, with a network-level vantage they could not match.
Cloudflare’s move was slower and more public, in keeping with its habit of writing up its own engineering. Its Bot Management product onboarded its first machine-learning model in 2018, trained initially on common bot user-agents, and the company has documented its detection stack in unusual detail since. By 2020 it described five complementary mechanisms running together: a set of gradient-boosted machine-learning models built on the CatBoost library scoring requests in well under a millisecond, a heuristics engine added in 2019 that the company said classified roughly 15 percent of all global traffic as bots, an unsupervised behavioral-analysis layer for bots never seen before, a verified-bots system that lets the likes of Googlebot through after reverse-DNS and ASN checks, and a JavaScript fingerprinting challenge. The output is a single bot score from 1 to 99. The internals of that scoring path are the subject of Cloudflare Bot Management scoring; what matters here is the architecture, because the same five-part structure of network signals, behavioral models, a known-good allowlist and a browser challenge now describes essentially every serious vendor.
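The verified-bots mechanism in that list is the one piece of the stack that is a fixed protocol check rather than a model, so it is worth showing in full. The example below is written for this post, not Cloudflare’s implementation: a forward-confirmed reverse DNS check, where the PTR name must fall under a domain the crawler operator publishes and that name’s forward records must include the original IP. The resolver tables and the IP addresses are constructed so the code runs offline; in production the lookups are real DNS queries with timeouts and caching, and the ASN check the text mentions is a further gate this sketch omits.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Domains under which each crawler's reverse names are published by its operator.
# A starting point for the example, not an authoritative list.
VERIFIED_CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

# Constructed resolver tables standing in for PTR and A/AAAA lookups.
PTR_TABLE = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",    # genuine pattern: PTR and forward agree
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",    # attacker's own PTR points at Google's name
    "203.0.113.8": "crawl.googlebot.com.evil.example",   # suffix trick
    "198.51.100.5": "host-5.example-isp.net",            # ordinary host sending a Googlebot UA
}
FORWARD_TABLE = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "crawl.googlebot.com.evil.example": {"203.0.113.8"},
    "host-5.example-isp.net": {"198.51.100.5"},
}


def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def table_forward(hostname: str) -> set:
    return FORWARD_TABLE.get(hostname, set())


def hostname_under(hostname: str, domains: Iterable[str]) -> bool:
    """Label-wise suffix match: 'x.googlebot.com' matches, 'xgooglebot.com' and
    'googlebot.com.evil.example' do not, and the apex itself is not a crawler host."""
    labels = hostname.lower().rstrip(".").split(".")
    for domain in domains:
        dl = domain.lower().split(".")
        if len(labels) > len(dl) and labels[-len(dl):] == dl:
            return True
    return False


def is_verified_crawler(ip: str, claimed: str,
                        ptr_lookup: Callable[[str], Optional[str]] = table_ptr,
                        forward_lookup: Callable[[str], set] = table_forward) -> bool:
    """Forward-confirmed reverse DNS. The User-Agent can claim anything and the
    PTR record is under the sender's control; only the forward lookup of the
    crawler operator's own zone is something the claimant cannot forge."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    domains = VERIFIED_CRAWLER_DOMAINS.get(claimed.lower())
    if not domains:
        return False
    hostname = ptr_lookup(ip)
    if hostname is None or not hostname_under(hostname, domains):
        return False
    return ip in forward_lookup(hostname)


def classify(ip: str, user_agent: str) -> str:
    """The three-way split the text describes: a verified bot is eligible for the
    allowlist, an impersonator is a strong bad-bot signal, and everything else
    goes on to the scoring models."""
    ua = user_agent.lower()
    for name in VERIFIED_CRAWLER_DOMAINS:
        if name in ua:
            return "verified-bot" if is_verified_crawler(ip, name) else "impersonator"
    return "no-crawler-claim"
```

The second table entry is the case that matters: anyone can set the PTR of their own address space to a name ending in googlebot.com, which is why a reverse lookup alone is worthless and the forward confirmation is not optional. Note also that a request failing this check is a better bot signal than most, since a genuine browser never claims to be Googlebot.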
*The independents clustered into a four-year founding window, then exited across a four-year consolidation window. The orange points are acquisitions, not foundings.*
This period also settled what the signals actually are. Server-side, the durable fingerprints turned out to live below HTTP: the exact bytes and ordering of the TLS ClientHello, captured as JA3 and later JA4, and the HTTP/2 SETTINGS frame and pseudo-header order, which together expose whether the thing claiming to be Chrome actually shares Chrome’s network stack. A Python requests script with a real Chrome User-Agent fails both checks instantly: its ClientHello comes from OpenSSL rather than Chrome’s BoringSSL, and it does not speak HTTP/2 at all. Client-side, the durable fingerprints are the rendering quirks of canvas and WebGL, the contents of the navigator object, and the long tail of properties that headless Chrome historically got wrong. None of these are documented by the vendors as a field-by-field spec, and where this post discusses a specific payload the exact layout is inferred from researcher write-ups and the vendors’ own product docs rather than published internals. The point is the trend, and the trend is that the number of things you have to forge convincingly went from roughly two in 2010 to several hundred by 2018.
2019: the consolidation wave opens
Two deals in the second half of 2019 turned the independent-startup era into an acquisition era, and they happened within weeks of each other.
In July 2019, Imperva acquired Distil Networks. Imperva was an established, formerly public application-security company, and Distil was only its fifth acquisition since 2002, which the company itself framed as a signal of how serious automated abuse had become. Distil’s bot-management product became Imperva’s bot capability and was eventually rebranded under the Imperva line. The first of the founding generation had been absorbed into a WAF vendor that wanted bots as a checkbox alongside its core application firewall.
Then in December 2019, F5 announced it would buy Shape Security for roughly one billion dollars in cash, closing the deal in early 2020. This was the big one. Shape had spent eight years building telemetry around the highest-value fraud targets, and by the time of the acquisition F5 cited numbers that explain the price: Shape’s platform was blocking up to a billion fraudulent transactions a day, protecting 200 million legitimate logins, running a mobile SDK on more than 200 million devices, and defending more than half of all online banking in North America. F5 terminated traffic for a huge share of enterprise applications and wanted fraud detection riding on that flow. The product became F5 Distributed Cloud Bot Defense, and Shape’s telemetry approach lives on inside it; F5 Shape Defense covers what that JS agent collects. A billion dollars for an eight-year-old company told every remaining independent and every potential acquirer exactly what this category was worth.
The logic underneath both deals is the same one that drove Akamai and Cloudflare to build natively. Bot mitigation is most effective when it sits inline at the point where traffic is already being terminated and inspected, and it is most valuable when bundled with the WAF and API protection a customer is already buying. A standalone JavaScript tag is a feature in search of a platform. The platforms went shopping.
2020-2022: rebrands, mergers, and the fraud convergence
The next chapter is the one where the ad-fraud lineage and the web-application lineage merged, both in name and in fact.
White Ops renamed itself HUMAN Security in early 2021. The new name fit the product question: whether the entity behind a request was a human being. Its differentiator was the scale of signal it saw across the advertising ecosystem it had grown up policing. Then in July 2022, HUMAN and PerimeterX announced a merger. PerimeterX brought the client-side application-security sensor and the account-abuse and carding defenses; HUMAN brought the ad-fraud detection and the collective-signal network built from watching trillions of interactions. The combined company kept the HUMAN name, with HUMAN’s Tamer Hassan as CEO and PerimeterX’s Omri Iluz as president of the enterprise-security business. The merged entity reported more than 450 employees and over 100 million dollars in annual recurring revenue, backed by a 100 million dollar growth round and a matching debt facility from Blackstone Credit.
That merger is the cleanest illustration of a convergence that had been coming for years. Web scraping, credential stuffing, fake-account creation, scalping, and ad fraud are technically the same problem wearing different hats. They are all automation pretending to be a person, and the same signals that catch a scraper catch a credential-stuffer. The walls between “bot management,” “fraud prevention” and “ad verification” were always somewhat arbitrary, and by 2022 the vendors stopped pretending otherwise. The rebrand from PerimeterX to HUMAN and what changed underneath is detailed in the PerimeterX to HUMAN rebrand.
Meanwhile the holdouts stayed independent and grew. DataDome closed a 35 million dollar Series B in 2021 led by Elephant and a 42 million dollar Series C in 2023 led by InfraVia, keeping its single-product, inline, server-side-first identity intact while most of its early peers were being absorbed. The depth of DataDome’s first-request model, the ddjskey JavaScript tag, the cookie lifecycle and the scoring pipeline, is the subject of a cluster of posts including DataDome’s detection model and the DataDome scoring pipeline. Kasada, similarly, stayed its own company, raising additional rounds led by EQT and others and continuing to push the proof-of-work-and-anti-instrumentation approach documented in Kasada’s KPSDK. The lesson of these two is that a focused, well-engineered independent could still win deals against the bundled platforms, precisely because some customers wanted the best detection rather than the most convenient bundle.
2023: a defense conglomerate buys in
The consolidation reached its strangest milestone in 2023, when the chain of ownership ran all the way up to a state-adjacent defense contractor.
Imperva, which bought Distil in July 2019, had itself been taken private by Thoma Bravo in January of that year. In July 2023, Thales agreed to buy Imperva from Thoma Bravo for approximately 3.6 billion dollars, and the deal closed in December 2023, ahead of schedule. Thales is a French aerospace and defense group, and Imperva was its second-largest acquisition ever after Gemalto, the move that put its cybersecurity arm among the larger players globally. So the bot-detection technology that started as Distil, a content-theft tool for digital publishers in 2011, now sits inside a company that also builds avionics and signals-intelligence systems. The journey from a startup protecting news articles to a line item in a defense conglomerate’s data-security division took twelve years.
By the end of 2023 the map looked roughly like this. F5 owned Shape. HUMAN owned PerimeterX. Thales owned Imperva, which owned Distil. Akamai had Bot Manager, built on Cyberfend. Cloudflare had its homegrown stack. Google had reCAPTCHA, which had quietly become one of the most widely deployed bot signals on the internet through its v3 risk-scoring model. And DataDome and Kasada remained independent. The founding generation of five was down to two still standing alone, and the category had stopped being a market of pure-play startups and become a set of features inside larger security and infrastructure platforms.
*The five founding independents reduced to two. The orange boxes are the acquirers that did the consolidating.*
2024-2026: from “bot or not” to agent trust
The shape that held for a decade started to crack in 2024, and the thing cracking it was the AI agent.
For fifteen years the question a bot-mitigation system answered was binary, then ternary. First it was “bot or not.” Then, as legitimate bots like search crawlers and monitoring tools became important to let through, it became “good bot, bad bot, or human.” Both of those assume the only thing you ever want to let through unattended is a known crawler with a stable identity you can verify by reverse DNS. The arrival of capable LLM-driven agents broke that assumption. An AI agent booking a flight or filling a cart is automation, it does not look like Googlebot, and it may be acting legitimately on a real customer’s behalf. Blocking it is sometimes the wrong answer, and a system that can only say “human or bot” cannot tell the difference between an agent doing a user’s bidding and a scraper stealing inventory.
Forrester made the rename official. In October 2025 it retired the “bot management” category name and introduced “bot and agent trust management,” defining the software as something that analyzes the intent of automated traffic, builds ongoing trust relationships with good bots and agents, and rejects or misdirects malicious ones. The operative word is intent. It is no longer enough to know that a request came from an AI agent; you have to know whether that agent is acting for a particular customer or partner you already have a relationship with. The market that began by asking whether traffic was automated now has to ask whether automation is authorized, which is a different and harder question.
That shift connects to a parallel effort to give good automation a verifiable identity rather than forcing it to masquerade as a browser. Work on signed-agent and bot-authentication schemes is moving through the standards community, building on HTTP Message Signatures (RFC 9421), the idea being that a legitimate agent should be able to prove who it is with a cryptographic signature over its requests instead of being fingerprinted into a corner. If that takes hold, the long-running cat-and-mouse of fingerprinting and forgery gets a relief valve for the cases where both sides actually want the automation to succeed. The adversarial core does not go away, because scrapers and fraudsters will never volunteer a verifiable identity, but the population of “good automation” gets a way out of the fingerprinting arms race.
The detection internals, meanwhile, kept deepening along the lines set in the 2010s. The durable server-side signals in 2026 are still TLS and HTTP/2 fingerprints, now stressed by two developments. Chrome began randomizing its TLS extension order, which broke the original JA3 hash and forced the migration to JA4 and its relatives. And the rollout of post-quantum key exchange, with the X25519MLKEM768 hybrid becoming common in browser handshakes, changed the byte-level shape of the ClientHello that every fingerprinting system keys on. Client-side, the detection of automation frameworks moved from checking a handful of navigator.webdriver-style flags to probing the Chrome DevTools Protocol itself, including the well-known Runtime.enable leak that betrays an instrumented browser. The signal count keeps rising, and the cost of convincingly imitating a real human session keeps rising with it. That is the whole game, compressed: every signal added is a tax on imitation, and the bill has only gone up.
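The two server-side developments in that paragraph, and the TLS and HTTP/2 fingerprints introduced in the 2016-2018 section, can be reproduced on constructed data. The example below is written for this post and is not any vendor’s code: a JA3 string and hash built per the public JA3 definition, a simplified JA4-style hash that keeps only the sorted-cipher and sorted-extension sections of the published JA4 format, and an Akamai-style HTTP/2 fingerprint string. The Chrome-like ClientHello values are constructed to mirror public write-ups rather than captured from a specific Chrome build; the hybrid group id for X25519MLKEM768 (0x11EC) is taken from the IETF draft. The two behaviours to watch are that reordering extensions moves JA3 but not the JA4-style hash, and that advertising the post-quantum group moves JA3 (which hashes supported_groups) but not the JA4-style sections (which do not).

```python
import hashlib
from dataclasses import dataclass, replace

# GREASE values (RFC 8701) are random per connection and dropped by every
# fingerprint: 0x0a0a, 0x1a1a, ..., 0xfafa.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


@dataclass(frozen=True)
class ClientHello:
    """The ClientHello fields a passive fingerprint reads (constructed values)."""
    version: int            # 771 = TLS 1.2 legacy_version, as JA3 records it
    ciphers: tuple          # cipher suite ids in wire order
    extensions: tuple       # extension type ids in wire order
    groups: tuple           # supported_groups ids
    point_formats: tuple    # ec_point_formats
    sig_algs: tuple         # signature_algorithms ids in wire order


def _no_grease(values):
    return [v for v in values if v not in GREASE]


def ja3_string(h: ClientHello) -> str:
    """JA3 keeps wire order, so any new extension order yields a new value."""
    parts = [str(h.version)]
    for field in (h.ciphers, h.extensions, h.groups, h.point_formats):
        parts.append("-".join(str(v) for v in _no_grease(field)))
    return ",".join(parts)


def ja3_hash(h: ClientHello) -> str:
    return hashlib.md5(ja3_string(h).encode()).hexdigest()


def ja4_style_hash(h: ClientHello) -> str:
    """Simplified JA4 (b and c sections only): ciphers and extensions sorted before
    hashing, SNI (0) and ALPN (16) excluded from the extension list, signature
    algorithms appended in wire order, each SHA-256 truncated to 12 hex chars.
    The real JA4 adds a readable prefix (protocol, version, counts, first ALPN)
    and, like this reduction, does not hash supported_groups."""
    ciphers = sorted(_no_grease(h.ciphers))
    exts = sorted(v for v in _no_grease(h.extensions) if v not in (0, 16))
    b = hashlib.sha256(",".join(f"{v:04x}" for v in ciphers).encode()).hexdigest()[:12]
    c_input = ",".join(f"{v:04x}" for v in exts) + "_" + ",".join(f"{v:04x}" for v in h.sig_algs)
    c = hashlib.sha256(c_input.encode()).hexdigest()[:12]
    return f"{b}_{c}"


def h2_fingerprint(settings, window_update, priority_frames, pseudo_header_order) -> str:
    """Akamai-style HTTP/2 fingerprint: SETTINGS in the order sent, the
    connection-level WINDOW_UPDATE increment, PRIORITY frames (0 if none) and the
    pseudo-header order of the first request (m=:method, a=:authority,
    s=:scheme, p=:path)."""
    s = ";".join(f"{k}:{v}" for k, v in settings)
    p = ",".join(f"{sid}:{excl}:{dep}:{w}" for sid, excl, dep, w in priority_frames) or "0"
    return f"{s}|{window_update}|{p}|{','.join(pseudo_header_order)}"


CHROME_LIKE = ClientHello(
    version=771,
    ciphers=(0x1A1A, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392,
             49171, 49172, 156, 157, 47, 53),
    extensions=(0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513),
    groups=(0x2A2A, 29, 23, 24),
    point_formats=(0,),
    sig_algs=(1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537),
)

X25519MLKEM768 = 0x11EC  # hybrid PQ group id, draft-ietf-tls-ecdhe-mlkem


def reorder_extensions(h: ClientHello) -> ClientHello:
    """Stands in for Chrome's per-connection extension shuffle (reversed here;
    Chrome randomizes, but any new order has the same effect on JA3)."""
    return replace(h, extensions=tuple(reversed(h.extensions)))


def add_pq_group(h: ClientHello) -> ClientHello:
    """A browser advertising X25519MLKEM768 ahead of X25519 after the GREASE slot."""
    return replace(h, groups=(h.groups[0], X25519MLKEM768) + h.groups[1:])


if __name__ == "__main__":
    for label, h in (("base", CHROME_LIKE), ("shuffled", reorder_extensions(CHROME_LIKE)),
                     ("pq", add_pq_group(CHROME_LIKE))):
        print(f"{label:9} ja3={ja3_hash(h)} ja4-style={ja4_style_hash(h)}")
    # Constructed Chrome-like and script-like HTTP/2 behaviour for comparison.
    print(h2_fingerprint([(1, 65536), (2, 0), (4, 6291456), (6, 262144)], 15663105, [], "masp"))
    print(h2_fingerprint([(3, 100), (4, 1048576)], 0, [], "mpsa"))
```

The practical lesson is that a defender who pinned JA3 hashes in 2022 saw every Chrome visitor become “unknown” overnight when the shuffle shipped, while an attacker who had forged a single JA3 stopped matching the real thing just as fast. The HTTP/2 line is independent of TLS and catches a different class of impersonator: a client that bolts a Chrome ClientHello onto a library that negotiates different SETTINGS or orders pseudo-headers differently.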
What the history actually shows
The clean story is that an industry matured and consolidated, which is true but not the interesting part. The interesting part is that nobody bought these companies for their brands. F5, Akamai, Imperva and Thales bought detection capability and, more than that, bought telemetry, the accumulated view across millions of sites and billions of daily interactions that lets a model say “this exact behavior pattern showed up on forty other customers last hour and it was a credential-stuffing tool.” A bot-mitigation product is only as good as the breadth of traffic it learns from, which is why the edge providers had a structural advantage and why the acquirers paid for installed base as much as algorithms. The moat was never a clever fingerprint. It was the data exhaust of everyone else’s traffic.
The second thing the history shows is how stable the technical core has been under all the corporate churn. The signals that mattered in 2015, the network-stack fingerprint below HTTP and the browser-environment fingerprint above it, are the same signals that matter in 2026, just measured more precisely and combined with behavioral models that did not exist a decade ago. Kasada’s 2015 bet that the right lever is the attacker’s cost, not merely detection, is now conventional wisdom across the field. The arms race did not produce a winner; it produced a steadily rising price of admission for anyone who wants to pass as human, paid request by request, on a cycle that has run for fifteen years and shows no sign of finding a stable equilibrium.
And the third thing, the one visible only from 2026, is that the binary that named the whole industry is dissolving. A category called “bot management” assumed automation was the enemy and a human was the customer. The customer is increasingly an agent the human sent, the question has shifted from detection to authorization, and the companies that spent a decade learning to tell humans from bots now have to learn to tell authorized automation from the other kind. The fingerprint that catches a scraper still catches an agent, which is exactly the problem. Telling them apart is the next decade’s work, and it is not obvious that the tools built to answer “bot or not” are the right tools to answer “allowed or not.”
Sources & further reading
- VentureBeat (2019), Imperva acquires Distil Networks to thwart bot attacks — the July 2019 acquisition, Distil’s founding by Essaid, Akyol and Stein, and its ~$60M raised.
- F5 (2019), F5 to Acquire Shape Security — the ~$1B deal, Shape’s botwall claim, and the transaction and banking-coverage figures F5 cited.
- TechCrunch (2019), F5 acquires Shape Security for $1B — independent reporting on the December 2019 announcement and the strategic rationale.
- Wikipedia (2024), Credential stuffing — the term’s origin with Sumit Agarwal of Shape, the ~2% success rate, and the password-reuse statistics.
- HUMAN Security (2022), HUMAN and PerimeterX unite in market-changing merger — the July 2022 merger, leadership, headcount and ARR.
- TechCrunch (2022), Human Security merges with PerimeterX — White Ops history, the 2021 rebrand to HUMAN, and PerimeterX’s 2014 founding.
- Akamai (2016), Akamai Acquires Cyberfend — the December 2016 deal and Bot Manager’s pre-acquisition scope.
- Cloudflare (2020), Cloudflare Bot Management: machine learning and more — the five-mechanism detection stack, CatBoost models, the 2019 heuristics engine and the 1-99 bot score.
- TechCrunch (2023), Thales enters app security market with $3.6B Imperva acquisition — the 2023 Thales-Imperva deal that placed Distil’s lineage inside a defense group.
- DataDome / TechCrunch (2023), DataDome raises $42M Series C — DataDome’s 2015 founding by Fabre and Grenier and its funding history as a holdout independent.
- SecurityWeek (2021), Kasada Raises $20 Million for Anti-Bot Expansion — Kasada’s Sydney origin under Sam Crowther and its proof-of-work approach.
- Forrester (2025), Bot Management Graduates: Introducing Bot and Agent Trust Management — the October 2025 category rename and the move from detection to agent intent and trust.
- OWASP, Automated Threats to Web Applications — the vendor-neutral OAT taxonomy that gave the industry a shared vocabulary for automated abuse.
Further reading
The history of Akamai Bot Manager: from the 2016 Cyberfend acquisition to today
Traces Akamai Bot Manager from its February 2016 debut and the December 2016 Cyberfend acquisition through Bot Manager Premier, Account Protector, Content Protector, and the v3 sensor era as it stands in 2026.
PerimeterX to HUMAN: the rebrand and what changed under the hood
Traces how PerimeterX became part of HUMAN Security through the July 2022 merger, the White Ops lineage behind that name, and which parts of the bot-detection stack actually changed versus which were only relabelled.
The economics of anti-bot vendors: how detection-as-a-service is priced and sold
Traces how bot-mitigation is packaged and sold: per-request and per-domain pricing, enterprise floors, the consolidated vendor market, the merger history that shaped it, and the buy-versus-build math behind a detection contract.