How each bot-management system decides what to block, and what IP class legitimate large-scale data collection tends to require. Read-only technical reference - never a per-site bypass.
Enterprise bot management at the CDN edge
Akamai Bot Manager is an enterprise bot management product delivered through Akamai's global CDN edge platform, meaning detection runs at the edge server before a request ever reaches the site's origin. Because Akamai already fronts a large share of major e-commerce, travel, and classifieds sites, Bot Manager is one of the most commonly encountered enterprise defenses - in our registry it appears on 46 of the sites we checked, including marketplaces and classifieds such as eBay, AliExpress, Autotrader, Rakuten, and realestate.com.au. It is a managed, continuously updated detection layer rather than a single challenge page, and site operators tune how aggressively it responds.
CDN with bot management & challenge layer
Cloudflare Bot Management is the bot detection and mitigation layer built into Cloudflare's CDN and reverse-proxy platform, so it inspects every request at the network edge before traffic ever reaches the origin server. Because Cloudflare fronts a large fraction of the public web, this is one of the most commonly encountered anti-bot systems; in our registry it appeared on 33 of the sites we checked, including large consumer marketplaces and delivery platforms such as Cars.com, Carvana, Crunchbase, Uber Eats, and DoorDash. It combines network-level reputation, client fingerprinting, machine-learning scoring, and a managed challenge system into a single enforcement point.
Enterprise bot defense & fraud prevention
HUMAN (formerly PerimeterX) is an enterprise bot defense and fraud prevention platform whose Bot Defender product protects web, mobile app, and API traffic. It integrates at the edge - via CDN workers, reverse-proxy middleware, or SDKs - and pairs that server-side enforcement with a client-side JavaScript sensor that collects telemetry from every visitor. It is widely deployed on large retail, e-commerce, and real estate properties, which is consistent with its presence on multiple high-traffic sites in our registry.
Enterprise bot & online-fraud protection
DataDome is an enterprise bot and online-fraud protection platform that sits inline in front of websites, mobile apps, and APIs, evaluating every request in real time at the edge. It deploys as modules or integrations at the CDN, web server, or application layer, plus SDKs for native mobile apps, and returns an allow, challenge, or block decision within milliseconds. It is especially common on European e-commerce, classifieds, and marketplace properties - in our registry it appears on sites such as Leboncoin, Allegro, Etsy, Idealista, and Fnac.
Bot mitigation with client interrogation
Kasada is a commercial bot mitigation platform that protects websites, mobile apps, and APIs by interrogating the client before traffic reaches the origin. It deploys inline at the edge - via CDN integration, reverse proxy, or native SDKs for mobile - so every request can be vetted before application logic runs. Its signature approach is deep client interrogation with an invisible-by-default posture, relying on silent inspection rather than user-facing puzzles in the normal flow.
CAPTCHA / risk-scoring challenge layer
Google reCAPTCHA is Google's widely deployed CAPTCHA and risk-scoring service, embedded by site owners as a JavaScript widget or invisible script on forms, logins, signups, and other sensitive flows. It sits at the application layer as a challenge and scoring gate: the protected site receives a token or score from Google and decides server-side whether to allow, add friction to, or reject the request. It appears across many verticals, including sites in our registry such as Funda, Resy, and LinkedIn.
CAPTCHA / challenge layer
hCaptcha is a CAPTCHA and challenge service that websites embed at sensitive interaction points - logins, signups, form submissions, checkouts - to distinguish human visitors from automated clients. It is operated as an independent alternative to Google reCAPTCHA and is used across a wide range of consumer platforms, either directly by site owners or through integrations with edge and bot-management layers. Beyond the familiar image-labeling puzzles, it offers passive and invisible modes plus an enterprise tier where the challenge is only one output of a broader risk-scoring system.
Virtual waiting room / traffic gating
Queue-it is a virtual waiting room platform that sits in front of a website or specific high-demand pages, typically during product launches, ticket onsales, and registration events. Instead of letting a traffic spike hit the origin directly, it redirects visitors into a managed queue and releases them back to the site at a controlled rate. It is best understood as traffic gating and fairness infrastructure rather than a classic WAF-style blocker, though it layers bot-mitigation features on top of the queue.
WAF with advanced bot protection
Imperva (historically Incapsula) is an enterprise cloud security platform that combines a web application firewall, CDN, DDoS mitigation, and advanced bot protection, the latter built in part on technology from Imperva's acquisition of Distil Networks. It deploys as a reverse proxy in front of the origin: a site's DNS points at Imperva's edge network, so every request is inspected and classified before it can reach the protected application. It is common on enterprise, e-commerce, financial, and reservation-style properties, and appears in our registry on sites such as Resy.
Web application firewall with bot control
AWS WAF is Amazon Web Services' managed web application firewall. Site operators attach it to AWS edge and origin services such as CloudFront distributions, Application Load Balancers, and API Gateway, where it evaluates every HTTP request against a configurable web ACL before the request reaches the application. Its optional Bot Control managed rule group extends the base firewall from generic request filtering into dedicated bot detection and mitigation.
Where this comes from. Each technology is documented from how it is publicly known to work plus which sites in the registry were observed running it, reviewed July 2026.
Responsible use. This describes the defenses that exist, not how to defeat them. Respect each site's robots.txt, Terms of Service and applicable law.
Browse the full site registry to see what any popular site runs, hand the target to Data Works, or run it yourself on real 4G/5G carrier IPs.