Defending Against Bot Attacks: Art of War

12 min readMay 18, 2020

Whether you are building a large application, or a small form for your running club, bot attacks are an annoying reality. If you’ve found your way to this page, it’s likely that your beloved sites and APIs are under some form of attack. I’ve written this guide to teach you some of the defensive moves I’ve learned over the last decade working as a software engineer for security companies (BlackBerry), companies with large volume bot detection issues (Facebook) and most recently a small startup with direct security focus (UnifyID).

Understand the Terrain / Vocabulary

Quickly square on some definitions that I’ll use below. If your use case doesn’t fit into these definitions, this post may not help you, however feel free to comment below as I’d like to include most variations in my guide.

  • You — The reader of this document. I’ve written it so that it should be useful for software developers like myself, but made it simple enough that brave PM’s or non-engineering types should be able to understand ;)
  • App — You’ve got an app, whether it is a Web-App, a Desktop App, a Mobile App or some combination.
  • Data — Your app needs this to function, and it’s either too dynamic, user specific, private, or too large to bundle with your app
  • API — This is the battlefield. Your App needs to get to your data, and so it must travel the Internet to get it. Your API is the gate that protects your data and ideally…




Kevin Lohman, Software Engineer, Father, Story Teller, and former US Navy Sailor (who never set foot on a ship)