Detection Engine

Multi-Wave Detection With Explicit Escalation

StyloBot does not market a single magic detector. It combines cheap protocol checks, behavioral evidence, cross-request correlation, and optional deeper analysis into one runtime decision.

The open-source stack is enough to evaluate real production traffic. Enterprise layers add more control, persistence, and operational reach.

  • Self-hosted: runs in your VPC, your data stays there
  • Full decision trace: signals, deltas, action, policy
  • 49 detectors: layered protocol + behavior signals
  • Privacy-aware: HMACed IDs + stripped UAs

Wave 1

Protocol and Signature Checks

User-Agent and Known Tool Matching (<1ms)

Catch obvious automation, scanners, and commodity scraping tools before the runtime spends time on subtler questions.

Pattern Match · Recon Tools

Header and Browser Fingerprint Validation (<1ms)

Compare what the client claims to be with the headers and browser behaviour it presents. Spoofing usually leaks somewhere.

Header Logic · Client Shape

Infrastructure Signals (<1ms)

Datacenter IP ranges, stale versions, and hostile-source indicators help separate likely automation from ordinary consumer traffic.

Datacenter · Version Age

Wave 2

Behavior and Consistency

Request Sequence Analysis (1-5ms)

Examine cadence, transitions, and per-session flow. Real users browse with friction and variation; bots tend to reveal a program.

Cadence · Transitions

Cross-Signal Inconsistency (1-5ms)

Catch impossible combinations such as mismatched OS, browser, protocol, or client capability claims. Bots often forge one layer and forget the rest.

Correlation · Sanity Check

Browser Execution Proof (Client-Side)

Optional client-side checks help distinguish a real browser from a headless impersonator when the application can support that signal.

JavaScript · Headless Gaps

Wave 3

Aggregation and Escalation

Heuristic Aggregation (<1ms)

The main runtime combines detector output into bot probability, confidence, and risk band. This is the decision core that keeps the hot path fast and explainable.

  • Detector contributions stay visible.
  • Confidence is separate from probability.
  • Reputation can promote repeat offenders into the fast path.
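
The aggregation step described above, sketched as an added example; this is not StyloBot's own code. The detector names, the log-odds model, the prior and the thresholds are all assumptions chosen to show why confidence is tracked separately from probability.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    detector: str   # hypothetical detector name
    delta: float    # log-odds push: > 0 toward bot, < 0 toward human
    weight: float   # trust in this detector, 0..1

def aggregate(signals, prior=0.2):
    """Fold detector deltas into probability, confidence, action and a trace."""
    logit = math.log(prior / (1 - prior))
    trace = []
    for s in signals:
        contribution = s.delta * s.weight
        logit += contribution
        trace.append((s.detector, round(contribution, 3)))  # stays visible
    probability = 1 / (1 + math.exp(-logit))
    # Confidence tracks how much evidence was weighed, not which way it points.
    confidence = 1 - math.exp(-sum(s.weight for s in signals))
    if probability >= 0.8 and confidence >= 0.6:
        action = "block"
    elif probability >= 0.4:
        action = "escalate"  # borderline, or bot-like on thin evidence
    else:
        action = "allow"
    return {"probability": round(probability, 4),
            "confidence": round(confidence, 4),
            "action": action, "trace": trace}

# Constructed sample requests; detector names and numbers are illustrative.
SCRAPER = [Signal("ua_tool_match", 3.0, 0.9),
           Signal("datacenter_ip", 1.5, 0.6),
           Signal("request_cadence", 2.0, 0.7)]
THIN_EVIDENCE = [Signal("header_mismatch", 6.0, 0.5)]
BROWSER = [Signal("js_execution_proof", -2.0, 0.8),
           Signal("request_cadence", -1.0, 0.7)]

if __name__ == "__main__":
    for name, sigs in [("scraper", SCRAPER), ("thin", THIN_EVIDENCE),
                       ("browser", BROWSER)]:
        print(name, aggregate(sigs))
```

The single strong signal in THIN_EVIDENCE scores above the block probability but is escalated rather than blocked, because one detector alone does not carry enough confidence.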

Deep Analysis for Borderline Cases (Escalation Only)

Optional LLM-backed analysis exists for requests that justify slower reasoning. It is an escalation path, not the identity of the product and not something every request should pay for.

  • Use for ambiguous spoofing and novel patterns.
  • Keep the main request path bounded.
  • Prefer local or controlled model deployment where possible.

Wave 4

Cross-Request and Cluster Intelligence

Bot Cluster Detection (Background)

Group confirmed bad signatures to expose product families, shared infrastructure, and coordinated campaigns. This sharpens later decisions on related traffic.

Similarity Graphs · Campaign View

Country and Infrastructure Reputation (Real-Time)

Reputation adds supporting context for borderline requests and decays over time so old conditions do not poison new traffic forever.

Time Decay · Context Signal
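
Time-decayed reputation keyed by an HMACed client ID, as an added example rather than StyloBot's implementation. The secret, half-life, fast-path threshold and delta cap are assumed values, and the address is a constructed one from a documentation range.

```python
import hashlib
import hmac
import math

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret
HALF_LIFE_S = 6 * 3600             # assumption: reputation halves every 6 hours
FAST_PATH_SCORE = 2.5              # assumption: promote to the fast path at this score
MAX_DELTA = 1.5                    # assumption: cap on how far reputation can push a verdict

def client_key(ip: str) -> str:
    """Store an HMAC of the address rather than the address itself."""
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()

class Reputation:
    def __init__(self, half_life_s: float = HALF_LIFE_S):
        self.rate = math.log(2) / half_life_s
        self.entries = {}  # key -> (score at last update, timestamp of last update)

    def score(self, key: str, now: float) -> float:
        """Current score, decayed exponentially since the last update."""
        value, seen = self.entries.get(key, (0.0, now))
        return value * math.exp(-self.rate * (now - seen))

    def record(self, key: str, weight: float, now: float) -> None:
        """Add a confirmed verdict on top of the already-decayed score."""
        self.entries[key] = (self.score(key, now) + weight, now)

    def fast_path(self, key: str, now: float) -> bool:
        return self.score(key, now) >= FAST_PATH_SCORE

    def context_delta(self, key: str, now: float) -> float:
        """Bounded supporting signal for the aggregator; never a verdict alone."""
        return min(MAX_DELTA, 0.5 * self.score(key, now))

def demo():
    rep = Reputation()
    key = client_key("203.0.113.7")  # constructed address (documentation range)
    for t in (0, 60, 120):           # three confirmed bot verdicts in two minutes
        rep.record(key, 1.0, t)
    return rep, key

if __name__ == "__main__":
    rep, key = demo()
    for hours in (0, 6, 24):
        now = 120 + hours * 3600
        print(hours, round(rep.score(key, now), 3), rep.fast_path(key, now))
```

Decay is applied lazily on read, so an idle entry needs no background sweep to lose its standing.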

Community Affinity (Background)

When a request shares traits with known hostile clusters, the runtime can raise scrutiny without treating that single overlap as a final verdict.

Shared Traits · Confidence Lift

Enterprise

Advanced Enterprise Layers

Deeper Fingerprinting and Shared Persistence

Enterprise builds extend the runtime with stronger persistence, richer fingerprint layers, and operational tooling for teams managing multiple gateways.

Controlled Model Integrations

When deeper model analysis is useful, enterprise deployments can plug in approved providers without turning the product into a generic model-marketing page.

External Intel

Optional Threat Intelligence

Project Honeypot (~100ms)

External IP reputation can add another signal for known hostile sources. Treat it as one input in the graph, not a substitute for local evidence.

IP Reputation · External Feed

Recent additions

  • Friendly-bot throttle-status policy: legitimate crawlers (Googlebot, Bingbot) routed through a rate-limit lane instead of blocked.
  • Deceptive-bot (!) marker: bots claiming to be browsers but failing protocol checks get an explicit deception flag in the dashboard.
  • Drift-gated naming: bot display names only update when behaviour drifts, preventing flicker in the dashboard.
  • Ambiguity-persistence: repeat boundary-probing requests are tracked as a signal in their own right.
  • Slow-path coordinator: expensive identity verification is admission-controlled so it cannot DoS the fast path.

Pipeline Order

Cheap checks first. Context second. Escalation last.

1. Fast checks cut obvious traffic

Known tools, malformed clients, and hostile infrastructure get caught early.

2. Behavioral and sequence analysis refine the call

Session cadence and cross-signal consistency determine whether suspicion hardens or falls away.

3. Aggregation outputs risk, confidence, and action

The system produces a traceable decision: signals, detector deltas, aggregation, and policy action.

4. Escalation handles the hard residue

Only the tricky traffic earns slower, deeper analysis.

5. Confirmed patterns become cheaper to stop next time

Reputation and cluster context make repeat offenders faster to classify.

Product Family

Common Runtime, Different Surface Area

StyloBot and StyloWall share the same runtime mindset: evidence-first traffic decisions, local control, and low-latency enforcement.

StyloBot

Focused on HTTP and application-layer bot traffic. Use it to protect login, checkout, API, and content routes where browser behavior matters.

StyloWall

Extends the same operator mindset toward broader network services and protocol surfaces beyond the web stack.

Inspect the Runtime, Then Decide How Hard to Enforce

The detector stack is useful because it makes the decision path visible.