Traffic Classifications (referred to as Threat Profiles) categorize all traffic as valid (VAL), bot (BOT), or nonstandard (NSD). Each category reflects HUMAN’s decision about the authenticity of a specific interaction.
This traffic is further labeled with reason codes that provide insight into why HUMAN responded with the given classification. Each reason code corresponds with a more readable “threat category”.
Below is a table with each reason code, the corresponding “threat category”, and a brief explanation of what it means.
Bot - Traffic results from automation or a compromised device
Abnormal Entity Behavior
The traffic showed inauthentic behavior only exhibited by automation. This includes unnatural mouse movements, keystrokes, and anomalous visitation patterns (e.g. timed page loads or diurnal activity).
API Abuse and Signal Evasion
The traffic attempted to directly access the application API outside of the intended flow of the application, or attempted to block the signal collection.
Brute Force Attack
The traffic is making an anomalously large number of requests in a short period of time.
Known Botnets and Malware
The traffic shows signs of originating from a known botnet or malware.
The traffic originates from a known spider or crawler. Bots with this label are generally considered “safe” or “good”.
Replay Attack or Manipulated Request
The traffic showed signs of manipulating or tampering with the HTTP requests to your application.
The traffic showed signs of belonging to a more sophisticated bot. These signs include spoofing devices or browsers running automation tools such as Puppeteer or Playwright, or accessing your application using a headless browser.
Non Standard - Traffic that exhibits suspicious or anomalous behavior, but does not meet the precision threshold to be marked BOT.
Abnormal Entity Behavior
The traffic showed inauthentic behavior only exhibited by automation. This includes unnatural mouse movements, keystrokes, and anomalous visitation patterns (e.g. timed page loads or diurnal activity). However, the traffic did not meet the precision threshold to be marked as a bot.
The traffic originated from a deprecated or legacy device.
The user attempted to make themselves anonymous. This includes traffic originating from an undeclared VPN or a data center.
The traffic originates from an IP that has a high rate of abuse and malicious activity.
There is evidence to suggest that the device is infected based on its activity in Ad Fraud or other nefarious purposes. It is uncertain if the particular action is performed by the user or by the malware on the device.
Valid - Valid traffic that does not show any signals indicating automation or malicious behavior
There were no observed irregular behavior or signals to suggest bot activity.