How to Use Bot Management for IAM Use Cases

Adam Cassar

Co-Founder


Automated threats targeting identity and access management (IAM) systems are more sophisticated than ever. Malicious bots are responsible for a significant portion of online attacks, including account takeovers (ATO), credential stuffing, and fake account creation. As these threats evolve, traditional IAM controls like password policies and even multi-factor authentication (MFA) are proving insufficient on their own.

Identity and access management leaders must recognize that bot management is no longer a peripheral security concern but a core component of a modern IAM strategy. Building a strong business case for a dedicated bot management capability is essential to prevent avoidable financial and reputational losses. Furthermore, as AI agents become primary users of web applications and APIs, organizations without advanced bot management will be unprepared to manage the new risks they introduce.

Introduction

The internet is saturated with bots, with some estimates suggesting nearly half of all traffic is automated. While some bots are benign, a growing number are malicious, designed specifically to exploit vulnerabilities in web applications. IAM systems, which control access to sensitive user accounts and data, are a primary target.

The most common bot attacks targeting IAM include:

  • Credential Stuffing: Attackers use lists of stolen usernames and passwords from third-party data breaches to gain unauthorized access to user accounts. This attack vector is highly effective due to widespread password reuse.
  • Brute-Force Attacks: Automated scripts attempt to guess passwords for known usernames, often targeting login endpoints for platforms like WordPress and Magento.
  • Fake Account Creation: Bots create fraudulent accounts at scale, which can be used for spam, malware distribution, or to abuse promotional offers.

Recent attacks on major Australian retailers like The Iconic and Dan Murphy's demonstrate the real-world consequences. These incidents, driven by credential stuffing, resulted in significant reputational damage and financial loss, forcing the companies to issue refunds and publicly address security concerns.

Analysis

Defending IAM systems requires understanding why traditional methods are failing and what modern bot management solutions offer.

Why Traditional IAM Defences Fail

Attackers have evolved their techniques to bypass legacy security controls. Simple IP-based rate limiting and reputation lists are no longer effective due to the powerful combination of residential proxies and anti-detect browsers:

  1. Residential Proxies: Attackers route their traffic through a vast network of IP addresses belonging to real residential internet connections. This makes malicious traffic appear legitimate and allows attackers to bypass IP-based blocking and geolocation restrictions. Our own tests show that even the best IP intelligence services fail to detect the vast majority of residential proxy traffic.
  2. Anti-Detect Browsers: These specialized browsers allow attackers to spoof their digital fingerprints, mimicking legitimate user devices and browser configurations. This defeats many JavaScript-based challenges and fingerprinting techniques.

These tools, often used with automation suites like OpenBullet, enable attackers to launch "low and slow" distributed attacks that are nearly indistinguishable from human traffic. For more information on these tools, see our guide to enterprise bot management.

The Flawed Logic of CAPTCHA

For years, CAPTCHA has been the go-to solution for distinguishing humans from bots. However, it is a flawed and increasingly ineffective control. Our research shows that visible CAPTCHAs have a severe negative impact on user experience and conversions. Studies have found that CAPTCHAs can reduce form conversions by up to 40%, as frustrated users abandon purchases or sign-ups.

Furthermore, modern bots can solve CAPTCHAs with high accuracy, often more effectively than humans, by using CAPTCHA-solving farm services. Relying on CAPTCHA creates friction for legitimate users while providing a false sense of security. Modern bot management focuses on invisible challenges and behavioural analysis to validate users without disrupting their journey.

Modern Bot Management Capabilities for IAM

An effective bot management solution provides a multi-layered defence that goes beyond simple signatures. Key capabilities include:

  • Advanced Rate Limiting: Instead of relying on IP addresses, modern solutions group requests using more stable identifiers like TLS/HTTP2 fingerprints, device characteristics, or a combination of headers. This allows for the detection of distributed attacks originating from a single malicious tool, even as it rotates through thousands of IPs.
  • Network and Device Fingerprinting: By analyzing the unique characteristics of a client's TCP and TLS implementation, it's possible to identify the underlying software making the request, regardless of the user-agent header. This helps distinguish between real browsers and automated scripts.
  • Behavioural Analysis: Advanced systems model normal user behaviour—such as mouse movements, typing speed, and page navigation—to identify anomalies that indicate automation.
  • Residential Proxy Detection: Specialized techniques are required to identify traffic coming from residential proxy networks, which is a strong indicator of malicious intent.
  • Breached Credential Integration: By checking login attempts against databases of known breached credentials, security teams can apply additional scrutiny to high-risk authentication events.
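To make the rate-limiting point concrete, here is an added example (not Peakhour's code) that replays a constructed set of login attempts through the same sliding-window limiter twice: once keyed by source IP, once keyed by a fingerprint built from an assumed JA3-style TLS hash plus two request headers. The attack traffic, fingerprint values and header strings are all constructed for the illustration.

```python
import hashlib
from collections import defaultdict, deque

# Constructed sample login attempts: (timestamp_s, source_ip, ja3_hash, accept_language, user_agent).
# The attacker rotates 20 residential-proxy IPs but drives every request with the
# same tool, so the TLS fingerprint and header set are identical on each one.
ATTACKER = [
    (float(i), f"203.0.113.{i + 1}", "5f2a4c9e", "en-US,en;q=0.9", "python-requests/2.31")
    for i in range(20)
]
# A legitimate user retries a mistyped password three times from one IP.
LEGIT = [
    (float(5 + i * 10), "198.51.100.7", "b32654f1", "en-AU,en;q=0.8", "Mozilla/5.0 (Windows NT 10.0)")
    for i in range(3)
]
ATTEMPTS = sorted(ATTACKER + LEGIT, key=lambda a: a[0])

def client_fingerprint(ja3: str, accept_language: str, user_agent: str) -> str:
    """Grouping key from TLS and header characteristics instead of the source IP."""
    raw = "|".join((ja3, accept_language, user_agent)).encode()
    return hashlib.sha256(raw).hexdigest()[:16]

class SlidingWindowLimiter:
    """Allows at most `limit` events per key inside any `window`-second span."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.events: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:  # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def count_blocked(attempts, key_fn, limit: int = 5, window: float = 60.0) -> int:
    """Replay the attempts through a limiter keyed by key_fn; return how many were blocked."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(0 if limiter.allow(key_fn(a), a[0]) else 1 for a in attempts)

# Keyed by IP the rotating attack never trips the limit; keyed by fingerprint it does.
BLOCKED_BY_IP = count_blocked(ATTEMPTS, lambda a: a[1])                        # 0
BLOCKED_BY_FP = count_blocked(ATTEMPTS, lambda a: client_fingerprint(*a[2:]))  # 15
```

The legitimate user's three retries stay under the limit under either key, so the fingerprint key adds detection of the distributed attack without adding friction for that user.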

These countermeasures work together to create a comprehensive defence against automated threats targeting user accounts.
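The breached-credential check in the list above, as an added example that is not Peakhour's code: the client hashes the submitted password, sends only the first five hex characters of the SHA-1 to the breach corpus, and matches the remaining suffix locally (the k-anonymity split used by range-lookup services such as Pwned Passwords). The breach corpus, its occurrence counts and the policy outcomes are constructed for the illustration; in production `range_query` would be an HTTPS call rather than a local dictionary.

```python
import hashlib

# Constructed breach corpus (not real breach data): SHA-1 of a few commonly
# leaked passwords, mapped to made-up occurrence counts.
BREACHED_COUNTS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in (("password123", 12_000), ("qwerty", 31_000), ("letmein", 4_500))
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query(prefix: str) -> dict[str, int]:
    """Server side of the k-anonymity lookup: given the first five hex characters
    of a SHA-1, return every stored suffix sharing that prefix with its count.
    Stands in for a remote /range/{prefix} endpoint; here it reads the local dict."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex characters")
    return {h[5:]: n for h, n in BREACHED_COUNTS.items() if h.startswith(prefix)}

def breach_count(password: str) -> int:
    """Client side: only the 5-character prefix leaves the process; the 35-character
    suffix is compared locally, so the full hash (and password) is never sent."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)

def login_decision(password: str, password_valid: bool) -> str:
    """Risk-based outcome for one authentication event. A correct password that
    appears in the breach corpus is a credential-stuffing candidate, so the event
    gets extra scrutiny (step-up MFA plus a forced reset) instead of a plain allow."""
    if not password_valid:
        return "deny"
    if breach_count(password) > 0:
        return "step_up_mfa_and_force_reset"
    return "allow"
```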

The Next Frontier

The next frontier of automated threats comes from the rise of agentic AI. As reasoning models like DeepSeek become more accessible, we are entering an era where AI agents are becoming primary consumers of APIs and web applications.

These are not the rigid scripts of the past. AI agents can reason, plan, and adapt their behaviour in real-time based on a system's responses. They can analyze an entire API surface in seconds and generate complex interaction patterns that human developers would rarely attempt.

This presents a new challenge for IAM. Our current bot management systems are designed to detect patterns that deviate from human norms. But what happens when AI agents can perfectly mimic human behaviour while operating at machine speed? The line between human and automated traffic blurs.

IAM leaders must invest in bot management solutions that can evolve to address this new reality. The future of bot management will not be about blocking bots but about safely interacting with AI agents. This requires a shift from static, rule-based security to contextual analysis that understands and adapts to agent behaviour, distinguishing between legitimate AI assistants and malicious ones. Organizations that fail to prepare for this shift risk having their defences systematically dismantled by AI-driven attacks.
