Source: securityboulevard.com – Author: DataDome
2023 in Review
As we know all too well at DataDome, bots are always evolving to perform more attacks and bypass security measures. They come with proxies and a multitude of tools to bypass security, like automated CAPTCHA solvers and CAPTCHA farms. And in 2023, bot threats continued to increase in size and sophistication. Whether it was stealing Taylor Swift tickets from eagerly awaiting fans, or scraping bots becoming highly distributed and advanced, or even generative AI models like ChatGPT sending hordes of scrapers to gather training data, bad bot activity is reaching every corner of the internet.
But as quickly as they’re developing attacks, DataDome is creating and improving defenses. We strengthen our ML models to detect new threats by studying the tools bot developers use, ensuring we stay ahead of malicious actors—and by utilizing every new signal, detection model, and upgrade we put in place this year. We increased the number of signals we compute every day from 3 trillion to 5 trillion. Our real-time at-the-edge protection still returns decisions in less than 2 milliseconds, keeping bad bots out and allowing validated human users through to your endpoints.
Throughout 2023, we detected—and more importantly, blocked—the following for our customers:
- ~316 billion malicious attacks.
- ~8.6 billion account takeover attacks—approximately one every nine login attempts.
- ~400 million fake account creations—one every eight sign-up attempts.
We know you’re busy, so here’s an overview of how we’ve enhanced our bot and online fraud management solution to ensure our customers are protected from the latest sophisticated threats.
Released new products to protect against more sophisticated threats.
- Device Check is the first truly invisible challenge on the market, particularly effective against highly distributed threats.
- We also opened early access to select customers for ad fraud prevention and account fraud protection. These features will be enhanced over the course of 2024 to help our customers stop ad and account fraud in their tracks.
- In the ad fraud prevention program, multiple customers found that significant portions of their ad spend—up to nearly 50% in some cases—were being wasted by malicious bots. This information, along with our solution, helped them on the path towards saving millions of marketing dollars.
Added features to support the needs of our enterprise customers.
- SSO now allows customers to create and manage their own instances, and allows auto-provisioning of users in enterprises using SAML.
- Workspaces are a new standardized offering so customers can manage multiple tenants, each with its own instance, to customize protection across every facet of your business.
- We also introduced an audit trail feature to track changes to your organization’s protection configurations, and successfully completed our SOC 2 Type 2 audit.
Enhanced our solution’s performance, analytics, and ease of use.
- Two new pages on the DataDome dashboard offer a view of threats in real time and provide insights into the performance of DataDome CAPTCHA on your endpoints.
- Our points of presence around the globe increased in number to 26, helping increase our solution’s availability while lowering latency.
- Over 50 integrations, including 25+ server-side integrations, are now available for our customers. We added integrations for Akamai EdgeWorker, Apigee X, Edgio, Fasterize, Kong, and OpenResty this year, among others.
- We optimized the code for our client-side JavaScript tag, reducing total blocking time by 91% and the tag size (gzipped) by 53%. These optimizations help improve Core Web KPIs and preserve page load times for our customers.
Released Bot Security Reports to show businesses’ readiness against simple bot attacks.
- Our BotTester tool can test any business’ website against small volumes of different types of bot requests to identify key vulnerabilities.
- Bot Security Reports for the U.S., UK, France, and Germany all indicate that the majority of websites are not protected against basic bot attacks.
Received recognition for our solution from our customers and trusted voices in cybersecurity.
- We ranked as a Leader in the G2 GridⓇ Report for Bot Detection and Mitigation all year.
- We also received Cyber Defense Magazine’s award for Most Innovative in Bot Management for the third year running.
- We became the first (and only) bot and online fraud management specialist to achieve the AWS Security Competency designation.
Looking Forward to 2024
DataDome has laid the foundations for the future of online fraud defense, building ad fraud and user fraud prevention into our solution to protect more businesses moving forward. In fact, today we also announced our new DataDome Companion—a custom ChatGPT application that allows you to generate custom rules fast.
As we move into 2024, DataDome remains committed to stopping bad bots and online fraud with speed and accuracy—without damaging UX. We’re using an additional 2 trillion signals every day to identify sophisticated bot traffic, and Device Check helps us test suspicious requests invisibly. And with extra integrations, SSO improvements, and better support for multiple instances, we’re doing everything we can to set our customers up for success in 2024.
Over the next year, we’ll continue to expand our capabilities to offer our customers the most holistic, advanced bot mitigation solution on the market. To learn more about how DataDome’s powerful ML-powered, human-supported bot and online fraud detection engine can protect your business from bad bots and online fraud, try it for free or book a demo today.
Released new products to protect against more sophisticated threats.
DataDome CAPTCHA: Easy on Humans, Tough on Bots
Towards the end of 2022, we released DataDome CAPTCHA—the only user-friendly, 100% secure, and readily privacy-compliant CAPTCHA on the market. Our CAPTCHA sought to solve the main issues with traditional CAPTCHAs: easy to bypass, lack of user privacy, poor user experience, and lack of transparency. As of April 2023, 100% of DataDome customers are utilizing DataDome CAPTCHA to protect their businesses.
The DataDome CAPTCHA is integrated with our bot protection solution to weed out bad bots from the start and ensure as few real humans see the challenge as possible. Typically, only 1 in 10,000 human requests is challenged with a visible CAPTCHA. When a user is presented with DataDome CAPTCHA, they’re met with a simple-to-understand, quick-loading puzzle piece challenge. Our CAPTCHA loads in 0.09 seconds and takes only around 2.2 seconds to solve, compared to reCAPTCHA’s more than 20 seconds to pass (typically 30 seconds based on our measurements).
Device Check
Device Check became available for all DataDome customers in December 2023. Early access began in February 2023, open to select customers across different industries. These customers all had specific use cases where Device Check benefited them in two ways:
- Detection of highly sophisticated bots from the first request.
- Client-side validation that allowed for additional responses to tailor access based on each client.
Device Check is an improvement to the way DataDome tests potential threats, and is the first truly invisible challenge. It is particularly effective against distributed bot attacks, as it blocks them from the very first request without impacting the user experience (UX). Now, we are seeing over 11 million Device Check responses in a day—that’s 11 million bad bots stopped without damaging UX.
We look forward to seeing how Device Check helps our customers keep their users happy while stopping even more bots and fraudsters than before.
Early Access: Ad Fraud & Account Fraud Protection
We are working on ways to apply DataDome’s powerful, accurate detection to many more use cases, like ad fraud and account fraud. In 2023, we opened two early access (EA) programs for select customers to test these features.
Ad Fraud Prevention
Many customers are struggling with bad bots that drain their marketing budgets with fake ad clicks. That’s why DataDome introduced a new EA product to prevent this type of bot-driven ad fraud. Ad fraud prevention can identify and classify illegitimate automated traffic and, through meticulous monitoring, analyze attributes of the campaign—such as traffic source, time patterns, and user behavior. With our detailed ad reporting, these EA customers have gained valuable insights into the efficiency of their ad campaigns—by campaign—and are able to take steps to optimize their marketing ROI and ad spend.
The results have been stunning: multiple early customers were able to identify that significant ad spend (between 13% and 48%) was wasted on malicious bots and not real users, and that performance varied widely among different ad networks and campaigns—including Facebook, Google, TikTok, and more. With this information, DataDome was able to help them realize the potential to save millions of marketing dollars.
Account Fraud Protection
Account fraud has been a problem for online businesses for a long time and has continued to increase exponentially in the past few years due to automated bot-driven account takeovers (ATO), credential stuffing attacks, and fake account creation. This has resulted in significant financial damage from costly chargebacks, stolen stored value, credit card processing fees, and redemptions abuse.
DataDome introduced a user fraud solution to identify suspicious behavior, new account abuse, and accounts that have been taken over. It instantly assesses risk and enforces security policies that stop malicious activity and block requests. DataDome customers can now block malicious or anomalous account activity on first request in real time, and new customer identity signals for specific accounts, users, devices, and sessions can be monitored and tracked.
For example, one major retailer that struggled with massive fake account creations on their website to book in-store appointments used DataDome to stop these fraudulent requests from bad bots—which accounted for 75% of all appointment requests! This amounted to hundreds of thousands of fake bookings blocked, saving significant downstream disruptions and resources for the retail stores.
Like any major web property, we’re constantly trolled with password lists. Account takeover is a real risk, so it’s nice to get rid of that.
—VP of Engineering at a Leading US Travel Booking Site
Added features to support the needs of our enterprise customers.
DataDome has been focused on ensuring enterprise customers have the support they need with our solution. To that end, we improved SSO and added workspaces.
Best In Class SSO Support
We enhanced SSO to allow customers using SSO to configure their DataDome instance(s) on their own. Our enterprise customers have hundreds of DataDome users, so we opened up the possibility of auto-provisioning users in an enterprise environment who are using SAML to manage their user profiles, automatically importing them into DataDome’s dashboard instance for ease of configuration and user access management.
For more information about how DataDome supports SSO, see our documentation.
Workspaces
Enterprises have different protection needs across business units, brands, or products—and every facet of your business deserves the best. DataDome Workspaces allow for multiple teams within any DataDome customer’s organization—with completely separate needs—to manage their own Workspace, providing a tailored view for each facet of your business. This customization helps provide laser-focused fraud detection for each Workspace.
Audit Trail
We know that sometimes, several people need to work together to solve a problem. That’s why, in February, we introduced the audit trail feature in the DataDome dashboard. Audit trail helps you understand what changes have been made to your account by displaying what changed and who made those changes. This is a fantastic tool for enterprises to prevent or repair any misconfigurations, particularly with events like the addition of custom rules.
SOC 2 Type 2 Compliant
In March, one year after completing our SOC 2 Type 1 report, DataDome successfully completed our SOC 2 Type 2 audit. The SOC 2 Type 2 report demonstrates how our security controls, particularly for user data, align with AICPA’s SOC 2 standard. Customers can review the report to learn how we protect customer data using measures such as security policies, encryption protocols, access controls, and vulnerability management.
Enhanced our solution’s performance, analytics, and ease of use.
Dashboard Upgrades
We introduced two powerful new pages on our dashboard to help our customers understand the traffic coming to their websites, mobile apps, and APIs—and how DataDome is stopping malicious traffic.
Real-Time Threats
Accurate bot management is not about what happened 10 minutes or two hours ago—it’s detecting and responding to what is happening right now. We added the real-time threat dashboard in February to give customers better insight into each threat type, and to help them see the instantaneous nature of DataDome’s protection.
CAPTCHA Analytics
DataDome CAPTCHA is fully integrated with our powerful bot and online fraud detection solution, helping ensure the use of CAPTCHA is frictionless for all users—while still blocking more bots than alternative tools.
Added in June, the CAPTCHA analytics page on our dashboard shows real-time metrics, the false positive ratio for your business, CAPTCHA bots blocked, and the median time to solve the challenge. You can drill down into each detail, gathering as much information as you want about how your users (and bots) are interacting with CAPTCHA on your protected endpoints.
26 Global PoPs: Low Latency, High Availability
By July 2023, we increased the number of global points of presence (PoPs) we utilize to 26. Each PoP increases our solution’s availability, performance, and user experience, and lowers overall latency. As our solution inspects every single request to our customers’ websites, apps, and APIs in real time, strategic placement of PoPs is crucial to our under-two-millisecond response time.
New Integrations
DataDome ended 2023 with over 50 integrations, including 25+ server-side integrations, across a swathe of architectures. Here are a few we added:
- Akamai EdgeWorker: A CDN and compute-at-the-edge platform, joining the list of other CDNs we integrate with, like Cloudflare, AWS CloudFront, etc.
- Apigee X: An API gateway provided by Google that can be hosted on any Google Cloud Platform Region.
- Edgio: A CDN and compute-at-the-edge platform, joining the list of other CDNs we integrate with.
- Fasterize: A SaaS web performance software working to reduce website loading times.
- Kong: An API gateway that centralizes API management within organizations. DataDome works on both open-source and enterprise editions.
- OpenResty: A web application server that extends Nginx, bundled with LuaJIT, Lua libraries, and third-party modules.
Optimized Client-Side JavaScript Tag
Our client-side JavaScript (JS) tag collects signals to aid in bot detection, such as browser fingerprints, device details, behavior like mouse movements, and specially crafted JS challenges. While the tag’s impact was already negligible for our customers, we wanted to push harder to further optimize the tag. We refactored and optimized our code, split and obfuscated our logic, and offloaded the computation of some signals outside the browser main thread.
From June to November 2023, we reduced:
- Total Blocking Time from 110 to 10 milliseconds. Note that TBT is not latency.
- JS tag size (gzipped) from 58 to 26 kilobytes.
These optimizations improve Core Web KPIs, preserve page load times, and help reduce the ecological footprint of bandwidth usage behind the scenes.
Released Bot Security Reports to show businesses’ readiness against simple bot attacks.
We also released the BotTester tool on our website in 2023. This tool is very simple: you provide a URL for your business’ website, and DataDome looks for vulnerabilities without causing harm. We test URLs using small volumes of different types of bot requests—and if any are not blocked, the website is considered at risk from similar bot attacks.
Because the BotTester tool is not demanding on the infrastructure of a website—nor is it damaging in any way—it offered us the perfect avenue for gathering information on websites around the world and their various vulnerabilities to bot attacks. We surveyed over 9,500 US-based transactional websites, classified by size (number of employees) and industry, and created a Bot Security Report using the data.
Our key findings about the readiness of these websites to stop simple bot attacks were shocking.
- 2 in 3 U.S. websites are unprotected against simple bot attacks, letting through every single type of bot we tested.
- Gambling websites are (comparatively) the most protected. Only 31% of gambling sites failed all of our tests.
- Bigger businesses were only marginally more protected. 60% of businesses with more than 10,000 employees failed all tests, compared to 75% of businesses with fewer than 50 employees failing.
- 1 in 3 websites had some sort of specialized bot protection software. However, even the best-performing tool we saw still failed to detect 48% of our simple bots.
- Traditional tools like reCAPTCHA were easily bypassed by our simple bots, even when combined with bot protection software.
We also created BotTester reports for the UK, France, and Germany. Interestingly, the key findings—particularly that the majority of websites are not protected against basic bot attacks—did not vary much between regions.
Received recognition for our solution from our customers and trusted voices in cybersecurity.
DataDome is making waves in the bot mitigation industry. Here are the highlights:
- We ranked as Leader in the G2 GridⓇ Report for Bot Detection and Mitigation every single quarter (spring, summer, fall, winter). In the winter grid (shown below), we moved up to #1.
- We received Cyber Defense Magazine’s Top Infosec Innovator Award for Most Innovative in Bot Management—for the third year running.
- We enjoyed our second year in the Inc 5000.
- We ranked in the Deloitte Technology Fast 500.
And so many other awards we can’t fit them all…
AWS Security Competency
As of September, DataDome is the first (and only!) bot and online fraud management specialist to achieve the AWS Security Competency designation. This designation is only granted to AWS partners who show technical expertise, cybersecurity customer success, and excellence in delivering solutions across industries and use cases. This competency adds to the list of other solutions we’ve built in partnership with AWS.
Original Post URL: https://securityboulevard.com/2024/01/empowering-you-for-a-secure-2024-your-journey-with-datadome-in-review-ahead/