Bot Management Demo — Cheat Sheet

~15–20 min · Glance once, click, talk · Deeper details in Bot_Management_REFERENCE.docx

Pre-demo setup checklist

1. Open (~4 min)

These three points usually come up on their own. Raise them yourself first so it feels like a conversation, then roll into the demo.

"So before I pull anything up, let me set the table a little. When bots come up, most teams kind of shrug it off. They figure it's not really their problem. And honestly, most companies have no idea until they actually go look. But if you've got a login page, a pricing page, an API, anything like that, something automated is already poking at it. The real question was never whether bots are hitting you. It's whether you can look at your traffic right now and tell the bots from your real customers. Most teams can't, and that's the whole gap we close."

"Now usually right about here someone asks, okay, but doesn't the WAF already do this? Good question, and it's worth pulling apart. Think of it this way. The WAF is looking at what's inside a request and asking, is this thing trying to hurt me? Bot Management is looking at how the request behaves and asking, is a real person doing this, or is it a machine? Two totally different questions. A request can be perfectly clean, nothing nasty in it at all, and still be a bot quietly scraping your prices all day long. So these two aren't competing, they cover for each other."

"And every so often someone on Pro tells me they figure they're already good. And fair enough, Pro handles the easy stuff really well. The lazy scripts, the default user agents, the basic headless browsers, it'll catch all of that. Where it runs out of road is the smarter traffic. A bot dressed up to look like a real browser, one that keeps changing its fingerprint, or traffic coming through residential proxies so it looks like somebody sitting at home. If you've got anything valuable tucked behind a login, that's exactly the stuff that slips past Pro."

"So let me show you how we actually pull this off, because this is kind of the fun part. The old way to spot a bot was to check the User-Agent header. That's basically the little ID card the browser holds up to say, hey, I'm Chrome. Problem is, that ID card is trivially easy to fake. One line of code and a bot is happily telling you it's Chrome when it's nothing of the sort."

"So we threw that out. Instead, we score every single request from 1 to 99, based on signals an attacker can't just rewrite on a whim. A 1 is almost certainly a bot. A 99 is almost certainly a real person. And everything in between, you get to draw the line wherever you want and write the rules that fit your business."

"Alright, enough talking. Let me just show you."

2. Bot Analytics page (~4 min)

▶ CLICK: Security → Analytics → Bot analysis tab

a) Likely automated vs. Likely human counts

"Right at the top, traffic is split into 'Likely Human' and 'Likely Automated.' High-level view of every request that hit this site in the last 24 hours — already sorted so you can see how much is just background noise."

b) Detection sources — ML vs. Cloudflare service

"Check out the Bot Score Source. A huge chunk of scoring comes from a machine-learning model that's basically seen it all. Cloudflare sits in front of about 20% of the internet, so we spot a brand-new attack pattern the second it pops up anywhere — and protect your site instantly."

c) SWITCH TO EVENTS TAB — JA3 / JA4 Fingerprint cards

"If you want the 'how' behind the magic, look at these JA4 fingerprints. Think of it as a digital serial number for the software. Unique hash of how a visitor introduces themselves during the handshake — encryption style, signature, the whole thing. Even if a bot rotates its IP or lies about its name, its digital DNA stays the same."

3. Live proof — three requests (~5 min)

"I'm going to send three requests to my own site from a terminal. To a human they look like normal traffic. But Cloudflare is going to react differently to each one — watch the status codes change in real time."

→ Switch to terminal. Big font on projector.

TEST 1 — Real browser → 200

Open in Chrome:  https://nginx.tarheel.us/
"Real browser. Real TLS handshake. Real human signals. 200 OK — gets through clean."

TEST 2 — Python scraper → 302

curl -sI -A "python-requests/2.31.0" https://nginx.tarheel.us/ | head -3
"This one's honest about being a script. The User-Agent literally says python-requests. We don't have to block it — we just send it somewhere else. 302 redirect — off to a honeypot, a cached page, a doc, wherever. Costs us nothing to serve."

TEST 3 — Empty User-Agent → 403

curl -sI -A "" https://nginx.tarheel.us/ | head -3
"No legitimate browser or library ships with an empty User-Agent. Someone's actively hiding. 403 Forbidden — blocked outright."
PUNCHLINE:

"Three requests. Three different outcomes — 200, 302, 403 — and we never touched an IP address. Cloudflare made each decision in single-digit milliseconds based on what the request actually is, not where it came from."

"And here's the kicker — if we'd run these with -v instead of -I, the TLS line on all three would be identical. You can fake your User-Agent. You can't fake your TLS fingerprint."

4. Show the JA4 in the dashboard (~3 min)

"If we'd run those with -v you'd see the TLS handshake on every one was identical. Let me show you what Cloudflare actually recorded for those three requests under the hood."

▶ CLICK: Security → Analytics → Bot analysis tab → expand any sampled log → Request analyses panel

Point at:

"The three requests we just ran share the same JA4 fingerprint. Different User-Agents, identical fingerprint. And all of this was computed before the request even reached our security rules — it's in the metadata of every request, on every plan with the add-on."

5. Block by JA4 — the payoff (~3 min)

"Here's what most teams do today — a bot misbehaves, they look at the IP, they block the IP. Bot rotates IPs, they block more IPs. Whack-a-mole, forever."

"Watch what we do instead."

▶ CLICK: Security → WAF → Custom Rules → Create Rule

Set:

"You're not blocking an IP. You're blocking the bot's engine. Same bot tomorrow on a different IP, different VPN — still blocked. They'd have to rewrite their TLS stack to change the fingerprint."

"That's the difference. IPs are license plates. JA4 is the engine serial number."

If asked: "Why Cloudflare and not Akamai / DataDome / PerimeterX / Imperva?"

  1. Network advantage — Cloudflare sees ~20% of internet traffic. The ML model is trained on a data set no competitor has.
  2. Same edge as everything else — no separate inline agent, no traffic mirroring, no sidecar. If you're on Cloudflare, scoring is already running.
  3. TLS fingerprinting is structural — JA3/JA4 can't be spoofed without rewriting the client's TLS stack. Strongest single signal in bot detection today.
  4. Verified bot list is cryptographic — no false-positives on Googlebot. Competitors often rely on User-Agent matching, which is trivial to spoof.
  5. One platform, one rule language — combine bot score with WAF, Rate Limiting, Access, API Shield. Not five vendors stitched together.

6. Close (~1 min)

"If you're already on Cloudflare, bot scoring is running right now — on every request hitting your zones. The only thing left is writing the rules that act on it."

Quick answers (if asked)

Will it block Googlebot?
No — verified bots are allowed automatically. Cryptographically verified, not header-based.

How accurate is the score?
Trained on ~20% of internet traffic. 1–30 = almost certainly bot. 70–99 = almost certainly human. 30–70 is the gray zone — use Managed Challenge.

Can attackers fake JA4?
Theoretically, by rewriting their TLS stack. In practice almost nobody does — it's hard, breaks easily, attackers find easier targets.

What about headless Chrome / Puppeteer?
Distinct fingerprints. Headless Chrome has missing browser APIs and a different TLS fingerprint than regular Chrome. We catch all major headless frameworks.

Does this work for APIs?
Yes — bot score works on any HTTP request. API Shield adds API-specific protections (schema validation, sequence checks, mTLS) on top.

How much?
Bot Fight Mode: free. Super Bot Fight Mode: included on Pro/Business. Full Bot Management: Enterprise add-on.

How long to deploy?
If already on Cloudflare — minutes. Scoring is already running, you just write rules. From scratch, a few hours to a day.

Will it slow down my site?
No. Scoring runs in the same pipeline as the WAF — single-digit milliseconds. No detour, no extra hops.

What's the false positive rate?
Industry-low. The model is conservative — it'd rather let a borderline request through than block a real customer. Most false positives are legitimate automation (uptime monitors, your own scripts) — allowlist by IP or fingerprint.

How is this different from a CAPTCHA?
Bot Management is invisible — most users never see anything. CAPTCHAs interrupt every user. When we do challenge, we use Turnstile (invisible CAPTCHA replacement), not picking out fire hydrants.

How do I tune it without breaking anything?
Start in log-only mode. Watch the score distribution for a week. Identify your own automation (monitoring, partners). Allowlist them. Then move to enforcement.

Does it work with Workers?
Yes — Workers can read cf.bot_management.score and react. Useful for custom block pages, dynamic responses, API logic.

What about logged-in users?
Bot score still applies, but session signals are factored in. A user logged in and active for 20 minutes is treated differently from a fresh low-score request to /login.

How do I block AI scrapers (OpenAI, Anthropic, Perplexity)?
AI Crawl Control — separate from regular Bot Management. Cloudflare maintains a list of identified AI crawlers. Allow, Block, Challenge, or Charge per AI bot. Available on all plans including Free.