Cloudflare Docs
Bots
Visit Bots on GitHub
Set theme to dark (⇧+D)

Plans — Bot Management for Enterprise

To learn more about features and functionality, select a plan.

Free Pro Business Bot Management for Enterprise

Bot Management for Enterprise Features

Plan name Bot Management for Enterprise
Availability Added to Enterprise plans by your account team
Enablement Quick onboarding with help from our Solutions Engineering team
Type of bots detected Simple and sophisticated bots, headless browsers, and domain-specific anomalies
Actions Customer chooses from several options, including block, CAPTCHA challenge, and JS challenge
Analytics Dedicated Bot Analytics tool, available in the Firewall
Additional control Ability to restrict by path, IP address, and more. Access to bot score, JA3 fingerprint, and bot tags fields.

Bot detection engines

Heuristics

The Heuristics engine processes all requests. Cloudflare conducts a number of heuristic checks to identify automated traffic, and requests are matched against a growing database of malicious fingerprints.

The Heuristics engine immediately gives automated requests a score of one.

Machine learning

The Machine Learning (ML) engine accounts for the majority of all detections, human and bot. This approach leverages our global network, which proxies billions of requests daily, to identify both automated and human traffic. We constantly train the ML engine to become more accurate and adapt to new threats. Most importantly, this engine learns from traffic across all Cloudflare domains and uses these insights to score traffic while honoring our strict privacy standards.

The ML engine produces scores 2 through 99.

Anomaly detection

The Anomaly Detection (AD) engine is an optional detection engine that uses a form of unsupervised learning. Cloudflare records a baseline of your domain’s traffic and uses the baseline to intelligently detect outlier requests. This approach is user agent-agnostic and can be turned on or off by your account team.

Cloudflare does not recommend AD for domains that use SSL for SaaS or expect large amounts of API traffic. The AD engine immediately gives automated requests a score of one.

JavaScript detections

The JavaScript Detections (JSD) engine identifies headless browsers and other malicious fingerprints. This engine performs a lightweight, invisible JavaScript injection on the client side of any request while honoring our strict privacy standards. We do not collect any personally identifiable information during the process. The JSD engine either blocks, challenges, or passes requests to other engines.

JSD is enabled by default but completely optional. To adjust your settings, open the Bot Management Configuration page from Security > Bots.

Notes on detection

Cloudflare uses the __cf_bm cookie to identify bots. For more details, refer to Cloudflare Cookies .

How do I get started?

To get started, review our setup guides . If you have any questions, visit the community to engage with other Cloudflare users.