Separating fraudsters from legitimate users with Shape Security and Fastly

Fastly logo


  • Digital transformation exposes organizations to new threats and new types of attacks, including business abuse and e-commerce fraud
  • For cybercriminals, apps represent the single most lucrative class of targets—projected to surpass $48 billion by 2023
  • When web attacks are blocked, attackers quickly move to other channels such as mobile APIs; any solution must address all platforms


  • Slash fraud and abuse
  • Prevent reputational damage
  • Improve application performance and uptime
  • Accelerate processing on backend systems
  • Increase security
  • Reduce bandwidth costs

It’s not unusual for 70 percent or more of an organization’s daily log-in attempts to be from non-human visitors. Unfortunately, non-human in this case typically means nefarious, bot-based attack traffic. With all the millions and millions of stolen and leaked credentials that are available across the digital underworld, it’s no big feat to code a bot (and simpler still to pay a small fee to leverage pre-made attack tools) to cycle through those records, one at a time, over and over, throwing username and password combinations at every login server they can find in a relentless wave.

All those automated login attempts are bad enough just in terms of the constant, steady drain on bandwidth and server resources, but things can quickly turn catastrophic if such a bot were to get a positive hit and was able to log-in with stolen credentials.

Shape Security has pioneered a suite of innovative solutions that identify all manner of harmful, bot-driven network traffic and block it before it becomes a drain on your resources (or worse). Here, we explore one popular deployment option, using Fastly CDN to automate and accelerate analysis of your login traffic.

Shape Security for Innovative Traffic Analysis

Artificial intelligence (AI) and machine learning (ML) are what set Shape apart from others in the field. To websites and mobile applications, attackers appear to be identical to genuine users. Worse yet, they rapidly evolve their tools and methods and even use imitation attacks to render it nearly impossible for apps or even humans alone to tell the difference between real and fake.

Shape solutions leverage AI and ML, among other technologies, to accurately determine in real-time if an application request is from a fraudulent source—and if so, to effectively mitigate. When these countermeasures are deployed, 5-10 percent of attackers typically attempt to retool and start a new attack; but Shape adapts and maintains full efficacy even as attackers evolve.

Shape uses a patented two-stage process to deliver highly accurate real-time detection and mitigation, as well as provide sustained protection against attacker retooling. Stage 1 evaluates each transaction across a set of proprietary risk factors that include network, activity, user, device and account factors so that unwanted and fraudulent transactions can be mitigated in real time. Stage 2 counters the attackers’ evolution with an after-action machine learning and human analysis to continuously improve effectiveness.


Shape Security defense diagram

Powerful threat assessment with Fastly and Shape Log Analysis

Shape delivers an industry-leading  security stack for Fastly customers, combining security and performance to protect some of Fastly’s most sophisticated infrastructures and some of the world’s largest brands. The core of this joint solution is built around Fastly’s commitment to accelerating and optimizing web performance, and includes a non-invasive configuration that allows any Fastly customer to receive a glimpse into the types of attack traffic that are currently bypassing their existing security perimeter. The user simply sends Shape two weeks of their Fastly log data (containing no PII) as follows.

For Shape to launch its AI/ML at your potential threats, it first needs to expose the AI/ML to your server logs, where it (again, non-invasively) analyzes HTTP and application logs to understand if attackers are trying to bypass security measures. Once the logs are provided, Shape will thoroughly analyze data points in Layer 7 traffic to identify fraudulent transactions and will report on all campaigns that are attacking specific parts of an application.

To avoid complications of compressing, securing, and manually sending log data to Shape, customers are encouraged to use the real time log streaming configuration capabilities of their Fastly deployment. This simple “flip of the switch” configuration ensures fast, error-proof log delivery and is the first step in securing against attacks at the application level.

Read How to Setup Shape Log Analysis in Fastly ›

"To avoid complications of compressing, securing, and manually sending log data, customers are encouraged to use the real time streaming configuration capabilities of their Fastly deployment."

Deploying the Shape solution alongside your Fastly CDN has the added advantage of ensuring that analysis takes place at the network edge, as close as possible to the point of origin. In this way, response times are maintained in the range of 200ms or lower—well below the threshold at which legitimate users would notice any disruption.

There are two stages to Shape deployment: observation mode and mitigation mode. In observation mode, Shape analyzes the logs of all incoming requests to an application in order to identify threats and customize a defensive resolution.

Shape Security defense graph

While analyzing logs to distinguish between malicious and legitimate login traffic, Shape also has the ability to categorize requests into attack campaigns for analysis. If an attack campaign tries to bypass Shape by somehow retooling (typically by updating software or leveraging new proxies), Shape is still able to identify the campaign based on hundreds of other signals.

Once Shape and the customer are confident that no legitimate human traffic will be impacted, mitigation mode can be activated. From that point, when it is determined in real-time that an application request is from a fraudulent source, that source is immediately blocked—all without introducing any friction to legitimate human users.


More often than not, an organization’s applications are its business. Apps are where they interact with customers, where they deliver value, and where they offer a differentiated experience to their users. And the bad guys know it; which is why there is an escalating war on web and mobile apps across every vertical in every market.

F5 and Shape have joined forces to defend all your apps from attack. We deliver a comprehensive application security portfolio, powered by a unique AI/ML engine, that has been proven to slash fraud and abuse, prevent reputational damage, and eliminate business disruptions. Customers that use the popular and widespread Fastly CDN will have a particularly easy time setting up this solution, as Fastly can be quickly configured to share all necessary server logs to empower Shape to identify and mitigate fraudulent traffic.

For more information about F5 and Shape Security, visit

Protection Against Bots and Other Automated Attacks

Shape Defense protects against the most sophisticated credential stuffing and account takeover attacks, carding, and the rest of the OWASP Automated Threats to Web Applications, including:

  • Account Takeover: Stops fraudsters from rapidly testing stolen credentials on your login applications, which means they can’t take over accounts in the first place.
  • Scraping: Control how scrapers and aggregators harvest data from your website, allowing you to protect sensitive data and manage infrastructure costs. 
  • Carding: Prevent criminals from using your checkout pages to validate stolen credit cards.
  • Gift Card Attacks: Ensure gift card value, loyalty points and other stored value remains in your customers hands.
  • Inventory Hoarding: Ensure your campaigns and most in demand items and are sold directly to your customers, not to scalpers.
  • Marketing Fraud: Ensure your business analytics and marketing spend are based on bot free data.