4 Steps to a Successful Flash Sales Event: Behind the Scenes of a Bot Security Operations Center [2022 Update]

A must read as you gear up for Black Friday and holiday sales.

On a normal business day, DataDome’s bot protection solution detects and blocks a new bad bot targeting our customers’ websites and mobile apps every millisecond. But during flash sales events, such as Black Friday, Cyber Monday, and popular sneaker launches, e-commerce platforms typically face at least five times—sometimes up to 30 times—more bot attacks than on normal days. 

That’s how attractive flash sales are for bad bot operators. If scalpers can manage to snap up a majority of inventory to resell for a profit, their potential ROI justifies their investments in time and money. The best approach for retailers is to plan ahead. To help, check out the four essential steps our bot security operations center (SOC) team completes to support successful sales events for our customers:

1. Pre-Event Preparation
2. Event Mode Activation
3. Real-Time Event Monitoring & Fine-Tuning
4. Post-Event Review

During flash sales, not only does the volume of automated traffic increase, but the most motivated attackers send in the most technically sophisticated bots on the market. On Black Friday, a bot protection system that may be “good enough” at normal times will not offer adequate protection against bot-related performance issues and scalping.

An adequate protection solution requires advanced machine learning to detect and block bad bots. During special events, DataDome’s out-of-the-box special protection modes optimize the detection granularity and response strategy based on context to handle malicious bot traffic on autopilot.

Also, when the stakes are particularly high, our human security operations center (SOC) team is there to monitor customer traffic and adjust to threats as needed. But how exactly does DataDome’s bot SOC team manage flash sales events, and how can you ensure your next sales event is a success? Keep reading to find out.

1. Pre-Event Preparation

You’re probably familiar with the maxim of the “five P’s”: proper preparation prevents poor performance. Bot protection during flash sales or major product launches is no exception! Data shows that 71% of bot attacks specifically target high-profile sales events. 

The DataDome bot SOC team prepares for major sales events in close collaboration with our customers. 48 hours prior to the event, the customer provides key parameters such as:

• The date and time of the flash sales event.
• Applicable products, SKUs, and associated URLs.
• Main business drivers and KPIs (limited-edition products, available inventory, expected market interest, etc.).
• Any additional security measures they are implementing.

When all the important details have been established, our SOC team gets ready for the event in two main ways.

Monitoring: The SOC team starts monitoring for bots that might be preparing for the event. For example, are bot operators ramping up their own monitoring activity, or trying to make purchases ahead of the launch? Is there an increase in account takeover (ATO) attacks?

Configuration: The SOC team also ensures event-specific machine learning (ML) models are used for bot detection during the flash sales period. Typically, flash sales ML models challenge visitors more aggressively than normal models. For example: 

• Signals like browser fingerprints or bad IPs may trigger more aggressive decisions than usual.
• Since any scalping bot worth its salt can solve a CAPTCHA, signals that would normally trigger a CAPTCHA response may be immediately hard-blocked instead.
• Since scalping bot operators are willing to invest in residential proxies, the related r signals may be given less weight than normal in the detection decision.

Our customers often also ask us to adapt our responses to specific factors or limitations during an event. For example, before the launch of the PS5, one customer informed us that their site could not support more than a given number of requests per minute. Therefore,  we had to monitor that particular KPI, intervene manually if needed, and keep the customer constantly informed.

2. Event Mode Activation

During major sales events bot operators pull out all the stops, using the best technologies and tactics available. They invest in vast numbers of extremely distributed residential IPs, forge their headers, make sure their user agents are updated, and use CAPTCHA farms (or solve CAPTCHAs themselves) to bypass their targets’ security systems.

This CyberAIO bot user is solving CAPTCHAs to buy Air Jordan 5 Fire Red sneakers during a launch, aka sneaker drop.

Shortly before the event kicks off, the SOC team activates the more aggressive models and prepares for ad hoc responses, entering “release mode”. 

The purpose is twofold:

• Prevent automated purchasing to give human buyers a fair chance to obtain the products they want.
• Make sure the website isn’t overwhelmed by bot-driven traffic peaks.

3. Real-Time Event Monitoring & Fine-Tuning

It’s showtime! 

During major sales events and launches, every decision can have a major impact on the business of DataDome’s customers. We need to protect customer websites from aggressive purchasing bots, but we also need to avoid blocking legitimate human buyers. That’s why we complement our AI engine with human cybersecurity analysts who understand business challenges and what a particular blocking decision might entail. 

Sophisticated bots react in real time to the security measures they’re facing, so during an event, our SOC team proactively monitors and mitigates traffic via various dashboards and pre-configured alerts. They activate and strengthen our models gradually, and constantly monitor parameters such as:

• Total Traffic
• Alerts (about bypasses, unexplained traffic peaks that require manual intervention, etc.)
• Fake Good Bots
• False Positives 
• Suspicious Activity (on other endpoints, such as APIs or staging sites)

The SOC team uses in-depth knowledge of the customer’s normal traffic, monitors everything that could potentially go wrong during the event, and constantly adjusts the detection models accordingly. 

They also keep an open communication channel with the customer (typically on Slack), and intervene manually if needed. When in doubt, a human always gets the final word.

4. Post-Event Review

After every flash sales event, our SOC and threat research teams review everything that happened during the event—good and bad—and what we can learn from it.

With the customer, we review their main KPIs and identify successes and areas for improvement. 

Internally, we also review lessons learned and create an action plan to make the next event even better.

Are you ready for your next flash sales event?

Unmitigated bot traffic can cause serious harm to your e-commerce business all year round, but even more so during special events. “Good enough” bot protection under normal circumstances is usually no match for the most motivated bot operators.

To explore how DataDome’s bot detection algorithm and human SOC team can help make your next sales event a success, schedule a demo today.

This blog post is a summary of a webinar about bot mitigation during flash sales with DataDome’s Head of Research & SOC Team Manager Antoine Vastel and Bot Protection Success Specialist Jarrod Hartwig.
Watch the full recording here.