
Buying vs. Building Bot Protection: Choose the Best Way to Protect Your Business

With more than half of internet traffic coming from bots, both good and bad, bot protection software has become a necessity for any business on the internet. Many companies ask the question: instead of paying a vendor, why not build a tool in-house or use open-source? The allure is clear; open-source is free and just has to be customized, and in-house built tools are completely under the company’s control.

But the challenges of building a bot protection solution (or customizing an open-source tool) are many: source code with gaps and vulnerabilities, more challenging development, customized requirements across different areas of business, code sustainment, and more, all of which need to be supported without interruption in perpetuity. Neither open source nor in-house built protection is free, and they may end up costing more than buying from a reputable vendor.

Still, building bot protection is not impossible—it just has to be the right choice for your business. Use this guide to help you determine the best course of action to protect your business from malicious bots and online fraud.

The Evolving Complexity of Bots

As technology and software have evolved over the years, so have bots—especially malicious bots. From the first malware (a simple web crawling bot) to bots that can effortlessly mimic human behavior to bypass protections, cybersecurity is a constant back-and-forth battle with bot developers and malicious actors. Bots can now solve CAPTCHA challenges using farms or built-in tools, change their IP addresses using proxies to avoid IP-based blocking rules, forge their fingerprints and signatures to appear like trusted commercial bots or human users, and more. Fraudsters update bots in a continuous cat-and-mouse game, and combating their sophisticated tactics is a full-time effort—especially with AI-powered tools automating bot evolution.

Considering the majority of US businesses aren’t even protected against simple bots, bot threats have been left unchecked to grow and change over the years.

Challenges of Building In-house Bot Protection

Building in-house bot protection software that can keep up with sophisticated bot attacks requires a huge amount of resources your company may not want to spend. Keeping up with bad bots involves: scalability, limited data, research, resources, maintenance, and time.

Scalability & Adaptability

Bots come in droves of thousands or even more, making millions upon millions of requests to your website. Is your in-house tool ready to handle that level of traffic on a regular basis? Can it scale as your company grows, and adapt to sales events like Black Friday that can lead to 30x higher traffic than normal?

If you build an in-house bot protection tool, ensure it is scalable and adaptable no matter the circumstances. Understand that this will put extra strain on your IT infrastructure and resources. Cloud resources (computing, networking, storage, security, etc.) are a recurring operations cost, as are SRE and Ops teams.

Limited Data

An effective bot detection model requires a lot of data to train the algorithms—data you may not have access to. When you develop an in-house bot tool, you will only have insights into the bot threats you are faced with. New threats that are attacking your competitors or other industries will be invisible until they reach you and wreak havoc.

Continuous Research

To know how to stop the latest bots, you will need to invest in research continually, looking for the newest threats and ways bots have learned to circumvent security features you might be using. This research can involve infiltrating bot developer communities along with several hours of looking into bot attacks on your own business. And then, once you’ve sufficiently researched a new threat or way bots are bypassing security, you will need to figure out how to stop it, then implement that solution into your software.

Rinse and repeat this process every day, potentially multiple times a day.

Intensive Resource Allocation

An in-house bot protection tool has intensive resource needs all dedicated to the company rather than spread out across customers: talent, time, and infrastructure. Businesses would need to hire developers and engineers to build and implement the tool, researchers to stop new attacks, and probably a few on-call personnel to respond to larger bot attacks. How many hours would be needed to get the tool running? How many to keep it going despite the continual improvement of bad bots?

Lastly, your technology infrastructure needs to be able to handle bot traffic and human traffic, as well as your tool, without adding unnecessary friction in the UX or increasing loading times. Consider where your business’ traffic is coming from as well. Do you have a steady stream of international traffic? Businesses with internet presence around the world need to invest in global infrastructure to be able to react quickly without impacting UX.

Maintenance & Regular Updates

In line with your research, you will need to continually maintain your bot protection software with regular updates and checks to ensure you’re stopping the bots you want to. Threats are always evolving, so your tool should be too.

Despite your efforts, your team can only be so large compared to the size of your company. And if your focus is on actually running your business, you won’t be able to keep up with bot evolution. Most organizations will only be able to build a very basic, low-protection solution—likely costing more money and time than paying for sophisticated protection would.

Time to Value

Consider the time to value (TTV) of a solution you build in-house. When you start considering the need for a bot protection tool, you’re already feeling pain somewhere in your business. How long will it take to build your tool from scratch? How much damage could an attacker do in the meantime?

Advantages of Buying a Bot Protection Solution

Buying a ready-made bot protection solution from a reputable vendor has more benefits than detriments—and will often save you money every month. The advantages of buying your bot detection include: expertise and specialization in the field, shared intelligence, continuous improvements without internal effort, scalability, comprehensive analytics, and cost-effectiveness.

Expertise & Specialization in Bot Detection

A bot detection software vendor is staffed by experts in that field, specializing in mitigating the kind of bots businesses are struggling with. They will have threat researchers, engineers, developers, and on-call response personnel in-house, all of whom are focused on keeping your business safe from malicious bots and online fraud.

As far as TTV goes, you can often deploy protection in hours, stopping bots before they become too painful for your business. No need to scramble to build or update your in-house tool.

Shared Intelligence

A bot detection software vendor can gather threat data from every single customer they protect, so new threats are added to the detection model for everyone immediately. This also means that the detection algorithms benefit from massive troves of training data, which results in a stronger, smarter model overall.

Continuous Improvements Without Internal R&D Overhead

Security vendors are fully aware of how quickly bots are changing and evolving, and how fast they have to move in response. When you buy a bot protection solution, you don’t have to worry about building an internal cybersecurity R&D team (and all the associated overhead costs). The vendor has this team already, and they are scouring the web for the latest threats every day, deploying continuous updates and improvements to their protection solution.

Scalability & Adaptability

Bot management vendors know that attacks tend to come in waves—hordes of scalpers during flash sales and limited-edition releases, masses of scrapers gathering data from websites, and other cyberattacks. Vendors know to ensure their solution can handle varying levels of traffic. Bot protection software vendors also often provide different tiers for customers based on the size of the company—as your business grows, so, too, can your protection. And all without putting additional strain on your internal IT infrastructure and team.

Comprehensive Analytics & Reporting

Another missing piece from a solution you build in-house is the ability to deep-dive into your traffic and the blocking decisions made by the engine. Therefore, many vendors have invested time into building out their analytics and reporting capabilities, usually in the form of a centralized dashboard, where customers can gather information about how the solution is working for them.

Cost-Effectiveness

Do you have the money and time to spend hiring more and more people to keep up with the ever-growing threat of bots and online fraud? Most companies would rather spend money elsewhere. In the long run (and many times even the short run), using a bot protection solution from a reputable vendor will save you money. The vendor takes care of the underlying architecture, security, responding to threats, and keeping up with bot development—keeping your business safe and expenses down.

Criteria to Assess Buy vs. Build

If your company has all of these characteristics or factors, then you may be in a position to build a bot protection tool yourself. If not, we recommend buying one.

Online Presence

If your business does not use a website to generate revenue, your bot risk is likely low. But if your website is expansive enough, fraudsters may be more likely to try to scrape your website, take over user accounts, etc. The larger your online presence, the more attack surfaces available to malicious actors, and the more attractive a target you are.

If your company is large enough to handle the level of bot activity associated with your online presence, you may be able to build bot protection.

Available Resources

Building and maintaining a good bot protection solution for your business takes a lot of budget, employee hours, and time. What resources are available to your business? If you have a lot of budget but not a lot of employees (or they don’t have time to dedicate to bot protection), your best option is to buy a tool. If you have the employee hours and time to spare, do you have the budget to update and maintain the infrastructure behind whatever bot protection tool they build?

Most businesses want to be able to spend their budget (and their employees’ time) on things that bring revenue back to the business—not in fighting an uphill battle with bots.

Business Model & Vulnerability to Bot Attacks

Most business models these days rely upon the internet for anything from revenue to advertising to new employees. However, a few models rely on it more heavily and are therefore more vulnerable to bot attacks:

  • E-commerce (of both products and services)
  • Advertising
  • Subscription

If your business relies on advertising, ad fraud perpetrated by bots can completely confuse your metrics without bringing in new customers. In e-commerce, most bot attacks can cause problems, from account takeovers to payment fraud to DDoS. If you sell a service based on a subscription, your business is vulnerable to DDoS, payment fraud, and account takeover.

Consider strongly how much your business relies on the internet for day-to-day operations and revenue. Most things on the internet are vulnerable to one type of bot or another. How vulnerable are you?

Future Scalability & Expansion Plans

Businesses, big and small, want to grow. If your smaller business has the time to build a bot protection tool, will it continue working if your customer base doubles? What about triples? Scalability is key, and the larger your business becomes, the more bots will be knocking on your online door. The same goes if you plan to expand your business into a different industry: can your in-house tool scale with you?

In-House Technical Expertise & Willingness to Maintain the System

Anticipating how bots are evolving and devising ways to stop them is a full-time, difficult task—a task for several people to tackle. Do you have the resources to build up in-house technical expertise to the level you’d need to keep your business safe from online threats? And if so, can you maintain and even grow that system along with the rest of your business?

Costs vs. Savings

The main question of bot mitigation is simple—how much are bots costing your business, and how much do you stand to save if they’re managed properly? Compare that to the costs of either buying or building a bot management tool, and you will have more insight on what option is best for your business.

Real-World Case Studies of Buy vs. Build

Bot Mitigation Successes with Purchased Solutions

Ladders, Inc.: Ladders, Inc. had an in-house tool that was not working as intended and was taking far too much time to update. Once they switched to DataDome, they realized that there was a huge benefit to using a purchased solution: the vendor gathers data from bot attacks happening all over the world and can apply protections to all customers proactively. Using DataDome also freed up their IT team’s time and brought a 15-20% reduction in infrastructure costs.

Kelkoo: They had an in-house fraud detection system to avoid paying for clicks generated by bots, but ad publishers would challenge their statistics because they did not come from an impartial third party. Once DataDome was in the mix, their advertising publishers accepted the statistics, leading to ad spend being completely devoted to real clicks.

Cabells: While they could have devoted the time and energy to developing something in-house, they knew it was a better use of their time to continue evaluating journals and enhancing their digital distribution system. With DataDome, they were able to protect their business from malicious bots out of the box, without devoting massive internal resources to dealing with alerts.

Pitfalls Faced by Companies Building In-House Tools

SoundCloud: They created in-house models to detect and filter out inauthentic traffic. But they still faced bot attacks, and the amount of work that needed to be done after an attack to figure out how to update the models was diverting roadmaps and valuable resources away from revenue-generating endeavors.

SNCF: They began with a WAF and a series of custom rules, but ran into technical constraints pretty quickly. Ultimately, bots were developing and changing too quickly to keep up with. They had, in the past, implemented an in-house industrial solution that ended up being too complex to monitor and maintain themselves.

Conclusion

Bots and other online threats are constantly evolving, growing more adept at bypassing traditional protections like WAFs and CAPTCHA. Your business can only be protected by a similarly specialized, evolving bot protection system—and very few companies have the extra resources to spend on an entire division devoted to bot protection.

The challenges of building—and, more importantly, maintaining—an in-house tool are many: scalability, the need for continuous research, intensive resource allocation (both time and money), and the struggle of updating the system to stop the newest bad bots as soon as they show up. Most businesses are better off spending their employees’ time and energy on revenue-generating tasks, not the endless cat-and-mouse fight against bots.

Recommendations

Regardless of whether you plan to buy or build protection, your first step will be the same:

  1. Gain a full understanding of your company’s vulnerabilities. Our BotTester tool can give you insight on the basic bots your websites might be vulnerable to.

Buying?

If you’re considering buying a solution, we know you have a big decision ahead of you.

  1. Utilize our Buyer’s Guide to dig deep into the vendors you’re reviewing, to ensure the solution you choose is the best for your business.
  2. Gather metrics before and after implementing a solution, to better gauge its effectiveness. You can use the DataDome ROI Calculator to estimate how much bots are costing your business, as well as how much your tool is costing you.
  3. Stay in the know! Regularly review the metrics and reports provided by your solution to see what bots are threatening your business.

Building?

If you’re still leaning towards building your own solution:

  1. Ensure you have a dedicated team of employees who can build and maintain your bot protection tool, as well as an SOC team to deal with big attacks, and solid threat research to locate new threats as they appear.
  2. Build your bot protection tool. Remember to focus on creating something scalable and adaptable, preferably with minimal latency added.
  3. Gather as many metrics as possible before creating your solution and after, to better gauge its effectiveness. You can also hire penetration testers to locate gaps in your protection.
  4. Stay in the know! Regularly review your metrics and adjust your protection tool accordingly. And if bots are still getting through, consider either investing more resources into your in-house tool or buying from a reputable vendor.

*** This is a Security Bloggers Network syndicated blog from DataDome authored by DataDome. Read the original post at: https://datadome.co/bot-management-protection/buy-or-build-bot-protection/