Shape Security Review and Alternatives

Shape Security is a cloud-based system that offers bot detection for Web applications. Bots are automated processes, used by hackers to commit fraud. These processes are built to mimic humans and so are difficult to detect. There are good bots – website monitoring and testing systems use them to exercise interactive features in a site.

Shape Security was bought by F5 in 2020. F5 loads all of its products into a package called BIG-IP. This was originally produced only as a physical appliance. Although F5 is now expanding to deliver BIG-IP as a virtual appliance or a cloud service, it still ranks its network device as its main offering.

F5 has kept Shape Security as a separate product line, so you won’t be pushed to buy a BIG-IP device to run it. Instead, Shape Security offers its Bot Manager as part of the Shape Enterprise Defense package, which has a range of deployment options.

Shape Security bot management

Shape Security operates as a proxy, which assesses traffic before it gets to the protected Web server. It can protect APIs and mobile apps as well as websites.

Unlike many bot management systems, Shape Security doesn’t guard against DDoS attacks. It focuses on commercial fraud. The Shape Security system protects against:

  • Fake accounts
  • Account takeover attempts, such as credentials stuffing
  • Card fraud
  • Gift card cracking
  • Marketing fraud
  • Inventory hoarding
  • Content scraping

These services are particularly useful to eCommerce sites, that issue accounts to buyers and has a shopping cart feature. The Shape Security system attempts to identify which transactions are being performed by automated processes rather than by humans. The system also puts actions into content, to identify malicious actions, which could also be implemented by humans.

The Shape Security system works a little differently for APIs because the traffic flow goes directly to the API, which then refers to the Secure Security proxy for transaction analysis.

The Shape Security process starts with Shape Defense Engine. This package has a database of attack vectors to look for. The first action performed by this module is to check through a blacklist. This list of known transgressors is centralized among all of Shape Security’s customers, so the system doesn’t just apply to individual accounts. Shape Security has a large number of customers and the system identifies four billion bot transactions per week.

As bots tend to operate worldwide campaigns, this blacklist is very effective. It is constantly updated and so as soon as a cyber scammer begins a campaign and hits one of the sites that Shape Security protects, all of the client community is immunized.

The efficacy of the blacklist is important because you don’t want a security system to slow down the response times of your Web services. The slightest inconvenience can make a customer give up and switch to a rival’s site.

For the next phase of the Shape Security system, the service uses machine learning to define normal human movements on a site. It then looks for deviations from that standard. Activity that misses the standard pattern gets further scrutiny and that even includes the intervention of human analysts.

Remember that Shape Security pools intelligence between customers. That means that the detection effort is distributed. As bot campaigns move through the Web and apply to many sites, scrutiny only needs to be applied once to record an attack identifier. The likelihood of each protected site being a study lab for bot detection is very slight and so the blacklist will be the main protection mechanism for most customers.

Shape Security deployment options

The primary deployment option for Shape Enterprise Defense is as a SaaS package, hosted on the Shape Security server. It is also possible to get the code installed on your site as a proxy server. This is loaded onto a network appliance or installed as a virtual appliance. The service can also be accessed as an API.

F5 operates a product line called Silverline. This is a managed service that includes technicians to run the software. Essentially, this is a Security Operations Center on contract and the managed version of Shape Enterprise Defense is called Silverline Shape Defense. You can add other F5 security systems to the package.

Shape Security prices

F5 doesn’t publish a price list for the Shape Enterprise Defense system. Your options for getting to know more about the service include:

Shape Security strengths and weaknesses

Shape Security has a good track record and an impressive client list. We have identified several good and bad points about the Shape Enterprise Defense service.


  • Easy to set up and no maintenance requirements
  • Fast visitor assessments
  • Protects websites, mobile apps, and APIs
  • Managed service available
  • Uses AI for low false-positive reporting


  • Doesn’t block DDoS attacks

Alternatives to Shape Security

You certainly should consider Shape Security for your bot protection system. However, whenever you are purchasing any kind, it is always a good idea to consider several options.

What should you look for in an alternative to Shape Security? 

We reviewed the market for bot detection systems like Shape Enterprise Defense and analyzed the tools based on the following criteria:

  • A blacklist
  • Machine learning for activity baselining
  • Fast activity scanning
  • A reputable provider
  • Managed service option
  • A free trial or a demo system for a risk-free assessment
  • Value for money, represented by an innovative bot detection service at a fair price

With these selection criteria in mind, we looked for systems that can identify and block bot activity and defend against automated fraud attempts on websites, mobile apps, and APIs. We were particularly interested in systems that could go one better than Shape Security and identify DDoS traffic as well.

Here is our list of the five best alternatives to Shape Security:

  1. Cloudflare Bot Manager This cloud-based service is part of a bundle of tools for website owners that also includes a free SSL certificate, a content delivery network, and a DNS service.
  2. Reblaze Bot Management A remarkably fast bot blocker that operates as a proxy and can defend against DDoS attacks as well as Application-level fraud.
  3. DataDome A plug-in that provides bot detection with an adjustable series of 15 tests and four preset scanning routines.
  4. Imperva Web Application Firewall This bot protection system is offered as a SaaS platform but can also be hosted on-site or on a cloud account.
  5. Radware Bot Manager A plug-in bot detector that looks for DDoS traffic and automated fraud attempts.

You can read more about each of these systems in the following sections.

1. Cloudflare Bot Manager

Cloudflare dashboard

Cloudflare Bot Manager is offered as part of a package called Cloudflare Application Services. Cloudflare is particularly strong on DDoS protection and it runs its DNS service. Both of these elements in the package are essential for websites. The bundle also includes a content delivery network (CDN).

Cloudflare processes 28 million HTTP requests per second. This is a large volume of traffic and the company operates more than 200 data centers around the globe. Customers get their websites copied and hosted at several of these locations – not all of them. The service guarantees speedy delivery and constant availability.

Key Features:

  • A package of services
  • Constant availability
  • DDoS protection
  • Blacklisting
  • Fast scanning

Incoming traffic that is part of a DDoS attack can be instantly recognized by their format. As these packets have to be received to be identified, the main strategy of Cloudflare to manage DDoS attacks is to just absorb them. Malformed connection requests just don’t get passed on to the Web server.

The next task in the bot management cycle is to check through a blacklist. This weeds out bots very quickly. The large user community of Cloudflare means that the service’s blacklist is very large and constantly updated. The first two steps in the bot detection process used by Cloudflare take care of the majority of attacks.

Detailed scans look through the remaining activity that is allowed through to the protected website. The system looks for signs of content scraping, account takeover attempts, inventory hoarding, and payment and card fraud. If malicious activity is detected, that actor gets added to the blacklist. The system uses fingerprinting that combines factors about the attacker rather than its IP address. These identifiers include operating system type and version browser brand and version, and add-on profile.

As well as bot management, a CDN, and DNS management, the Cloudflare Application Service’s bundle includes a free SSL certificate and SSL management. The package is available in four plans and the first of these is Free.


  • Free version available
  • The large client list for incident sharing
  • Free SSL certificate and SSL management
  • Speedy delivery
  • Constant availability


  • Visitor scans can take a lot of time

2. Reblaze Bot Management

Reblaze Bot Management

Reblaze Bot Management is remarkable for the speed with which it processes each HTTP request – 0.5 milliseconds. This system involves a private cloud element, which is hosted on your account, and a CDN, which accelerates the delivery of websites.

One of the reasons for Reblaze’s fast processing is that it can eliminate a lot of bot traffic, such as DDoS attacks straight away. It also has a large blacklist. The remaining tests of Reblaze look at the Application Layer and identify account takeover activity, click fraud, scalping, inventory hoarding, card fraud, and content scraping.

Key Features:

  • DDoS blocker
  • High-speed scans
  • Fraud detection
  • Account takeover identification

The account dashboard allows you to adjust the scanning process through options such as whitelisting. Data in the dashboard reports on all activities. It shows the traffic that was blocked and it also details the activities of permitted visitors, which is a useful tool for marketers and Web designers.

Reblaze is available for a 30-day free trial.


  • Content delivery network
  • Blacklisting and whitelisting
  • Traffic analysis
  • Constant availability


  • Reblaze doesn’t publish a price list

3. DataDome


DataDome is an evaluation system that operates as a plug-in. This service can protect websites, mobile apps, and APIs. You need to receive traffic into your system and call in the DataDome assessment to scan each packet so it won’t block DDoS attacks.

DDoS is one of the bot activities that DataDome can detect. However, you will need to make other arrangements to prevent your Web server from being overwhelmed.

Typically, a DataDome assessment takes two milliseconds per incoming request. The tool offers a menu of 15 tests but not all of them will be implemented for every scan. You can decide which individual tests to apply or select one of four pre-set combinations that are organized to deal with specific situations.

Key Features:

  • Menu of 15 tests
  • Pre-set scan combinations
  • Fraud detection

The list of tests performed by DataDome includes a reference to a blacklist. If the source of a transaction is on that list, it can be shut down immediately, so the assessment doesn’t always need to run through all of the designated tests.

DataDome performs fraud detection and also detects scalping, inventory hoarding, account takeover, and content scraping. DataDome is available for assessment with a 30-day free trial.


  • Good for eCommerce sites with shopping carts
  • Identifies payment and card fraud attempts
  • Adjustable scanning sequences


  • Doesn’t block traffic floods

4. Imperva Web Application Firewall

Imperva WAF

Imperva Web Application Firewall includes a bot manager unit. This system can protect websites, mobile apps, and APIs. The entire firewall system is a cloud-based proxy that processes all incoming traffic before it gets to your load balancers or Web servers.

The bot manager is called Advanced Bot Protection. This system works through a list of steps, which aim to filter out the bulk of malicious traffic as quickly as possible. Sophisticated attacks might evade early detection but should be identified by more detailed and time-consuming tests, which are kept in reserve to crack the human-like activities of fraud attempts, which can be very difficult to spot.

Key Features:

  • DDoS absorption
  • Blacklisting
  • Application-level observation

This service will absorb DDoS attacks in the first phase, preventing volume attacks from reaching your system. The next major test is a blacklist reference. More detailed checks occur on all remaining traffic, which has to be passed through initially. Application-level assessments need to be implemented across packets.

Application activity tests use machine learning to define the usual movements of humans through a website or mobile app. When a visitor’s activities don’t conform to this pattern, greater focus is placed on this user. The Imperva system looks for content scraping, scalping, inventory hoarding, account takeover, click fraud, payment fraud, and card fraud.

The Imperva WAF system is implemented as Imperva Cloud WAF or on-site with Imperva WAF Gateway. It is also possible to self-host the WAF in an AWS account. Imperva offers a bundle of the WAF, a CDN, and the Advanced Bot Protection system. This package is available on a 30-day free trial.


  • Bot protection integrated with a WAF and a CDN
  • Deployment options for SaaS or self-hosted
  • Multiple layers of checks


  • Uses reCAPTCHA challenges which might annoy visitors

5. Radware Bot Manager

Radware Bot Manager

Radware Bot Manager operates as an add-on service for the Radware CDN or WAF and it can also be used individually as a plug-in for your Web server or load balancer. The system protects websites, mobile apps, and APIs. The system examines traffic patterns to spot volume attacks. It then checks a blacklist and finally, performs a detailed analysis on the remaining traffic.

Traffic filtering is implemented very quickly but the detailed Application-level checks can take time to reach conclusions. These behavior tracking checks use machine learning to record typical behavior and identify bot activity.

Key Features:

  • Add-on service or individual API-type service
  • WAF and CDN add-on options
  • Deployment options

Radware Bot Manager prevents DDoS attacks, content scraping, card fraud, click fraud, and account takeover. The system is also able to encourage bots to drop a protected system’s identity from its attack list by responding with a fake connection failure report. The Bot Manager is available for a 30-day free trial.


  • Blacklisting
  • AI-based activity anomaly detection
  • Fight back strategies


  • The API option requires you to make other arrangements to absorb traffic floods