The Bot Actors page helps you identify automated entities interacting with your APIs. These entities represent bots engaged in API abuse, enumeration, or other activities. Traceable analyzes traffic patterns and groups suspicious activity into bot actors.
What will you learn in this topic?
By the end of this topic, you will be able to:
Understand how Traceable detects and classifies bot actors.
Use insights on the Bot Actors page to analyze activity.
Investigate a bot actor in detail.
Interpret activity patterns and behavior.
Assess the impact of automated traffic across your APIs.
Understand bot actors
The Bot Actors page provides visibility into the activity patterns, targets, and potential risks of bot actors. Each actor represents a source of automation, typically identified using a combination of IP address and user agent. You identify and investigate the sources generating automated traffic across your APIs. You understand where bot activity originates, how it behaves, and which APIs it targets, helping you detect and respond to bot threats before they impact you. The following table outlines when and why to use bot actors, and how to effectively leverage them for source-level investigation.
| Why use it? | When to use? | How can you leverage it? |
|---|---|---|
| Understand the sources of automated activity, including their tactics, targets, and patterns. Identify repeated, coordinated, or high-volume attacks, and uncover the scope of bot actors affecting your APIs. | When investigating who is driving automated attacks, analyzing patterns across multiple actors, validating coordinated or distributed attacks, or tracking persistent and burst activity. | Create Bot Protection rules to detect and surface bot actors. Filter actors by threat type, severity, or time range to focus on what matters. Group actors to reveal patterns and common attack paths. Use these insights to assess impact, prioritize high-risk actors, and take precise, informed action. |
Navigate the bot actor workflow
On the Bot Actors page, you see a consolidated list of detected actors along with key attributes, such as threat type, targeted APIs, and severity. The following is a list of metrics that are visible on the Bot Actors dashboard:

Bot Actor Dashboard
Actor — It represents the source of activity using attributes, such as IP address and user agent.
Actor Type — It represents how the actor is identified or classified based on detection logic.
Threat Type — It represents the type of behavior detected, such as scraping or credential abuse.
Targets — It represents the APIs or endpoints the actor interacts with.
Labels — It provides additional contextual tags that help enrich and categorize the actor's activity.
Severity — It represents the risk level associated with the actor to help prioritize investigation.
Events Count — It represents the total number of events generated by the actor, reflecting activity volume.
Accounts Count — It represents the number of accounts impacted by the actor, reflecting downstream impact.
First Detected — It represents when the activity was first detected.
Last Detected — It represents when the activity was last detected.
Filtering and grouping
You can filter and group different bot actors for better analysis. This helps you understand the impact, prioritize response, and uncover how the bot actor affects you. This view helps you quickly identify high-risk actors and prioritize investigation. You can refine your analysis using the following options:

Select the environment you require from the Environment drop-down.
Choose a specific period to analyze threats using the Time filter.
Organize accounts by threat type or target using the Group By option.
Filter and sort based on investigation needs.
Export data for further analysis.
You can then drill down into any actor for detailed investigation. For deeper analysis, you access event-level evidence associated with the actor. This includes request and response data, actor attributes, timestamps, and behavioral signals, allowing you to understand how the automation operates and what it targets.
Drill down into a specific actor
After you identify an actor, you open it to analyze behavior at a granular level. This view helps you understand how the actor operates and the extent of its impact. The actor detail view highlights attributes such as targeted APIs, associated accounts, severity, and behavioral indicators. It also provides contextual insights into how the activity is detected and why it is considered suspicious. The following metrics provide insights about a specific actor:
Total Events — Total number of bot events generated by the actor.
Total Devices — Number of devices linked to the actor.
Total IPs — Total number of IP addresses detected.
Active Duration — Time span over which the actor remains active, calculated as the difference between the first and last detected times.
The detailed view provides a deeper, granular understanding of bot actor behavior, activity patterns, and relationships across accounts and APIs. The following tabs highlight the metrics to analyze bot actor behavior, activity patterns, and account relationships:
The Activity tab highlights attributes, such as targeted APIs, associated accounts, severity, and behavioral indicators. It also provides contextual insights into how the activity is detected and why it is considered suspicious. You select an actor from the list to access detailed information, including identity attributes, activity patterns, and time-based behavior.
The following key activity metrics provide insights into actor behavior:
Endpoint — APIs targeted by the actor help you identify focus areas and sensitive flows.
Events — Total number of events generated indicates activity volume and intensity.
Accounts — The number of impacted accounts shows how broadly the activity affects entities.
Last Seen — The most recent activity timestamp helps you determine whether the activity is ongoing.
AI Summary — Generated summary of observed behavior provides a quick interpretation of patterns and potential intent.

Bot Actor Detailed View Activity Tab
You use these metrics together to determine whether the actor exhibits burst activity, persistent automation, or targeted behavior.
The Radar tab helps you identify the primary source account from where the bot attack started. It shows you the sequential network of connected accounts involved in the attack. You can filter accounts by account type, threat type, and target using the filter icon. The following screenshot shows the flow of the detected accounts:
Bot Actor Detailed View Radar Tab
The following table displays the components of the flowchart at each level:
| Primary Account | Connected Accounts | Activity |
|---|---|---|
| User ID — Unique identifier of the primary account. Active Duration — Total time the account is active. It is the difference between the last and first detected times. Devices Used — Devices associated with the account. Total Events — Total number of recorded events. | User ID — Identifiers of linked or related accounts. | Activities — Activities associated with the threat that violate bot policies. |
This helps you analyze the connected accounts and track any suspicious activity across them.
How to detect and classify bot actors
Traceable builds a behavioral baseline by continuously learning from normal API traffic. When traffic deviates from this baseline, it evaluates multiple signals that indicate automation rather than legitimate behavior.
Detection signals
Instead of relying on a single indicator, Traceable correlates multiple behavioral signals to identify bot activity. These include:
Sudden bursts of API requests within a short time window.
Attempts to impersonate browsers or legitimate clients.
Unusual or inconsistent user agent patterns.
Targeting of sensitive or high-value endpoints.
Repeated requests originating from the same source.
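The following added example (not Traceable's detection logic or code) shows the idea of correlating several signals per actor rather than trusting one. It groups constructed request records into actors keyed by IP address and user agent and checks four of the signals listed above. The thresholds, endpoint names, and function names are assumptions, and browser impersonation is left out because it needs header or TLS data that the sample records do not carry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"/login", "/checkout"}                  # assumed sensitive endpoints
BURST_WINDOW, BURST_MIN = timedelta(seconds=10), 5   # assumed thresholds
REPEAT_MIN, UA_MAX = 5, 2

def make_events():  # constructed sample traffic: (time, ip, user_agent, endpoint)
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = [(t0 + timedelta(seconds=i), "203.0.113.7", "python-requests/2.31", "/login")
          for i in range(8)]                         # scripted burst on /login
    ev += [(t0 + timedelta(minutes=5 * i), "198.51.100.4", "Mozilla/5.0 (X11)", p)
           for i, p in enumerate(["/home", "/products", "/cart", "/checkout"])]
    ev += [(t0 + timedelta(minutes=i), "192.0.2.9", f"Mozilla/5.0 (build {i})", "/products")
           for i in range(3)]                        # one IP rotating user agents
    return ev

def max_in_window(times, window):
    """Largest number of requests that fall inside any sliding window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def score_actors(events):
    """Group events by (ip, user_agent) and return the signals each actor trips."""
    by_actor, uas_per_ip = defaultdict(list), defaultdict(set)
    for ts, ip, ua, path in events:
        by_actor[(ip, ua)].append((ts, path))
        uas_per_ip[ip].add(ua)
    report = {}
    for (ip, ua), reqs in by_actor.items():
        paths, signals = [p for _, p in reqs], set()
        if max_in_window([t for t, _ in reqs], BURST_WINDOW) >= BURST_MIN:
            signals.add("burst")
        if max(paths.count(p) for p in set(paths)) >= REPEAT_MIN:
            signals.add("repeated_requests")
        if len(uas_per_ip[ip]) > UA_MAX:
            signals.add("inconsistent_user_agent")
        if all(p in SENSITIVE for p in paths):
            signals.add("sensitive_target")
        report[(ip, ua)] = signals
    return report

def correlated(report, min_signals=2):  # actors tripping several signals at once
    return sorted(a for a, s in report.items() if len(s) >= min_signals)
```

On the constructed data, only the scripted client that hammers `/login` trips more than one signal; the normal browsing session trips none, and the rotating user agents trip a single signal that would warrant monitoring rather than action.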
Investigate a bot actor
Investigate a bot actor by analyzing how it interacts with your APIs and user accounts. Focus on observable behavior and use that evidence to guide your decisions. Start by reviewing the actor’s request patterns. You check request volume, frequency, and timing to understand how the actor operates. You identify the API endpoints it targets and look for repetition, bursts, or scripted sequences. You pay close attention to authentication endpoints, error responses, and retry behavior, as these often reveal automated activity.
Next, examine the scope of activity. You determine whether the actor targets a single user account or multiple user accounts. You look for signs of coordinated access, such as repeated request patterns across different accounts or APIs. Then, evaluate the behavior against expected application usage. You classify the activity as benign if it matches normal user behavior. You treat it as suspicious if it deviates from expected patterns or targets sensitive APIs. You identify it as malicious if it shows clear automation, abuse patterns, or sustained high-volume requests. If you cannot confidently determine intent, continue to monitor the actor over time. You can use additional data to validate patterns before taking restrictive action.
Sample scenarios
The following section explains sample scenarios in which bot protection policies, actors, and accounts work together to prevent and manage bot attacks:
Example 1 — Detecting and mitigating account enumeration
You observe repeated requests to your user verification endpoints and navigate to the Bot Actors page. One actor is making frequent attempts using different email addresses to check which accounts exist. The activity is systematic, with no legitimate variation in behavior, and impacts multiple accounts. Based on these signals, you classify the actor as performing account enumeration. You apply mitigations, such as implementing rate limits, introducing response obfuscation, and triggering alerts for suspicious patterns.
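The rate limit, response obfuscation, and alert mitigations named in this scenario, as an added Python example that is not part of the Traceable product or its documentation. The `VerifyEndpoint` class, the limit of 3 lookups per 60 seconds, and the account store are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

REGISTERED = {"alice@example.com"}   # constructed account store
LIMIT, WINDOW = 3, 60.0              # assumed: 3 lookups per source per 60 seconds

class VerifyEndpoint:
    """Hypothetical account-verification handler with enumeration mitigations."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)   # source -> timestamps of recent lookups
        self.outbox = []                 # verification mails queued out of band
        self.alerts = []                 # (source, reason) for the security team

    def _rate_limited(self, source):
        now, recent = self.clock(), self.hits[source]
        while recent and now - recent[0] >= WINDOW:
            recent.popleft()             # drop lookups older than the window
        if len(recent) >= LIMIT:
            return True
        recent.append(now)
        return False

    def handle(self, source, email):
        if self._rate_limited(source):
            self.alerts.append((source, "verification rate limit exceeded"))
            return 429, "Too many requests."
        if email in REGISTERED:
            self.outbox.append(email)    # the only difference is invisible to the caller
        # Response obfuscation: same status and body whether or not the account exists.
        return 200, "If this address is registered, a verification email has been sent."
```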
Example 2 — Prevent automated API abuse
Traffic analysis reveals excessive requests to your pricing and checkout endpoints. On the Bot Actors page, a specific actor stands out with high-frequency requests exceeding normal usage patterns. The requests follow a uniform cadence, often targeting sensitive operations, such as creating orders or fetching pricing data, indicating automated misuse rather than legitimate activity. You classify the actor as engaging in API abuse and enforce controls, such as request throttling, authentication checks, and anomaly alerts. Post-mitigation monitoring confirms that abuse has been mitigated and that the API remains secure.
Example 3 — Identify credential-stuffing attacks
You notice a spike in login attempts across multiple user accounts. A single actor is submitting numerous login requests targeting authentication endpoints, often in bursts from different IP addresses. The requests show repeated use of common credentials with no variation, indicating automated credential stuffing. You classify the actor accordingly and implement protective measures such as account lockouts, rate limiting, and enforcement of multi-factor authentication.