Protection Policy Types

Updates (April 2026 to June 2026)
  • June 2026 — Updated the topic to add information about the Bot and Abuse Protection and AI Firewall policy types in Protection policies. For more information, see Protection policy categories.

Protection begins with policies. Policies define the rules that Traceable uses to evaluate activity, identify threats, and apply security controls across your application ecosystem. However, not all threats are the same. A web application attack, an API authorization issue, a malicious bot, and an AI-specific threat each require different detection logic and enforcement mechanisms. To address these varying security challenges, Traceable provides multiple policy types, each designed for a specific attack surface and protection objective. By combining predefined protections with customizable rules, you can implement targeted security controls that align with your security requirements, strengthen your security posture, and help protect your environment from threats, such as unauthorized access, malicious traffic, automated abuse, sensitive data exposure, and AI-related risks.

What will you learn in this topic?

By the end of this topic, you will be able to:

  • Identify the protection policy types available in Traceable.

  • Understand the purpose of each policy type.

  • Determine when to use WAF, API Protection, Bot and Abuse Protection, AI Firewall, and Custom Policies.


Understand policy types

Before you configure the different protection policies, make sure you understand the types of policies. The following points explain why to use them, when to use them, and how you can leverage them:

Why use it?

Protection policies help you secure applications, APIs, AI workloads, and web services by detecting, monitoring, and mitigating malicious activity.

When to use it?

Use protection policies when exposed applications, APIs, or AI services require protection from unauthorized access, abuse, automated attacks, data exposure, or other security threats.

How can you leverage it?

Traceable provides multiple policy categories to address different security challenges. Use WAF policies for web application threats, API Protection policies for API-specific risks, Bot and Abuse Protection policies for malicious automation, AI Firewall policies for AI-related threats, and Custom Policies for organization-specific security requirements.


Protection policy categories

Traceable divides policies into the following categories. Each category name is followed by its description:

WAF (Web Application Firewall) Policies

Pre-defined rules that protect your application from web-based security threats, offering protection against the OWASP Top 10 risks, SQL injection, cross-site scripting (XSS), malicious traffic, and so on. For more information, see WAF.

API Protection Policies

Pre-defined rules that protect your APIs from threats such as broken authorization and JWT anomalies. These policies help identify API-specific vulnerabilities and attack patterns, and enforce security controls accordingly. For more information, see API Protection.

Bot and Abuse Protection Policies

Pre-defined and custom rules that protect your APIs and web applications from malicious bots and automated abuse. These policies help detect bot-driven threats, identify abusive traffic patterns, and enforce security controls accordingly. For more information, see Bot and Abuse Protection Policies.

AI Firewall Policies (Beta)

Pre-defined and custom rules to protect your application from AI-related threats, such as input explosion and personal information in prompts. These policies help you identify AI-specific vulnerabilities and enforce security controls accordingly. For more information, see AI Firewall Policies.

Custom Policies

Allows you to define tailored security rules to protect your application against malicious sources, API abuse or overuse, data loss, and more. The Custom Policies are divided into the following categories:

  • Malicious Sources — Rules to protect your APIs from known malicious sources such as suspicious users, IPs with poor reputations, sanctioned countries, and Tor. For more information, see Malicious Sources.

  • Custom Signatures — Custom rules based on patterns that you want Traceable to use for detection and, optionally, blocking. This feature is useful if you are migrating to Traceable from a legacy WAF and have created custom rules you wish to continue using. For more information, see Custom Signatures.

  • Rate Limiting — Rules enabling you to control the incoming traffic to an API by limiting the number of requests from a user within a given period. Once the limit is reached, the rule blocks the violating users. For more information, see Rate Limiting.

  • Data Loss Prevention — Rules that let you control access patterns for sensitive data to an API within a given period. Sensitive data access is tracked based on the criteria you define for the API Endpoints. After the data access limit is reached, the rule rejects all requests from that user, thereby avoiding any exfiltration attempts of sensitive data. For more information, see Data Loss prevention (DLP).

  • Enumeration — Rules that enable you to look for specific data in request parameters, path parameters, or sensitive data being enumerated within a given period. By selecting relevant APIs, you can use this rule to prevent credential stuffing attempts and gift card fraud. After reaching the limit, the rule rejects all requests, protecting the API from enumeration-based attacks. For more information, see Enumeration.
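The Rate Limiting, Data Loss Prevention, and Enumeration rules above all count activity per user within a time window and reject requests once a limit is exceeded. The following is an added illustration of that pattern, not Traceable's own implementation: a sliding-window counter with three counting modes run over constructed sample request events. All class names, parameters, and sample data are assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed request events (not Traceable data):
# (timestamp_s, user, endpoint, param_value, touched_sensitive_data)
EVENTS = [
    (0,  "u1", "/login",   "alice", False),
    (5,  "u1", "/login",   "bob",   False),
    (10, "u1", "/login",   "carol", False),
    (12, "u1", "/login",   "alice", False),  # repeat value: counts as a request, not a new distinct value
    (15, "u1", "/login",   "dave",  False),  # 4th distinct value within 60 s
    (20, "u2", "/account", None,    True),
    (25, "u2", "/account", None,    True),
    (30, "u2", "/account", None,    True),   # 3rd sensitive-data access within 60 s
    (80, "u1", "/login",   "erin",  False),  # earlier /login events have aged out of the window
]


class WindowPolicy:
    """Per-user sliding-window rule scoped to one endpoint (hypothetical helper).

    mode is one of:
      'requests'  - count every request            (Rate Limiting)
      'sensitive' - count sensitive-data accesses   (Data Loss Prevention)
      'distinct'  - count distinct parameter values (Enumeration)
    """

    def __init__(self, endpoint, window_s, limit, mode):
        self.endpoint, self.window_s, self.limit, self.mode = endpoint, window_s, limit, mode
        self.seen = defaultdict(deque)  # user -> deque of (ts, value) still inside the window

    def evaluate(self, ts, user, endpoint, value, sensitive):
        if endpoint != self.endpoint:
            return "allow"  # the rule is not scoped to this endpoint
        q = self.seen[user]
        while q and ts - q[0][0] > self.window_s:  # evict events older than the window
            q.popleft()
        if self.mode == "requests" or (self.mode == "sensitive" and sensitive):
            q.append((ts, None))
        elif self.mode == "distinct" and value is not None:
            q.append((ts, value))
        observed = len({v for _, v in q}) if self.mode == "distinct" else len(q)
        # The request that pushes the user past the limit, and every later one in the window, is rejected
        return "block" if observed > self.limit else "allow"


def run(policy, events):
    """Evaluate events in time order; returns one allow/block decision per event."""
    return [policy.evaluate(*e) for e in sorted(events, key=lambda e: e[0])]
```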