Frequently Asked Questions

WebDecoy is an AI bot detection and mitigation platform that uses invisible honeypot decoy links to detect when AI scrapers visit your website. Once detected, you can automatically block, redirect, or poison their training data.

Setup takes about 5 minutes. Create a WebDecoy account, add a decoy link to your website, or configure your own domain with a DNS record (CNAME or A record) for seamless integration. You'll start detecting bots instantly.

No. WebDecoy is designed for non-technical users. We provide step-by-step guides, and our simple dashboard makes everything point-and-click. If you need help, our support team is here.

Yes. Our Free plan includes 3 decoys, 100 detections per month, basic analytics, and community support. No credit card required. Upgrade anytime.

Absolutely. Start with our Free plan and experience WebDecoy yourself. If you want to explore paid features, we offer a 30-day money-back guarantee on all paid plans.

Bot Scanner is WebDecoy's behavioral analysis engine that detects headless browsers (Puppeteer, Playwright, Selenium), automation frameworks, and AI crawlers in real-time. Unlike honeypots that wait for bots to click links, Bot Scanner actively analyzes visitor behavior, TLS fingerprints (JA3/JA4), and interaction patterns to detect bots with 95%+ accuracy.

Bot Scanner analyzes multiple signals: mouse movement entropy (real humans have natural, unpredictable movements), interaction timing patterns, TLS fingerprints, WebGL/Canvas fingerprints, and browser API behavior. These signals are combined to create a threat score. Headless browsers and automation tools produce distinctive signatures that humans cannot replicate.

Bot Scanner detects Puppeteer (including stealth plugin), Playwright, Selenium, Nightmare, WebDriver, Phantom.js, and other headless browser frameworks. Detection accuracy is 95%+ even against sophisticated evasion techniques.

No. The false positive rate is less than 0.1%. Real browsers produce distinctive behavioral signals (natural mouse movement, proper fingerprints, expected timing) that automation cannot replicate. Verified search engines (Googlebot, Bingbot) are whitelisted and never blocked.

Add a single script tag to your page or use our npm package (@webdecoy/scanner). Installation takes less than 5 minutes. The SDK is under 10KB gzipped and loads asynchronously with less than 50ms overhead.

Bot Scanner can automatically: block IPs at the edge (Cloudflare, AWS WAF, Akamai), send webhook alerts (Slack, PagerDuty, custom endpoints), stream events to SIEM (Splunk, Elastic, Datadog), serve poisoned data, redirect to custom pages, or log for analysis. Response time is under 1 second from detection to edge blocking.

We detect 20+ AI bots including GPTBot (OpenAI), ClaudeBot (Anthropic), Perplexity, GoogleBot for Research, Bingbot, Applebot, and many others. Bot Scanner adds behavioral detection for headless browsers and automation frameworks. Our detection engine is updated weekly.

Decoy links are invisible honeypot links placed on your website. They're hidden from real users but visible to web crawlers and AI bots. When a bot visits a decoy link, we detect it and can take action.

Bring your own domain by configuring a DNS record (CNAME or A record) pointing to WebDecoy. Your honeypots blend seamlessly into your site - bots can't distinguish decoys from real content. Example: decoys.yoursite.com → webdecoy.com

Yes. You have several options: automatically block detected bot IP addresses, return HTTP 403 Forbidden, redirect to custom pages, or return intentionally bad data to poison their training. Choose what works best for you.

No. Decoy links are invisible and don't impact your site's performance. WebDecoy uses edge computing for bot detection, ensuring instant responses without slowing down your site.

Endpoint Decoys are API honeypots - fake API endpoints that detect malicious traffic. Unlike link decoys for web scrapers, Endpoint Decoys catch credential stuffing, SQL injection, API enumeration, and other backend attacks with zero false positives.

Endpoint Decoys automatically detect and categorize: SQL injection (critical), command injection (critical), XXE attacks (critical), XSS (high), path traversal (high), insecure deserialization (high), and mass assignment (medium). Each attack is logged with full forensic data.

Yes. Every WebDecoy detection automatically maps to MITRE ATT&CK tactics and techniques. For example, web crawler detection maps to Reconnaissance (TA0043), credential stuffing maps to Credential Access (TA0006), and SQL injection maps to Execution (TA0002). This enables seamless integration with SOC workflows and SIEM correlation rules.

WebDecoy detections cover multiple ATT&CK techniques including: T1595 (Active Scanning), T1594 (Search Victim-Owned Websites), T1110 (Brute Force) with sub-techniques for password spraying and credential stuffing, T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1083 (File and Directory Discovery), and more. Each detection includes technique IDs in webhook payloads.

Yes. Our REST API lets you programmatically create decoys, query detection events, manage webhooks, and configure settings. Full API documentation is available in your dashboard.

Yes. Set up webhooks to receive instant notifications when bots are detected. Send events to Slack, email, Discord, PagerDuty, or any custom HTTP endpoint.

WebDecoy works with all CDNs including Cloudflare, AWS CloudFront, and Akamai. For maximum stealth with custom domains, we support Cloudflare for SaaS for automatic SSL certificate provisioning.

Yes. Export detection logs, create custom reports, and download raw data for analysis. Professional and Business plans include scheduled email reports.

Enterprise plans include SAML 2.0 and OAuth 2.0 support for Single Sign-On integration with your identity provider. Contact sales for details.

Yes. Create Endpoint Decoys at paths like /api/admin/login, /api/users, or /graphql to catch attackers probing your API. Configure expected content types, allowed HTTP methods, and enable request body capture for forensic analysis.

Yes. Endpoint Decoy detections can be sent via webhooks to any SIEM including Splunk, Elastic, Datadog, and more. Each detection includes attack signatures, severity levels, HTTP method, headers, and optional request body for complete forensic analysis.

Yes. We don't store any personally identifiable information (PII). We only store bot detection events with IP addresses and user agents. See our Privacy Policy for complete details.

All data is encrypted in transit (TLS 1.3) and at rest. We use industry-standard security practices, regular penetration testing, and comply with SOC 2 requirements.

All webhooks are signed with HMAC-SHA256. Verify the signature using your webhook secret to ensure the request came from WebDecoy. We also support multiple retry attempts for reliability.

Yes. All data is backed up to geographically distributed servers. We maintain 99.99% uptime SLA and can quickly restore data if needed.

Yes. You can delete your account at any time, which permanently removes all your data. We also comply with GDPR data deletion requests.

We accept all major credit cards (Visa, Mastercard, American Express), bank transfers, and wire transfers for enterprise customers. Payments are processed securely through Stripe.

Yes. Upgrade or downgrade at any time. Changes take effect immediately, and we'll prorate charges or issue refunds based on your billing cycle.

Yes. Save 20% with annual billing. Enterprise customers get volume discounts and custom pricing. Contact our sales team for a quote.

30-day money-back guarantee on all paid plans. If WebDecoy isn't right for you, we'll issue a full refund. No questions asked.

Free plan: Community support. Starter: Email support. Professional: Priority email support. Business: Dedicated account manager and phone support.

First, make sure the decoy URL is accessible from the internet. Check that robots.txt isn't blocking it and that you're not blocking WebDecoy's detection crawler. Contact support if you need help.

Check that your webhook endpoint is accessible from the internet and responds with 200 OK. We retry failed webhooks 3 times. Check the webhook log in your dashboard to see delivery status.

Yes. Add decoy links in your HTML, load them dynamically with JavaScript, or use our API to manage decoys programmatically. Works great with React, Vue, Angular, etc.

Yes. You can place decoy links anywhere on your site - root, subdirectories, or specific paths. They'll work regardless of your URL structure.

Log in to your account and go to Settings → Billing. You can update payment methods, email address, and billing information anytime.