Implement your own protections with custom rules, managed rulesets, and Vercel BotID, all from a single firewall dashboard with live traffic insights.
DDoS Protection
Protect uptime and control infrastructure cost by filtering high-volume request floods.
Web Application Firewall
Apply custom rules to implement business logic and stop credential stuffing, malformed requests, and vulnerable routes.
Bot Protection
Catch non-browser agents, spoofed headers, and simple replay attacks.
Automatically mitigate Layer 3, DDoS, and other high-volume attacks before they reach your applications.
Use the WAF's UI or API to define custom business logic and precisely control traffic.
Mitigate the most critical risks, like OWASP Top 10, using predefined advanced rulesets.
Browser checks help ensure that only legitimate users can access your application during an attack.
Stop attacks before they reach your app and critical endpoints.
Vercel Firewall filters billions of requests per week across TCP and HTTP layers by default.
Blocks L3/L4 and L7 DDoS attacks in real time across the entire platform.
Basic or deep Kasada-powered analysis, easily configurable.
Identify and block headless browsers, scripts, and automation tools.
Optionally block known AI scrapers and model trainers with one toggle.
Challenges suspicious sessions or validates traffic invisibly with Vercel BotID.
Analyzes thousands of signals per request to distinguish users from bots without friction.
Rotates detection methods on every page load to block replay, spoofing, and automation frameworks.
Uses Kasada’s machine learning models to detect the most advanced, stealthy bots in real time.
Add invisible bot protection to any route with a lightweight server-side check.
Block automation that targets discounts, inventory, or payment flows.
Stop signup fraud, free-tier fraud, and fake email loops.
Keep AI use secure to reduce prompt costs and preserve performance.
Automatically exclude known and unknown bots from your analytics, keeping insights clean and actionable.
Stop automated tools from copying product listings, pricing, or IP.
You choose the routes. BotID only runs where you configure protected paths and components.
Yes. BotID verifies sessions invisibly. There is no user interaction.
BotID runs detection scripts inside the session. It is resistant to spoofing, replay, and inspection.
BotID is available for all teams, with Deep Analysis checks powered by Kasada available for Pro and Enterprise teams.
Yes. BotID supports per-component protection. You can apply it only where needed, like checkout, signup, or AI endpoints.
No. Detection runs asynchronously inside the client session and integrates into your existing routing logic.
No. It evaluates session validity without storing user behavior or PII.
Scoring models estimate bot likelihood using heuristics. BotID deterministically validates session authenticity. It returns a simple pass or fail, rather than an ambiguous score.
BotID works natively with all frameworks. It can be used with any frontend served with Vercel.
No. There are no bots to manage, and no IP blocks, rate limits, or thresholds to tune.
BotID includes a free Basic mode and a paid Deep Analysis mode powered by Kasada. See the docs for pricing.
Log request starting with /
Challenge user agents that look like bots
Deny traffic from Germany