Throttled.IO
Throttled.IO is a passive API abuse detection service for infrastructure and DevOps teams. It continuously analyzes your access logs, identifies scrapers and abusive bots, and maintains a ban list your WAF or firewall can pull at any time.
The setup is three steps:
Your app / load balancer / CDN
│
│ POST /logs (per request or batched)
▼
[ Throttled.IO ]
│ detectors run continuously
│ ban list updated automatically
▼
Your WAF / firewall / CDN
│
│ GET /banlist (poll on your schedule)
▼
Enforcement — in your own infrastructure
Steps 1 and 3 are simple HTTP calls. Everything in between — behavioral analysis, IP enrichment, ban list management — is handled by Throttled.IO automatically.
Throttled.IO never acts as a proxy, gateway, or middleware. Your traffic flows exactly as it does today. If Throttled.IO has downtime, your service stays up — your firewall keeps enforcing its last-fetched ban list until we're back. This is the fundamental difference from reverse-proxy WAF solutions like Cloudflare.
Passive by design
Most WAF and scraper-mitigation products sit inline — every request flows through them before reaching your origin. That makes your service's availability dependent on theirs.
Throttled.IO works the other way: you ship logs asynchronously, and you consume the ban list on your own schedule. The analysis is fully decoupled from your request path. You remain in control of what gets blocked, when, and how.
What Throttled.IO does automatically
Once logs are flowing, Throttled.IO runs continuously in the background:
- Behavioral detection — detectors scan for scraper patterns, brute-force attempts, and round-the-clock automation across sliding time windows
- IP enrichment — every flagged IP is resolved to its ASN, BGP prefix, country, organisation name, and abuse contact via BGP and RIR data
- Ban list updates — confirmed abusers are added to your ban list automatically on each report cycle; your enforcement layer picks them up on the next poll
- Recommendations — cloud/hosting IPs get ASN-ban suggestions; residential IPs get abuse-report templates with contacts pre-filled
Customization
The three-step loop works out of the box. When you need more control, it's all available:
Custom detector rules
Define your own abuse patterns — endpoint regex, request thresholds, and time windows — tailored to your specific traffic. Or use the suggested rules feature: Throttled.IO analyses your actual traffic baseline and proposes detector thresholds calibrated to what's genuinely unusual for your service.
Allowlists
Exclude addresses that should never be flagged — internal networks, CI systems, search engine crawlers, social media bots, or any IP, subnet, ASN, or country. The same mechanism handles trusted-source exclusions and false-positive overrides.
Traffic dashboard and impact simulation
Before acting on any report, overlay it onto your RPS chart and inspect IP/path/ASN breakdowns filtered to the flagged subset. See exactly what you'd be blocking — and what share of legitimate traffic it represents — before you enforce.
Automated enforcement
Once you trust a detector's accuracy, enable automated bans for it. Flagged addresses are added to the ban list the moment the report runs, with no manual step required.
Core capabilities
| Feature | Description |
|---|---|
| Passive log ingestion | Reads existing logs — no inline proxy, no request-path risk |
| Batch and real-time ingest | Ship events individually or in batches; replay historical logs to backfill |
| Abuse detection | Identifies scrapers, brute-force attempts, and persistent bots |
| Suggested detector rules | Analyses your traffic baseline and proposes detector thresholds tuned to your actual access patterns |
| Multi-service support | Separate detectors and ban lists per hostname or service, matched by regex |
| IP / ASN enrichment | Resolves any IP to ASN, prefix, country, org name, and abuse contact |
| Traffic dashboard | Inspect RPS, path counts, IP breakdowns, and report overlays before acting |
| Managed blocklist | Maintains ban lists for IPs, subnets, and ASNs with full history |
| Allowlist management | Exclude IPs, subnets, ASNs, or entire countries from detection and enforcement |
| Recommendation engine | Suggests the right action based on traffic origin type |
| Automated bans | Optionally auto-add flagged IPs to the ban list per detector — no manual step needed |
| Abuse report generation | Produces ready-to-send reports for residential and ISP abuse |
| Alerts | Notifies your team via Slack or email when a new report is generated |
| Team management | Invite team members with admin, billing, or viewer roles |
| WAF / CDN export | Outputs blocking rules in JSON or iptables format for your enforcement layer |