Skip to main content

Throttled.IO

Throttled.IO is a passive API abuse detection service for infrastructure and DevOps teams. It continuously analyzes your access logs, identifies scrapers and abusive bots, and maintains a ban list your WAF or firewall can pull at any time.

The setup is three steps:

Your app / load balancer / CDN

│ POST /logs (per request or batched)

[ Throttled.IO ]
│ detectors run continuously
│ ban list updated automatically

Your WAF / firewall / CDN

│ GET /banlist (poll on your schedule)

Enforcement — in your own infrastructure

Steps 1 and 3 are simple HTTP calls. Everything in between — behavioral analysis, IP enrichment, ban list management — is handled by Throttled.IO automatically.

Nothing in your request path

Throttled.IO never acts as a proxy, gateway, or middleware. Your traffic flows exactly as it does today. If Throttled.IO has downtime, your service stays up — your firewall keeps enforcing its last-fetched ban list until we're back. This is the fundamental difference from reverse-proxy WAF solutions like Cloudflare.


Passive by design

Most WAF and scraper-mitigation products sit inline — every request flows through them before reaching your origin. That makes your service's availability dependent on theirs.

Throttled.IO works the other way: you ship logs asynchronously, and you consume the ban list on your own schedule. The analysis is fully decoupled from your request path. You remain in control of what gets blocked, when, and how.


What Throttled.IO does automatically

Once logs are flowing, Throttled.IO runs continuously in the background:

  • Behavioral detection — detectors scan for scraper patterns, brute-force attempts, and round-the-clock automation across sliding time windows
  • IP enrichment — every flagged IP is resolved to its ASN, BGP prefix, country, organisation name, and abuse contact via BGP and RIR data
  • Ban list updates — confirmed abusers are added to your ban list automatically on each report cycle; your enforcement layer picks them up on the next poll
  • Recommendations — cloud/hosting IPs get ASN-ban suggestions; residential IPs get abuse-report templates with contacts pre-filled

Customization

The three-step loop works out of the box. When you need more control, it's all available:

Custom detector rules

Define your own abuse patterns — endpoint regex, request thresholds, and time windows — tailored to your specific traffic. Or use the suggested rules feature: Throttled.IO analyses your actual traffic baseline and proposes detector thresholds calibrated to what's genuinely unusual for your service.

Allowlists

Exclude addresses that should never be flagged — internal networks, CI systems, search engine crawlers, social media bots, or any IP, subnet, ASN, or country. The same mechanism handles trusted-source exclusions and false-positive overrides.

Traffic dashboard and impact simulation

Before acting on any report, overlay it onto your RPS chart and inspect IP/path/ASN breakdowns filtered to the flagged subset. See exactly what you'd be blocking — and what share of legitimate traffic it represents — before you enforce.

Automated enforcement

Once you trust a detector's accuracy, enable automated bans for it. Flagged addresses are added to the ban list the moment the report runs, with no manual step required.


Core capabilities

FeatureDescription
Passive log ingestionReads existing logs — no inline proxy, no request-path risk
Batch and real-time ingestShip events individually or in batches; replay historical logs to backfill
Abuse detectionIdentifies scrapers, brute-force attempts, and persistent bots
Suggested detector rulesAnalyses your traffic baseline and proposes detector thresholds tuned to your actual access patterns
Multi-service supportSeparate detectors and ban lists per hostname or service, matched by regex
IP / ASN enrichmentResolves any IP to ASN, prefix, country, org name, and abuse contact
Traffic dashboardInspect RPS, path counts, IP breakdowns, and report overlays before acting
Managed blocklistMaintains ban lists for IPs, subnets, and ASNs with full history
Allowlist managementExclude IPs, subnets, ASNs, or entire countries from detection and enforcement
Recommendation engineSuggests the right action based on traffic origin type
Automated bansOptionally auto-add flagged IPs to the ban list per detector — no manual step needed
Abuse report generationProduces ready-to-send reports for residential and ISP abuse
AlertsNotifies your team via Slack or email when a new report is generated
Team managementInvite team members with admin, billing, or viewer roles
WAF / CDN exportOutputs blocking rules in JSON or iptables format for your enforcement layer