Scraping

Scraping is traffic from an automated extractor rather than a human: a bot pulling your catalog, or a crawler hitting an endpoint far faster than anyone could click. It often rides legitimate accounts and valid sessions, so the request itself looks fine. What stands out is where it comes from and how fast it arrives.

Rupt scores this risk on the access and login actions.

What Rupt looks for

Anonymizing network: automated traffic tends to run from hosting and datacenter IPs, proxies, or VPNs rather than a home connection. A request from a cloud provider's address range is a classic scraper tell.
Velocity: the rate of requests from one IP or user. Humans pause, read, and click; scrapers don't.

Severity and response

The checks aggregate into a scraping risk severity. Datacenter traffic alone catches a lot of bots, but it also catches corporate VPNs and privacy-conscious users, so velocity is what separates a heavy reader from an extractor. Most teams challenge or rate-limit as these signals stack up and deny only when both are unmistakable. Your policies set the threshold.

Intelligence

Identification

Bot and AI agent detection

Rules engine

Modular challenges

By use case

Account sharing

Multi-accounting

Referral fraud

Fake accounts

Account takeover

Developer resources

Documentation

API reference

API status

Scraping

What Rupt looks for

Severity and response