Detect bots and AI agents. You decide who's allowed.

Not every bot is bad. Many AI agents do authorized work for your customers. Rupt identifies every automated request — its framework, intent, and risk — so you can allow, challenge, or block on your own terms.

Identify every bot. You decide what to do.

Some bots help your business — search crawlers, monitoring tools, partner integrations, customer AI agents doing authorized work. Others don't — credential stuffers, scrapers, click farms.

Rupt names every category and surfaces what's behind the request. You set the policy per type, per endpoint, per scenario.

Set a policy per bot type

  • AI agents New

    LLM-driven agents — Computer Use, Browser Use, autonomous shopping and research bots. Sometimes invited.

  • Scrapers & crawlers

    Headless browsers harvesting content, prices, or data. Search engines and monitoring belong here too.

  • Credential stuffers

    Bots cycling stolen credentials against your login. Always unwanted.

  • Click farms

    Automation gaming engagement or burning ad budget.

  • Fake-account bots

    Automated signup flows for trial abuse and fraud.

  • SMS pumpers

    Bots triggering OTP to siphon SMS budget.

  • Engagement bots

    Fake views, votes, and reviews distorting metrics.

AI agents — invited or not.

Customers running Computer Use to shop in your store, autonomous research agents you partnered with, internal automation, or unauthorized scrapers wearing an LLM as a disguise.

Rupt fingerprints the framework — Computer Use, Browser Use, Browserbase, AgentQL, Selenium, Puppeteer, Playwright — and surfaces behavioral signals so you can tell which agents to welcome and which to block.

Read about AI agent traffic patterns
Request req_8d7c6b5a Identified: AI agent
FrameworkBrowser Use · v0.4Headless markersdetectedMouse events0 over sessionIdle time0 ms between actionsAPI patternautomatedIP classdatacenterConfidence97%
Your policy challenge applied in 42ms

Four signal types. One classification.

Bots and AI agents can spoof one or two signals. They rarely spoof all four — that's where Rupt classifies them.

Device, behavior, network, and coherence — composed into a single identification with a confidence score. Your rules turn that into a verdict.

Browse the full signal catalog

  • Device & browser

    Headless markers, automation framework detection (Selenium, Puppeteer, Playwright, Browserbase), and proprietary fingerprint drift.

  • Velocity & timing

    Inhuman action rates, perfectly-spaced events, no idle time, and timing patterns no real user produces.

  • Network & origin

    Datacenter IPs, residential proxies, VPN traffic, and ASN reputation — layered with device history.

  • Behavioral coherence

    Mouse movement, scroll cadence, focus events, and interaction patterns flagged when bots fake them.

Allow, challenge, or block — your call.

Wrap any sensitive action with rupt.evaluate(). You get an identification (bot type, AI agent framework, confidence) plus a verdict from your own policy — allow, challenge, or block — in under 50ms.

The same agent can be allowed on one endpoint and blocked on another. Same intelligence, your rules.

Read the quickstart
1import Rupt from "rupt";
2
3const rupt = new Rupt(
4  "your_client_id"
5);
6
7awaitrupt.
8
9
evaluate
attach
challenge
verify
detach
NORMALrupt-demo.ts100% ≡ 9/9 ln : 7
$ node server.js && rupt listen
> Ready! Waiting for requests...

How do you want to work with Rupt?

Choose how you want to work with us. Try Rupt now or contact sales to get started.

Contact sales Try Rupt now