The challenge

These bots can scrape data, create abusive application load or participate in layer-seven denial-of-service attacks. A familiar user-agent string is not enough to establish that a request came from a person.

Request analysis

I configured a WAF to combine several signals: request rate, navigation order, repeated actions, source reputation and inconsistencies between claimed browser identity and observed behavior. Each signal was weak on its own, so decisions relied on combinations rather than a single header.

Progressive response

Clearly abusive requests were blocked. Ambiguous sessions could be slowed, challenged or asked to complete a CAPTCHA. This reduced the chance of excluding legitimate visitors during traffic spikes while still raising the cost of automation.
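To make the signal combination and the tiered response concrete, here is an added Python example; it is not the WAF configuration from the original, which is not shown. The checkout funnel, the reputation list, the weights and thresholds, and the three sample sessions are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Request:
    ts: float                  # seconds since session start
    path: str
    ua: str                    # claimed User-Agent
    has_accept_language: bool  # real browsers always send Accept-Language

# Hypothetical funnel order and constructed reputation list (not from the original).
FUNNEL = ["/", "/product", "/cart", "/checkout"]
BAD_ASNS = {"AS64496"}

def score_session(reqs, asn):
    """Return (total, per-signal scores). Each signal is capped at 1.0 so that
    no single header or metric can push a session over the block threshold."""
    s = {}
    span = max(reqs[-1].ts - reqs[0].ts, 1.0)           # avoid division by ~0
    s["rate"] = min(len(reqs) / span / 5.0, 1.0)        # 5 rps or more saturates
    seen = [r.path for r in reqs if r.path in FUNNEL]
    skips = sum(FUNNEL.index(b) - FUNNEL.index(a) > 1 for a, b in zip(seen, seen[1:]))
    s["navigation"] = min(skips / 2.0, 1.0)             # jumping over funnel steps
    top = Counter(r.path for r in reqs).most_common(1)[0][1]
    s["repeat"] = 1.0 if len(reqs) >= 10 and top / len(reqs) > 0.8 else 0.0
    s["reputation"] = 1.0 if asn in BAD_ASNS else 0.0
    claims_browser = any(k in reqs[0].ua for k in ("Mozilla", "Chrome", "Safari"))
    s["mismatch"] = 1.0 if claims_browser and not all(r.has_accept_language for r in reqs) else 0.0
    return sum(s.values()), s

def decide(score):
    """Progressive response: only combinations of signals reach the harsher tiers."""
    if score >= 3.0:
        return "block"
    if score >= 2.0:
        return "captcha"
    if score >= 1.0:
        return "throttle"
    return "allow"

def triage(reqs, asn):
    total, _ = score_session(reqs, asn)
    return decide(total)

UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
# Constructed sessions, not real traffic: a shopper, a fast headless client, a scraper.
HUMAN = [Request(t, p, UA, True) for t, p in zip([0, 8, 20, 35], FUNNEL)]
HEADLESS = [Request(t, p, UA, False) for t, p in zip([0, .2, .4, .6, .8, 1.0], FUNNEL + ["/", "/product"])]
SCRAPER = [Request(i * 0.2, "/product", UA, False) for i in range(12)]

if __name__ == "__main__":
    for name, reqs, asn in [("human", HUMAN, "AS64500"), ("headless", HEADLESS, "AS64500"), ("scraper", SCRAPER, "AS64496")]:
        print(name, triage(reqs, asn), score_session(reqs, asn)[1])
```

Because every signal is capped, a single saturated signal (a burst of requests from a legitimate user, say) can only reach the throttle tier, which is what keeps the false-positive cost of any one weak indicator bounded.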

Result

The WAF became one layer in the application-security path, not a claim of perfect bot detection. The practical value came from combining network and behavioral evidence, measuring false positives and adjusting thresholds from real traffic.