CASE 94 · PINION · 2026
Bots stopped, humans didn’t notice.
A ticketing platform was losing high-demand event ticket releases to scalper bots. Blocking outright was too aggressive (false positives killed legitimate buyers); CAPTCHA was too rude (drop-off was measurable). AWS WAF’s Challenge action — a silent client-side cryptographic puzzle — let us stop the bots without showing a CAPTCHA to humans.
Ticketing platform
SECURITY
2026
RESULTS
What changed, by the numbers.
BOT TICKET PURCHASES
−94%
HUMAN DROP-OFF
< 0.1%
TIME-TO-PURCHASE
+180ms
CUSTOMER COMPLAINTS
−72%
HOW IT WENT
The arms race against bots had been incrementally tightening. Each new mitigation slowed the bots a bit and the humans a bit. The CAPTCHA experiment had cost roughly 8% of conversion on the affected releases — a steep tax.
The Challenge action runs a silent cryptographic puzzle in the browser. Humans never see it; their browser solves it in 180ms and the request proceeds. Headless scrapers either fail the challenge or get rate-limited to non-competitive speeds. Bot Control fed the suspicious-request scoring that decided when to challenge.
Bot ticket purchases dropped 94% on the next high-demand release. Human-visible drop-off stayed under 0.1% — the challenge added 180ms that nobody can perceive. Customer complaints dropped 72% as actual fans got tickets instead of resale-market scalpers.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.