Bot Detection Limits
Kedra Shield’s bot detection catches the majority of automated threats, but no detection system is 100% accurate. This page explains what can and cannot be detected, and why.
What Gets Detected
Kedra Shield uses a two-layer detection approach:
Layer 1: Cloudflare Bot Scoring
Cloudflare analyzes every request at the network edge and assigns a bot score based on behavioral signals. This handles the majority of traffic without additional API calls:
- Visitors with a bot score of 75+ and low threat are classified as definitely human and allowed through.
- Visitors with a bot score of 50-74 are classified as likely human and allowed through.
- Visitors with a bot score of 15-49 fall into the uncertain range and are passed to Layer 2 for deeper analysis.
- Visitors with a bot score under 15 are classified as likely bots and blocked immediately.
Layer 2: ProxyCheck.io
For uncertain traffic, the app queries ProxyCheck.io to get detailed analysis:
- VPN and proxy detection — Identifies commercial VPN providers, proxy servers, and Tor exit nodes.
- Hosting provider detection — Identifies traffic from cloud hosting services.
- Scraper detection — Identifies known scraping tools and services.
- Compromised server detection — Identifies IPs from botnets.
- Risk scoring — Assigns a score (0-100) and confidence rating.
- Attack history — Flags IPs with previous attack records.
What May Not Be Detected
Residential proxies
Some advanced bots use residential proxy networks — real home internet connections rented out for proxy traffic. These are harder to detect because they appear as normal residential visitors.
New or unknown VPN providers
ProxyCheck.io maintains a database of known VPN providers. Very new or obscure VPN services may not yet be in the database.
Sophisticated bots that mimic human behavior
Advanced bots that simulate realistic browsing patterns (page views, mouse movements, time on page) may score as low risk and pass through detection.
Bots that complete actions within the 3-second window
Kedra Shield intercepts cart and checkout requests and holds them until the security check completes. A 3-second timeout ensures legitimate customers are never locked out. Bots that trigger cart events within this window may succeed before being blocked.
Server-side scrapers
Scrapers that fetch raw HTML from your store without executing JavaScript bypass all client-side protections (content protection, DevTools blocking, etc.). However, they are still subject to bot detection at the network level based on their IP and provider signals.
What Affects Detection Accuracy
Protection level
- Regular mode — Higher thresholds, fewer false positives, but some borderline threats may pass.
- Strict mode — Lower thresholds, catches more threats, but may affect legitimate users on shared networks or mobile carriers.
Detection confidence
The app adjusts blocking thresholds based on how confident the detection service is in its assessment. Low-confidence detections require a higher risk score before blocking, reducing false positives but letting some marginal threats through.
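The decision flow described on this page, sketched as an added example (not Kedra Shield's own code), shows where the gaps come from. The Layer 1 tiers and the 3-second timeout are taken from the page; the Layer 2 risk thresholds, the `high`/`low` confidence labels and all function names are assumptions for illustration, and the "low threat" qualifier on the 75+ tier is not modelled.

```javascript
// Added illustration. Values marked ASSUMED are not Kedra Shield's real settings.
const HOLD_TIMEOUT_MS = 3000; // from the page: 3-second hold on cart/checkout

// ASSUMED block thresholds on the 0-100 risk score, per mode and confidence.
// Strict mode uses lower thresholds; low confidence requires a higher score.
const RISK_THRESHOLD = {
  regular: { high: 66, low: 85 },
  strict: { high: 50, low: 70 },
};

// Layer 1: Cloudflare bot score tiers as listed on the page.
function layer1(botScore) {
  if (botScore < 15) return "block"; // likely bot
  if (botScore < 50) return "uncertain"; // 15-49 goes to Layer 2
  return "allow"; // 50-74 likely human, 75+ definitely human
}

// layer2 is { risk, confidence: "high" | "low" }, or null if no answer yet.
function decide({ botScore, layer2 = null, elapsedMs = 0, mode = "regular" }) {
  const first = layer1(botScore);
  if (first !== "uncertain") return { action: first, reason: "layer1" };
  if (layer2 === null) {
    // No Layer 2 verdict: hold the request, then fail open at the timeout.
    return elapsedMs >= HOLD_TIMEOUT_MS
      ? { action: "allow", reason: "timeout-fail-open" }
      : { action: "hold", reason: "awaiting-layer2" };
  }
  const threshold = RISK_THRESHOLD[mode][layer2.confidence];
  return layer2.risk >= threshold
    ? { action: "block", reason: "layer2-risk" }
    : { action: "allow", reason: "layer2-below-threshold" };
}

// Constructed visitors: the same risk score gives different outcomes.
const samples = [
  { botScore: 30, layer2: { risk: 75, confidence: "high" } },
  { botScore: 30, layer2: { risk: 75, confidence: "low" } },
  { botScore: 30, layer2: { risk: 75, confidence: "low" }, mode: "strict" },
  { botScore: 30, elapsedMs: 3000 }, // Layer 2 never answered
];
for (const s of samples) {
  const d = decide(s);
  console.log(JSON.stringify(s), "->", d.action, `(${d.reason})`);
}
```

The second and fourth samples are the misses this page describes: a low-confidence detection that stays under the raised threshold, and a lookup that does not return before the timeout.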
Rotating IPs
Bots that rotate through many IP addresses appear as different visitors each time. Each new IP must be independently evaluated. Combining bot detection with VPN detection and ASN blocking covers more of these cases.
Why Not Block Everything Suspicious?
Kedra Shield is designed to avoid blocking legitimate customers. False positives — blocking a real customer — are worse for your business than a bot getting through. The detection system is tuned to prioritize accuracy over aggressiveness.
If you are under heavy attack, you can:
- Enable strict mode for more aggressive bot detection.
- Block specific ASNs of cloud providers hosting the bots (Pro).
- Block specific IP ranges identified in your analytics.
- Enable all content protection features to limit what bots can extract.
Fake Add-to-Carts and Initiated Checkouts
A common complaint is bots that add items to cart and initiate checkouts without completing them. This skews your abandoned cart metrics and may affect ad attribution.
Kedra Shield intercepts cart and checkout requests for detected bots and returns a 403 error. However:
- The bot must first be detected as a threat for interception to work.
- Sessions are recorded in Shopify Analytics before the app can evaluate the visitor.
- Some bots trigger cart events very quickly, potentially within the 3-second timeout window.
For best results against cart spam, combine bot blocking with VPN blocking, ASN blocking, and the auto-block fraud IPs feature (Pro).
Next Steps
- Stop Bot Fraud — Comprehensive anti-bot setup guide.
- VPN & Proxy Blocker — VPN detection configuration.
- Storefront vs Server Blocking — Understand the technical architecture.