Vercel BotID

Vercel BotID is Vercel's bot-detection product, positioned at the edge of the Vercel frontend-cloud. It intercepts requests to "your most sensitive routes like login, checkout, AI agents, and APIs" and emits a human-vs-bot classification that the customer's application can gate on. The product is described on the wiki via the 2026-04-21 Deep Analysis post — BotID is the parent system; Deep Analysis is the named edge-case path for sophisticated actors.

Architectural position

BotID runs in the request path before application routes execute. Per the 2026-04-21 post the classification backend is "powered by Kasada's machine learning backend" — the ML is embedded from Kasada, a third-party bot-management vendor, not a Vercel-owned classifier.

client → Vercel edge → BotID (classify) → app route
                           └─ Kasada ML backend

The standard path is single-pass classification: browser telemetry is captured, the Kasada backend scores the session, and the result (human / bot) is available to the application within the normal request budget. Per the post: "Standard bot detection handles the majority of threats effectively."

Deep Analysis sub-path

For sophisticated actors that evade single-pass classification (real browser-automation tooling, carefully crafted fingerprints and behavioural profiles), BotID has a second path — systems/vercel-botid-deep-analysis — that:

  • Analyses telemetry across multiple sessions.
  • Correlates signals that no single session exposes (e.g. identical browser fingerprints across proxy-node IPs).
  • Forces re-verification — re-collects browser telemetry — when a correlation signal fires.
  • Produces an adaptive reclassification without any customer-authored rule changes.

This is the patterns/correlation-triggered-reverification pattern on the wiki; Deep Analysis is its canonical instance.
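The correlation-then-re-verify loop described above, as an added sketch that is not Vercel's or Kasada's code: the session records are constructed, and the field names, the 600-second window and the three-IP threshold are assumptions, since the post publishes no features or thresholds. It also reports which sessions were admitted as human before the signal fired, the misclassification window noted under the limitations.

```python
from collections import defaultdict

# Constructed sample sessions, not real traffic:
# (timestamp_s, session_id, browser_fingerprint, source_ip, single_pass_verdict)
SESSIONS = [
    (0,   "s1", "fp-A", "198.51.100.10", "human"),
    (30,  "s2", "fp-B", "203.0.113.5",   "human"),
    (60,  "s3", "fp-A", "198.51.100.77", "human"),
    (95,  "s4", "fp-A", "192.0.2.44",    "human"),
    (120, "s5", "fp-C", "203.0.113.9",   "human"),
    (150, "s6", "fp-A", "192.0.2.201",   "human"),
    (200, "s7", "fp-A", "198.51.100.10", "human"),
    (900, "s8", "fp-B", "203.0.113.6",   "human"),
]

WINDOW_S = 600  # assumed correlation window, in seconds
MAX_IPS = 3     # assumed: distinct source IPs tolerated per fingerprint in the window


def correlate(sessions, window_s=WINDOW_S, max_ips=MAX_IPS):
    """Flag fingerprints seen from more than max_ips distinct IPs within window_s.

    Returns {fingerprint: {"trigger_at", "reverify", "missed"}}.
    """
    seen = defaultdict(list)  # fingerprint -> [(ts, session_id, ip)] in arrival order
    flagged = {}
    for ts, sid, fp, ip, _verdict in sorted(sessions):
        if fp in flagged:
            # Fingerprint is already under re-verification: challenge this session too.
            flagged[fp]["reverify"].append(sid)
            continue
        history = seen[fp]
        history.append((ts, sid, ip))
        # Keep only sessions inside the sliding window that ends at this session.
        history[:] = [h for h in history if ts - h[0] <= window_s]
        if len({h[2] for h in history}) > max_ips:
            flagged[fp] = {
                "trigger_at": ts,
                "reverify": [sid],
                # Sessions that single-pass classification let through as "human"
                # before the cross-session signal existed.
                "missed": [h[1] for h in history[:-1]],
            }
    return flagged


if __name__ == "__main__":
    for fp, info in correlate(SESSIONS).items():
        print(fp, info)
```

Every constructed session carries a single-pass verdict of "human"; only the join on fingerprint across source IPs separates fp-A from the other two fingerprints.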

Feature scope (what the post discloses)

  • Browser telemetry as the primary feature set — fingerprints + behavioural patterns. The post does not publish the specific features (deliberate — disclosure accelerates evasion).
  • Cross-session correlation — the correlation engine can join sessions by browser fingerprint across different source IPs and detect coordinated operator behaviour.
  • Proxy-node identification — distinguishes IPs that are "proxy nodes" from IPs that are "network origin points."

Operational claim

The 2026-04-21 production-incident narrative reports ~10 minutes detection-to-mitigation for a ~40-45-profile coordinated bot fleet making "thousands of requests" during a traffic spike of 500% above baseline. "No manual intervention required. No emergency patches or rule updates. The customer took no action at all." The loop is designed to be hands-free.

Relationship to other wiki-covered bot-management systems

  • systems/cloudflare-bot-management — the analogue in Cloudflare's product line. Same class of product (ML-driven bot scoring at the edge), different feature space (TLS / HTTP/2 fingerprints as the wiki-disclosed signal set vs browser-telemetry + behavioural patterns). Both share unpublished feature lists, adversarial-iteration framing, and managed-mitigation-without-customer-rules posture.
  • systems/kasada-bot-management — the dependency; Vercel BotID is a product wrapper, not an independent classifier.

Limitations / caveats

  • Branded ML dependency. The classifier is Kasada's, not Vercel's. Evaluating BotID on strategic grounds requires evaluating the Kasada vendor relationship.
  • Product-surface-only disclosure. No published model details, no FP rate, no AUC, no baseline false-alarm frequency. The 2026-04-21 post is a vignette, not a performance report.
  • Edge-case path is best-effort. Deep Analysis tolerates a short window of misclassification (the attacker is classified as human during the analysis window). Customers with zero tolerance for even a few minutes of bot traffic would need additional layers.
