Edge
Network perimeter
- TLS / JA3 / JA4 fingerprint
- HTTP/2 frame timing
- ASN reputation, ISP class
- Tor / VPN / proxy signals
- TCP option ordering
Bot defense for hostile traffic.
Certification for teams defending production systems from adversarial automation.
CBDP Certified Bot Defense Practitioner
Draft v0.3
Cohort 001
Format Scenario
-
Established
MMXXVI
Public Standard
-
Modules
09
Canonical Path
-
Lectures
50
Recorded
-
Assessments
08
Graded
-
Last Revised
2026-03-31
Open Specification
The Threat Surface
Four stages of adversarial traffic,
mapped to the curriculum.
Production bot defense is a layered pipeline. Each stage produces a verdict that informs the next. The CBDP curriculum walks the entire surface — signal acquisition, fusion, scoring, and edge enforcement — with the same vocabulary your incident reports already use.
Client
Browser fingerprint
- Canvas / WebGL entropy
- Font enumeration & rendering
- navigator.* divergence
- Headless markers (CDP)
- WebGPU shader probes
Behavior
Session telemetry
- Mouse trajectory entropy
- Keystroke dwell / flight
- Scroll cadence anomalies
- API call sequencing
- Inter-request timing
Enforcement
Edge response
- Cloudflare Workers verdict
- WAF rule expression
- Rate-limit token bucket
- Challenge issuance (JS / CAPTCHA)
- Allow / log / mitigate / block
Designed for your team
Built for the people who actually fight bots.
One curriculum, four lenses. Pick the role you are hiring against — or the one you are hired into — and see exactly what the academy ships for it.
For Defenders
Designed for Blue Teams who detect and stop bot fraud at scale.
Build the detection lab, ship the playbooks, and rehearse the incidents you will actually face — with the same vocabulary your SOC already uses.
- Detection Engineering
- Telemetry & Signals
- Incident Playbooks
- SOC Drills
For Offense
Built for Red Teams who simulate real adversaries.
Recon, fingerprint, evade, and exfiltrate the way modern bot operators do — inside a lab that mirrors production controls without bringing them down.
- Recon & Fingerprinting
- Credential Stuffing
- Scraper Evasion
- CAPTCHA Bypass
For Joint Ops
For Purple Teams running attack–defend exercises end-to-end.
Run paired offense and defense scenarios, attribute the activity to the right control, and produce coverage maps the whole org can read.
- Joint Exercises
- Coverage Maps
- Attribution
- Detection Tuning
For Agent Builders
For teams defending the agents they ship.
Treat your agent like a target. Ship prompt-injection labs, abuse detection, guardrails, and eval harnesses that survive contact with real users.
- Prompt Injection Labs
- Agent Abuse Detection
- Guardrails
- Eval Harnesses
Competencies
What CBDP-certified practitioners can do.
The credential is defined by what the holder can demonstrate — not by what they have read. Three competency axes, twelve graded capabilities, one practical examination.
-
I Acquire Read the adversary at every layer.
Capture and interpret signals across the full request stack — from TLS hellos to canvas entropy to keystroke cadence — without contaminating the lab or the truth set.
- Build a signal-grade detection lab
- Validate telemetry against ground truth
- Reason about signal entropy and decay
-
II Fuse Score traffic with defensible weights.
Combine fingerprint, behavior, and reputation into a fused verdict that survives drift, scales with traffic, and produces decisions reviewable by an auditor.
- Design weighted scoring pipelines
- Manage false-positive cost explicitly
- Tune thresholds against operator goals
-
III Enforce Ship defenses production must trust.
Translate a verdict into action at the edge — challenge, mitigate, log, block — with full observability, rollback paths, and clear semantics for the SOC.
- Implement edge enforcement on Cloudflare
- Connect verdicts to WAF, SIEM, ticketing
- Write runbooks operators actually follow
The Curriculum
Nine modules. One canonical path.
The CBDP curriculum is sequenced — each module assumes the prior. Skipping around weakens the practitioner's mental model of the threat surface. Read it as a single text in nine chapters.
-
I Introduction & Setup
Orient the course, establish the lab baseline, and make the first environment decisions before deeper detection and evasion work begins.
-
II Bot History & Taxonomy
Establish the vocabulary and history behind web automation so later defensive decisions are tied to operator incentives and capabilities.
-
III Browser Fingerprinting & Device Identity
Move from conceptual bot classes into the browser and network signals that make devices and sessions look coherent or suspicious.
-
IV Automation & Headless Browser Detection
Study how automation stacks leak themselves and how challenge systems force headless browsers to prove they are coherent.
-
V IP Intelligence & Network-Layer Detection
Expand from browser-level signals into reputation, routing, infrastructure attribution, and the operational value of network telemetry.
-
VI Behavioral Analytics & ML for Bot Detection
Work from raw interaction traces into behavioral models while keeping explainability and adversarial adaptation in view.
-
VII CAPTCHAs & API Security
Connect browser trust and bot pressure to API abuse, credential attacks, token replay, and challenge systems.
-
VIII CDN, WAF & Production Integration
Take detection logic out of prototypes and place it into CDN, WAF, cache, session, and SOC-adjacent production systems.
-
IX Final Q1 Project & Public Deliverables
End the quarter with a capstone and a publishable artifact set that reflects both engineering rigor and responsible communication.
Labs · Course work
See the labs you'll build.
The curriculum is built around lab outputs, not passive reading. Each track turns the lectures into a working detection artifact students can inspect, tune, and defend.
Build the browser and device-signal lab.
Sections III-IV take students from fingerprint surfaces to headless detection, anti-detect browsers, and JavaScript challenge evasion.
Build the network-layer risk lab.
Section V moves from IP reputation into proxy detection, residential classification, ASN/BGP analysis, IPv6, geolocation mismatch, and honeypots.
Build the behavior and classifier lab.
Section VI turns behavioral telemetry into features, classifiers, model explanations, evasion analysis, and a final behavioral report.
Build the abuse and production defense lab.
Sections VII-IX connect CAPTCHA, API abuse, replay defense, credential attacks, WAF/CDN integration, SOC observability, tuning, and capstone evidence.
Alignment
Mapped to industry frameworks by design.
The standard does not invent its own taxonomy. CBDP capabilities are explicitly mapped to NIST, OWASP, and MITRE so practitioners can speak the language their auditors, vendors, and SOC peers already use.
CBDP capabilities map directly to the Detect and Respond functions of the NIST CSF, with secondary coverage of Identify (asset visibility) and Govern (risk acceptance for false-positive cost).
- DE.AE — Anomalies & Events Module VI · Behavioral analytics
- DE.CM — Continuous Monitoring Modules III–V · Telemetry stack
- RS.AN — Analysis Module VIII · Verdict fusion & enforcement
- GV.RR — Roles & Responsibilities Module IX · Production handoff
Every OWASP Automated Threat in the OAT-001 to OAT-021 catalog is addressed across the curriculum. The examination requires the candidate to identify, classify, and counter at least eight distinct OAT classes from log evidence.
- OAT-008 · Credential Stuffing Modules IV, VI · IP intel + behavior
- OAT-011 · Scraping Modules III, V · Fingerprint + headless
- OAT-015 · Denial of Inventory Module VII · CAPTCHA & rate limits
- OAT-021 · Denial of Service Module VIII · Edge enforcement
CBDP candidates are taught to read bot operator playbooks through the ATT&CK lens — recognising T1071, T1190, T1210, and the broader Resource Development tactics that make adversarial automation possible at scale.
- T1071.001 · Web Protocols Module I · Traffic taxonomy
- T1190 · Exploit Public-Facing App Module II · Bot history & taxonomy
- T1496 · Resource Hijacking Module IV · IP intelligence
- T1583.006 · Acquire Web Services Module IX · Operator economics
Examination
Sit for the standard.
Cohort 001 is now reviewing applications. Practitioners with two or more years of production security experience may apply directly. The examination is open-book, scenario-based, and graded by a panel of reviewing practitioners against published rubrics.
- Format
- Take-home, 96 hours
- Sections
- Three, mapped to competencies
- Pass mark
- Defended scenario report
- Cost
- Public good — free of charge
Applications are reviewed on a rolling basis. Candidates accepted into Cohort 001 will receive their examination dossier on the published cohort start date.