Keynote: Cloudflare for AppSec with Anatol Nikiforov (Cloudflare)
The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high‑stakes sectors like banking, fintech, and e‑government.
Anatol Nikiforov of Cloudflare presented a keynote on the rapidly evolving landscape of Application Security (AppSec), focusing on how AI and the rise of residential proxies are creating sophisticated new challenges for cybersecurity providers.
The Exponential Speed of Change
Technological adoption is accelerating at an unprecedented pace. While mobile phones took 15 years to reach 100 million users and Facebook three and a half years, ChatGPT achieved the same user base in just two months. This rapid adoption is transforming cybersecurity, particularly in the domain of automated traffic and bots.
Identifying bots has become increasingly complex. Modern bots are far more sophisticated than earlier versions, which relied on IP addresses and contextual clues:
AI Amplification: Advanced bots leverage AI to learn and evade detection.
Evasion: Bots bypass visual challenges such as CAPTCHAs using computer vision and rapidly change IP addresses and behaviors.
Scale of Attack: Bot attacks are growing exponentially. The largest Distributed Denial-of-Service (DDoS) attack recorded last year reached 4 terabits per second; recently, a 29.7 terabit-per-second attack was mitigated, representing an eight-fold increase.
The Rise of Botnets and Residential Proxies
The 29.7 Tbps attack originated from a botnet called Aisuru, which evolved from the Mirai botnet. Aisuru has compromised over a million devices, primarily IoT devices such as routers and CCTV cameras.
Botnets have shifted their business model from offering "botnet as a service" to providing residential proxies.
Residential Proxy Overview
Residential proxy operators infect devices, such as users' routers, and sell their network capacity on the darknet. This enables hackers to launch attacks using legitimate residential IP addresses that carry reputational trust online. Malicious activity typically uses a small fraction of the user’s bandwidth (e.g., 7–10%) to avoid detection.
Device infection often occurs through N-day attacks, exploiting known vulnerabilities for which patches exist but have not been applied.
The Scale of the Residential Proxy Business
Residential proxies are not exclusive to cybercriminals. Legitimate companies also operate residential proxy services, selling access to IP addresses for advertising or AI model training. Users often unknowingly permit up to 10% of their internet traffic to be used by accepting the terms of apps such as free VPNs or ad blockers. Globally, approximately 250 million IP addresses participate in the residential proxy ecosystem.
Combating Evasive Bots with Personalized Security
Identifying residential proxies is challenging, even with advanced machine learning models, because malicious requests originate from legitimate IP addresses. Bots often rotate IPs per request, preventing detection based on repeated requests from a single IP.
Cloudflare developed ML version 8 (ML8) to differentiate residential proxies by analyzing individual requests rather than IP addresses alone. Key outcomes from ML8 implementation include:
Detection of 17 million new residential IP addresses per hour during the initial rollout.
Identification of 95% of evasive attacks previously difficult to detect.
A 20% increase in bot detections from cloud providers such as AWS and DigitalOcean, leveraging behavioral signals rather than IP alone.
Personalized security further enhances protection by tailoring machine learning models to specific enterprise traffic patterns. This approach addresses variations in what constitutes abuse for different organizations.
The personalized security process includes:
Dynamic Baseline: Establishing normal traffic patterns over time, accounting for seasonality or release spikes.
Identifying Anomalies: Detecting abnormal behavior specific to a website or application, such as methodical scraping of gaming data.
Automated Rules: Flagging anomalous bots and automatically generating rules to adjust bot scores for the specific customer.
Beta tests with five enterprise customers showed that personalized security detected 34% more abuses than traditional methods.
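The per-request view and the baseline, anomaly and rule steps described above, as an added example that is not Cloudflare's model or code: it shows why counting per IP finds nothing when every request comes from a new address, while grouping by a request-level signal against the site's own baseline does. The `fp` fingerprint field, the 6×MAD limit, the rule shape and all traffic are constructed assumptions.

```javascript
// Added example, constructed data. "fp" is an assumed request fingerprint, not an ML8 feature.
function median(xs) {
  const s = [...xs].sort((a, b) => a - b), m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Dynamic baseline: distinct pages per client per hour, kept per hour of day
// so that a regular daily peak is not mistaken for abuse.
function buildBaseline(history) { // history: [{ hour, distinctPaths }]
  const byHour = new Map();
  for (const h of history) {
    if (!byHour.has(h.hour)) byHour.set(h.hour, []);
    byHour.get(h.hour).push(h.distinctPaths);
  }
  const baseline = new Map();
  for (const [hour, xs] of byHour) {
    const med = median(xs);
    const mad = median(xs.map((x) => Math.abs(x - med))) || 1; // floor a zero spread
    baseline.set(hour, { med, limit: med + 6 * mad });
  }
  return baseline;
}

// Count distinct paths in the current hour per client, keyed by "ip" or "fp".
function distinctPathsBy(requests, key) {
  const groups = new Map();
  for (const r of requests) {
    if (!groups.has(r[key])) groups.set(r[key], new Set());
    groups.get(r[key]).add(r.path);
  }
  return new Map([...groups].map(([k, paths]) => [k, paths.size]));
}

// Clients above the site's own limit become customer-specific score rules.
function generateRules(requests, hour, baseline, key) {
  const b = baseline.get(hour);
  if (!b) return []; // no history for this hour yet: do not guess
  return [...distinctPathsBy(requests, key)]
    .filter(([, n]) => n > b.limit)
    .map(([value, n]) => ({ match: { [key]: value }, action: "adjust_bot_score", observed: n, limit: b.limit }));
}

// Constructed 14:00 traffic: 40 item pages walked in order, every request from
// a different address (documentation ranges) but with the same fingerprint.
const pastHours = [3, 4, 5, 4, 6, 5, 3, 4].map((d) => ({ hour: 14, distinctPaths: d }));
const scraper = Array.from({ length: 40 }, (_, i) =>
  ({ ip: `203.0.113.${i + 1}`, fp: "fp-a1", path: `/items/${i + 1}` }));
const human = ["/", "/items/7", "/items/9"].map((path) => ({ ip: "198.51.100.20", fp: "fp-b2", path }));
const demoRules = (key) => generateRules([...scraper, ...human], 14, buildBaseline(pastHours), key);
```

`demoRules("ip")` returns no rules, while `demoRules("fp")` returns a single rule for `fp-a1` with 40 observed pages against a limit of 10.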
Web Bot Authentication: Whitelisting Legitimate Bots
Legitimate AI agents, or "agentic bots," require secure authorization for actions such as making transactions on behalf of users. Visa and Mastercard implemented Web Bot Authentication to authorize these bots using cryptographic verification.
Requirements for agentic bots include:
Registration: Bots register on the platform and provide cryptographic keys.
Signature and Nonce: Each request contains a signature and a nonce to prevent replay attacks.
Key ID, Timeline, and Tag: Requests include a Key ID, transaction timeline, and an intent tag (e.g., purchase or browse).
This system operates without infrastructure changes for Visa or Mastercard. OpenAI has agreed to implement it, and Cloudflare provides an SDK for developers using Cloudflare Workers to build agentic AI applications compliant with these security protocols.
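The checks an origin would run on such a request, as an added example that is not from the talk or from Cloudflare's SDK. Ed25519 as the key type, the field names, the 300-second lifetime limit and the signing-base layout are illustrative assumptions, not the protocol's wire format.

```javascript
// Added example; field names and signing-base layout are assumptions, not the wire format.
const crypto = require("node:crypto");

const registry = new Map();   // keyId -> { publicKey, tags } filled at registration
const seenNonces = new Map(); // "keyId:nonce" -> expiry, in unix seconds
const MAX_LIFETIME = 300;     // assumed upper bound on a signature's validity

function registerBot(keyId, publicKey, tags) {
  registry.set(keyId, { publicKey, tags: new Set(tags) });
}

// Bytes covered by the signature: every field the origin acts on, JSON-encoded
// so that field boundaries are unambiguous.
function signingBase(r) {
  return Buffer.from(JSON.stringify(
    [r.method, r.path, r.keyId, r.created, r.expires, r.nonce, r.tag]));
}

function signRequest(r, privateKey) { // agent side
  const signature = crypto.sign(null, signingBase(r), privateKey).toString("base64");
  return { ...r, signature };
}

function verifyRequest(r, now) { // origin side: "ok" or the rejection reason
  const bot = registry.get(r.keyId);
  if (!bot) return "unknown-key";
  const sig = Buffer.from(String(r.signature), "base64");
  if (sig.length !== 64 || !crypto.verify(null, signingBase(r), bot.publicKey, sig))
    return "bad-signature";
  const fresh = Number.isInteger(r.created) && Number.isInteger(r.expires) &&
    r.created <= now && now < r.expires && r.expires - r.created <= MAX_LIFETIME;
  if (!fresh) return "outside-window";
  if (!bot.tags.has(r.tag)) return "tag-not-allowed";
  for (const [k, exp] of seenNonces) if (exp <= now) seenNonces.delete(k);
  const nonceKey = JSON.stringify([r.keyId, r.nonce]);
  if (seenNonces.has(nonceKey)) return "replay";
  seenNonces.set(nonceKey, r.expires); // kept only while the request is valid
  return "ok";
}

function demo() { // constructed agent and request
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  registerBot("agent-demo-1", publicKey, ["browse", "purchase"]);
  const signed = signRequest({ method: "POST", path: "/checkout", keyId: "agent-demo-1",
    created: 1000, expires: 1060, nonce: crypto.randomBytes(16).toString("hex"),
    tag: "purchase" }, privateKey);
  return [verifyRequest(signed, 1010), verifyRequest(signed, 1020),
    verifyRequest({ ...signed, tag: "browse" }, 1010), verifyRequest(signed, 2000)];
}
```

`demo()` checks, in order, a first delivery, the same request sent again, a copy whose intent tag was changed after signing, and a delivery after expiry. Because the nonce is stored only until the request's own expiry, the replay cache stays bounded by the lifetime limit.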
Thank you, Anatol and the Cloudflare team, for sharing insights on combating modern AI-amplified bots and the evolving cybersecurity landscape. The detailed analysis of botnets, residential proxies, and the exponential scale of attacks provides valuable context for understanding today’s threats.

