SHAPE is now part of F5,  Learn More
See why we are better together
Virtual Summit 2020 | App Security and Fraud Summit  Learn More
Watch On-demandSee why we are better together

Attackers on website and mobile apps drive fraud, risk, and bad experiences.


Shape Defense

Every day, web and mobile applications face an onslaught of sophisticated attacks with one commonality; instead of exploiting application vulnerabilities, attackers abuse an application’s originally designed functionality. These imitation attacks - delivered by bots and other forms of automation - simulate human behavior using highly sophisticated automated tools, with the goal of conducting crime or disrupting business.

Shape Defense provides all-in-one security to protect your site from bots, fake users, and unauthorized transactions, preventing large scale fraud and eroded user experiences. Companies get the visibility, detection and mitigation outcomes they need to slash fraud, reduce cloud hosting, bandwidth and compute costs, improve user experiences, and optimize their business based on real human traffic.

World Class Protection for Everyone

Designed to meet the needs of a broad range of organizations, Shape Defense delivers world-class application protection that leverages the power of the Shape network.

Unrivaled accuracy

Through advanced AI and ML, Shape Defense accurately detects and mitigates fraudulent and unwanted traffic in real-time, while allowing legitimate human users without introducing additional friction.

Network leverage

Every 24 hours, Shape blocks more than two billion fraudulent log-in attempts and other transactions, while ensuring that more than 200 million legitimate human transactions are kept safe.

omnichannel protection

Shape Defense can be deployed to protect web and mobile applications, as well as HTTP APIs. The company’s mobile SDK is deployed on more than 200 million iOS and Android devices worldwide.

easy to deploy and flexible to implement

Shape Defense can be implemented in a variety of modes, including deployments as quick as 30 minutes. And Shape Defense is managed through simplified administration that does not require security expertise on staff.

Protection Against Bots and Other Automated Attacks

Shape Defense protects against the most sophisticated credential stuffing and account take over attacks, carding, and the rest of the OWASP Automated Threats to Web Applications list. And Shape Defense protects against attacker retooling, delivering persistent protection.

Account Takeover

Stops fraudsters from rapidly testing stolen credentials on your login applications, which means they can’t take over accounts in the first place.


Control how scrapers and aggregators harvest data from your website, allowing you to protect sensitive data and manage infrastructure costs. 


Prevent criminals from using your checkout pages to validate stolen credit cards.

Gift Card Attacks

Ensure gift card value, loyalty points and other stored value remains in your customers hands.

Inventory Hoarding

Ensure your campaigns and most in demand items and are sold directly to your customers, not to scalpers.

Marketing Fraud

Ensure your business analytics and marketing spend are based on bot free data.

How Shape Defense Works

Shape Defense uses a patented two-stage process to deliver highly accurate real-time detection and mitigation, as well as provide sustained protection through attacker retooling.

Stage 1 evaluates each transactions  across a set of proprietary risk factors that include network, activity, user, device and account factors. Unwanted and fraudulent transactions are mitigated in real time, Shape’s unique Stage 2 defense counters the attackers’ evolution with an after-action machine learning and human analysis to continuously improve effectiveness.

Download Data Sheet
Shape SPM Dashboard

The Easiest, Most Effective Way to Ensure PCI DSS Compliance

One important requirement of the Payment Card Industry Data Security Standard (PCI-DSS) is Requirement 6.6. Shape Defense is a Level 1 PCI-certified security-as-a-service solution that actively defends against automated cyber-attacks and vulnerabilities on web applications, including attacks that may evade other legacy security solutions such as WAFs, IPS, and DDoS mitigation tools.

  • Prevents and detects web-based attacks
  • Sits in front of public-facing web applications
  • Configured to block web-based attacks
  • Actively running and up-to-date
  • Generates audit logs
  • Generates attack alerts and immediate investigation

Protect Your Online Business Today

Protect your online business from credential stuffing, account takeover, unwanted scraping, carding and other sophisticated online attacks and automation traffic that would otherwise result in large scale fraud, inflated cloud operational costs, and additional friction for your users.

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Policy.