Defend against bots, fraud, and abuse.

Castle lets you block bad bots, account takeovers, transaction fraud, and spam. All without the hassle of CAPTCHAs.

Invisibly shield your accounts from threats

Go beyond CAPTCHAs with a lightweight API that blocks large-scale human and bot-driven attacks using user identity, reputation, and behavior analysis.

  • Lightweight integration

    Integrate Castle as easily as adding a CAPTCHA without routing all web traffic through a CDN.

  • Complete protection

    Prevent large-scale attacks, detecting both human and bot-driven account takeovers and fake signups.

  • No CAPTCHAs needed

    Leveraging user identity, reputation, and behavior, Castle blocks attackers without CAPTCHAs that can tip them off.

Sign up
Email
Password
Enter PIN code
Verification failed
73
Castle Risk Score
  • Robotic input
  • 3 accounts per device
  • Residential proxy
  • No internet history
  • Newly registered domain
The Castle platform

Everything you need to stop fraud & abuse

A complete stack of data, tools, and APIs, eliminating the need for multiple, disconnected tools.

  • Behavioral analysis

    Use out-of-the-box signals or create your own custom aggregations and rate limiters.

  • Device fingerprinting

    99.5% accurate fingerprinting. Uncover headless browsers, tampering, carrier data, etc.

  • Bot detection

    Detect bots, scripts, and coordinated attacks. Identify automated behavior and tampering.

  • AI scoring

    Spot account takeover attempts and abusive behavior using self-learning AI.

  • Rules engine

    Real-time allow, challenge, or deny actions. Manage rules seamlessly, without code changes.

  • Email intelligence

    Assess email reputation and risk. Detect disposable domains and enumeration patterns.

  • Case & state management

    Manage dynamic trust, block, and review lists of users, devices, or any custom attribute.

Analytics

Proactive threat hunting with user behavior analytics

Monitor, analyze, and alert on up to 18 months of historical data enriched with user and device intelligence to stop evolving abuse trends.

Pattern exploration

Uncover patterns in login attacks, signup spam campaigns, and repetitive in-app transactions.

Network analysis

Spot interconnected users via shared devices, emails, IPs, payment methods, or addresses.

Session monitoring

Get a complete history of each user and company, down to individual page views and any custom actions.

Rule simulation

Test complex risk logic on historical data first, ensuring zero disruption to legitimate users.

Customization

Fraudulent behavior, as defined by you

Combine Castle's threat data with velocity checks and rate limiters to categorize users according to what's considered fraud and abuse on your specific platform.

Fake Accounts

Weed out bad actors before or after signup

Segment out new accounts based on similarity to other accounts, bot behavior, and blocklists.

More about Fake Accounts
99
jake.smith2023+3@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Suspicious IP
  • Users per Device (12)
  • Repetitive Email Pattern
  • Abuse-repored IP
74
jake.smith2023+2@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Suspicious IP
43
lisa.lydje.92@gmail.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Country
Account Takeovers

Identify both bots and human attacks

Use a combination of scores and heuristics to highlight suspicious or hijacked accounts.

More about Account Takeovers
99
stephc@gmail.com
Active 2 minutes ago
Malaysia
Kuala Lumpur
  • Credential Stuffing
  • New Device
  • Datacenter IP
  • Abuse-repored IP
74
steve.smith@yahoo.uk.co
Active 2 minutes ago
Mexico
Mexico City
  • New Device
  • New Country
  • Impossible Travel
64
johanb@hotmail.com
Active 2 minutes ago
Denmark
Copenhagen
  • Proxy IP
  • Users per Device (2)
Multi-Accounting

Only allow signing up once

Aggregate the number of accounts created per device, IP, or credit card and block when it exceeds a threshold.

More about Multi-Accounting
99
preben+11@webstore.dk
Active 2 minutes ago
Denmark
Copenhagen
  • Users per Device (13)
  • Users per Credit Card (7)
  • Users per IP (32)
63
preben+12@webstore.dk
Active 2 minutes ago
Denmark
Copenhagen
  • Users per Device (12)
  • Users per Credit Card (6)
  • Users per IP (31)
63
lee.sommers@hotmail.com
Active 2 minutes ago
Sweden
Stockholm
  • Users per Email (3)
Content Abuse

Block repetitive spam content

Customize logic based on the the number of content posts or messages per device and minute, and tune it with regex filters.

More about Content Abuse
99
johan@briss.net
Active 2 minutes ago
Sweden
Gothemburg
  • Bot Behavior
  • Content per IP (122)
  • Datacenter IP
94
monica.wu@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Content per User 1h (33)
  • Proxy IP
45
tom.smith1981@altavista.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Regex
SMS Pumping

Eliminate SMS verification abuse

Use a mix of bot detection and velocity signals to lock down spammy SMS fees with high precision

More about SMS Pumping
99
tina.spears@gmail.com
Active 2 minutes ago
Malaysia
Kuala Lumpur
  • Bot Behavior
  • Verifications per IP (48)
  • Users per Device (12)
96
bert.be12@fastmail.co
Active 2 minutes ago
Mexico
Mexico City
  • Bot Behavior
  • Verifications per IP (48)
23
johbr@hotmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Blocked Phone Numbers
Account Sharing

Define account sharing your way

Uncovering account sharing requires granular controls to define the exact behavior that breaches your terms of services.

More about Account Sharing
97
info@ituniv.edu
Active 2 minutes ago
Nigeria
Abuja
42 Devices
  • Excessive Content Sharing
  • Impossible Travel
88
devops@datahog.io
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
23 Devices
  • Frequent Device Toggling
  • Bot Behavior
  • Proxy IP
73
mike@sweepcard.ai
Active 2 minutes ago
United States
Chicago
12 Devices
  • Frequent IP Toggling
  • Impossible Travel
Transaction Abuse

Stop card testing before the transaction

Implement velocity checks to prevent a transaction attempt from reaching your payment processor in the first place.

More about Transaction Abuse
99
sebastian.wallin@bachnet.com
Active 2 minutes ago
Germany
Berlin
  • Transactions per 1h (13)
  • Transactions per Card (21)
  • Users per Device (3)
78
gregory.greg@gmail.com
Active 2 minutes ago
United States
San Francisco
  • Transactions per 10m (5)
45
tom.smith1981@altavista.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Credit Card
API Abuse

Headless API protection

Castle supports protection of endpoints where client-side code can't be injected, such as desktop apps or REST APIs

More about API Abuse
99
sebastian.wallin@bachnet.com
Active 2 minutes ago
Germany
Berlin
  • Request per IP (138)
  • Abuse-reported IP
  • Time Since Registration (39s)
78
gregory.greg@gmail.com
Active 2 minutes ago
United States
San Francisco
  • Request per User (18)
45
lisa.lydje.92@gmail.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked IP
Automation

Scale threat response with custom flows

Model custom security flows, blocklists, and trusted device management. Manage review states across signups, logins, and in-app activity.

State management

Maintain custom security lists (blocklists, allowlists, trusted devices, reviews, etc.) and update states in real-time based on rules and manual actions.

Inline blocking

Initiate real-time blocks or step-up verifications anywhere in your app without disrupting the user experience.

Alerts & notifications

Ensure your team stay informed with triggered Slack notifications, or automate end-user notifications or internal processes using granular webhooks.

Developers

Stop any fraud with a single, unified API

Retrieve comprehensive threat insights in real-time and use them to tailor the user experience.

Response
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
{
  "id": "2V48MDnuMar9pvOOwulwK4BXui2",
  "type": "$login",
  "status": "$succeeded",
  "name": "Login Succeeded",
  "authenticated": true,
  "endpoint": "/v1/risk",
  "created_at": "2023-09-02T4:39:05.147Z",
  "properties": {
    "my_custom_property": 234
  },
  "device": {
    "fingerprint": "zhQ3YFvQTVOIP4EZWcMaNg",
    "user_agent": "CryptoKid iOS/2023.9.1 (2023.9.1) (iPhone15,3; iOS 16.6.1; Castle 3.0.7)",
    "name": "Adam's iPhone",
    "emulator": false,
    "rooted": false,
    "software": {
      "languages": ["en-us", "en", "ru-ru"],
      "type": "mobile_application",
      "name": "CryptoKid iOS",
      "version": { "major": "2023", "full": "2023.9.1" }
    },
    "timezone": {
      "offset": -420,
      "name": "America/New_York"
    },
    "os": {
      "name": "iOS",
      "version": { "major": "16", "full": "16.6.1" }
    },
    "hardware": {
      "type": "phone",
      "name": "iPhone",
      "brand": "Apple",
      "model": {
        "name": "iPhone 14 Pro Max",
        "code": "iPhone15,3"
      },
      "display": { "width": 430, "height": 932 }
    },
    "cellular": {
      "carrier": {
        "name": "Verizon Wireless",
        "country_code": "US"
      },
      "available": true
    },
    "wifi": { "available": true },
    "battery": {
      "charging_state": "unplugged",
      "level": 34
    },
    "location": {
      "accuracy": 20,
      "city": "Falls Church",
      "country_code": "US",
      "latitude": 38.8524,
      "longitude": -77.148
    },
    "screen": {
      "density": 3,
      "orientation": "portrait"
    },
    "memory": {
      "available": 345,
      "total": 5500
    },
    "storage": {
      "available": 2011,
      "total": 121943
    },
    "usage": {
      "screen_time": 10265,
      "uptime": 695312
    }
  },
  "scores": {
    "bot": { "score": 0.033 },
    "account_abuse": { "score": 0.27 },
    "account_takeover": { "score": 0.196 }
  },
  "ip": {
    "address": "108.18.100.121",
    "type": "ipv4",
    "asn": 701,
    "isp": {
      "name": "Verizon Fios",
      "organization": "Verizon Fios"
    },
    "location": {
      "city": "Falls Church",
      "country_code": "US",
      "region_code": "VA",
      "continent_code": "NA",
      "postal_code": "22042",
      "latitude": 38.8597,
      "longitude": -77.198
    },
    "privacy": {
      "anonymous": false,
      "datacenter": false,
      "proxy": false,
      "tor": false
    }
  },
  "email": {
    "normalized": "adam@castle.com",
    "domain": "castle.com",
    "disposable": false,
    "unreachable": false,
    "domain_details": {
        "created_at": "2014-12-27T00:30:13.000+00:00",
        "updated_at": "2021-10-01T17:59:27.000+00:00",
        "expires_at": "2024-12-27T00:30:13.000+00:00",
        "registrar": "101domain GRS Limited",
        "registrant": "Digital Privacy Corporation",
        "nameservers": ["ns-77.awsdns-09.com", "ns-1523.awsdns-62.org"],
        "spf_record": { "exists": true },
        "dmarc_record": { "exists": true },
        "mx_records": { "null_mx": false }
    }
  },
  "metrics": {
    "1": {
      "name": "Users per device fingerprint in 30d",
      "value": 5
    },
    "2": {
      "name": "Failed logins per IP in 1h",
      "value": 238
    },
    "3": {
      "name": "Average transaction amount per user",
      "value": 83.13
    }
  },
  "signals": {
    "impossible_travel": {},
    "credential_stuffing": {},
    "multiple_accounts_per_device": {},
    "new_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block multi-accounting",
    "id": "3666300b-adc9-4a9a-9773-f6e692ed348d",
    "revision_id": "1d1e6f75-08ea-47ea-bb92-61d598c448e2"
  },
  "lists": [
    "blocked_ips",
    "trusted_devices"
  ],
  "list_items": [
    "8842e866-86e7-4f18-a023-edbf8cb91107",
    "42bc2f4d-64d1-4291-a77f-61c64bd410a0"
  ],
  "user": {
    "id": "7312",
    "registered_at": "2023-08-13T14:00:58.000Z",
    "name": "Adam Winter",
    "email": "adam@castle.com",
    "phone": "+11123456789",
    "traits": {
      "nationality": "PL",
      "organization_id": "789435"
    }
  },
  "sdks": {
    "client": {
      "name": "castle-web",
      "version": "2.1.8"
    }
  }
}
egesgesges

Built for scale

Our APIs process billions of monthly requests with resilience against severe bot attacks.

100ms response time

Fingerprinting, risk scores, and rules computed instantly in real-time.

Pay-as-you-go pricing

Transparent and predictable plans based on requests or MAU.

Get started

Create your free account today

Starting at $0 for 1,000 requests per month, with transparent pricing that scales with your needs.

App screenshot