Protect and verify users at scale

Instantly stop automated and human-originated account takeovers, fake accounts, and any behavior that violates your platform policies.

How Castle works

Identity beats traditional
anti-bot measures

With historical data from 700+ million identities, we can accurately distinguish real users from the new wave of CAPTCHA-piercing "AI bots".

  • 1

    CAPTCHA-like integration

    Simply add our lightweight frontend and backend SDKs to your login and registration forms. View docs

  • 2

    No user friction

    Instantly block 90% of account takeovers and fake accounts, all without forcing users to solve puzzles.

  • 3

    Smart verification

    Weed out 99% of threats by enhancing the integration with SMS and email challenges.

Sign in
Email address
Password
Enter SMS Verification
Verification Success
73
Castle Risk Score
  • Trusted device fingerprint
    GHxj3jgosjeklLS93jxog22jzl
  • 3 users per device
  • Proxy IP
  • No internet history
  • Impossible travel
Analytics

Go beyond requests with user & device forensics

Perform comprehensive analysis and reporting with up to 18 months of historical data enriched with user and device intelligence without having to ever leave the Castle dashboard.

Pattern exploration

Uncover patterns in on login attacks, signup spam campaigns, and repetitive in-app transactions.

Network analysis

Spot interconnected users via shared devices, emails, IPs, payment methods, or addresses.

Session monitoring

Get a complete history of each user and company, down to individual page views and any custom actions.

Rule backtesting

Test complex risk logic on historical data first, ensuring zero disruption to legitimate users.

Triggers

Identify bad actors based on behavior

Use a combination of device fingerprinting, risk scoring, custom velocity aggregations, and dynamic blocklists to define behaviors unique to your specific abuse vectors.

Fake Accounts

Weed out bad actors before or after signup

Segment out new accounts based on similarity to other accounts, bot behavior, and blocklists.

More about Fake Accounts
99
jake.smith2023+3@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Suspicious IP
  • Users per Device (12)
  • Repetitive Email Pattern
  • Abuse-repored IP
74
jake.smith2023+2@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Suspicious IP
43
lisa.lydje.92@gmail.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Country
Account Takeovers

Identify both bots and human attacks

Use a combination of scores and heuristics to highlight suspicious or hijacked accounts.

More about Account Takeovers
99
stephc@gmail.com
Active 2 minutes ago
Malaysia
Kuala Lumpur
  • Credential Stuffing
  • New Device
  • Datacenter IP
  • Abuse-repored IP
74
steve.smith@yahoo.uk.co
Active 2 minutes ago
Mexico
Mexico City
  • New Device
  • New Country
  • Impossible Travel
64
johanb@hotmail.com
Active 2 minutes ago
Denmark
Copenhagen
  • Proxy IP
  • Users per Device (2)
Multi-Accounting

Only allow signing up once

Aggregate the number of accounts created per device, IP, or credit card and block when it exceeds a threshold.

More about Multi-Accounting
99
preben+11@webstore.dk
Active 2 minutes ago
Denmark
Copenhagen
  • Users per Device (13)
  • Users per Credit Card (7)
  • Users per IP (32)
63
preben+12@webstore.dk
Active 2 minutes ago
Denmark
Copenhagen
  • Users per Device (12)
  • Users per Credit Card (6)
  • Users per IP (31)
63
lee.sommers@hotmail.com
Active 2 minutes ago
Sweden
Stockholm
  • Users per Email (3)
Content Abuse

Block repetitive spam content

Customize logic based on the the number of content posts or messages per device and minute, and tune it with regex filters.

More about Content Abuse
99
johan@briss.net
Active 2 minutes ago
Sweden
Gothemburg
  • Bot Behavior
  • Content per IP (122)
  • Datacenter IP
94
monica.wu@gmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Content per User 1h (33)
  • Proxy IP
45
tom.smith1981@altavista.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Regex
SMS Pumping

Eliminate SMS verification abuse

Use a mix of bot detection and velocity signals to lock down spammy SMS fees with high precision

More about SMS Pumping
99
tina.spears@gmail.com
Active 2 minutes ago
Malaysia
Kuala Lumpur
  • Bot Behavior
  • Verifications per IP (48)
  • Users per Device (12)
96
bert.be12@fastmail.co
Active 2 minutes ago
Mexico
Mexico City
  • Bot Behavior
  • Verifications per IP (48)
23
johbr@hotmail.com
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
  • Blocked Phone Numbers
Account Sharing

Define account sharing your way

Uncovering account sharing requires granular controls to define the exact behavior that breaches your terms of services.

More about Account Sharing
97
info@ituniv.edu
Active 2 minutes ago
Nigeria
Abuja
42 Devices
  • Excessive Content Sharing
  • Impossible Travel
88
devops@datahog.io
Active 2 minutes ago
Indonesia
Dki Jakarta, Jakarta
23 Devices
  • Frequent Device Toggling
  • Bot Behavior
  • Proxy IP
73
mike@sweepcard.ai
Active 2 minutes ago
United States
Chicago
12 Devices
  • Frequent IP Toggling
  • Impossible Travel
Transaction Abuse

Stop card testing before the transaction

Implement velocity checks to prevent a transaction attempt from reaching your payment processor in the first place.

More about Transaction Abuse
99
sebastian.wallin@bachnet.com
Active 2 minutes ago
Germany
Berlin
  • Transactions per 1h (13)
  • Transactions per Card (21)
  • Users per Device (3)
78
gregory.greg@gmail.com
Active 2 minutes ago
United States
San Francisco
  • Transactions per 10m (5)
45
tom.smith1981@altavista.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked Credit Card
API Abuse

Headless API protection

Castle supports protection of endpoints where client-side code can't be injected, such as desktop apps or REST APIs

More about API Abuse
99
sebastian.wallin@bachnet.com
Active 2 minutes ago
Germany
Berlin
  • Request per IP (138)
  • Abuse-reported IP
  • Time Since Registration (39s)
78
gregory.greg@gmail.com
Active 2 minutes ago
United States
San Francisco
  • Request per User (18)
45
lisa.lydje.92@gmail.com
Active 2 minutes ago
Thailand
Bangkok
  • Blocked IP
Actions

Execute actions in real-time

Assessments of data like user count per device fingerprint or hourly failed logins executed in the blink of an eye.

Real-time decisions

Assessments of data like user count per device or hourly failed logins executed in the blink of an eye.

Inline blocking

Initiate request blocks or step-up verifications anywhere in your app without disrupting the user experience.

Alerts & notifications

Ensure your team and users stay informed with triggered Slack notifications or webhooks.

Intelligence

Comprehensive behavioral analysis

Scalable behavioral analysis for proactive threat detection. Start for free and pay as you go.

Response
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
{
  "id": "2V48MDnuMar9pvOOwulwK4BXui2",
  "type": "$login",
  "status": "$succeeded",
  "name": "Login Succeeded",
  "authenticated": true,
  "endpoint": "/v1/risk",
  "created_at": "2023-09-02T4:39:05.147Z",
  "properties": {
    "my_custom_property": 234
  },
  "device": {
    "fingerprint": "zhQ3YFvQTVOIP4EZWcMaNg",
    "user_agent": "CryptoKid iOS/2023.9.1 (2023.9.1) (iPhone15,3; iOS 16.6.1; Castle 3.0.7)",
    "name": "Adam's iPhone",
    "emulator": false,
    "rooted": false,
    "software": {
      "languages": ["en-us", "en", "ru-ru"],
      "type": "mobile_application",
      "name": "CryptoKid iOS",
      "version": { "major": "2023", "full": "2023.9.1" }
    },
    "timezone": {
      "offset": -420,
      "name": "America/New_York"
    },
    "os": {
      "name": "iOS",
      "version": { "major": "16", "full": "16.6.1" }
    },
    "hardware": {
      "type": "phone",
      "name": "iPhone",
      "brand": "Apple",
      "model": {
        "name": "iPhone 14 Pro Max",
        "code": "iPhone15,3"
      },
      "display": { "width": 430, "height": 932 }
    },
    "cellular": {
      "carrier": {
        "name": "Verizon Wireless",
        "country_code": "US"
      },
      "available": true
    },
    "wifi": { "available": true },
    "battery": {
      "charging_state": "unplugged",
      "level": 34
    },
    "location": {
      "accuracy": 20,
      "city": "Falls Church",
      "country_code": "US",
      "latitude": 38.8524,
      "longitude": -77.148
    },
    "screen": {
      "density": 3,
      "orientation": "portrait"
    },
    "memory": {
      "available": 345,
      "total": 5500
    },
    "storage": {
      "available": 2011,
      "total": 121943
    },
    "usage": {
      "screen_time": 10265,
      "uptime": 695312
    }
  },
  "scores": {
    "bot": { "score": 0.033 },
    "account_abuse": { "score": 0.27 },
    "account_takeover": { "score": 0.196 }
  },
  "ip": {
    "address": "108.18.100.121",
    "type": "ipv4",
    "asn": 701,
    "isp": {
      "name": "Verizon Fios",
      "organization": "Verizon Fios"
    },
    "location": {
      "city": "Falls Church",
      "country_code": "US",
      "region_code": "VA",
      "continent_code": "NA",
      "postal_code": "22042",
      "latitude": 38.8597,
      "longitude": -77.198
    },
    "privacy": {
      "anonymous": false,
      "datacenter": false,
      "proxy": false,
      "tor": false
    }
  },
  "email": {
    "normalized": "adam@castle.com",
    "domain": "castle.com",
    "disposable": false
  },
  "metrics": {
    "1": {
      "name": "Users per device fingerprint in 30d",
      "value": 5
    },
    "2": {
      "name": "Failed logins per IP in 1h",
      "value": 238
    },
    "3": {
      "name": "Average transaction amount per user",
      "value": 83.13
    }
  },
  "signals": {
    "impossible_travel": {},
    "credential_stuffing": {},
    "multiple_accounts_per_device": {},
    "new_device": {}
  },
  "policy": {
    "action": "deny",
    "name": "Block multi-accounting",
    "id": "3666300b-adc9-4a9a-9773-f6e692ed348d",
    "revision_id": "1d1e6f75-08ea-47ea-bb92-61d598c448e2"
  },
  "lists": [
    "blocked_ips",
    "trusted_devices"
  ],
  "list_items": [
    "8842e866-86e7-4f18-a023-edbf8cb91107",
    "42bc2f4d-64d1-4291-a77f-61c64bd410a0"
  ],
  "user": {
    "id": "7312",
    "registered_at": "2023-08-13T14:00:58.000Z",
    "name": "Adam Winter",
    "email": "adam@castle.com",
    "phone": "+11123456789",
    "traits": {
      "nationality": "PL",
      "organization_id": "789435"
    }
  },
  "sdks": {
    "client": {
      "name": "castle-web",
      "version": "2.1.8"
    }
  }
}
egesgesges

Built for scale

Our APIs process billions of monthly requests with resilience against severe bot attacks.

100ms response time

Fingerprinting, risk scores, and rules computed instantly in real-time.

Pay-as-you-go pricing

Transparent and predictable plans based on requests or MAU.