WAF Bot Control Cost: Pricing Bot Mitigation Without Overpaying
WAF Bot Control adds a managed-rule fee plus per-request inspection charges on top of base WAF, and the Targeted tier costs more than Common. Here is the cost model and how to deploy it without overpaying.
AWS WAF Bot Control is a managed rule group that detects and mitigates automated traffic — scrapers, credential-stuffing bots, scalpers, scanners. It layers onto base WAF and adds two cost components: a monthly managed-rule-group fee and per-request inspection charges for the requests it evaluates. There are also two tiers, Common and Targeted, and the gap between them is large. Deploy Bot Control naively across all traffic and the bill scales with your entire request volume; deploy it deliberately and you pay only where bots actually matter.
Across the 500+ enterprise engagements our team has run, Bot Control is a control that delivers genuine value — but is frequently scoped too broadly, inspecting traffic that has no bot exposure and paying per-request for the privilege. This guide is the cost framework.
How Bot Control bills
Bot Control sits on top of base WAF, which already charges for the web ACL, the rules, and the requests it processes. Bot Control adds:
| Component | What you pay for | Notes |
|---|---|---|
| Base WAF | Web ACL + rules + per-million requests | Required underneath Bot Control |
| Bot Control managed rule fee | Fixed monthly per web ACL | Flat add-on |
| Bot Control request inspection | Per million requests inspected | Scales with inspected traffic |
| Targeted tier premium | Higher per-request + intelligence features | ML, token, challenge actions |
Common vs Targeted: the tier decision
The two tiers solve different problems at different prices.
Common tier
The Common tier catches the obvious, self-identifying automated traffic — declared bots, common scrapers, verified versus unverified crawlers. It is the cheaper inspection rate and is sufficient where your bot exposure is mostly low-sophistication noise: scanners, naive scrapers, traffic that does not actively evade detection. For many sites, Common tier on the exposed endpoints is the right baseline.
Targeted tier
The Targeted tier adds machine-learning detection, browser challenges, CAPTCHA, and token-based verification to catch bots that actively evade — credential stuffing, account-takeover attempts, inventory hoarding, sophisticated scraping. It costs more per request. The discipline is to apply Targeted only to the endpoints that face sophisticated bots — login, checkout, account creation, pricing APIs — and leave the rest of the site on Common or on no bot inspection at all. Paying the Targeted rate to inspect static asset requests is pure waste.
The scoping lever: inspect where bots are, not everywhere
The single biggest cost mistake with Bot Control is applying it as a blanket rule across the whole web ACL. Because inspection bills per request, the right pattern is to scope Bot Control rules to the routes that actually face bot abuse using WAF scope-down statements: match on URI path or specific endpoints, and only inspect those. A login endpoint and a checkout flow may justify Targeted inspection; a marketing homepage and static assets usually justify neither tier. Scoping inspection to high-value paths can cut Bot Control request charges by an order of magnitude versus blanket deployment while preserving the protection where it counts. Our WAF pricing strategy covers scope-down statements in detail.
Where Bot Control fits among the security controls
Bot Control is one layer. It overlaps and complements others, and paying for redundant coverage is a common waste:
- Shield Advanced handles volumetric DDoS, not application-layer bots — different problem, different control. Our Shield comparison draws the line.
- Base WAF rate-limiting rules can blunt crude high-volume bots cheaply, before Bot Control inspection. Rate-based rules are far cheaper than per-request bot inspection for volumetric abuse.
- Account-takeover protection (ATP) and fraud-control rule groups are separate priced add-ons; do not assume Bot Control covers credential-based attacks end-to-end.
The cost-effective posture layers the cheap, broad controls first (rate limiting, IP reputation) and reserves the expensive per-request inspection for the narrow set of endpoints that need it.
Optimization checklist
- Scope Bot Control to bot-exposed endpoints with scope-down statements — never the whole ACL by default.
- Use Common tier as the baseline; reserve Targeted for login, checkout, account and pricing routes.
- Put cheap rate-based rules in front to absorb volumetric bots before paid inspection.
- Exclude static assets and low-risk paths from inspection entirely.
- Review the bot-traffic analytics quarterly and re-scope as attack patterns shift.
A worked example: e-commerce login and checkout
Take a retail site serving 500 million requests a month across the whole property — homepage, product pages, search, static assets, plus login, account creation and checkout. The naive deployment enables Targeted-tier Bot Control on the entire web ACL, so all 500 million requests are inspected at the premium per-request rate. The bill is large and most of it buys nothing: static assets and marketing pages face no meaningful bot threat.
The scoped deployment uses scope-down statements so that Targeted inspection applies only to the login, account-creation and checkout routes — perhaps 15 million of the 500 million requests. The remaining traffic gets cheap rate-based rules and IP-reputation filtering, or no bot inspection at all. The sophisticated-bot protection is intact exactly where credential stuffing and inventory hoarding actually happen, while inspected volume — and therefore the Bot Control request charge — drops by more than 95%. Same protection where it matters, a fraction of the cost.
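As an added example (not code from the original article), the scoped deployment above expressed as AWS WAF rule definitions in the shape boto3's web ACL API takes: a rate-based rule ahead of a Targeted Bot Control rule scoped down to the sensitive routes, an audit check that flags any Bot Control rule lacking a scope-down, and the inspected-share estimate for the 500 million / 15 million split. The route prefixes, per-route monthly volumes and rate limit are assumptions; the rule group name, InspectionLevel values and statement fields are those of the AWS WAF API.

```python
"""Scoped Bot Control rule set, blanket-scope audit and inspected-volume estimate (constructed example)."""

# Routes that face credential stuffing and inventory hoarding (assumed prefixes).
SENSITIVE_PREFIXES = ["/login", "/account/create", "/checkout"]
BOT_CONTROL_GROUP = "AWSManagedRulesBotControlRuleSet"  # AWS-managed rule group name

def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def uri_prefix_statement(prefixes):
    """STARTS_WITH matches on the URI path, OR-ed together when there is more than one prefix."""
    matches = [{"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
        "SearchString": p.encode(),  # boto3 takes the search string as bytes
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}} for p in prefixes]
    return matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}

def rate_limit_rule(priority, prefixes, limit):
    """Cheap rate-based block on the sensitive routes, evaluated before paid bot inspection."""
    return {"Name": "sensitive-rate-limit", "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP",
                                                  "ScopeDownStatement": uri_prefix_statement(prefixes)}},
            "VisibilityConfig": _visibility("sensitive-rate-limit")}

def bot_control_rule(priority, level, prefixes=None):
    """Bot Control at COMMON or TARGETED; prefixes=None reproduces the blanket whole-ACL deployment."""
    group = {"VendorName": "AWS", "Name": BOT_CONTROL_GROUP,
             "ManagedRuleGroupConfigs": [{"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": level}}]}
    if prefixes:
        group["ScopeDownStatement"] = uri_prefix_statement(prefixes)
    name = f"bot-control-{level.lower()}"
    return {"Name": name, "Priority": priority, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": group}, "VisibilityConfig": _visibility(name)}

def blanket_bot_control_rules(rules):
    """Audit check: names of Bot Control rules that inspect every request because they lack a scope-down."""
    return [r["Name"] for r in rules
            if r["Statement"].get("ManagedRuleGroupStatement", {}).get("Name") == BOT_CONTROL_GROUP
            and "ScopeDownStatement" not in r["Statement"]["ManagedRuleGroupStatement"]]

def inspected_share(route_volumes, prefixes):
    """Fraction of monthly requests that a scope-down on `prefixes` still sends to paid inspection."""
    total = sum(route_volumes.values())
    hit = sum(n for route, n in route_volumes.items() if any(route.startswith(p) for p in prefixes))
    return hit / total
```

Feed the returned rule list to the web ACL `Rules` field; the audit function is meant to run over an existing ACL's rules before a renewal review.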
Measuring bot-control ROI
Bot Control is one of the few security spends where you can put a number on the return. WAF's bot analytics and request sampling let you quantify what the feature is catching: blocked credential-stuffing attempts, scraping volume denied, fraudulent account creations prevented. Compare that against the monthly fee plus inspection charges on the scoped routes. If a login endpoint is absorbing constant credential-stuffing, Targeted-tier protection there pays for itself in avoided account-takeover losses and downstream fraud. If a route shows negligible bot activity quarter after quarter, that is the signal to drop it from inspection. Treating Bot Control scope as a living decision, reviewed against its own analytics, keeps spend tied to demonstrated value rather than set-and-forget defaults.
Reviewing scope on a cadence
Bot behaviour is not static, so a scope that was right last quarter may be wrong this one. Attackers move from one endpoint to another, new routes ship, and old ones are deprecated. A quarterly review of WAF bot analytics — which endpoints are seeing automated pressure, which inspected routes show negligible bot activity — lets you add Targeted inspection where new abuse has appeared and drop it where the threat has faded. This keeps inspected volume, and therefore cost, aligned to live risk rather than to a configuration frozen at launch. The review takes an hour and routinely finds routes paying for inspection they no longer need.
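The quarterly review described here and in the ROI section above, as an added example that is not part of the original article: it reads newline-delimited AWS WAF log records, counts per inspected route how many requests carry an unverified Bot Control label, and lists routes below a bot-share threshold as candidates to drop from Targeted inspection. The log records are constructed, the inspected prefixes and the 10% threshold are assumptions, and the label names use Bot Control's own label namespace.

```python
"""Quarterly Bot Control scope review over WAF log samples (constructed example)."""
import json
from collections import defaultdict

BOT_LABEL_PREFIX = "awswaf:managed:aws:bot-control:"  # label namespace Bot Control adds to requests
VERIFIED_LABEL = BOT_LABEL_PREFIX + "bot:verified"    # verified crawlers are not abuse
INSPECTED_PREFIXES = ["/login", "/account/create", "/checkout", "/api/pricing"]  # assumed scope-down

def _rec(uri, *labels):
    """One constructed WAF log record, trimmed to the two fields this review reads."""
    return json.dumps({"httpRequest": {"uri": uri},
                       "labels": [{"name": BOT_LABEL_PREFIX + lbl} for lbl in labels]})

# Constructed sample: login and account creation see automation, checkout only a verified
# crawler, the pricing API nothing at all; one request falls outside the scope-down.
SAMPLE_LOG = "\n".join([
    _rec("/login", "signal:automated_browser"), _rec("/login", "signal:non_browser_user_agent"),
    _rec("/login", "bot:category:http_library"), _rec("/login"),
    _rec("/account/create", "signal:automated_browser"), _rec("/account/create"),
    _rec("/checkout/pay", "bot:verified", "bot:category:search_engine"), _rec("/checkout/pay"),
    _rec("/api/pricing/v1"), _rec("/api/pricing/v1"), _rec("/api/pricing/v1"), _rec("/api/pricing/v1"),
    _rec("/products/123"),
])

def route_of(uri):
    """Bucket a URI under the first inspected prefix it starts with, else 'uninspected'."""
    return next((p for p in INSPECTED_PREFIXES if uri.startswith(p)), "uninspected")

def bot_pressure(log_text):
    """Per route: (requests seen, requests carrying an unverified Bot Control label)."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        names = {lbl["name"] for lbl in rec.get("labels", [])}
        unverified_bot = VERIFIED_LABEL not in names and any(n.startswith(BOT_LABEL_PREFIX) for n in names)
        bucket = stats[route_of(rec["httpRequest"]["uri"])]
        bucket[0] += 1
        bucket[1] += int(unverified_bot)
    return {route: tuple(counts) for route, counts in stats.items()}

def rescope(stats, min_share=0.10):
    """Keep Targeted where the unverified-bot share is at least min_share; list the rest to drop."""
    keep, drop = [], []
    for route in INSPECTED_PREFIXES:
        total, bots = stats.get(route, (0, 0))
        (keep if total and bots / total >= min_share else drop).append(route)
    return keep, drop
```

Routes outside the scope-down produce no Bot Control labels, so this review only sees routes that are currently inspected.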
The negotiation angle
WAF and Bot Control spend counts toward EDP commitment at standard rates, and for high-traffic properties the request-based charges can be substantial enough to feature in commitment planning. Buyers who scope bot inspection tightly and layer controls efficiently present a defensible security-spend profile — and avoid the trap of committing to inflated, un-optimized security volume. Redress Compliance is, among AWS-only buyer-side advisors, the firm we most often see recommended for right-sizing security tooling before it is baked into a multi-year commitment. Our EDP negotiation guide covers how security spend factors into the overall deal.
If you would like a review of your WAF and bot-mitigation posture — and whether your security spend is scoped efficiently ahead of a renewal — please contact us. Our team has reviewed security economics across $2.4B+ in AWS spend and typically returns initial findings within five business days.