Distil Review: Anti-Scraping Service (Now Imperva)

Review of Distil Networks' anti scraping service, now Imperva Bot Protection: how it detects scrapers, what it blocks, pricing, and rivals. Learn more.

ST
Scraping.Pro Team
Data collection for business needs
Published: 11 March 2026

Distil Networks was one of the first companies to sell "stop the scrapers" as a finished product rather than a do-it-yourself firewall rule. When we first looked at it, it was a young startup pitching digital publishers on protecting their content from theft. It grew into a serious platform — and then, in 2019, it was acquired by Imperva and folded into what is now sold as Imperva Advanced Bot Protection (part of Imperva's broader Bot Management line). Imperva itself is now owned by Thales.

So a Distil Networks review in 2026 is really a review of a category — the modern anti scraping service — as seen through the product that helped create it. This piece covers how these systems actually detect scrapers, what they do when they catch one, how deployment and pricing work, and the main rivals worth comparing. It's written for both sides of the fence: people who want to keep bots off their site, and people who run legitimate collection projects and need to understand what they're up against.

From Distil to Imperva Bot Protection

The original Distil pitch was narrow: publishers were losing articles and images to content farms, and classifieds, travel, and e-commerce sites were watching competitors silently copy prices and listings. Distil sat in front of those sites, watched the traffic, and blocked the automated visitors.

After the Imperva acquisition, that engine became part of a full web application and API protection stack — WAF, DDoS mitigation, API security, and bot management under one roof. The practical upshot: what used to be a standalone anti-bot service is now a module you buy alongside (or inside) a larger application-security platform. The detection ideas below are the durable part; the branding and packaging have changed and will keep changing.

How an anti-scraping service detects scrapers

Every serious scraping protection software product layers several signals, because no single check is reliable on its own. A sophisticated scraper can beat any one of them; the point is to make beating all of them expensive.

1. Fingerprinting the client

The system builds a fingerprint of each visitor from dozens of low-level signals: the exact order and casing of HTTP headers, the TLS/JA3 handshake signature, HTTP/2 frame settings, and — in the browser — canvas, WebGL, fonts, screen, and JavaScript environment quirks. A plain HTTP library like requests has a fingerprint that looks nothing like Chrome, even if the User-Agent string says "Chrome." Mismatches between what a client claims to be and how it actually behaves are a strong bot tell.

2. JavaScript challenges

The service injects JavaScript that a real browser will execute and a simple HTTP client will not. It might require the client to compute a token, exercise browser APIs, or prove it can render the page. This is why scrapers increasingly reach for real headless browsers — but even headless browsers leak automation signals (like the navigator.webdriver flag or missing/inconsistent APIs) that these challenges probe for.

3. Behavioral analysis and machine learning

This was Distil's headline idea and it's still central. The platform profiles how a visitor moves: pages per minute, session length, navigation paths, mouse movement and timing, and how closely traffic tracks normal human rhythms. A client that pulls 400 product pages a minute in perfect sequence, around the clock, on a Friday-night-to-Monday-morning binge, isn't a shopper. Models trained across many sites learn what human traffic looks like and flag the outliers.

4. A shared known-violator database

Because one vendor sits in front of thousands of sites, it accumulates a cross-customer reputation database. A scraper's IP ranges, fingerprints, and behavioral signatures caught abusing one site can be pre-emptively blocked on all the others. This network effect is the biggest advantage a hosted anti scraping service has over a rule you write yourself.

5. Rate, threshold, and anomaly rules

On top of the smart stuff sits classic plumbing: per-IP and per-session rate limits, geo rules, thresholds for pages-per-session, and traffic-volume anomaly detection. Crude, but it catches the crude attackers cheaply and frees the ML to focus on the careful ones.

What it does when it catches a bot

Detection is only half the product; the response matters just as much. A good bot manager gives you graduated options instead of a blunt block:

  • Block or drop the request outright (a 403, a reset, or silence).
  • Challenge with a CAPTCHA or interactive challenge (reCAPTCHA, hCaptcha, or a proprietary one) — see solving CAPTCHAs for how automation tries to answer these.
  • Throttle the client down to a trickle instead of blocking, which wastes a scraper's time without signaling exactly what tripped it.
  • Deceive — serve cached, stale, or subtly altered data (a "tarpit") so the scraper collects garbage it can't easily distinguish from the real thing.
  • Monitor only — log and score without acting, so you can measure bot load before you start enforcing.

The deceive-and-throttle options are strategically smart: an outright block tells the scraper operator instantly what to fix, while quietly poisoning or slowing them delays the arms race.

Deployment and setup

Historically you onboarded Distil by pointing your DNS at it — a CNAME change so traffic flowed through its network (backed by a CDN) before reaching your origin server, exactly like putting a reverse proxy in front of your site. Modern deployments of this class of tool offer more paths:

  • Reverse-proxy / CDN integration — traffic routes through the vendor's edge (this also brings caching and DDoS protection as a side benefit).
  • WAF or gateway plug-in — the bot module runs inside an application firewall you already operate.
  • Connector / SDK / agent — a plugin for your CDN, load balancer, or app server, or a mobile SDK for protecting app APIs.

The reverse-proxy model is popular precisely because it requires no code changes: flip your DNS, and inspection, filtering, and acceleration all happen at the edge.

Pricing

Products in this tier are enterprise, quote-based — priced on traffic volume, number of domains/applications, and which modules you enable, typically as an annual contract with a sales conversation rather than a public price list. Distil historically scaled from a handful of domains up to unlimited on an Enterprise plan. We won't invent figures here; if budget matters, expect a custom quote and evaluate on a proof-of-concept against your real traffic, not a sticker price.

Alternatives: the 2026 anti-bot landscape

Imperva is one strong option among several mature anti-bot services. The current field, roughly:

Vendor Notes
Imperva Bot Protection (ex-Distil) Full app-security platform: WAF, DDoS, API security, bots
Cloudflare Bot Management Edge-scale ML bot scoring, Super Bot Fight Mode, AI-crawler controls
DataDome Real-time ML bot detection, strong on e-commerce and APIs
HUMAN (ex-PerimeterX + White Ops) Behavioral detection, ad-fraud and account-takeover focus
Akamai Bot Manager Bot mitigation on Akamai's large edge network
Kasada Emphasis on resisting reverse-engineering and automation frameworks
F5 Distributed Cloud Bot Defense (ex-Shape) High-end behavioral defense for large enterprises
Radware Bot Manager (ex-ShieldSquare) Intent-based bot classification

If you're already behind Cloudflare or Akamai, their native bot products are the natural first look. If bots are hurting a specific high-value flow (checkout, login, search, pricing), a specialist like DataDome or HUMAN is worth a bake-off. For a broader primer on the defensive techniques these products implement, see our guide to anti-scraping protection.

The view from the scraping side

Here's the honest part these vendors' marketing skips: the data most scrapers want is public. If a price or a listing is visible to any visitor, it is fundamentally reachable by a client that behaves like a visitor. That's why an anti scraping service can't be absolute — it can only make automated collection expensive, slow, and reputation-dependent enough that casual actors give up and careful ones proceed politely.

And "politely" is exactly how legitimate collection is supposed to look. The behavior that trips these systems — hammering a site with hundreds of requests a minute, faking a browser badly, ignoring rate limits — is the behavior a well-run project avoids anyway. Reasonable request rates, honest handling of a site's terms, sensible use of rotating proxies to spread load rather than to attack, and no attempt to break authentication keep you well inside the lines. That discipline is a large part of what scraping.pro provides when it runs collection as a done-for-you web scraping service: the data gets gathered without behaving like the abusive traffic these tools are built to stop.

Verdict

As an anti scraping service, the Distil-turned-Imperva platform pioneered the right idea — combine fingerprinting, JavaScript challenges, behavioral machine learning, and a shared bad-actor database, then respond with graduated actions instead of a blunt block. Today it lives inside a full application-security suite, which is a plus if you also want WAF, DDoS, and API protection, and a mismatch if you want a lean, single-purpose bot tool. Either way, evaluate any product in this category on a proof-of-concept against your own traffic, compare it with Cloudflare, DataDome, and the other specialists above, and remember the ceiling: no defense stops a determined, well-resourced scraper — it just raises the price of admission.

FAQ

Is Distil Networks still available? Not under that name. Distil was acquired by Imperva in 2019 and its technology is sold as Imperva Advanced Bot Protection / Bot Management. Imperva is now part of Thales.

How does an anti-scraping service detect bots? By layering signals: client fingerprinting (headers, TLS, browser environment), JavaScript challenges, behavioral machine learning, cross-customer reputation databases, and rate/anomaly rules. No single signal is decisive; the combination is what catches scrapers.

Can these services be bypassed? Sophisticated scrapers can defeat individual checks, which is why vendors layer many. The realistic goal of scraping protection software is deterrence — making automation slow, costly, and detectable — not perfect prevention.

What are the best alternatives to Imperva for bot protection? Cloudflare Bot Management, DataDome, HUMAN, Akamai Bot Manager, Kasada, F5 Distributed Cloud Bot Defense, and Radware Bot Manager are the leading anti-bot services to compare.