AI transcript
0:00:05 50% of traffic is already bots, it’s already automated
0:00:07 and agents are only really just getting going.
0:00:10 Most people are not using these computer use agents
0:00:13 because they’re too slow right now, they’re still at previews
0:00:16 but it’s clear that’s where everything is going.
0:00:19 Then we’re going to see an explosion in the traffic
0:00:21 that’s coming from these tools and just blocking them
0:00:24 just because they’re AI is the wrong answer.
0:00:27 You’ve really got to understand why you want them,
0:00:29 what they’re doing, who they’re coming from
0:00:30 and then you can create these granular rules.
0:00:34 AI agents are changing how people interact with the web
0:00:36 but most sites still treat them like bots.
0:00:40 In this episode, taken from the AI plus A16Z podcast,
0:00:44 A16Z partner Joel De La Garza talks with ArcJet CEO David Mitten
0:00:47 about building internet infrastructure for this new era.
0:00:49 Here’s Derek to kick things off.
0:00:55 Thanks for listening to the A16Z AI podcast.
0:00:56 If you’ve been listening for a while
0:00:58 or if you’re at all plugged into the world of AI,
0:01:00 you’ve no doubt heard about AI agents
0:01:03 and all the amazing things they theoretically can do.
0:01:04 But there’s a catch.
0:01:07 When it comes to engaging with websites,
0:01:10 agents are limited by what any given site allows them to do.
0:01:14 If, for example, a site tries to limit all non-human interactions
0:01:17 in an attempt to prevent unwanted bot activity,
0:01:20 it might also prevent an AI agent from working on a customer’s behalf,
0:01:24 say, making a reservation, signing up for a service, or buying a product.
0:01:29 This broad strokes approach to site security is incompatible with the idea of what some call
0:01:35 agent experience, an approach to web and product design that treats agents as first-class users.
0:01:41 In this episode, A16Z infra partner, Joel De LaGarza dives into this topic with David Mitton,
0:01:46 the CEO of ArcJet, a startup building developer-native security for modern web frameworks,
0:01:50 including attack detection, sign-up spam prevention, and bot detection.
0:01:54 Their discussion is short, sweet, and very insightful.
0:01:56 And you’ll hear it after these disclosures.
0:02:01 As a reminder, please note that the content here is for informational purposes only,
0:02:05 should not be taken as legal, business, tax, or investment advice,
0:02:08 or be used to evaluate any investment or security,
0:02:14 and is not directed at any investors or potential investors in any A16Z fund.
0:02:19 For more details, please see A16Z.com slash disclosures.
0:02:22 It seems like what once was old is new again.
0:02:28 And we’d love to get your thoughts on this new emergence of bots
0:02:31 and how, while we know all the bad things that happen with them,
0:02:33 there’s actually a lot of good and really cool stuff that’s happening
0:02:35 and how we can maybe work towards enabling that.
0:02:37 Right, well, things have changed, right?
0:02:40 The DDoS problem is still there,
0:02:43 but it’s just almost handled as a commodity these days.
0:02:46 The network provider, your cloud provider,
0:02:47 they’ll just deal with it.
0:02:49 And so when you’re deploying an application,
0:02:51 most of the time you just don’t have to think about it.
0:02:54 The challenge comes when you’ve got traffic
0:02:57 that just doesn’t fit those filters.
0:02:59 It looks like it could be legitimate,
0:03:01 or maybe it is legitimate,
0:03:02 and you just have a different view
0:03:04 about what kind of traffic you want to see.
0:03:06 And so the challenge is really about
0:03:08 how do you distinguish between the good bots and the bad bots?
0:03:11 And then with AI changing things,
0:03:15 it’s bots that might even be acting on behalf of humans, right?
0:03:17 It’s no longer a binary decision.
0:03:21 And as the amount of traffic from bots increases,
0:03:23 in some cases, it’s the majority of traffic
0:03:26 that sites are receiving is from an automated source.
0:03:29 And so the question for site owners is,
0:03:31 well, what kind of traffic do you want to allow?
0:03:33 And when it’s automated,
0:03:36 what kind of automated traffic should come to your site?
0:03:38 And what are you getting in return for that?
0:03:41 And in the old days, I mean, I guess the old providers,
0:03:43 we’ll say, the legacy providers in this space,
0:03:46 like it was very much using a hammer, right?
0:03:50 So they would say, hey, if this IP address is coming in,
0:03:51 it’s probably a bot.
0:03:53 Or they would say, if this user agent is coming in,
0:03:54 it’s probably a bot.
0:03:55 Very imprecise.
0:03:57 And I think the downside of that is that
0:03:59 you probably blocked a lot of legitimate traffic
0:04:01 along with the legitimate traffic.
0:04:04 And now there’s very real consequences
0:04:06 because some of these AI bots could be actual users
0:04:08 that are acting on behalf of
0:04:10 who are looking to purchase your products.
0:04:11 This is the challenge.
0:04:13 So a volumetric DDoS attack,
0:04:15 you just want to block that at the network.
0:04:16 You never want to see that traffic.
0:04:20 But everything else needs the context of the application.
0:04:21 You need to know where in the application
0:04:23 the traffic is coming to.
0:04:25 You need to know who the user is, the session,
0:04:27 and to understand in which case
0:04:28 you want to allow or deny that.
0:04:31 And so this is the real issue for developers,
0:04:34 for site owners, for security teams,
0:04:36 is to make those really nuanced decisions
0:04:40 to understand whether the traffic should be allowed or not.
0:04:43 And the context of the application itself is so important
0:04:44 because it depends on the site.
0:04:46 If you’re running an e-commerce operation,
0:04:47 an online store,
0:04:50 the worst thing you can do is block a transaction
0:04:51 because then you’ve lost the revenue.
0:04:54 Usually you want to then flag that order for review.
0:04:57 A human customer support person is going to come in
0:04:59 and determine based on various signals
0:05:01 by whether to allow it.
0:05:03 And if you just block that at the network,
0:05:05 then your application will never see it.
0:05:08 You never even know that that order was failed in some way.
0:05:11 There’s been a lot of media releases
0:05:14 about companies that have released solutions in this space.
0:05:17 But largely they were based on sort of those
0:05:19 old kind of approaches using network telemetry.
0:05:23 Is that generally how they’re working now?
0:05:26 Or is there some other capabilities that they’ve released?
0:05:28 Because they give them AI names
0:05:29 and you just immediately assume
0:05:30 that they’re doing something fancy.
0:05:31 That’s right, yeah.
0:05:32 So blocking on the network
0:05:36 is basically how the majority of these old school products work.
0:05:39 They do analysis before the traffic reaches your application
0:05:42 and then you never know what the result of that was.
0:05:44 And that just doesn’t fly anymore.
0:05:47 It’s insufficient for being able to build modern applications.
0:05:49 Particularly with AI coming in
0:05:51 where something like OpenAI
0:05:54 has four or five different types of bots
0:05:56 and some of them you might want to make
0:05:58 a more restrictive decision over.
0:06:00 But then others are going to be taking actions
0:06:01 on behalf of a user search.
0:06:05 And we’re seeing lots of different applications
0:06:06 getting more signups.
0:06:08 Businesses actually getting higher conversions
0:06:10 as a result of this AI traffic.
0:06:13 And so just blocking anything that is called AI
0:06:15 is too blunt of an instrument.
0:06:17 You need much more nuance.
0:06:18 And the only way you can do that
0:06:20 is with the application context,
0:06:22 understanding what’s going on inside your code.
0:06:24 I mean, I’d say we’re seeing across the industry
0:06:27 that AI is driving incredible amounts
0:06:28 of new revenue to companies.
0:06:30 And if you use an old world tool
0:06:31 to just block any of that traffic,
0:06:33 you’re probably dooming your business.
0:06:33 That’s right.
0:06:36 Or you’re putting it into some kind of maze
0:06:37 where it’s seeing irrelevant content.
0:06:39 And then by doing that,
0:06:41 you are kind of downranking your site
0:06:44 because the AI crawler is never going to come back.
0:06:46 It’s kind of like blocking Google
0:06:47 from visiting your site.
0:06:49 It’s like, yeah, Google doesn’t get you in,
0:06:51 you’re no longer in Google’s index,
0:06:53 but then you’re no longer in Google’s index.
0:06:54 And so anyone searching
0:06:56 is not going to find you as a result.
0:06:59 Well, and I believe we had sort of standards
0:07:00 in the old days that developed
0:07:03 or quasi standards like robots.txt, right?
0:07:04 Which would tell you like until the crawlers,
0:07:06 hey, don’t crawl these directories.
0:07:08 Are we doing something similar
0:07:09 for this new age agentic world?
0:07:13 So robots.txt is still the starting place.
0:07:15 And it’s kind of a voluntary standard.
0:07:19 It evolved over several decades ago now.
0:07:20 It’s been around a long time.
0:07:22 Bots have been a problem for a long time.
0:07:24 And the idea is you describe
0:07:25 the areas of your application
0:07:29 and tell any robot that’s coming to your site
0:07:31 whether you want to allow that robot
0:07:33 to access that area of the site or not.
0:07:35 And you could use that to control
0:07:36 the rollout of new content.
0:07:39 You could protect certain pages of your site
0:07:40 that you just don’t want to be indexed
0:07:41 for whatever reason.
0:07:43 And you can also point the crawler
0:07:44 to where you do want it to go.
0:07:46 You can use the sitemap for that as well.
0:07:49 But the robots.txt file format
0:07:50 has evolved over time
0:07:53 to provide these signals to the likes,
0:07:55 to crawlers like search engines
0:07:56 from Google and so on.
0:07:59 The challenge with that is it’s voluntary
0:08:01 and there’s no enforcement of it.
0:08:04 So you’ve got good bots like Googlebot
0:08:05 that will follow the standard
0:08:07 and you’ll be able to have full control
0:08:08 over what it does.
0:08:11 But there are newer bots that are ignoring it
0:08:13 or even sometimes using it as a way
0:08:15 to find the parts of your site
0:08:16 that you don’t want it to access
0:08:18 and they will just do that anyway.
0:08:20 And so this becomes a control problem
0:08:21 for the site owner.
0:08:23 And you really want to be able to understand
0:08:26 not just what the list of rules are
0:08:27 but how they are enforced.
0:08:28 Totally.
0:08:30 Maybe it’d be great to walk through
0:08:32 what these agents are.
0:08:34 Maybe get some more understanding
0:08:36 of sort of how they operate,
0:08:38 what people are using them for,
0:08:40 perhaps go through a couple of the use cases.
0:08:42 And then it’d be great to understand
0:08:44 sort of like how you do control it
0:08:47 because it seems like a far more complicated problem
0:08:48 than just bad IP addresses.
0:08:48 Right.
0:08:51 So if we think about OpenAI as an example
0:08:53 because they have four or five different crawlers,
0:08:56 there’s one and they all have different names
0:08:57 and they all identify themselves
0:08:58 in different ways.
0:09:01 So one actually is crawling to train
0:09:03 the OpenAI models on your site.
0:09:05 And that’s the one that probably everyone
0:09:07 is thinking about when they’re thinking about
0:09:09 I want to block AI, the training.
0:09:11 And you have different philosophical approaches
0:09:12 to how you want to be included
0:09:14 in the training data.
0:09:15 The others are more nuanced
0:09:17 and will require more thought.
0:09:19 So there’s one that will go out
0:09:23 when a user is typing something into the chat
0:09:24 and is asked a question
0:09:26 and OpenAI will go out and search.
0:09:29 It’s built up its own search index.
0:09:31 And so that’s equivalent of Googlebot.
0:09:33 You probably want to be in that index
0:09:35 because as we’re seeing,
0:09:37 sites are getting more signups,
0:09:37 they’re getting more traffic.
0:09:40 The discovery process is being part
0:09:42 of just another search index is super important.
0:09:42 Gotcha.
0:09:44 So like when I ask OpenAI,
0:09:46 when is John F. Kennedy’s birthday?
0:09:47 If it doesn’t know the answer,
0:09:48 it goes out and searches the web.
0:09:49 Yeah, that’s right.
0:09:50 Or if it’s trying to get open hours
0:09:51 for something,
0:09:53 it might go to a website for a cafe or whatever
0:09:55 and pass it and then return the results.
0:09:57 So that’s really just like a classic
0:09:58 search engine crawler
0:10:01 except it’s kind of happening behind the scenes.
0:10:02 The other one is something
0:10:04 that’s happening in real time.
0:10:06 So you might give the agent
0:10:07 a specific URL
0:10:09 and go and ask it to summarize it
0:10:11 or to look up a particular question
0:10:13 in the docs for a developer tool
0:10:14 or something like that.
0:10:15 And then that’s a separate agent
0:10:16 that will go out,
0:10:17 it will read the website
0:10:18 and then it will return
0:10:20 and answer the query.
0:10:22 For both of these two examples,
0:10:23 OpenAI and others
0:10:26 are now starting to cite those sources.
0:10:27 And you’ll regularly see,
0:10:28 and this is kind of the recommendation,
0:10:31 is you get the result from the AI tool
0:10:33 but you shouldn’t trust it 100%.
0:10:34 You go and then verify
0:10:35 and you look at the docs.
0:10:37 And maybe it’s like
0:10:38 when you used to go to Wikipedia
0:10:39 and you’d read the summary
0:10:40 and then you’d look at the references
0:10:41 and you’d go to all the references
0:10:43 and check to make sure
0:10:44 what had been summarized
0:10:45 was actually correct.
0:10:46 But all three of those examples,
0:10:48 you clearly could see
0:10:48 why you would want them
0:10:49 accessing your site.
0:10:50 Right.
0:10:52 Why like blocking all of OpenAI’s crawlers
0:10:53 is probably a very bad idea.
0:10:54 Yeah, it’s too blunt.
0:10:55 It’s too blunt an instrument.
0:10:56 You need to be able to distinguish
0:10:57 each one of these
0:10:59 and determine which parts of your site
0:11:00 you want them to get into.
0:11:03 And this then comes to the fourth one
0:11:04 which is the actual agent.
0:11:06 This is the end agent,
0:11:08 the computer operator type feature.
0:11:09 Headless web browsers.
0:11:11 Headless web browsers, yeah.
0:11:12 But even a web browser,
0:11:12 a full web browser
0:11:14 operating inside a VM.
0:11:16 And those are the ones
0:11:17 that require more nuance
0:11:20 because maybe you’re booking a ticket
0:11:22 or doing some research
0:11:23 and you do want the agent
0:11:24 to take actions on your behalf.
0:11:26 Maybe it’s going to your email inbox
0:11:27 and triaging things.
0:11:30 From the application builder’s perspective,
0:11:32 that’s probably a good thing.
0:11:33 You want more transactions,
0:11:35 you want more usage of your application.
0:11:37 But there are examples
0:11:39 where it might be a bad action.
0:11:40 So for example,
0:11:41 if you’re building a tool
0:11:42 that is going to try and
0:11:44 buy all of the concert tickets
0:11:46 and then sell them on later,
0:11:47 that becomes a problem
0:11:48 for the concert seller
0:11:50 because they don’t want to do that.
0:11:50 They want the true fans
0:11:52 to be able to get access to those.
0:11:53 And again, you need the nuance.
0:11:55 Maybe you allow the bot
0:11:56 to go to the homepage
0:11:57 and sit in a queue.
0:11:58 But then when you get
0:11:59 to the front of the queue,
0:12:00 you want the human
0:12:01 to actually make the purchase
0:12:02 and you want to rate limit that
0:12:03 so that maybe the human
0:12:04 can only purchase,
0:12:05 let’s say, five tickets.
0:12:06 You don’t want them
0:12:07 to purchase 500 tickets.
0:12:08 And so this gets into
0:12:10 the real details of the context,
0:12:11 each one,
0:12:12 about what you might want to allow
0:12:13 and what you might want to restrict.
0:12:15 That’s incredibly complicated.
0:12:16 I mean, if I remember back
0:12:18 why we made a lot
0:12:18 of the decisions we made
0:12:19 on blocking bots
0:12:21 was strictly because of scale.
0:12:23 So, you know,
0:12:25 you’ve got 450,000 IP addresses
0:12:26 sending you terabits of traffic
0:12:27 through a link
0:12:28 that only can do gigabit
0:12:30 and you’ve got to just
0:12:31 start dropping stuff, right?
0:12:32 And you take, you know,
0:12:34 it’s the battlefield triage
0:12:35 of the wounded, right?
0:12:36 It’s like some of you
0:12:37 aren’t going to make it
0:12:39 and it becomes a little brutal.
0:12:40 That sounds incredibly sophisticated.
0:12:43 How do you do that sort of
0:12:44 fine-grained control
0:12:45 of traffic flow
0:12:47 at internet scale?
0:12:48 So this is about
0:12:49 building up layers of protections.
0:12:51 So you start with the robots.txt,
0:12:53 just managing the good bots.
0:12:54 Then you look at IPs
0:12:56 and start understanding,
0:12:57 well, where’s the traffic coming from?
0:12:58 In an ideal scenario,
0:12:59 you have one user per IP address,
0:13:00 but we all know that
0:13:02 that doesn’t happen.
0:13:02 That never happens.
0:13:04 And so you can start to build up
0:13:05 databases of reputation
0:13:06 around the IP address
0:13:08 and you can access
0:13:09 the underlying metadata
0:13:10 about that address
0:13:11 knowing which country
0:13:12 it’s coming from
0:13:13 or which network it belongs to.
0:13:15 And then you can start
0:13:16 building up these decisions
0:13:17 thinking, well,
0:13:18 we shouldn’t really be getting
0:13:20 traffic from a data center
0:13:22 for our signup page.
0:13:23 And so we could block
0:13:24 that network.
0:13:26 But it becomes more challenging
0:13:27 if we have that agent example.
0:13:30 The agent with a web browser
0:13:31 or headless browser
0:13:31 is going to be running
0:13:32 on a server somewhere.
0:13:33 It’s probably in a data center.
0:13:35 And then you have
0:13:36 the compounding factor
0:13:37 of the abusers
0:13:39 will purchase access
0:13:39 to proxies
0:13:41 which run on residential
0:13:41 IP addresses.
0:13:43 So you can’t easily rely
0:13:44 on the fact
0:13:45 that it’s part of
0:13:47 a home ISP block anymore.
0:13:48 And so you have to build up
0:13:49 these patterns
0:13:50 understanding the reputation
0:13:51 of the IP address.
0:13:52 Then you have
0:13:53 the user agent string
0:13:55 that is basically
0:13:56 a free text field
0:13:57 that you can fill in
0:13:58 with whatever you like.
0:13:58 There is kind of
0:13:59 a standard there,
0:14:00 but the good bots
0:14:01 will tell you who they are.
0:14:02 It’s been surprising
0:14:04 getting into the details
0:14:05 of this how many bots
0:14:06 actually tell you
0:14:06 who they are.
0:14:07 And so you can block
0:14:07 a lot of them
0:14:08 just on that heuristic
0:14:10 combined with the IP address.
0:14:11 Or allow them.
0:14:12 Or allow them.
0:14:13 Yeah, I’m the shopping bot
0:14:13 from OpenAI.
0:14:14 Right.
0:14:14 Come on in,
0:14:15 buy some stuff.
0:14:15 Exactly.
0:14:16 And Googlebot,
0:14:16 OpenAI,
0:14:18 they tell you who they are
0:14:19 and then you can verify that
0:14:20 by doing a reverse DNS
0:14:21 lookup on the IP address.
0:14:22 So even though
0:14:23 you might be able
0:14:24 to pretend to be Googlebot,
0:14:25 you can check to make sure
0:14:26 that that’s the case or not
0:14:28 with very low latency lookups.
0:14:30 So we can verify that,
0:14:30 yes, this is Google,
0:14:31 I want to allow them.
0:14:33 yes, this is the OpenAI bot
0:14:35 that is doing the search indexing,
0:14:36 I want to allow that.
0:14:37 The next level from that
0:14:39 is building up fingerprints
0:14:40 and fingerprinting
0:14:41 the characteristics
0:14:42 of the request.
0:14:43 And this started
0:14:45 with the JA3 hash
0:14:45 which was invented
0:14:46 at Salesforce
0:14:47 and has now been developed
0:14:48 into a JA4.
0:14:50 Some of them are open source
0:14:50 these algorithms,
0:14:52 some of them are not.
0:14:53 So essentially you take
0:14:53 all of the metrics
0:14:54 around a session
0:14:55 and you create a hash of it
0:14:56 and then you stick it
0:14:56 in a database.
0:14:57 Exactly.
0:14:58 And you look for matches
0:14:58 to that hash.
0:14:59 You look for matches
0:15:00 and then the idea
0:15:01 is that the hash
0:15:02 will change based
0:15:03 on the client
0:15:04 so you can allow
0:15:05 or deny certain clients
0:15:06 but if you have
0:15:07 a huge number
0:15:07 of those clients
0:15:08 all spamming you
0:15:09 then they all
0:15:10 look the same,
0:15:10 they all have
0:15:11 the same fingerprint
0:15:12 and you can just
0:15:13 block that fingerprint.
0:15:14 So this is almost like
0:15:15 if you think of
0:15:17 I always think of things
0:15:18 in terms of the classic
0:15:18 sort of network stack
0:15:20 like layer 0 up to layer 7
0:15:22 like this is almost like
0:15:24 layer 2 level identity
0:15:25 for devices, right?
0:15:26 Right.
0:15:27 It’s looking at the TLS
0:15:28 handshake on the network level
0:15:30 and then you can go up
0:15:31 the layers
0:15:32 and there’s one called
0:15:33 the JA4H
0:15:35 which looks at the HTTP headers
0:15:37 and the earlier versions
0:15:39 of this would be working
0:15:40 on the ordering
0:15:40 of the headers
0:15:41 for instance
0:15:42 so an easy way
0:15:43 to work around it
0:15:44 is just to shift
0:15:44 the headers
0:15:46 the hashing has improved
0:15:47 over time
0:15:48 so that even changing
0:15:49 the ordering of the headers
0:15:51 doesn’t change the hash
0:15:52 and the idea is
0:15:53 that you can then combine
0:15:54 all of these different signals
0:15:56 to try and come to a decision
0:15:57 about whether you think
0:15:57 this is
0:15:58 or who it is
0:16:00 basically making the request
0:16:01 and if it’s malicious
0:16:02 you can block it
0:16:02 based on that
0:16:03 and if it’s someone
0:16:04 that you want to allow
0:16:05 then you can do so.
0:16:05 And this is before
0:16:06 you even get into
0:16:08 kind of the user level
0:16:09 what’s actually happening
0:16:10 in the application, right?
0:16:10 That’s right, yeah.
0:16:12 So this is the logic
0:16:13 on top of that
0:16:14 because you have to identify
0:16:14 who it is first
0:16:16 before you apply the rules
0:16:17 about what you want them to do.
0:16:18 Gotcha, so it’s almost like
0:16:19 you’re adding an authentication layer
0:16:21 or an identity layer
0:16:22 to sort of the transport side.
0:16:23 That’s right, yeah.
0:16:25 Or the application side
0:16:26 I guess you should say.
0:16:27 Yeah, the application, yeah.
0:16:29 But it’s throughout the whole stack
0:16:30 the whole OSI model
0:16:31 and the idea is
0:16:32 you have this
0:16:33 consistent fingerprint
0:16:34 that you can then
0:16:36 apply these rules to
0:16:36 and identity
0:16:37 kind of layers
0:16:38 on top of that
0:16:39 and we’ve seen
0:16:40 some interesting developments
0:16:42 in fingerprinting
0:16:43 and providing signatures
0:16:45 based on
0:16:45 who the request
0:16:46 is coming from.
0:16:47 So a couple of years ago
0:16:48 Apple announced
0:16:49 Privacy Pass
0:16:52 which is a hash
0:16:52 that is attached
0:16:54 to every request
0:16:54 you make
0:16:55 if you’re in the
0:16:55 Apple ecosystem
0:16:56 using Safari
0:16:57 on iPhone
0:16:58 or on Mac
0:16:59 then there is a way
0:17:01 to authenticate
0:17:01 that the request
0:17:02 is coming from
0:17:03 an individual
0:17:04 who has a subscription
0:17:05 to iCloud
0:17:06 and Apple has
0:17:07 their own fraud analysis
0:17:08 to allow you
0:17:09 to subscribe to iCloud
0:17:09 so it’s a very
0:17:11 it’s an easy assumption
0:17:11 to make
0:17:12 that if you have
0:17:12 a subscription
0:17:14 and this signature
0:17:15 is verified
0:17:16 then you’re a real person.
0:17:17 There’s a new one
0:17:18 that Cloudflare
0:17:19 recently published
0:17:21 around doing the same thing
0:17:23 for automated requests
0:17:24 and having a fingerprint
0:17:25 that’s attached
0:17:25 to a signature
0:17:26 inside every single request
0:17:27 which you can then use
0:17:29 public key cryptography
0:17:30 to verify
0:17:31 these are all emerging
0:17:32 as the problem
0:17:33 of being able
0:17:34 to identify
0:17:35 automated clients
0:17:36 increases
0:17:37 because you want
0:17:38 to be able to know
0:17:39 who the good ones are
0:17:40 to allow them through
0:17:41 whilst blocking
0:17:42 all the attackers.
0:17:43 Yeah it’s just like
0:17:43 the old days
0:17:44 with Kerberos right
0:17:45 every large vendor
0:17:46 is going to have
0:17:46 their flavor
0:17:48 and if you’re a shop
0:17:48 and you’re trying
0:17:49 to sell to everybody
0:17:50 you’ve got to kind of
0:17:50 work with all of them.
0:17:51 That’s right
0:17:52 and you just need
0:17:53 to be able to understand
0:17:54 is this a human
0:17:55 and is our application
0:17:56 built for humans
0:17:57 and then you allow them
0:17:58 or is it
0:17:59 that we’re building
0:17:59 an API
0:18:00 or do we want
0:18:01 to be indexed
0:18:01 and we want
0:18:02 to allow this traffic
0:18:03 it’s just giving
0:18:04 the site owner
0:18:05 the control.
0:18:06 Yeah I mean I think
0:18:07 what’s really interesting
0:18:09 to me is that
0:18:10 in my own use
0:18:11 and in my own life
0:18:13 like I interact
0:18:13 with the internet
0:18:15 less and less directly
0:18:16 like almost every day
0:18:17 and I’m going through
0:18:18 some sort of
0:18:19 AI type thing
0:18:20 it could be an agent
0:18:20 it could be
0:18:21 a large language model
0:18:22 it could be
0:18:23 any number of things
0:18:24 but I generally
0:18:25 don’t query stuff
0:18:26 directly as much
0:18:27 as I used to
0:18:28 and it seems like
0:18:28 we’re moving
0:18:29 to a world
0:18:29 where almost
0:18:31 the layer you describe
0:18:32 the agent type
0:18:34 activity you describe
0:18:34 will become
0:18:35 the primary consumer
0:18:36 of everything
0:18:36 on the internet.
0:18:38 Well if 50%
0:18:38 of the traffic
0:18:39 is already
0:18:40 bots
0:18:41 it’s already
0:18:41 automated
0:18:42 and agents
0:18:43 are only really
0:18:44 just getting going
0:18:45 most people
0:18:45 are not using
0:18:46 these computer use
0:18:47 agents
0:18:48 because they’re
0:18:48 too slow
0:18:49 right now
0:18:49 they’re not
0:18:50 they’re still
0:18:51 like previews
0:18:52 but it’s clear
0:18:52 that’s where
0:18:53 everything is going
0:18:54 then we’re going
0:18:55 to see an explosion
0:18:57 in the traffic
0:18:57 that’s coming
0:18:58 from these tools
0:18:58 and just blocking
0:18:59 them just because
0:19:00 they’re AI
0:19:01 is the wrong answer
0:19:02 you’ve really got
0:19:03 to understand
0:19:04 why you want them
0:19:05 what they’re doing
0:19:06 who they’re coming
0:19:06 from and then
0:19:07 you can create
0:19:08 these granular rules
0:19:08 I mean I hate
0:19:09 to use the analogy
0:19:09 but these things
0:19:10 are almost like
0:19:11 avatars right
0:19:12 they’re running
0:19:13 around on someone’s
0:19:13 behalf
0:19:14 and you need
0:19:14 to figure out
0:19:15 who that someone
0:19:16 is and what
0:19:16 the objectives
0:19:17 are
0:19:18 and control them
0:19:19 very granularly
0:19:20 and the old
0:19:20 school methods
0:19:22 of doing that
0:19:23 assume malicious
0:19:23 intent
0:19:25 which isn’t
0:19:26 always the case
0:19:26 and increasingly
0:19:27 is going to be
0:19:28 not the case
0:19:28 because you want
0:19:29 the agents
0:19:30 to be doing things
0:19:31 and the signals
0:19:31 just no longer
0:19:33 work when you’re
0:19:33 expecting traffic
0:19:34 to come from
0:19:35 a data center
0:19:35 or you’re expecting
0:19:36 it to come from
0:19:37 an automated
0:19:38 Chrome instance
0:19:39 and being able
0:19:40 to have the
0:19:41 understanding
0:19:42 of your application
0:19:43 to dig into
0:19:44 the characteristics
0:19:45 of the request
0:19:45 is going to be
0:19:46 increasingly important
0:19:47 in the future
0:19:48 of distinguishing
0:19:49 how criminals
0:19:50 are using
0:19:51 AI
0:19:52 what we’ve seen
0:19:52 so far
0:19:52 is either
0:19:53 training
0:19:54 and people
0:19:55 have that opinion
0:19:55 of whether they
0:19:56 want to train
0:19:56 or not
0:19:57 or it’s bots
0:19:58 that maybe
0:19:58 have got something
0:19:59 wrong
0:20:00 they’re accessing
0:20:00 the site
0:20:01 too much
0:20:01 because they
0:20:02 haven’t thought
0:20:02 about throttling
0:20:04 or they’re ignoring
0:20:04 robots.txt
0:20:05 rather than looking
0:20:06 at agents.txt
0:20:07 which is distinguishing
0:20:09 between an agent
0:20:09 you want to access
0:20:10 your site
0:20:11 and some kind
0:20:11 of crawler
0:20:13 and the examples
0:20:14 that we’ve seen
0:20:15 are just bots
0:20:15 coming to websites
0:20:16 and just downloading
0:20:17 the content
0:20:17 continuously
0:20:19 there’s no world
0:20:20 where that should
0:20:20 be happening
0:20:22 and this is
0:20:23 where the cost
0:20:23 is being put
0:20:24 on the site owner
0:20:25 because they currently
0:20:26 have no easy way
0:20:26 to manage
0:20:27 the control
0:20:30 the traffic
0:20:30 that’s coming
0:20:31 to their site
0:20:32 directionally
0:20:33 things are improving
0:20:34 because
0:20:34 you might have
0:20:35 looked back
0:20:36 18 months
0:20:37 and the bots
0:20:38 have no rate
0:20:38 limiting
0:20:39 they’re just
0:20:39 downloading content
0:20:40 all the time
0:20:42 today we know
0:20:42 that these bots
0:20:43 can be verified
0:20:44 they are identifying
0:20:45 themselves
0:20:46 they are much
0:20:47 better citizens
0:20:48 of the internet
0:20:48 and they are
0:20:49 starting to follow
0:20:50 the rules
0:20:51 and so over the
0:20:52 next 18 months
0:20:53 I think we’ll see
0:20:54 more of that
0:20:55 more of the AI
0:20:56 crawlers that we want
0:20:57 following the rules
0:20:58 doing things in the right way
0:20:59 and it will start
0:21:00 to split into
0:21:01 making it a lot easier
0:21:02 to detect the bots
0:21:03 with criminal intent
0:21:04 and those are the ones
0:21:05 that we want to be blocking
0:21:06 So with the transition
0:21:08 of bots
0:21:09 from being these
0:21:10 entities on the internet
0:21:11 that represent
0:21:12 third parties
0:21:13 and organizations
0:21:14 to this new world
0:21:16 where these AI agents
0:21:16 could be representing
0:21:17 organizations
0:21:17 they could be
0:21:18 representing customers
0:21:19 they could be
0:21:20 representing any number
0:21:20 of people
0:21:21 and this is probably
0:21:22 the wave of the future
0:21:24 it seems to me like
0:21:25 detecting
0:21:26 that it’s AI
0:21:27 or a person
0:21:27 is going to be
0:21:28 an incredibly difficult
0:21:28 challenge
0:21:29 and I’m curious
0:21:31 like how are you
0:21:31 thinking about
0:21:33 proving humanness
0:21:34 on the internet
0:21:34 right
0:21:35 proofing
0:21:37 is a tale
0:21:38 as old as time
0:21:39 there’s a NIST
0:21:39 working group
0:21:40 on proofing identity
0:21:41 that’s been running
0:21:42 I think for 35 years
0:21:43 and like still
0:21:44 hasn’t really gotten
0:21:45 to something
0:21:45 that’s implementable
0:21:46 there’s 15 companies
0:21:47 out there right
0:21:48 the first wave
0:21:50 of ride share services
0:21:51 and gig economy
0:21:52 type companies
0:21:53 needed to have proofing
0:21:53 right
0:21:54 because you’re hiring
0:21:54 these people
0:21:55 in remote places
0:21:56 where you don’t
0:21:56 have an office
0:21:57 and it’s still
0:21:58 not a solved problem
0:21:59 I’m curious
0:21:59 like it feels
0:22:00 like maybe AI
0:22:02 can help get us there
0:22:03 or maybe there’s
0:22:03 something that’s
0:22:04 happening in that space
0:22:04 right
0:22:06 well the pure solution
0:22:07 is digital signature
0:22:07 right
0:22:08 but we’ve been
0:22:09 talking about that
0:22:10 for so long
0:22:12 and the UX
0:22:12 around it
0:22:13 is basically impossible
0:22:15 for normal people
0:22:16 to figure out
0:22:17 and it’s why
0:22:17 something like
0:22:18 email encryption
0:22:19 no one encrypts
0:22:19 their email
0:22:21 you have encrypted chat
0:22:21 because it’s built
0:22:22 into the app
0:22:23 and it can do
0:22:24 all the difficult
0:22:24 things like the
0:22:26 key exchange
0:22:26 behind the scenes
0:22:28 so that solution
0:22:29 isn’t really going to work
0:22:31 but AI has been used
0:22:32 in analyzing traffic
0:22:33 for at least over a decade
0:22:34 it’s just it was called
0:22:35 machine learning
0:22:36 and so you start
0:22:37 with machine learning
0:22:38 and the question is
0:22:39 well what does
0:22:40 the new generation
0:22:42 of AI allow us to do
0:22:43 the challenge with
0:22:45 the LLM type models
0:22:46 is just the speed
0:22:47 at which they are
0:22:48 doing analysis
0:22:49 because you often
0:22:51 want to take a decision
0:22:52 on the network
0:22:53 or in the application
0:22:54 within a couple of milliseconds
0:22:55 otherwise you’re going to be
0:22:56 blocking the traffic
0:22:57 and the user’s going to
0:22:57 become annoyed
0:22:59 and so you can do that
0:22:59 with kind of
0:23:01 classic machine learning models
0:23:01 and do the inference
0:23:02 really quickly
0:23:03 and where I think
0:23:04 the interesting thing
0:23:05 in the next few years
0:23:06 is going to be
0:23:07 is how we take
0:23:08 this new generation
0:23:10 of generative AI
0:23:11 using LLMs
0:23:12 or other types
0:23:14 of LLM-like technology
0:23:15 to do analysis
0:23:17 on huge traffic patterns
0:23:18 I think that can be done
0:23:19 in the background
0:23:19 initially
0:23:20 but we’re already seeing
0:23:22 new edge models
0:23:23 designed to be deployed
0:23:24 to mobile devices
0:23:25 and IoT
0:23:26 that use very low amounts
0:23:28 of system memory
0:23:29 and can provide
0:23:30 inference responses
0:23:31 within milliseconds
0:23:32 I think those
0:23:33 are going to start
0:23:33 to be deployed
0:23:35 to applications
0:23:37 over the next few years
0:23:38 I think you’re exactly right
0:23:38 like I think
0:23:40 so much of what
0:23:41 we’re seeing now
0:23:42 is just being restricted
0:23:43 by the cost of inference
0:23:44 and that cost is
0:23:45 dropping incredibly fast
0:23:46 right
0:23:46 we saw this with
0:23:47 cloud
0:23:47 where like
0:23:49 S3 went to being
0:23:50 the most expensive storage
0:23:50 you could buy
0:23:51 to being free
0:23:52 essentially free
0:23:52 Glacier is essentially free
0:23:53 right
0:23:53 free is beer
0:23:53 right
0:23:54 whatever
0:23:55 and so like
0:23:56 we’re seeing that
0:23:58 even at a more
0:23:58 accelerated rate
0:23:59 for inference
0:23:59 like the cost
0:24:00 is just falling
0:24:00 incredibly
0:24:01 and then
0:24:02 when you look
0:24:03 at the capabilities
0:24:04 of these
0:24:05 new technologies
0:24:06 to drop
0:24:07 a suspicious email
0:24:08 into chat GPT
0:24:09 and ask if it’s
0:24:09 suspicious
0:24:10 and it’s like
0:24:11 100% accurate
0:24:11 right
0:24:12 like if you want
0:24:13 to like find
0:24:14 sensitive information
0:24:15 you ask
0:24:15 the LLM
0:24:16 is a sense
0:24:16 of information
0:24:17 and it’s like
0:24:18 100% accurate
0:24:18 like
0:24:20 it’s amazing
0:24:21 like as you squint
0:24:22 and look at the future
0:24:23 you can start to see
0:24:24 these really incredible
0:24:25 use cases
0:24:25 right
0:24:26 like to your point
0:24:27 of inference
0:24:27 on the edge
0:24:27 like
0:24:29 do you think
0:24:29 do you think
0:24:29 we all end up
0:24:30 eventually
0:24:30 with like
0:24:31 an LLM
0:24:32 running locally
0:24:33 that’s basically
0:24:34 going to be clippy
0:24:34 but for CISOs
0:24:35 like it pops up
0:24:36 and says
0:24:36 hey it looks like
0:24:36 you’re doing
0:24:37 something stupid
0:24:38 like is that
0:24:39 is that kind of
0:24:39 where you think
0:24:40 we land
0:24:40 that’s what we’re
0:24:41 working on
0:24:41 is getting
0:24:42 this analysis
0:24:43 into the process
0:24:43 so that for
0:24:44 every single request
0:24:45 that comes through
0:24:45 you can have
0:24:46 a sandbox
0:24:47 that will analyze
0:24:48 the full request
0:24:49 and give you a response
0:24:50 whereas now
0:24:50 you can wait
0:24:51 maybe two to five
0:24:53 seconds to delay
0:24:53 an email
0:24:54 and do the analysis
0:24:55 and decide whether
0:24:57 to flag it for review
0:24:57 or send it
0:24:58 to someone’s inbox
0:24:59 delaying an HTTP request
0:25:00 for five seconds
0:25:02 that’s not going to work
0:25:02 and so I think
0:25:05 the trend that we’re seeing
0:25:05 with the improvement
0:25:06 cost
0:25:08 the inference cost
0:25:09 but also the latency
0:25:10 in getting the inference
0:25:11 decision
0:25:12 that’s going to be the key
0:25:14 so we can embed this
0:25:14 into the application
0:25:16 you’ve got the full context
0:25:16 window
0:25:17 so you can add
0:25:17 everything you know
0:25:18 about the user
0:25:19 everything about the session
0:25:20 everything about your application
0:25:22 alongside the request
0:25:23 and then come to decision
0:25:24 entirely locally
0:25:25 on your web server
0:25:26 on the edge
0:25:27 wherever it happens
0:25:27 to be running
0:25:28 as I listen to you
0:25:29 say that
0:25:30 and describe this process
0:25:30 all I can think
0:25:31 is that advertisers
0:25:32 are going to love this
0:25:34 it just seems like
0:25:35 the kind of technology
0:25:36 built for sort of like
0:25:37 hey he’s looking at this product
0:25:38 show him this one right
0:25:38 yeah
0:25:40 super fast inference
0:25:40 on the edge
0:25:41 coming to a decision
0:25:43 and for advertisers
0:25:44 stopping click spam
0:25:46 that’s a huge problem
0:25:47 and being able to
0:25:47 come to that decision
0:25:48 before it even goes
0:25:50 through your ad model
0:25:51 and the auction system
0:25:52 who would have ever thought
0:25:53 that non-deterministic
0:25:55 incredibly cheap compute
0:25:57 would solve these use cases
0:25:57 right
0:25:59 we’re in a weird world
0:26:01 that’s it for this episode
0:26:03 thanks again for listening
0:26:04 and remember to keep listening
0:26:05 for some more great episodes
0:26:07 as the AI space matures
0:26:08 we need to start thinking
0:26:09 more practically
0:26:10 about how the technology
0:26:11 coexists with the systems
0:26:12 and platforms
0:26:13 we already use
0:26:15 that’s what we try to do here
0:26:16 and we’ll keep examining
0:26:16 these questions
0:26:17 in the weeks to come
0:00:07 and agents are only really just getting going.
0:00:10 Most people are not using these computer use agents
0:00:13 because they’re too slow right now, they’re still at previews
0:00:16 but it’s clear that’s where everything is going.
0:00:19 Then we’re going to see an explosion in the traffic
0:00:21 that’s coming from these tools and just blocking them
0:00:24 just because they’re AI is the wrong answer.
0:00:27 You’ve really got to understand why you want them,
0:00:29 what they’re doing, who they’re coming from
0:00:30 and then you can create these granular rules.
0:00:34 AI agents are changing how people interact with the web
0:00:36 but most sites still treat them like bots.
0:00:40 In this episode, taken from the AI plus A16Z podcast,
0:00:44 A16Z partner Joel De La Garza talks with ArcJet CEO David Mitten
0:00:47 about building internet infrastructure for this new era.
0:00:49 Here’s Derek to kick things off.
0:00:55 Thanks for listening to the A16Z AI podcast.
0:00:56 If you’ve been listening for a while
0:00:58 or if you’re at all plugged into the world of AI,
0:01:00 you’ve no doubt heard about AI agents
0:01:03 and all the amazing things they theoretically can do.
0:01:04 But there’s a catch.
0:01:07 When it comes to engaging with websites,
0:01:10 agents are limited by what any given site allows them to do.
0:01:14 If, for example, a site tries to limit all non-human interactions
0:01:17 in an attempt to prevent unwanted bot activity,
0:01:20 it might also prevent an AI agent from working on a customer’s behalf,
0:01:24 say, making a reservation, signing up for a service, or buying a product.
0:01:29 This broad strokes approach to site security is incompatible with the idea of what some call
0:01:35 agent experience, an approach to web and product design that treats agents as first-class users.
0:01:41 In this episode, A16Z infra partner, Joel De LaGarza dives into this topic with David Mitton,
0:01:46 the CEO of ArcJet, a startup building developer-native security for modern web frameworks,
0:01:50 including attack detection, sign-up spam prevention, and bot detection.
0:01:54 Their discussion is short, sweet, and very insightful.
0:01:56 And you’ll hear it after these disclosures.
0:02:01 As a reminder, please note that the content here is for informational purposes only,
0:02:05 should not be taken as legal, business, tax, or investment advice,
0:02:08 or be used to evaluate any investment or security,
0:02:14 and is not directed at any investors or potential investors in any A16Z fund.
0:02:19 For more details, please see A16Z.com slash disclosures.
0:02:22 It seems like what once was old is new again.
0:02:28 And we’d love to get your thoughts on this new emergence of bots
0:02:31 and how, while we know all the bad things that happen with them,
0:02:33 there’s actually a lot of good and really cool stuff that’s happening
0:02:35 and how we can maybe work towards enabling that.
0:02:37 Right, well, things have changed, right?
0:02:40 The DDoS problem is still there,
0:02:43 but it’s just almost handled as a commodity these days.
0:02:46 The network provider, your cloud provider,
0:02:47 they’ll just deal with it.
0:02:49 And so when you’re deploying an application,
0:02:51 most of the time you just don’t have to think about it.
0:02:54 The challenge comes when you’ve got traffic
0:02:57 that just doesn’t fit those filters.
0:02:59 It looks like it could be legitimate,
0:03:01 or maybe it is legitimate,
0:03:02 and you just have a different view
0:03:04 about what kind of traffic you want to see.
0:03:06 And so the challenge is really about
0:03:08 how do you distinguish between the good bots and the bad bots?
0:03:11 And then with AI changing things,
0:03:15 it’s bots that might even be acting on behalf of humans, right?
0:03:17 It’s no longer a binary decision.
0:03:21 And as the amount of traffic from bots increases,
0:03:23 in some cases, it’s the majority of traffic
0:03:26 that sites are receiving is from an automated source.
0:03:29 And so the question for site owners is,
0:03:31 well, what kind of traffic do you want to allow?
0:03:33 And when it’s automated,
0:03:36 what kind of automated traffic should come to your site?
0:03:38 And what are you getting in return for that?
0:03:41 And in the old days, I mean, I guess the old providers,
0:03:43 we’ll say, the legacy providers in this space,
0:03:46 like it was very much using a hammer, right?
0:03:50 So they would say, hey, if this IP address is coming in,
0:03:51 it’s probably a bot.
0:03:53 Or they would say, if this user agent is coming in,
0:03:54 it’s probably a bot.
0:03:55 Very imprecise.
0:03:57 And I think the downside of that is that
0:03:59 you probably blocked a lot of legitimate traffic
0:04:01 along with the legitimate traffic.
0:04:04 And now there’s very real consequences
0:04:06 because some of these AI bots could be actual users
0:04:08 that are acting on behalf of
0:04:10 who are looking to purchase your products.
0:04:11 This is the challenge.
0:04:13 So a volumetric DDoS attack,
0:04:15 you just want to block that at the network.
0:04:16 You never want to see that traffic.
0:04:20 But everything else needs the context of the application.
0:04:21 You need to know where in the application
0:04:23 the traffic is coming to.
0:04:25 You need to know who the user is, the session,
0:04:27 and to understand in which case
0:04:28 you want to allow or deny that.
0:04:31 And so this is the real issue for developers,
0:04:34 for site owners, for security teams,
0:04:36 is to make those really nuanced decisions
0:04:40 to understand whether the traffic should be allowed or not.
0:04:43 And the context of the application itself is so important
0:04:44 because it depends on the site.
0:04:46 If you’re running an e-commerce operation,
0:04:47 an online store,
0:04:50 the worst thing you can do is block a transaction
0:04:51 because then you’ve lost the revenue.
0:04:54 Usually you want to then flag that order for review.
0:04:57 A human customer support person is going to come in
0:04:59 and determine based on various signals
0:05:01 by whether to allow it.
0:05:03 And if you just block that at the network,
0:05:05 then your application will never see it.
0:05:08 You never even know that that order was failed in some way.
0:05:11 There’s been a lot of media releases
0:05:14 about companies that have released solutions in this space.
0:05:17 But largely they were based on sort of those
0:05:19 old kind of approaches using network telemetry.
0:05:23 Is that generally how they’re working now?
0:05:26 Or is there some other capabilities that they’ve released?
0:05:28 Because they give them AI names
0:05:29 and you just immediately assume
0:05:30 that they’re doing something fancy.
0:05:31 That’s right, yeah.
0:05:32 So blocking on the network
0:05:36 is basically how the majority of these old school products work.
0:05:39 They do analysis before the traffic reaches your application
0:05:42 and then you never know what the result of that was.
0:05:44 And that just doesn’t fly anymore.
0:05:47 It’s insufficient for being able to build modern applications.
0:05:49 Particularly with AI coming in
0:05:51 where something like OpenAI
0:05:54 has four or five different types of bots
0:05:56 and some of them you might want to make
0:05:58 a more restrictive decision over.
0:06:00 But then others are going to be taking actions
0:06:01 on behalf of a user search.
0:06:05 And we’re seeing lots of different applications
0:06:06 getting more signups.
0:06:08 Businesses actually getting higher conversions
0:06:10 as a result of this AI traffic.
0:06:13 And so just blocking anything that is called AI
0:06:15 is too blunt of an instrument.
0:06:17 You need much more nuance.
0:06:18 And the only way you can do that
0:06:20 is with the application context,
0:06:22 understanding what’s going on inside your code.
0:06:24 I mean, I’d say we’re seeing across the industry
0:06:27 that AI is driving incredible amounts
0:06:28 of new revenue to companies.
0:06:30 And if you use an old world tool
0:06:31 to just block any of that traffic,
0:06:33 you’re probably dooming your business.
0:06:33 That’s right.
0:06:36 Or you’re putting it into some kind of maze
0:06:37 where it’s seeing irrelevant content.
0:06:39 And then by doing that,
0:06:41 you are kind of downranking your site
0:06:44 because the AI crawler is never going to come back.
0:06:46 It’s kind of like blocking Google
0:06:47 from visiting your site.
0:06:49 It’s like, yeah, Google doesn’t get you in,
0:06:51 you’re no longer in Google’s index,
0:06:53 but then you’re no longer in Google’s index.
0:06:54 And so anyone searching
0:06:56 is not going to find you as a result.
0:06:59 Well, and I believe we had sort of standards
0:07:00 in the old days that developed
0:07:03 or quasi standards like robots.txt, right?
0:07:04 Which would tell you like until the crawlers,
0:07:06 hey, don’t crawl these directories.
0:07:08 Are we doing something similar
0:07:09 for this new age agentic world?
0:07:13 So robots.txt is still the starting place.
0:07:15 And it’s kind of a voluntary standard.
0:07:19 It evolved over several decades ago now.
0:07:20 It’s been around a long time.
0:07:22 Bots have been a problem for a long time.
0:07:24 And the idea is you describe
0:07:25 the areas of your application
0:07:29 and tell any robot that’s coming to your site
0:07:31 whether you want to allow that robot
0:07:33 to access that area of the site or not.
0:07:35 And you could use that to control
0:07:36 the rollout of new content.
0:07:39 You could protect certain pages of your site
0:07:40 that you just don’t want to be indexed
0:07:41 for whatever reason.
0:07:43 And you can also point the crawler
0:07:44 to where you do want it to go.
0:07:46 You can use the sitemap for that as well.
0:07:49 But the robots.txt file format
0:07:50 has evolved over time
0:07:53 to provide these signals to the likes,
0:07:55 to crawlers like search engines
0:07:56 from Google and so on.
0:07:59 The challenge with that is it’s voluntary
0:08:01 and there’s no enforcement of it.
0:08:04 So you’ve got good bots like Googlebot
0:08:05 that will follow the standard
0:08:07 and you’ll be able to have full control
0:08:08 over what it does.
0:08:11 But there are newer bots that are ignoring it
0:08:13 or even sometimes using it as a way
0:08:15 to find the parts of your site
0:08:16 that you don’t want it to access
0:08:18 and they will just do that anyway.
0:08:20 And so this becomes a control problem
0:08:21 for the site owner.
0:08:23 And you really want to be able to understand
0:08:26 not just what the list of rules are
0:08:27 but how they are enforced.
0:08:28 Totally.
0:08:30 Maybe it’d be great to walk through
0:08:32 what these agents are.
0:08:34 Maybe get some more understanding
0:08:36 of sort of how they operate,
0:08:38 what people are using them for,
0:08:40 perhaps go through a couple of the use cases.
0:08:42 And then it’d be great to understand
0:08:44 sort of like how you do control it
0:08:47 because it seems like a far more complicated problem
0:08:48 than just bad IP addresses.
0:08:48 Right.
0:08:51 So if we think about OpenAI as an example
0:08:53 because they have four or five different crawlers,
0:08:56 there’s one and they all have different names
0:08:57 and they all identify themselves
0:08:58 in different ways.
0:09:01 So one actually is crawling to train
0:09:03 the OpenAI models on your site.
0:09:05 And that’s the one that probably everyone
0:09:07 is thinking about when they’re thinking about
0:09:09 I want to block AI, the training.
0:09:11 And you have different philosophical approaches
0:09:12 to how you want to be included
0:09:14 in the training data.
0:09:15 The others are more nuanced
0:09:17 and will require more thought.
0:09:19 So there’s one that will go out
0:09:23 when a user is typing something into the chat
0:09:24 and is asked a question
0:09:26 and OpenAI will go out and search.
0:09:29 It’s built up its own search index.
0:09:31 And so that’s equivalent of Googlebot.
0:09:33 You probably want to be in that index
0:09:35 because as we’re seeing,
0:09:37 sites are getting more signups,
0:09:37 they’re getting more traffic.
0:09:40 The discovery process is being part
0:09:42 of just another search index is super important.
0:09:42 Gotcha.
0:09:44 So like when I ask OpenAI,
0:09:46 when is John F. Kennedy’s birthday?
0:09:47 If it doesn’t know the answer,
0:09:48 it goes out and searches the web.
0:09:49 Yeah, that’s right.
0:09:50 Or if it’s trying to get open hours
0:09:51 for something,
0:09:53 it might go to a website for a cafe or whatever
0:09:55 and pass it and then return the results.
0:09:57 So that’s really just like a classic
0:09:58 search engine crawler
0:10:01 except it’s kind of happening behind the scenes.
0:10:02 The other one is something
0:10:04 that’s happening in real time.
0:10:06 So you might give the agent
0:10:07 a specific URL
0:10:09 and go and ask it to summarize it
0:10:11 or to look up a particular question
0:10:13 in the docs for a developer tool
0:10:14 or something like that.
0:10:15 And then that’s a separate agent
0:10:16 that will go out,
0:10:17 it will read the website
0:10:18 and then it will return
0:10:20 and answer the query.
0:10:22 For both of these two examples,
0:10:23 OpenAI and others
0:10:26 are now starting to cite those sources.
0:10:27 And you’ll regularly see,
0:10:28 and this is kind of the recommendation,
0:10:31 is you get the result from the AI tool
0:10:33 but you shouldn’t trust it 100%.
0:10:34 You go and then verify
0:10:35 and you look at the docs.
0:10:37 And maybe it’s like
0:10:38 when you used to go to Wikipedia
0:10:39 and you’d read the summary
0:10:40 and then you’d look at the references
0:10:41 and you’d go to all the references
0:10:43 and check to make sure
0:10:44 what had been summarized
0:10:45 was actually correct.
0:10:46 But all three of those examples,
0:10:48 you clearly could see
0:10:48 why you would want them
0:10:49 accessing your site.
0:10:50 Right.
0:10:52 Why like blocking all of OpenAI’s crawlers
0:10:53 is probably a very bad idea.
0:10:54 Yeah, it’s too blunt.
0:10:55 It’s too blunt an instrument.
0:10:56 You need to be able to distinguish
0:10:57 each one of these
0:10:59 and determine which parts of your site
0:11:00 you want them to get into.
0:11:03 And this then comes to the fourth one
0:11:04 which is the actual agent.
0:11:06 This is the end agent,
0:11:08 the computer operator type feature.
0:11:09 Headless web browsers.
0:11:11 Headless web browsers, yeah.
0:11:12 But even a web browser,
0:11:12 a full web browser
0:11:14 operating inside a VM.
0:11:16 And those are the ones
0:11:17 that require more nuance
0:11:20 because maybe you’re booking a ticket
0:11:22 or doing some research
0:11:23 and you do want the agent
0:11:24 to take actions on your behalf.
0:11:26 Maybe it’s going to your email inbox
0:11:27 and triaging things.
0:11:30 From the application builder’s perspective,
0:11:32 that’s probably a good thing.
0:11:33 You want more transactions,
0:11:35 you want more usage of your application.
0:11:37 But there are examples
0:11:39 where it might be a bad action.
0:11:40 So for example,
0:11:41 if you’re building a tool
0:11:42 that is going to try and
0:11:44 buy all of the concert tickets
0:11:46 and then sell them on later,
0:11:47 that becomes a problem
0:11:48 for the concert seller
0:11:50 because they don’t want to do that.
0:11:50 They want the true fans
0:11:52 to be able to get access to those.
0:11:53 And again, you need the nuance.
0:11:55 Maybe you allow the bot
0:11:56 to go to the homepage
0:11:57 and sit in a queue.
0:11:58 But then when you get
0:11:59 to the front of the queue,
0:12:00 you want the human
0:12:01 to actually make the purchase
0:12:02 and you want to rate limit that
0:12:03 so that maybe the human
0:12:04 can only purchase,
0:12:05 let’s say, five tickets.
0:12:06 You don’t want them
0:12:07 to purchase 500 tickets.
0:12:08 And so this gets into
0:12:10 the real details of the context,
0:12:11 each one,
0:12:12 about what you might want to allow
0:12:13 and what you might want to restrict.
0:12:15 That’s incredibly complicated.
0:12:16 I mean, if I remember back
0:12:18 why we made a lot
0:12:18 of the decisions we made
0:12:19 on blocking bots
0:12:21 was strictly because of scale.
0:12:23 So, you know,
0:12:25 you’ve got 450,000 IP addresses
0:12:26 sending you terabits of traffic
0:12:27 through a link
0:12:28 that only can do gigabit
0:12:30 and you’ve got to just
0:12:31 start dropping stuff, right?
0:12:32 And you take, you know,
0:12:34 it’s the battlefield triage
0:12:35 of the wounded, right?
0:12:36 It’s like some of you
0:12:37 aren’t going to make it
0:12:39 and it becomes a little brutal.
0:12:40 That sounds incredibly sophisticated.
0:12:43 How do you do that sort of
0:12:44 fine-grained control
0:12:45 of traffic flow
0:12:47 at internet scale?
0:12:48 So this is about
0:12:49 building up layers of protections.
0:12:51 So you start with the robots.txt,
0:12:53 just managing the good bots.
0:12:54 Then you look at IPs
0:12:56 and start understanding,
0:12:57 well, where’s the traffic coming from?
0:12:58 In an ideal scenario,
0:12:59 you have one user per IP address,
0:13:00 but we all know that
0:13:02 that doesn’t happen.
0:13:02 That never happens.
0:13:04 And so you can start to build up
0:13:05 databases of reputation
0:13:06 around the IP address
0:13:08 and you can access
0:13:09 the underlying metadata
0:13:10 about that address
0:13:11 knowing which country
0:13:12 it’s coming from
0:13:13 or which network it belongs to.
0:13:15 And then you can start
0:13:16 building up these decisions
0:13:17 thinking, well,
0:13:18 we shouldn’t really be getting
0:13:20 traffic from a data center
0:13:22 for our signup page.
0:13:23 And so we could block
0:13:24 that network.
0:13:26 But it becomes more challenging
0:13:27 if we have that agent example.
0:13:30 The agent with a web browser
0:13:31 or headless browser
0:13:31 is going to be running
0:13:32 on a server somewhere.
0:13:33 It’s probably in a data center.
0:13:35 And then you have
0:13:36 the compounding factor
0:13:37 of the abusers
0:13:39 will purchase access
0:13:39 to proxies
0:13:41 which run on residential
0:13:41 IP addresses.
0:13:43 So you can’t easily rely
0:13:44 on the fact
0:13:45 that it’s part of
0:13:47 a home ISP block anymore.
0:13:48 And so you have to build up
0:13:49 these patterns
0:13:50 understanding the reputation
0:13:51 of the IP address.
0:13:52 Then you have
0:13:53 the user agent string
0:13:55 that is basically
0:13:56 a free text field
0:13:57 that you can fill in
0:13:58 with whatever you like.
0:13:58 There is kind of
0:13:59 a standard there,
0:14:00 but the good bots
0:14:01 will tell you who they are.
0:14:02 It’s been surprising
0:14:04 getting into the details
0:14:05 of this how many bots
0:14:06 actually tell you
0:14:06 who they are.
0:14:07 And so you can block
0:14:07 a lot of them
0:14:08 just on that heuristic
0:14:10 combined with the IP address.
0:14:11 Or allow them.
0:14:12 Or allow them.
0:14:13 Yeah, I’m the shopping bot
0:14:13 from OpenAI.
0:14:14 Right.
0:14:14 Come on in,
0:14:15 buy some stuff.
0:14:15 Exactly.
0:14:16 And Googlebot,
0:14:16 OpenAI,
0:14:18 they tell you who they are
0:14:19 and then you can verify that
0:14:20 by doing a reverse DNS
0:14:21 lookup on the IP address.
0:14:22 So even though
0:14:23 you might be able
0:14:24 to pretend to be Googlebot,
0:14:25 you can check to make sure
0:14:26 that that’s the case or not
0:14:28 with very low latency lookups.
0:14:30 So we can verify that,
0:14:30 yes, this is Google,
0:14:31 I want to allow them.
0:14:33 yes, this is the OpenAI bot
0:14:35 that is doing the search indexing,
0:14:36 I want to allow that.
0:14:37 The next level from that
0:14:39 is building up fingerprints
0:14:40 and fingerprinting
0:14:41 the characteristics
0:14:42 of the request.
0:14:43 And this started
0:14:45 with the JA3 hash
0:14:45 which was invented
0:14:46 at Salesforce
0:14:47 and has now been developed
0:14:48 into a JA4.
0:14:50 Some of them are open source
0:14:50 these algorithms,
0:14:52 some of them are not.
0:14:53 So essentially you take
0:14:53 all of the metrics
0:14:54 around a session
0:14:55 and you create a hash of it
0:14:56 and then you stick it
0:14:56 in a database.
0:14:57 Exactly.
0:14:58 And you look for matches
0:14:58 to that hash.
0:14:59 You look for matches
0:15:00 and then the idea
0:15:01 is that the hash
0:15:02 will change based
0:15:03 on the client
0:15:04 so you can allow
0:15:05 or deny certain clients
0:15:06 but if you have
0:15:07 a huge number
0:15:07 of those clients
0:15:08 all spamming you
0:15:09 then they all
0:15:10 look the same,
0:15:10 they all have
0:15:11 the same fingerprint
0:15:12 and you can just
0:15:13 block that fingerprint.
0:15:14 So this is almost like
0:15:15 if you think of
0:15:17 I always think of things
0:15:18 in terms of the classic
0:15:18 sort of network stack
0:15:20 like layer 0 up to layer 7
0:15:22 like this is almost like
0:15:24 layer 2 level identity
0:15:25 for devices, right?
0:15:26 Right.
0:15:27 It’s looking at the TLS
0:15:28 handshake on the network level
0:15:30 and then you can go up
0:15:31 the layers
0:15:32 and there’s one called
0:15:33 the JA4H
0:15:35 which looks at the HTTP headers
0:15:37 and the earlier versions
0:15:39 of this would be working
0:15:40 on the ordering
0:15:40 of the headers
0:15:41 for instance
0:15:42 so an easy way
0:15:43 to work around it
0:15:44 is just to shift
0:15:44 the headers
0:15:46 the hashing has improved
0:15:47 over time
0:15:48 so that even changing
0:15:49 the ordering of the headers
0:15:51 doesn’t change the hash
0:15:52 and the idea is
0:15:53 that you can then combine
0:15:54 all of these different signals
0:15:56 to try and come to a decision
0:15:57 about whether you think
0:15:57 this is
0:15:58 or who it is
0:16:00 basically making the request
0:16:01 and if it’s malicious
0:16:02 you can block it
0:16:02 based on that
0:16:03 and if it’s someone
0:16:04 that you want to allow
0:16:05 then you can do so.
0:16:05 And this is before
0:16:06 you even get into
0:16:08 kind of the user level
0:16:09 what’s actually happening
0:16:10 in the application, right?
0:16:10 That’s right, yeah.
0:16:12 So this is the logic
0:16:13 on top of that
0:16:14 because you have to identify
0:16:14 who it is first
0:16:16 before you apply the rules
0:16:17 about what you want them to do.
0:16:18 Gotcha, so it’s almost like
0:16:19 you’re adding an authentication layer
0:16:21 or an identity layer
0:16:22 to sort of the transport side.
0:16:23 That’s right, yeah.
0:16:25 Or the application side
0:16:26 I guess you should say.
0:16:27 Yeah, the application, yeah.
0:16:29 But it’s throughout the whole stack
0:16:30 the whole OSI model
0:16:31 and the idea is
0:16:32 you have this
0:16:33 consistent fingerprint
0:16:34 that you can then
0:16:36 apply these rules to
0:16:36 and identity
0:16:37 kind of layers
0:16:38 on top of that
0:16:39 and we’ve seen
0:16:40 some interesting developments
0:16:42 in fingerprinting
0:16:43 and providing signatures
0:16:45 based on
0:16:45 who the request
0:16:46 is coming from.
0:16:47 So a couple of years ago
0:16:48 Apple announced
0:16:49 Privacy Pass
0:16:52 which is a hash
0:16:52 that is attached
0:16:54 to every request
0:16:54 you make
0:16:55 if you’re in the
0:16:55 Apple ecosystem
0:16:56 using Safari
0:16:57 on iPhone
0:16:58 or on Mac
0:16:59 then there is a way
0:17:01 to authenticate
0:17:01 that the request
0:17:02 is coming from
0:17:03 an individual
0:17:04 who has a subscription
0:17:05 to iCloud
0:17:06 and Apple has
0:17:07 their own fraud analysis
0:17:08 to allow you
0:17:09 to subscribe to iCloud
0:17:09 so it’s a very
0:17:11 it’s an easy assumption
0:17:11 to make
0:17:12 that if you have
0:17:12 a subscription
0:17:14 and this signature
0:17:15 is verified
0:17:16 then you’re a real person.
0:17:17 There’s a new one
0:17:18 that Cloudflare
0:17:19 recently published
0:17:21 around doing the same thing
0:17:23 for automated requests
0:17:24 and having a fingerprint
0:17:25 that’s attached
0:17:25 to a signature
0:17:26 inside every single request
0:17:27 which you can then use
0:17:29 public key cryptography
0:17:30 to verify
0:17:31 these are all emerging
0:17:32 as the problem
0:17:33 of being able
0:17:34 to identify
0:17:35 automated clients
0:17:36 increases
0:17:37 because you want
0:17:38 to be able to know
0:17:39 who the good ones are
0:17:40 to allow them through
0:17:41 whilst blocking
0:17:42 all the attackers.
0:17:43 Yeah it’s just like
0:17:43 the old days
0:17:44 with Kerberos right
0:17:45 every large vendor
0:17:46 is going to have
0:17:46 their flavor
0:17:48 and if you’re a shop
0:17:48 and you’re trying
0:17:49 to sell to everybody
0:17:50 you’ve got to kind of
0:17:50 work with all of them.
0:17:51 That’s right
0:17:52 and you just need
0:17:53 to be able to understand
0:17:54 is this a human
0:17:55 and is our application
0:17:56 built for humans
0:17:57 and then you allow them
0:17:58 or is it
0:17:59 that we’re building
0:17:59 an API
0:18:00 or do we want
0:18:01 to be indexed
0:18:01 and we want
0:18:02 to allow this traffic
0:18:03 it’s just giving
0:18:04 the site owner
0:18:05 the control.
0:18:06 Yeah I mean I think
0:18:07 what’s really interesting
0:18:09 to me is that
0:18:10 in my own use
0:18:11 and in my own life
0:18:13 like I interact
0:18:13 with the internet
0:18:15 less and less directly
0:18:16 like almost every day
0:18:17 and I’m going through
0:18:18 some sort of
0:18:19 AI type thing
0:18:20 it could be an agent
0:18:20 it could be
0:18:21 a large language model
0:18:22 it could be
0:18:23 any number of things
0:18:24 but I generally
0:18:25 don’t query stuff
0:18:26 directly as much
0:18:27 as I used to
0:18:28 and it seems like
0:18:28 we’re moving
0:18:29 to a world
0:18:29 where almost
0:18:31 the layer you describe
0:18:32 the agent type
0:18:34 activity you describe
0:18:34 will become
0:18:35 the primary consumer
0:18:36 of everything
0:18:36 on the internet.
0:18:38 Well if 50%
0:18:38 of the traffic
0:18:39 is already
0:18:40 bots
0:18:41 it’s already
0:18:41 automated
0:18:42 and agents
0:18:43 are only really
0:18:44 just getting going
0:18:45 most people
0:18:45 are not using
0:18:46 these computer use
0:18:47 agents
0:18:48 because they’re
0:18:48 too slow
0:18:49 right now
0:18:49 they’re not
0:18:50 they’re still
0:18:51 like previews
0:18:52 but it’s clear
0:18:52 that’s where
0:18:53 everything is going
0:18:54 then we’re going
0:18:55 to see an explosion
0:18:57 in the traffic
0:18:57 that’s coming
0:18:58 from these tools
0:18:58 and just blocking
0:18:59 them just because
0:19:00 they’re AI
0:19:01 is the wrong answer
0:19:02 you’ve really got
0:19:03 to understand
0:19:04 why you want them
0:19:05 what they’re doing
0:19:06 who they’re coming
0:19:06 from and then
0:19:07 you can create
0:19:08 these granular rules
0:19:08 I mean I hate
0:19:09 to use the analogy
0:19:09 but these things
0:19:10 are almost like
0:19:11 avatars right
0:19:12 they’re running
0:19:13 around on someone’s
0:19:13 behalf
0:19:14 and you need
0:19:14 to figure out
0:19:15 who that someone
0:19:16 is and what
0:19:16 the objectives
0:19:17 are
0:19:18 and control them
0:19:19 very granularly
0:19:20 and the old
0:19:20 school methods
0:19:22 of doing that
0:19:23 assume malicious
0:19:23 intent
0:19:25 which isn’t
0:19:26 always the case
0:19:26 and increasingly
0:19:27 is going to be
0:19:28 not the case
0:19:28 because you want
0:19:29 the agents
0:19:30 to be doing things
0:19:31 and the signals
0:19:31 just no longer
0:19:33 work when you’re
0:19:33 expecting traffic
0:19:34 to come from
0:19:35 a data center
0:19:35 or you’re expecting
0:19:36 it to come from
0:19:37 an automated
0:19:38 Chrome instance
0:19:39 and being able
0:19:40 to have the
0:19:41 understanding
0:19:42 of your application
0:19:43 to dig into
0:19:44 the characteristics
0:19:45 of the request
0:19:45 is going to be
0:19:46 increasingly important
0:19:47 in the future
0:19:48 of distinguishing
0:19:49 how criminals
0:19:50 are using
0:19:51 AI
0:19:52 what we’ve seen
0:19:52 so far
0:19:52 is either
0:19:53 training
0:19:54 and people
0:19:55 have that opinion
0:19:55 of whether they
0:19:56 want to train
0:19:56 or not
0:19:57 or it’s bots
0:19:58 that maybe
0:19:58 have got something
0:19:59 wrong
0:20:00 they’re accessing
0:20:00 the site
0:20:01 too much
0:20:01 because they
0:20:02 haven’t thought
0:20:02 about throttling
0:20:04 or they’re ignoring
0:20:04 robots.txt
0:20:05 rather than looking
0:20:06 at agents.txt
0:20:07 which is distinguishing
0:20:09 between an agent
0:20:09 you want to access
0:20:10 your site
0:20:11 and some kind
0:20:11 of crawler
0:20:13 and the examples
0:20:14 that we’ve seen
0:20:15 are just bots
0:20:15 coming to websites
0:20:16 and just downloading
0:20:17 the content
0:20:17 continuously
0:20:19 there’s no world
0:20:20 where that should
0:20:20 be happening
0:20:22 and this is
0:20:23 where the cost
0:20:23 is being put
0:20:24 on the site owner
0:20:25 because they currently
0:20:26 have no easy way
0:20:26 to manage
0:20:27 the control
0:20:30 the traffic
0:20:30 that’s coming
0:20:31 to their site
0:20:32 directionally
0:20:33 things are improving
0:20:34 because
0:20:34 you might have
0:20:35 looked back
0:20:36 18 months
0:20:37 and the bots
0:20:38 have no rate
0:20:38 limiting
0:20:39 they’re just
0:20:39 downloading content
0:20:40 all the time
0:20:42 today we know
0:20:42 that these bots
0:20:43 can be verified
0:20:44 they are identifying
0:20:45 themselves
0:20:46 they are much
0:20:47 better citizens
0:20:48 of the internet
0:20:48 and they are
0:20:49 starting to follow
0:20:50 the rules
0:20:51 and so over the
0:20:52 next 18 months
0:20:53 I think we’ll see
0:20:54 more of that
0:20:55 more of the AI
0:20:56 crawlers that we want
0:20:57 following the rules
0:20:58 doing things in the right way
0:20:59 and it will start
0:21:00 to split into
0:21:01 making it a lot easier
0:21:02 to detect the bots
0:21:03 with criminal intent
0:21:04 and those are the ones
0:21:05 that we want to be blocking
0:21:06 So with the transition
0:21:08 of bots
0:21:09 from being these
0:21:10 entities on the internet
0:21:11 that represent
0:21:12 third parties
0:21:13 and organizations
0:21:14 to this new world
0:21:16 where these AI agents
0:21:16 could be representing
0:21:17 organizations
0:21:17 they could be
0:21:18 representing customers
0:21:19 they could be
0:21:20 representing any number
0:21:20 of people
0:21:21 and this is probably
0:21:22 the wave of the future
0:21:24 it seems to me like
0:21:25 detecting
0:21:26 that it’s AI
0:21:27 or a person
0:21:27 is going to be
0:21:28 an incredibly difficult
0:21:28 challenge
0:21:29 and I’m curious
0:21:31 like how are you
0:21:31 thinking about
0:21:33 proving humanness
0:21:34 on the internet
0:21:34 right
0:21:35 proofing
0:21:37 is a tale
0:21:38 as old as time
0:21:39 there’s a NIST
0:21:39 working group
0:21:40 on proofing identity
0:21:41 that’s been running
0:21:42 I think for 35 years
0:21:43 and like still
0:21:44 hasn’t really gotten
0:21:45 to something
0:21:45 that’s implementable
0:21:46 there’s 15 companies
0:21:47 out there right
0:21:48 the first wave
0:21:50 of ride share services
0:21:51 and gig economy
0:21:52 type companies
0:21:53 needed to have proofing
0:21:53 right
0:21:54 because you’re hiring
0:21:54 these people
0:21:55 in remote places
0:21:56 where you don’t
0:21:56 have an office
0:21:57 and it’s still
0:21:58 not a solved problem
0:21:59 I’m curious
0:21:59 like it feels
0:22:00 like maybe AI
0:22:02 can help get us there
0:22:03 or maybe there’s
0:22:03 something that’s
0:22:04 happening in that space
0:22:04 right
0:22:06 well the pure solution
0:22:07 is digital signature
0:22:07 right
0:22:08 but we’ve been
0:22:09 talking about that
0:22:10 for so long
0:22:12 and the UX
0:22:12 around it
0:22:13 is basically impossible
0:22:15 for normal people
0:22:16 to figure out
0:22:17 and it’s why
0:22:17 something like
0:22:18 email encryption
0:22:19 no one encrypts
0:22:19 their email
0:22:21 you have encrypted chat
0:22:21 because it’s built
0:22:22 into the app
0:22:23 and it can do
0:22:24 all the difficult
0:22:24 things like the
0:22:26 key exchange
0:22:26 behind the scenes
0:22:28 so that solution
0:22:29 isn’t really going to work
0:22:31 but AI has been used
0:22:32 in analyzing traffic
0:22:33 for at least over a decade
0:22:34 it’s just it was called
0:22:35 machine learning
0:22:36 and so you start
0:22:37 with machine learning
0:22:38 and the question is
0:22:39 well what does
0:22:40 the new generation
0:22:42 of AI allow us to do
0:22:43 the challenge with
0:22:45 the LLM type models
0:22:46 is just the speed
0:22:47 at which they are
0:22:48 doing analysis
0:22:49 because you often
0:22:51 want to take a decision
0:22:52 on the network
0:22:53 or in the application
0:22:54 within a couple of milliseconds
0:22:55 otherwise you’re going to be
0:22:56 blocking the traffic
0:22:57 and the user’s going to
0:22:57 become annoyed
0:22:59 and so you can do that
0:22:59 with kind of
0:23:01 classic machine learning models
0:23:01 and do the inference
0:23:02 really quickly
0:23:03 and where I think
0:23:04 the interesting thing
0:23:05 in the next few years
0:23:06 is going to be
0:23:07 is how we take
0:23:08 this new generation
0:23:10 of generative AI
0:23:11 using LLMs
0:23:12 or other types
0:23:14 of LLM-like technology
0:23:15 to do analysis
0:23:17 on huge traffic patterns
0:23:18 I think that can be done
0:23:19 in the background
0:23:19 initially
0:23:20 but we’re already seeing
0:23:22 new edge models
0:23:23 designed to be deployed
0:23:24 to mobile devices
0:23:25 and IoT
0:23:26 that use very low amounts
0:23:28 of system memory
0:23:29 and can provide
0:23:30 inference responses
0:23:31 within milliseconds
0:23:32 I think those
0:23:33 are going to start
0:23:33 to be deployed
0:23:35 to applications
0:23:37 over the next few years
0:23:38 I think you’re exactly right
0:23:38 like I think
0:23:40 so much of what
0:23:41 we’re seeing now
0:23:42 is just being restricted
0:23:43 by the cost of inference
0:23:44 and that cost is
0:23:45 dropping incredibly fast
0:23:46 right
0:23:46 we saw this with
0:23:47 cloud
0:23:47 where like
0:23:49 S3 went to being
0:23:50 the most expensive storage
0:23:50 you could buy
0:23:51 to being free
0:23:52 essentially free
0:23:52 Glacier is essentially free
0:23:53 right
0:23:53 free is beer
0:23:53 right
0:23:54 whatever
0:23:55 and so like
0:23:56 we’re seeing that
0:23:58 even at a more
0:23:58 accelerated rate
0:23:59 for inference
0:23:59 like the cost
0:24:00 is just falling
0:24:00 incredibly
0:24:01 and then
0:24:02 when you look
0:24:03 at the capabilities
0:24:04 of these
0:24:05 new technologies
0:24:06 to drop
0:24:07 a suspicious email
0:24:08 into chat GPT
0:24:09 and ask if it’s
0:24:09 suspicious
0:24:10 and it’s like
0:24:11 100% accurate
0:24:11 right
0:24:12 like if you want
0:24:13 to like find
0:24:14 sensitive information
0:24:15 you ask
0:24:15 the LLM
0:24:16 is a sense
0:24:16 of information
0:24:17 and it’s like
0:24:18 100% accurate
0:24:18 like
0:24:20 it’s amazing
0:24:21 like as you squint
0:24:22 and look at the future
0:24:23 you can start to see
0:24:24 these really incredible
0:24:25 use cases
0:24:25 right
0:24:26 like to your point
0:24:27 of inference
0:24:27 on the edge
0:24:27 like
0:24:29 do you think
0:24:29 do you think
0:24:29 we all end up
0:24:30 eventually
0:24:30 with like
0:24:31 an LLM
0:24:32 running locally
0:24:33 that’s basically
0:24:34 going to be clippy
0:24:34 but for CISOs
0:24:35 like it pops up
0:24:36 and says
0:24:36 hey it looks like
0:24:36 you’re doing
0:24:37 something stupid
0:24:38 like is that
0:24:39 is that kind of
0:24:39 where you think
0:24:40 we land
0:24:40 that’s what we’re
0:24:41 working on
0:24:41 is getting
0:24:42 this analysis
0:24:43 into the process
0:24:43 so that for
0:24:44 every single request
0:24:45 that comes through
0:24:45 you can have
0:24:46 a sandbox
0:24:47 that will analyze
0:24:48 the full request
0:24:49 and give you a response
0:24:50 whereas now
0:24:50 you can wait
0:24:51 maybe two to five
0:24:53 seconds to delay
0:24:53 an email
0:24:54 and do the analysis
0:24:55 and decide whether
0:24:57 to flag it for review
0:24:57 or send it
0:24:58 to someone’s inbox
0:24:59 delaying an HTTP request
0:25:00 for five seconds
0:25:02 that’s not going to work
0:25:02 and so I think
0:25:05 the trend that we’re seeing
0:25:05 with the improvement
0:25:06 cost
0:25:08 the inference cost
0:25:09 but also the latency
0:25:10 in getting the inference
0:25:11 decision
0:25:12 that’s going to be the key
0:25:14 so we can embed this
0:25:14 into the application
0:25:16 you’ve got the full context
0:25:16 window
0:25:17 so you can add
0:25:17 everything you know
0:25:18 about the user
0:25:19 everything about the session
0:25:20 everything about your application
0:25:22 alongside the request
0:25:23 and then come to decision
0:25:24 entirely locally
0:25:25 on your web server
0:25:26 on the edge
0:25:27 wherever it happens
0:25:27 to be running
0:25:28 as I listen to you
0:25:29 say that
0:25:30 and describe this process
0:25:30 all I can think
0:25:31 is that advertisers
0:25:32 are going to love this
0:25:34 it just seems like
0:25:35 the kind of technology
0:25:36 built for sort of like
0:25:37 hey he’s looking at this product
0:25:38 show him this one right
0:25:38 yeah
0:25:40 super fast inference
0:25:40 on the edge
0:25:41 coming to a decision
0:25:43 and for advertisers
0:25:44 stopping click spam
0:25:46 that’s a huge problem
0:25:47 and being able to
0:25:47 come to that decision
0:25:48 before it even goes
0:25:50 through your ad model
0:25:51 and the auction system
0:25:52 who would have ever thought
0:25:53 that non-deterministic
0:25:55 incredibly cheap compute
0:25:57 would solve these use cases
0:25:57 right
0:25:59 we’re in a weird world
0:26:01 that’s it for this episode
0:26:03 thanks again for listening
0:26:04 and remember to keep listening
0:26:05 for some more great episodes
0:26:07 as the AI space matures
0:26:08 we need to start thinking
0:26:09 more practically
0:26:10 about how the technology
0:26:11 coexists with the systems
0:26:12 and platforms
0:26:13 we already use
0:26:15 that’s what we try to do here
0:26:16 and we’ll keep examining
0:26:16 these questions
0:26:17 in the weeks to come
Taken from the AI + a16z podcast, Arcjet CEO David Mytton sits down with a16z partner Joel de la Garza to discuss the increasing complexity of managing who can access websites, and other web apps, and what they can do there. A primary challenge is determining whether automated traffic is coming from bad actors and troublesome bots, or perhaps AI agents trying to buy a product on behalf of a real customer.Joel and David dive into the challenge of analyzing every request without adding latency, and how faster inference at the edge opens up new possibilities for fraud prevention, content filtering, and even ad tech.Topics include:
- Why traditional threat analysis won’t work for the AI-powered web
- The need for full-context security checks
- How to perform sub-second, cost-effective inference
- The wide range of potential actors and actions behind any given visit
As David puts it, lower inference costs are key to letting apps act on the full context window — everything you know about the user, the session, and your application.
Follow everyone on social media:
Check out everything a16z is doing with artificial intelligence here, including articles, projects, and more podcasts.
Stay Updated:
Let us know what you think: https://ratethispodcast.com/a16z
Find a16z on Twitter: https://twitter.com/a16z
Find a16z on LinkedIn: https://www.linkedin.com/company/a16z
Subscribe on your favorite podcast app: https://a16z.simplecast.com/
Follow our host: https://x.com/eriktorenberg
Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.
Leave a Reply