We offer a range of predefined tags that you can use to filter and sanction web requests. These tags are generated by a behavioral component, which analyzes the traffic based on heuristics and AI models. Using these tags, you can configure tag-based rules both in the Customer Portal and via API.

Check the following table for a full list of predefined tags, their API slugs, and descriptions. For details on how to create tag-based rules, check our dedicated guide.

Tag nameAPI slugDescription
Abnormal Dynamic RequestsabnormaldynamicrequestsThis session makes a high number of requests based on the site’s average number of requests.
Abnormal Request VolumeabnormalrequestvolumeThe traffic from this client is relatively high for this domain.
Abnormal Traffic VolumeabnormaltrafficvolumeThe traffic from this IP is relatively high for this domain.
Abuse.chabusechThis malicious client was detected by Abuse.ch.
Ajax ScraperajaxscraperThe number of ajax requests in this session is much higher compared to other sessions on this domain.
Anonymized TrafficanonymizedtrafficThis IP’s provisioned traffic has several requests from an unidentified client.
Anonymizer FingerprintanonymizedfpThis fingerprint belongs to an anonymizer service.
Apache StrutsapsThis client attempted to exploit an Apache Struts vulnerability.
Authentic User AgentauthenticuseragentThe user agent reported by the client is valid.
Automated ClientautomatedclientThis client made identical, automated requests to the site’s resources.
Automated Dynamic RequestsautomateddynamicrequestsThis client made automated requests to the site’s dynamic pages.
Automation DriverautomationdriverThis client uses an unidentified headless browser.
BlockList.deblocklistdeThis malicious client was detected by BlockList.de.
Botnet ClientbotnetclientThis IP is part of a botnet network.
Browser Based BotbrowserbasedbotThis session attempts to refresh the same page continuously to check for any changes.
Brute Force AttemptbruteforceattemptThis client attempted to forcefully enter a web application’s login page.
Captcha Farm Bot FingerprintcaptchafarmbotfpThis client’s fingerprint failed the CAPTCHA challenge multiple times.
Captcha Farm Bot UsertagcaptchafarmbotutThe client associated with this UserTag failed the CAPTCHA challenge multiple times.
Captcha Validation FailedcaptchavalidationfailedThe CAPTCHA challenge was completed by a CAPTCHA farm. Thus, the user isn’t legitimate.
CDNcdnThis range belongs to a content delivery network company.
Client FloodclientfloodMultiple clients behind this IP perform requests simultaneously.
CMS ScannercmsscannerThis client scans web applications to find specific content management system administration or vulnerable pages.
Code InjectioncijThis client attempted to inject his code into the web application.
Common Web ApplicationcfgThis client attempted to exploit a common web application vulnerability.
Confirmed AutomationconfirmedautomationThis client has been confirmed as being automated, based on the client’s behavior and the inability to pass WAAP response pages.
Multiple Repeated RequestsmultiplerepeatedrequestsThe IP address is making multiple repeated requests to a domain.
Cross Site Request ForgerycsrfThis client attempted an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
Cross Site ScriptingxssThis client attempted Cross-Site Scripting (XSS) injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code.
DDOS ClientddosclientThis IP was part of multiple DDoS attacks on this domain.
DOM AutomationdomautomationThis client uses a document object model automation tool to make requests to this site.
Drupal AdmindrupaladminThis client is the admin of this Drupal site.
Dynamic Page ScraperinjectedscraperThe number of dynamic requests in this session is much higher compared to other sessions on this domain.
Evasive ClientevasiveclientThis client failed to return a JavaScript fingerprint.
Evasive TrafficevasivetrafficThis IP had multiple sessions that failed to return a JavaScript fingerprint.
Exceptionally High Request VolumeexceptionallyhighrequestvolumeThis session made a high number of requests. Thus, it was blocked.
Fake User-AgentfakeuseragentThis client has been identified with a user agent that’s not compatible with browser properties.
Fast Form SubmissionfastformsubmissionThe duration between POST and GET requests is noticeably higher than the average duration for this domain.
Glove ExtensiongloveextensionThis client installed the Glove extension.
Headless BrowserheadlessbrowserThis client uses a web browser without a graphical user interface (GUI).
Headless Browser FingerprintheadlessbrowserfpThis client has a fingerprint of a headless browser.
Hosting ServiceshostingservicesThis IP belongs to a web hosting company.
Identified AutomationidentifiedautomationThis client has been identified as being automated based on its behavior.
Injection AttackinjectionattackThis client has been identified as a confirmed perpetrator of injection attacks.
Injection AttemptinjectionattemptMultiple injection attempts were detected.
Intensive Traffic from FingerprintintensivetrafficfromfpThere is prolonged traffic coming from this fingerprint.
Invalid Captcha ValidatorinvalidcaptchavalidatorThe client has completed the CAPTCHA challenge automatically.
Invalid CookieinvalidcookieThis client presented invalid Gcore’s WAAP cookies.
Invalid FingerprintinvalidfpThis client’s fingerprint is not valid.
Invalid User AgentsuagThis client has an invalid user agent, a request header string that lets servers and network peers identify the application, operating system, vendor, or version of the client.
IP SwapperipswapperThis client is switching IPs.
Joomla AdminjoomlaadminThis client is the admin of this Joomla site.
Katalon ExtensionkatalonextensionThis client installed the Katalon extension.
Known BotknownbotThis client is a known bot.
Local File InclusionlfiThis client attempted to trick the web application into including local files with malicious code.
Magento AdminmagentoadminThis client is the admin for this Magento site.
Malicious CrawlermaliciouscrawlerThis client violates robots.txt directives.
Mechanical RequestsmechanicalrequestsThis client makes requests at a steady rate.
Modx AdminmodxadminThis client is the admin of this Modex site.
Mouse DevicemousedeviceThis client uses a device with a mouse.
MOZ Automation ExtensionmozautomationextensionThis client installed a suspicious extension.
Multiple Captcha Validation FailsmultiplecaptchavalidationfailsThis client failed the captcha challenge multiple times.
Multiple Client ErrorsmultipleclienterrorsThis client received multiple, consecutive 4XX errors.
Multiple Concurrent ClientsmultipleconcurrentclientsMultiple stable sessions are coming from this IP.
Multiple Consecutive ChallengesmultipleconsecutivechallengesThis client didn’t complete challenges for multiple consecutive sessions.
Multiple ErrorsmultipleerrorsA session that attempts to map a web application’s directory structure.
Multiple Failed ChallengesmultiplefailedchallengesThis session failed challenges multiple times.
Multiple Fake User Agent SessionsmultiplefakeuasessionsThis IP had multiple sessions with a user agent that didn’t match the actual client type.
Multiple Forbidden Ajax RequestsmultipleforbiddenajaxrequestsThis IP was forbidden in multiple, consecutive AJAX requests.
Multiple Forbidden RequestsmultipleforbiddenrequestsThis IP was denied access in multiple requests.
Multiple Large SessionsmultiplelargesessionsMultiple clients behind this IP have a high number of requests.
Multiple No Event SessionsmultiplenoeventsessionsThis client had multiple sessions with no UI events.
Multiple Refreshed PagesmultiplerefreshedpagesThis client refreshed the same URL multiple times consecutively.
Multiple Repeated ViolationsmultiplerepeatedviolationsThis client repeatedly failed to complete challenges. As a result, it was confirmed to be automated.
No Browser Ajax CallsnobrowserajaxcallsThis client made requests to AJAX URLs without a browser.
No Plugins FingerprintnopluginsfpThis client’s fingerprint indicates that the client’s browser doesn’t have a plugin installed.
No UI EventsnouieventsThis client didn’t create UI events.
Non-Scriptable ClientnonscriptableclientThis client doesn’t have a JavaScript engine.
Not Unique FingerprintfpnotuniqueThere is a high probability that this fingerprint represents multiple clients.
Open RedirectordAn open redirect attack has been detected. These attacks happen when an attacker manipulates URL queries to redirect users offsite.
Personal Identifiable InformationpiiAn exposure of personally identifiable information was detected.
PhantomJSphantomjsThis client uses PhantomJS, a scripted, headless browser used for automating web page interaction.
PimCore AdminpimcoreadminThe PimCore cookie for logged-in admin users was detected.
Prolonged Ajax TrafficprolongedajaxtrafficThe AJAX requests from this IP continued for a long time.
Prolonged API TrafficprolongedapitrafficThe API requests from this IP continued for a long time.
Prolonged Dynamic TrafficprolongedinjectedtrafficThe dynamic requests from this IP continued for a long time.
Prolonged Not Injected TrafficprolongednotinjectedtrafficThe requests from this IP continued for a long time.
Protocol AttackrhiA protocol attack was detected.
Proxy NetworkproxynetworkThis IP is part of the anonymizer proxy network.
Rapid RequestsrapidbehaviourThis client made multiple fast requests in one or multiple sessions.
Remote File InclusionrfiThis client attempted to trick the web application into including remote files with malicious code.
Request Maker ExtensionrequestmakerextensionThis client installed the Request Maker extension.
ScannerscannerA client that scans web applications.
SeleniumseleniumThis client uses Selenium, a portable software-testing framework for web applications.
Selenium ExtensionseleniumextensionThis client installed the Selenium extension.
Sensitive Data ExposuresdeAn exposure of sensitive data was detected.
Session via Multiple CountriesmultiplecountriesThis client changed their country-of-origin multiple times in this session.
Sessionless ClientsessionlessclientThis client doesn’t maintain a session.
Shell InjectionshiA shell (command) injection attack was detected.
ShellShock AttackshsThis client attempted a ShellShock vulnerability, which in Bash allows remote code execution without confirmation.
Sideex ExtensionsideexextensionThis client installed the Sidexx extension.
Site MappersitemapperThis client attempts to map a web application’s directory structure.
SP Honeypot ScannerbaitscannerThis IP was detected by scanning random servers.
Spam BotspambotThis IP’s client uses automation to generate multiple POST events that are suspected of being spam.
Spam ClientspamclientThis client made multiple consecutive POST requests with no referrer header.
SpamhausspamhausThis malicious client was detected by Spamhaus.
SQL InjectionsqlThis client attempted insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, etc.
Static ScraperstaticscraperThe number of static requests in this session is much higher compared to other sessions on this domain.
Stop Forum SpamstopforumspamThis malicious client was detected by Stop Forum Spam.
Suspected AutomationsuspectedautomationThis traffic is suspected of being automated based on the traffic’s behavior.
Suspected Automation FingerprintsuspiciousfpThis fingerprint belongs to a suspicious client.
Suspected Automation User TagsuspiciousutThis user tag belongs to a suspicious client.
Suspected Proxy NetworksuspectedproxynetworkThis IP is suspected of being part of a proxy network.
Suspicious Local IPsuspiciouslocalipThis session is making a high number of web page requests.
Suspicious ScrapernotinjectedscraperThe number of suspicious requests in this session is much higher compared to other sessions on this domain.
Thousand Eyes ExtensionthousandeyesextensionThis client installed the Thousand Eyes extension.
TOR NetworktorThis client is part of a TOR anonymizer network.
Touch DevicetouchdeviceThis client uses a touch device.
UI Events DetecteduieventdetectedThis client created UI events.
UI Events PauseuieventspauseThis client stopped creating UI events.
Unique FingerprintfpuniqueThere is a high probability that this fingerprint represents a single client.
Unverified Anonymized FingerprintunverifiedanonymizedfpThis fingerprint is suspected of being part of a VPN / proxy network.
Verified Headless BrowserverifiedheadlessbrowserThis client has been verified as a headless browser.
Visit Multiple DomainsvisitmultipledomainsThis client has visited a high number of Gcore domains.
VPN NetworkvpnnetworkThis IP is part of a VPN network service.
Vulnerability ScannervulnerabilityscannerA client that scans web applications for vulnerabilities.
Vulnerable ResourcevulnAn attempt to access a vulnerable resource was detected.
Web ShellwbsThis client attempted to upload a web shell. A shell-like interface that enables a web server to be remotely accessed, often for cyber-attacks.
WebdriverwebdriverThis client is controlled by automated tools.
Wordpress AdminwordpressadminThis client is the admin of this WordPress site.
WordPress Admin DetectionwadA WordPress admin dashboard was detected.
WordPress VulnerabilitywpsThis client attempted to exploit a vulnerability related to the WordPress CMS.
XML External EntityxxeAn XML external entity attack was detected. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, and other system impacts.