BCS and Cloudflare Bot Management: how they fit together

BCS is not an alternative to Cloudflare — it is the behavioral governance layer that sits above it.

Short answer

Keep your Cloudflare Bot Management setup unchanged. Add BCS as a lightweight additional check on the automated traffic Cloudflare correctly lets through. Cloudflare handles volumetric threats and pattern-based detection; BCS classifies individual operators by observed conduct.

Where each layer sits

Internet
   │
   ▼
Cloudflare edge
  (DDoS mitigation, WAF, IP reputation,
   known-bad blocking, Bot Management if Enterprise)
   │
   ▼
Cloudflare lets the request through
   │
   ▼
Your origin server receives the request
   │
   ├─ 3-5 line middleware: POST to BCS /api/score
   │    ↓
   │    BCS returns verdict (allow / throttle / challenge / block)
   │    ↓
   └─ Policy applied by your application

What each layer is good at

Concern	Cloudflare Bot Management	BCS
Volumetric DDoS	✅ Excellent	Not the purpose
Known malicious IP blocking	✅ Excellent	Not the purpose
JS challenge / Turnstile	✅ Native	Not the purpose
WAF rules	✅ Excellent	Not the purpose
Per-operator behavioral reputation	Partial, Enterprise-only	✅ Purpose
Verifiable cryptographic identity for named bots	Cloudflare Web Bot Auth (separate product)	Complementary — BCS adds conduct score to the identity
Granular policy per operator	Limited to static allow-lists	✅ Dynamic score-based policy
Audit trail for AI agent conduct	Logs only	✅ Structured behavioral record
Integration complexity	CDN-level, often requires Enterprise plan	3-5 lines of middleware
Price for mid-market	Bot Management Enterprise-only	$99/mo starter tier

Integration pattern

The common pattern is a two-layer policy:

# Site middleware — conceptual
request_passed_cloudflare = True  # Cloudflare already let it through

verdict = bcs.score(
    user_agent=request.headers["User-Agent"],
    path=request.path,
    headers=dict(request.headers),
)

if verdict["score"] >= 90 and verdict["certified"]:
    allow()  # Fast Pass for certified exemplary operators
elif verdict["action"] == "block":
    return 403
else:
    throttle_or_challenge()  # rate-limit, captcha, etc.

When this combination makes sense

You already use Cloudflare for DDoS and IP reputation. You are satisfied with how it handles volumetric threats. But:

You are getting too many false-positive blocks of legitimate partner crawlers or AI agents.
Your compliance team needs an audit trail of which AI agents accessed which endpoints.
You want granular policy (rate limit X, full access Y, challenge Z) based on operator reputation.
You run Cloudflare Pro ($20/mo) and cannot justify Enterprise ($200+/mo) just for Bot Management.

When this combination does NOT make sense

You run Cloudflare Enterprise with full Bot Management and are satisfied with the granularity.
Your site receives no meaningful automated traffic worth differentiating.
Your policy is strictly binary: allow all bots or block all bots.

Cloudflare Web Bot Auth vs BCS

Cloudflare's Web Bot Auth is a separate product that proves identity (cryptographic proof of who a bot is). BCS scores conduct (how the bot behaves). Both layers are complementary:

Web Bot Auth: the bot is authenticated as being GPTBot. Cryptographic proof.
BCS: GPTBot's behavioral score is 100/100. Observed conduct.

A site using both gets a complete picture: verified identity + verifiable conduct. A bot can have one without the other (e.g., a Web Bot Auth-verified new crawler with no conduct history scores neutral until behavior accumulates).

For Cloudflare users: BCS does not require any Cloudflare configuration change. The integration is entirely on your origin server. If you are interested in combining BCS with Cloudflare Workers at the edge rather than at origin, contact us — we have a reference pattern.

Free tier available. 5,000 verdicts/month, no credit card.

Start integration →

Questions or feedback: hello@botconduct.org · @botconduct