What is Castle.io?
Castle is a powerful fraud prevention platform designed to stop bots, fake accounts, and account takeovers before they harm your app or business. Instead of juggling multiple security tools, Castle gives you one unified system that works both at the edge (before traffic hits your servers) and in-app (monitoring real user behavior). This dual-layer approach means threats blocked early help improve detection later—making your defenses smarter over time.
With Castle, you can go from zero protection to active monitoring in minutes—no DNS changes, no long contracts, and no engineering headaches. Whether you're fighting credential stuffing, spam registrations, or multi-account abuse, Castle combines device intelligence, behavioral analytics, and AI-powered scoring to protect your users without adding friction for legitimate customers.
What are the features of Castle.io?
- Dual-Layer Defense: Runs simultaneously at the edge and inside your app, sharing signals between layers for smarter, faster threat detection.
- Real-Time Risk Scoring: Uses self-learning AI to generate Bot, Account Takeover (ATO), and Abuse Scores for every user interaction.
- 99.5% Accurate Device Fingerprinting: Detects headless browsers, emulators, tampering, and links devices across sessions—even when cookies are cleared.
- No-Code Cloudflare Integration: Deploy instantly with Cloudflare or use your own edge infrastructure without backend changes.
- Custom Rules Engine: Create, test, and deploy allow/challenge/deny rules based on velocity, location, email reputation, or your own business logic—no code required.
- Email & IP Intelligence: Flags disposable emails, proxy IPs, datacenter traffic, and suspicious domains in real time.
- Historical Analytics & Backtesting: Analyze up to 18 months of enriched user data and test new rules against past events to avoid false positives.
- State Management: Maintain dynamic blocklists, allowlists, and trusted device lists that update automatically based on policy actions or manual review.
What are the use cases of Castle.io?
- Stop Fake Signups: Block users creating accounts with disposable emails or from known abusive devices.
- Prevent Account Takeovers: Detect login attempts from new devices, impossible travel patterns, or credential stuffing attacks.
- Combat Multi-Accounting: Limit users to one account per device or IP to stop promo abuse or unfair advantages.
- Reduce SMS Pumping: Throttle or block excessive SMS verification requests from bots or scripts.
- Protect APIs & Mobile Apps: Secure REST endpoints and mobile apps using server-side SDKs where client-side code isn’t possible.
- Fight Content Spam: Identify and block users posting repetitive or malicious content based on behavior and velocity.
- Control Account Sharing: Enforce your terms by detecting unusual device or location switching on a single account.
- Stop Transaction Fraud: Prevent credit card testing by analyzing device history and transaction velocity before payment processing.
How to use Castle.io?
- Start in Monitoring Mode: Install the Castle SDK or connect via Cloudflare and observe traffic without blocking anything initially.
- Review High-Risk Events: Use the dashboard to explore flagged logins, signups, or password resets and understand why they were scored as risky.
- Create Custom Policies: Build rules like “Deny registration if abuse score > 90 AND disposable email = true” using the visual rule builder.
- Test Rules with Backtesting: Validate new policies against historical data to ensure they won’t disrupt real users.
- Switch to Blocking Mode: Once confident, enable automatic deny or challenge actions—like step-up authentication via email or authenticator app.
- Integrate Alerts: Set up Slack notifications or webhooks to alert your team or trigger automated workflows for high-severity events.









