Inspiration

Most websites do not have a traffic problem. They have a visibility problem.

Security teams can collect millions of web requests, but the hard question is still the same: which traffic is human, which traffic is useful automation, and which traffic is malicious bot activity hiding in plain sight?

That problem inspired Chaff—Autonomous Bot Defense.

Modern applications are constantly targeted by scrapers, scanners, fake browsers, credential-stuffing tools, and automated crawlers probing login pages, APIs, admin panels, and exposed endpoints. A single request to /login or /api may look harmless. But across thousands of events, those requests can reveal a coordinated bot campaign.

I built Chaff for the Google Cloud Rapid Agent Hackathon because the challenge is about moving beyond chatbots and building agents that can reason, plan, and take action. Chaff is designed as an autonomous security agent that investigates traffic, reasons over evidence, and turns suspicious behavior into defensive action.

Instead of only telling a user that traffic looks suspicious, Chaff helps answer the next question:

What should I do about it?

What it does

Chaff is an AI-powered Elastic security agent for autonomous bot defense.

It connects to Elasticsearch traffic logs, investigates suspicious web activity, separates real users from malicious bots, and converts evidence into actions such as honeypot traps, campaign tracking, threat findings, and mitigation-ready block rules.

Chaff can:

  • Analyze Elasticsearch web traffic logs without copying raw customer logs into its own database
  • Detect scrapers, scanners, credential-stuffers, fake browsers, and suspicious automation
  • Use an agent workflow to search logs, inspect request samples, reason over suspicious patterns, and record structured threat findings
  • Enrich suspicious IPs using reverse DNS, verified bot checks, AbuseIPDB reputation, Tor indicators, datacenter signals, and User-Agent heuristics
  • Generate honeypot trap URLs that silently catch aggressive crawlers
  • Track suspicious behavior over time through bot campaigns
  • Show live traffic activity for real-time investigation
  • Generate mitigation-ready block rules for IPs and User-Agents
  • Provide security teams with explainable evidence instead of vague alerts

The core workflow is:

$$ \text{Raw Web Logs} \rightarrow \text{Agent Investigation} \rightarrow \text{Evidence} \rightarrow \text{Honeypots + Block Rules} $$

The goal is not just bot detection. The goal is to turn noisy traffic into a clear, explainable, and actionable security workflow.

How we built it

I built Chaff as a full-stack agentic security platform.

The frontend uses React, Vite, Tailwind, TanStack Router, TanStack Query, and Recharts to power dashboards for threats, live traffic, honeypots, campaigns, block rules, and agent investigations.

The backend uses TanStack Server Functions to handle secure server-side actions such as Elasticsearch queries, agent tool calls, onboarding, threat recording, honeypot generation, campaign tracking, rescanning, and mitigation rule creation.

For authentication, saved configurations, campaigns, honeypots, and threat findings, Chaff uses Supabase Auth and PostgreSQL.

For the traffic intelligence layer, Chaff connects directly to Elasticsearch. This was one of the most important design choices. Instead of copying sensitive raw logs into Chaff, the system performs remote reads against Elasticsearch and stores only high-confidence findings, configurations, and investigation results.

For the hackathon’s agent workflow, Chaff is positioned around Gemini, Google Cloud Agent Builder, and the Elastic MCP partner track. The agent’s job is not just to answer questions about traffic. It uses Elastic-backed log search as its operational context, investigates suspicious patterns, and produces defensive actions.

The agent can:

  • Use search_logs to run Elasticsearch aggregations
  • Use sample_requests to inspect raw request examples
  • Use record_threat to save structured security findings
  • Generate investigation summaries and reports
  • Support continuous rescanning for new suspicious traffic
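As an added example (not Chaff's own search_logs implementation), this is the kind of Elasticsearch aggregation a search_logs-style tool can run, together with the reduction of its response into investigation candidates; ECS field names are assumed, and demoResponse is a constructed response in the shape Elasticsearch returns for terms, cardinality and filter aggregations.

```typescript
// Added example (not Chaff's search_logs tool): an aggregation a search_logs-style
// tool could run, and the reduction of the response into investigation candidates.
// ECS field names are assumed; demoResponse is constructed in the shape
// Elasticsearch returns for terms / cardinality / filter aggregations.

export function topTalkersQuery(since = 'now-1h', size = 20) {
  return {
    size: 0, // aggregations only: no raw log lines are copied out of Elasticsearch
    query: { range: { '@timestamp': { gte: since } } },
    aggs: {
      by_ip: {
        terms: { field: 'source.ip', size },
        aggs: {
          paths: { cardinality: { field: 'url.path' } },
          errors: { filter: { range: { 'http.response.status_code': { gte: 400 } } } },
          agents: { terms: { field: 'user_agent.original', size: 3 } },
        },
      },
    },
  };
}

export interface IpBucket {
  key: string; doc_count: number;
  paths: { value: number };
  errors: { doc_count: number };
  agents: { buckets: { key: string; doc_count: number }[] };
}
export interface AggResponse { aggregations: { by_ip: { buckets: IpBucket[] } } }
export interface Candidate { ip: string; requests: number; distinctPaths: number; errorRate: number; topAgent: string }

// Keep only high-volume sources and rank the noisiest first; these are the
// sources the agent would then pull sample_requests for.
export function candidatesFromResponse(res: AggResponse, minRequests = 100): Candidate[] {
  return res.aggregations.by_ip.buckets
    .filter((b) => b.doc_count >= minRequests)
    .map((b) => ({
      ip: b.key, requests: b.doc_count, distinctPaths: b.paths.value,
      errorRate: b.errors.doc_count / b.doc_count,
      topAgent: b.agents.buckets[0]?.key ?? '',
    }))
    .sort((a, b) => b.errorRate - a.errorRate || b.distinctPaths - a.distinctPaths);
}

// Constructed response (RFC 5737 documentation addresses, made-up counts).
export const demoResponse: AggResponse = { aggregations: { by_ip: { buckets: [
  { key: '203.0.113.7', doc_count: 1800, paths: { value: 950 }, errors: { doc_count: 1200 },
    agents: { buckets: [{ key: 'python-requests/2.31', doc_count: 1800 }] } },
  { key: '198.51.100.4', doc_count: 140, paths: { value: 12 }, errors: { doc_count: 3 },
    agents: { buckets: [{ key: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0', doc_count: 140 }] } },
  { key: '192.0.2.22', doc_count: 40, paths: { value: 4 }, errors: { doc_count: 0 }, agents: { buckets: [] } },
] } } };
```

With size: 0 the query returns only bucket counts, which is what lets the tool investigate traffic without copying raw log lines out of Elasticsearch.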

This makes the agent behave more like a security analyst. It does not simply guess. It has to inspect data, compare signals, reason over evidence, and then record a finding.

Chaff also uses Firecrawl during activation to inspect the user’s website, identify exposed paths, understand the attack surface, and help tailor detection logic to the actual application.

For bot classification, Chaff combines multiple signals instead of relying on one weak indicator. It looks at request volume, suspicious User-Agents, known automation tools, missing browser signals, reverse DNS, verified bot validation, AbuseIPDB reputation, cloud-provider infrastructure, Tor patterns, honeypot hits, and campaign behavior.

That multi-signal approach is what makes Chaff realistic. Real bot defense is not about one suspicious request. It is about connecting many small clues into a confident decision.

Challenges we ran into

The biggest challenge was making Chaff feel like a real security product instead of a simple AI wrapper around logs.

The first challenge was safe log access. Web traffic logs can contain sensitive information, so Chaff needed to investigate traffic without becoming another place where raw logs are stored. I solved this by querying Elasticsearch remotely and saving only the findings that matter.

The second challenge was separating malicious bots from legitimate automation. Not every bot should be blocked. Search engine crawlers and other verified services generate automated traffic that is often legitimate. Chaff handles this by using reverse DNS and forward-confirmation checks before trusting a claimed bot identity.
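The forward-confirmed reverse DNS check described above, as an added example that is not Chaff's own code: the resolver interface, the accepted crawler hostname suffixes and the DNS table are assumptions constructed for an offline demonstration.

```typescript
// Added example (not Chaff's own code): forward-confirmed reverse DNS check
// for a claimed crawler identity. The resolver is injected so the check runs
// offline against a constructed DNS table; a real one would wrap Node's
// dns.promises.reverse() / dns.promises.resolve4() (and then be async).

export interface Resolver {
  reverse(ip: string): string[];       // PTR lookup: IP -> hostnames
  forward(hostname: string): string[]; // A lookup: hostname -> IPs
}

// Hostname suffixes accepted per claimed bot (assumed, illustrative list).
export const CRAWLER_SUFFIXES: Record<string, string[]> = {
  googlebot: ['.googlebot.com', '.google.com'],
  bingbot: ['.search.msn.com'],
};

export type Verdict = 'verified' | 'spoofed' | 'no-claim';

export function verifyClaimedBot(ip: string, userAgent: string, r: Resolver): Verdict {
  const ua = userAgent.toLowerCase();
  const claimed = Object.keys(CRAWLER_SUFFIXES).find((b) => ua.includes(b));
  if (!claimed) return 'no-claim'; // UA claims no well-known crawler; other signals decide
  const suffixes = CRAWLER_SUFFIXES[claimed] ?? [];
  for (const ptr of r.reverse(ip)) {
    const host = ptr.toLowerCase().replace(/\.$/, '');
    // Step 1: the PTR name must be under the crawler operator's domain.
    if (!suffixes.some((s) => host.endsWith(s))) continue;
    // Step 2: forward-confirm. Whoever controls an IP's PTR record can point it
    // at any name, so the name must resolve back to the same IP to count.
    if (r.forward(host).includes(ip)) return 'verified';
  }
  return 'spoofed'; // claimed a crawler identity that DNS does not confirm
}

// Constructed DNS table (RFC 5737 documentation addresses) for the offline demo.
export const demoResolver: Resolver = {
  reverse: (ip) => ({
    '192.0.2.10': ['crawl-192-0-2-10.googlebot.com.'],
    '203.0.113.9': ['crawl-192-0-2-10.googlebot.com.'], // forged PTR on another IP
  } as Record<string, string[]>)[ip] ?? [],
  forward: (host) => (host === 'crawl-192-0-2-10.googlebot.com' ? ['192.0.2.10'] : []),
};
```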

The third challenge was turning noisy traffic into useful confidence. A datacenter IP alone does not prove abuse. A suspicious User-Agent alone does not prove abuse. But a datacenter IP with a high request rate, suspicious paths, poor browser behavior, abuse reputation, and a honeypot hit tells a much stronger story.

The fourth challenge was closing the loop from detection to action. Many security tools stop at alerts. Chaff needed to go further by helping users investigate the issue, preserve evidence, track campaigns, deploy traps, and generate block rules.

The final challenge was building an agent that is useful but controlled. In security, an AI agent should not have unlimited freedom. Chaff’s agent is constrained to specific investigation and recording tools, making its workflow more reliable, explainable, and safer.

Accomplishments that we're proud of

I am most proud that Chaff became more than a log dashboard. It became a complete agentic security workflow.

Chaff can start with raw web traffic, investigate suspicious activity, enrich the evidence, identify bot behavior, create honeypot traps, track campaigns, and generate block rules. That full path from detection to action is what makes the project feel practical.

I am also proud of the safe architecture. Chaff does not need to copy raw Elasticsearch logs into its own database to be useful. It brings intelligence to the data, performs remote analysis, and stores only the security findings that matter.

Another major accomplishment was designing the bot scoring system. Instead of relying on a single indicator, Chaff combines multiple signals such as traffic volume, User-Agent behavior, DNS identity, abuse reputation, Tor indicators, datacenter infrastructure, verified bot checks, and honeypot hits.
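As an added example serving both the "datacenter IP alone does not prove abuse" point in the challenges section and the scoring system described here (not Chaff's own scoring code), this combines the listed signals into one score while keeping the reasons attached; the weights, thresholds and field names are assumed, illustrative values.

```typescript
// Added example (not Chaff's own scoring code): combining individually weak
// indicators into one score, and keeping the reasons so the finding is
// explainable. Weights and thresholds are assumed, illustrative values.

export interface IpEvidence {
  ip: string;
  requestsPerMinute: number;
  distinctPaths: number;          // breadth of paths touched in the window
  suspiciousUserAgent: boolean;   // automation-tool UA, or none at all
  missingBrowserHeaders: boolean; // lacks headers a real browser always sends
  datacenter: boolean;            // cloud/hosting provider address space
  tor: boolean;                   // known Tor exit
  abuseReports: number;           // e.g. AbuseIPDB report count
  honeypotHits: number;           // requests to trap URLs no human is shown
  verifiedBot: boolean;           // passed forward-confirmed reverse DNS
}

export interface Finding {
  ip: string;
  score: number; // 0..100
  verdict: 'benign' | 'suspicious' | 'malicious';
  reasons: string[];
}

export function scoreIp(e: IpEvidence): Finding {
  // Legitimate automation is not abuse: a verified crawler short-circuits.
  if (e.verifiedBot) {
    return { ip: e.ip, score: 0, verdict: 'benign', reasons: ['verified crawler (forward-confirmed rDNS)'] };
  }
  const reasons: string[] = [];
  let score = 0;
  const add = (points: number, why: string): void => { score += points; reasons.push(why); };

  if (e.honeypotHits > 0) add(40, `${e.honeypotHits} honeypot hit(s): fetched a URL real users never see`);
  if (e.requestsPerMinute >= 120) add(25, `${e.requestsPerMinute} req/min sustained`);
  else if (e.requestsPerMinute >= 30) add(10, `${e.requestsPerMinute} req/min, elevated`);
  if (e.distinctPaths >= 200) add(15, `${e.distinctPaths} distinct paths: crawl or scan pattern`);
  if (e.suspiciousUserAgent) add(15, 'automation-tool or empty User-Agent');
  if (e.missingBrowserHeaders) add(10, 'missing headers a real browser sends');
  if (e.abuseReports >= 5) add(15, `${e.abuseReports} abuse reports on record`);
  if (e.tor) add(10, 'Tor exit node');
  if (e.datacenter) add(5, 'datacenter IP (weak on its own)');

  score = Math.min(100, score);
  const verdict = score >= 60 ? 'malicious' : score >= 30 ? 'suspicious' : 'benign';
  return { ip: e.ip, score, verdict, reasons };
}
```

The reasons array is what turns the number into evidence a defender can read back, and the verified-crawler short-circuit is what keeps legitimate automation out of the block rules.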

The strongest part of Chaff is that it gives defenders evidence they can understand. It does not just say “suspicious.” It explains what happened, why it matters, and what action can be taken next.

What we learned

Building Chaff taught me that bot defense is not only a detection problem. It is an evidence problem.

A useful security system has to explain why something is suspicious. It needs to show the traffic pattern, affected endpoints, IP context, User-Agent behavior, reputation signals, and confidence behind the finding.

I also learned that agents are strongest when they are connected to real tools and real data. A chatbot can describe what a security analyst might do. Chaff actually performs parts of that workflow: searching logs, inspecting samples, recording findings, generating traps, and preparing mitigation rules.

Most importantly, I learned that the best security tools do not just create more alerts. They help defenders make decisions.

Chaff turns messy web traffic into a practical bot-defense workflow:

$$ \text{Investigate} \rightarrow \text{Prove} \rightarrow \text{Trap} \rightarrow \text{Block} $$

That is why Chaff fits this hackathon: it is not just AI answering questions. It is an agent taking action on a real-world security problem.

What's next for Chaff - Autonomous Bot Defense

Next, I want to make Chaff even more operational for real security teams.

The first step is deeper Elastic MCP integration, allowing the agent to interact with Elastic-backed traffic and security data more naturally through the hackathon’s partner workflow.

The second step is stronger Google Cloud deployment support, including a cleaner production path for running the agent workflow, storing configuration securely, and connecting to cloud-native security systems.

I also want to expand the mitigation layer so Chaff can push block rules directly into tools such as Cloudflare, NGINX, load balancers, and WAF platforms after user approval.

Another future improvement is campaign intelligence. Chaff could cluster suspicious IPs, User-Agents, paths, and timing patterns into larger bot campaigns, making it easier to identify coordinated abuse instead of treating every IP as a separate event.

Long term, Chaff could become an autonomous bot-defense copilot for modern web applications: one that continuously watches traffic, explains suspicious behavior, deploys traps, recommends mitigations, and helps defenders act before automated abuse turns into real damage.
