Inspiration
Every large Reddit community has a story about the raid that almost broke it. A coordinated wave of bot accounts floods the feed with identical spam, a harassment campaign targets a specific user, or a pump-and-dump network pushes crypto links faster than any human can respond. The existing defenses — AutoModerator rules, external Python bots running on a moderator's personal laptop — were built for a different era. They're brittle, they require technical expertise to maintain, and they collapse under the load of a real coordinated attack precisely when you need them most.
We wanted to build something that worked the way a professional security system works: always on, running inside the platform itself, responding in milliseconds rather than minutes, and requiring zero ongoing maintenance from the mod team. The question was whether Devvit's native infrastructure could support that level of real-time processing. It can.
What it does
RaidShield is a real-time threat detection and automated response engine that runs natively inside Reddit. It monitors every post and comment through three independent detection layers:
- Velocity Monitor — tracks submission rate using a Redis sliding window. A sudden spike beyond the configured threshold trips an automatic circuit breaker.
- Text Cluster Detector — fingerprints every submission by normalizing its text (stripping homoglyphs, zero-width characters, casing variations) and hashing the result. When multiple unique accounts post identical content within a 3-minute window, it triggers lockdown. Catches coordinated spam even when bots slightly obfuscate their messages.
- New-Account Swarm Detector — monitors the age distribution of submitters in real time. When newly created accounts make up a disproportionate share of traffic during an elevated-volume period, it flags a coordinated swarm.
When any engine detects a threat: flagged content is silently moved to the mod queue (preserved, not deleted), the community enters lockdown, and the entire mod team receives an immediate modmail notification. The mod dashboard — a pinned custom post only moderators can see in full — updates live every 5 seconds without a page refresh, showing incident history, threat count, and a one-click emergency lockdown button. All thresholds are configurable live with no redeployment.
How we built it
The entire stack runs on Devvit's native platform with no external dependencies.
Detection runs through PostCreate and CommentCreate background triggers — firing after AutoModerator has processed content, so we're acting on submissions that actually made it through Reddit's first filter layer. Each trigger executes a pipeline: circuit breaker fast-path check, velocity window evaluation, swarm ratio calculation, and text cluster lookup — all against Redis, completing well under Devvit's execution timeout.
Rate tracking uses Redis sorted sets with ZADD / ZREMRANGEBYSCORE for true sliding window semantics. No cron jobs, no scheduled cleanup — entries expire naturally as the window advances. Memory is bounded by ZREMRANGEBYRANK to prevent unbounded growth under extreme load.
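The sliding-window pattern described above, as an added example that is not RaidShield's own code. The in-memory sorted set stands in for Redis, and the window length, threshold and entry cap are assumed values.

```typescript
// In-memory stand-in for one Redis sorted set (constructed for this example).
type ZEntry = { member: string; score: number };

function createSortedSet() {
  let items: ZEntry[] = [];
  return {
    zAdd(member: string, score: number): void {
      items = items.filter((e) => e.member !== member);
      items.push({ member, score });
      items.sort((a, b) => a.score - b.score);
    },
    // Remove members with min <= score <= max (inclusive, like Redis).
    zRemRangeByScore(min: number, max: number): void {
      items = items.filter((e) => e.score < min || e.score > max);
    },
    // Remove ranks start..stop; negative ranks count from the highest score.
    zRemRangeByRank(start: number, stop: number): void {
      const n = items.length;
      const s = start < 0 ? Math.max(n + start, 0) : start;
      const e = stop < 0 ? n + stop : Math.min(stop, n - 1);
      if (s <= e) items.splice(s, e - s + 1);
    },
    zCard(): number {
      return items.length;
    },
  };
}

// Assumed settings; the cap must stay above the threshold or the breaker can never trip.
const VELOCITY_WINDOW_MS = 60000;
const VELOCITY_THRESHOLD = 5;
const MAX_ENTRIES = 8;

function createVelocityMonitor() {
  const zset = createSortedSet();
  return {
    // id: unique submission id (the member); now: event time in ms (the score).
    record(id: string, now: number): { count: number; tripped: boolean } {
      zset.zAdd(id, now);
      zset.zRemRangeByScore(-Infinity, now - VELOCITY_WINDOW_MS); // age out old events
      zset.zRemRangeByRank(0, -(MAX_ENTRIES + 1)); // keep only the newest MAX_ENTRIES
      const count = zset.zCard();
      return { count, tripped: count > VELOCITY_THRESHOLD };
    },
  };
}
```

Because trimming happens on every write, the set never holds more than `MAX_ENTRIES` members, so a flood cannot grow the key without bound even while the breaker is tripped.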
Text fingerprinting uses a djb2 hash over normalized text. Normalization strips zero-width spaces, substitutes common Cyrillic-to-Latin homoglyphs, collapses whitespace, and removes non-alphanumeric characters before hashing — so bots can't bypass detection by adding invisible characters or swapping lookalike letters.
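A sketch of the normalize-then-hash fingerprint and the 3-minute cluster check, added here as an example and not taken from RaidShield's source. The homoglyph table is partial, the in-memory store stands in for Redis, and the author threshold and minimum-length guard are assumptions.

```typescript
// Cyrillic letters that render like Latin ones (partial table, constructed for this example).
const HOMOGLYPHS: { [ch: string]: string } = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p",
  "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
};

function normalizeText(text: string): string {
  return text
    .toLowerCase()
    .replace(/[\u200B-\u200D\u2060\uFEFF]/g, "") // zero-width characters
    .replace(/[\u0400-\u04FF]/g, (ch) => HOMOGLYPHS[ch] || ch) // lookalike letters
    .replace(/\s+/g, " ")
    .replace(/[^a-z0-9 ]/g, "") // drop everything that is not alphanumeric
    .replace(/ +/g, " ")
    .trim();
}

// djb2: hash = hash * 33 + charCode, kept to an unsigned 32-bit value.
function djb2(s: string): number {
  let hash = 5381;
  for (let i = 0; i < s.length; i++) {
    hash = ((hash << 5) + hash + s.charCodeAt(i)) >>> 0;
  }
  return hash;
}

const CLUSTER_WINDOW_MS = 3 * 60 * 1000; // the 3-minute window from the write-up
const MIN_AUTHORS = 3; // assumed threshold of distinct accounts
// Assumed guard: text that normalizes to almost nothing (emoji, non-Latin scripts)
// would otherwise collide on one fingerprint and cause false positives.
const MIN_NORMALIZED_LEN = 12;

type Sighting = { author: string; ts: number };

function createClusterDetector() {
  const seen: { [fingerprint: string]: Sighting[] } = {};
  return {
    // Returns true when enough distinct authors posted the same fingerprint in the window.
    observe(author: string, text: string, now: number): boolean {
      const norm = normalizeText(text);
      if (norm.length < MIN_NORMALIZED_LEN) return false;
      const key = String(djb2(norm));
      const recent = (seen[key] || []).filter(
        (s) => now - s.ts < CLUSTER_WINDOW_MS && s.author !== author
      );
      recent.push({ author, ts: now }); // one entry per author, so length = unique authors
      seen[key] = recent;
      return recent.length >= MIN_AUTHORS;
    },
  };
}
```

djb2 is a non-cryptographic 32-bit hash, so unrelated texts can collide; storing the normalized text next to the fingerprint and comparing it on a hit removes that source of false positives.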
The dashboard is a Devvit Blocks custom post type with a mod gate enforced at render time via getModPermissionsForSubreddit. Settings use useForm so all Redis writes happen server-side, avoiding the ServerCallRequired error that affects inline async onPress handlers. Live updates use useInterval polling at 5-second intervals.
Configuration is stored as JSON in Redis with no TTL, so settings survive indefinitely and take effect on the next incoming event — no redeployment needed.
Challenges we ran into
The ServerCallRequired wall. Devvit Blocks serializes onPress handlers and runs them in a context where direct Redis calls fail with ServerCallRequired. The fix — routing all Redis writes through useForm submit handlers, which run server-side — wasn't obvious from the documentation and took significant debugging to isolate.
Trigger event naming. Devvit 0.12 has both PostSubmit/CommentSubmit (fires at submission time, before AutoMod) and PostCreate/CommentCreate (fires after AutoMod processing). Using the wrong pair means either double-processing content or acting on posts that AutoMod will remove a moment later. The correct choice for a raid shield is PostCreate/CommentCreate — we want to act on content that survived the platform's first filter.
State freshness without WebSockets. Devvit Blocks doesn't have a native push/subscribe mechanism for UI state. The dashboard would show stale data until the user manually refreshed. We solved this with useInterval polling at 5-second intervals, which gives near-real-time feedback without requiring a full page reload.
Text normalization depth. Simple exact-match hashing is trivially bypassed by adding a space or changing one character. Building a normalization pipeline that handles homoglyphs, zero-width characters, Unicode lookalikes, and whitespace manipulation — while remaining fast enough to run on every single submission — required careful design to avoid false positives on legitimate content.
Accomplishments that we're proud of
The end-to-end latency from a submission hitting Reddit to RaidShield quarantining it sits comfortably under 200ms in testing — well inside Devvit's execution limits and fast enough that the content never appears in the live feed.
The settings system works exactly as intended: a mod changes a threshold in the dashboard, and the very next trigger execution uses the new value. No redeploy, no restart, no propagation delay. That's the kind of operational flexibility that professional security tooling requires.
The mod gate on the dashboard — where non-mods see a clean public notice while mods get the full console — means the app can be pinned and stickied without leaking operational information to the community or to bad actors who might use threshold knowledge to calibrate their attacks just below detection limits.
The modmail notification system means the entire mod team is alerted the moment an automatic lockdown fires, even if no one is actively watching the dashboard. On a large community with a distributed mod team across time zones, that's the difference between a contained incident and a community-wide crisis.
What we learned
Devvit's execution model is more constrained than it appears from the documentation. The boundary between client-side and server-side execution in Blocks is real and strict — understanding exactly which hooks and handlers run where is essential before writing any stateful UI. The useForm pattern for server-side mutations is the correct architecture, but it's not prominently documented.
Redis sorted sets are the right primitive for sliding window rate limiting at this scale. Simple counters with TTLs create race conditions and don't give you true window semantics. The ZADD / ZREMRANGEBYSCORE pattern is O(log N) per operation and handles concurrent writes correctly without any application-level locking.
Text normalization for spam detection is a deeper problem than it looks. The space of Unicode obfuscation techniques is large, and any normalization pipeline is a tradeoff between recall (catching more spam) and precision (avoiding false positives on legitimate multilingual content). The current implementation handles the most common attack vectors; a production system would benefit from a continuously updated normalization ruleset.
What's next for RaidShield
- Approved user allowlist — mods should be able to mark specific accounts as trusted, exempting them from detection entirely. Useful for established community contributors who post at high volume legitimately.
- Per-detection-type lockdown — instead of a single community-wide circuit breaker, allow velocity and cluster detections to trigger different responses (e.g., velocity trips a comment slowmode rather than a full lockdown).
- Historical analytics — a 7-day and 30-day incident chart showing attack frequency, peak times, and which detection engine fires most often. Gives mod teams data to tune their thresholds intelligently over time.
- Flair-based exemptions — users with specific post flair or user flair could be excluded from new-account swarm detection, useful for communities that run AMAs or verified contributor programs.
- Cross-subreddit threat sharing — an opt-in network where subreddits running RaidShield can share fingerprints of active attack campaigns, so a raid that starts on one community is pre-blocked on others before it arrives.
Built With
- devvit
- modmail
- redditapi
- redis
- typescript