
Defending against bad actors: WorkOS Radar vs Castle vs Auth0 vs Stytch vs Arcjet

Which products can help you safeguard your app against bots and hackers and how do they compare? Learn what you should look for and what features each vendor offers.


Bad actors are everywhere: opportunistic users who abuse your free tier by signing up for multiple accounts under different pseudonyms, AI bots, script kiddies, and hackers. The bigger you get, and the more complicated your authentication setup becomes, the more of a target you are.

Nowadays, basic username/password auth falls short of providing the protection that modern SaaS apps require. Even OAuth can't protect against abuse, as motivated users will simply sign up for multiple email addresses to open additional accounts. And techniques like CAPTCHAs have been rendered ineffective at stopping coordinated account takeover schemes. With AI agents becoming more capable every day, the need for intelligent and adaptable defense against bad behavior has never been greater.

You need more: a product that specializes in detecting, verifying, and blocking bad actors in real time.

In this article, we will review the key features you should look for when evaluating a solution and how some of the solutions available today compare.

What you should be looking for

Before we examine some of the products available today, let’s consider the most important features the solution you choose should have.

  • Device fingerprinting: Device fingerprinting (or browser fingerprinting) is the process of uniquely identifying a device (or browser) based on its specific configuration. Good device fingerprinting assembles dozens of clues about your device to create a unique identifier. These fingerprints persist even after you clear your browsing data, making them a powerful security and fraud prevention tool. Device fingerprinting is a cornerstone for bot detection and prevention, fraud prevention, and more. To learn more, see What is device fingerprinting and how does it work?.
  • Progressive rate limiting: The best solutions use device fingerprinting to decide what traffic to block. This lets you apply progressive rate limiting that becomes stricter as suspicious behavior continues, instead of blocking solely based on IP addresses. This way, an attacker can't reset their limit by simply switching IPs, and you won't see a lot of false positives affecting users on shared networks.
  • Out-of-the-box detections: The solution you choose should automatically detect patterns that may indicate undesirable or malicious activity: bots, brute-force attacks, credential stuffing, impossible travel, new devices, and so on. The more out-of-the-box detections the tool offers, the less your team will have to implement manually and the faster your product will be protected.
  • Support for custom rules: Besides automatically detecting malicious patterns, a good solution should let you implement custom rules and restrictions that are specific to your business (e.g., deny authentication to specific devices, restrict sign-ins to corporate IP ranges, etc.).
  • Easy integration: You should have to do the least work possible to get the solution up and running. This frees up resources to work on your product and protects your business from day one.
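To make the progressive rate limiting point concrete, here is an added example (not code from WorkOS or any vendor on this page) of a limiter keyed on a device fingerprint rather than the source IP. The fingerprint values, the escalation schedule, and the simulated attempts are all constructed for illustration.

```python
from collections import defaultdict

# Constructed escalation schedule: 1 min, 5 min, 30 min, then 24 h per strike.
ESCALATION_SECONDS = [60, 300, 1800, 86400]
FAILURES_PER_STRIKE = 5


class ProgressiveLimiter:
    """Failed-login limiter keyed on the device fingerprint; the source IP is not part of the key."""

    def __init__(self):
        self.failures = defaultdict(int)   # fingerprint -> failures since the last strike
        self.strikes = defaultdict(int)    # fingerprint -> escalation level reached so far
        self.blocked_until = {}            # fingerprint -> time (seconds) the current block ends

    def allowed(self, fingerprint, now):
        return now >= self.blocked_until.get(fingerprint, 0)

    def record_failure(self, fingerprint, now):
        """Count a failed attempt; return the lockout applied in seconds (0 if none yet)."""
        self.failures[fingerprint] += 1
        if self.failures[fingerprint] < FAILURES_PER_STRIKE:
            return 0
        self.failures[fingerprint] = 0
        level = min(self.strikes[fingerprint], len(ESCALATION_SECONDS) - 1)
        self.strikes[fingerprint] += 1                 # the next strike will be stricter
        self.blocked_until[fingerprint] = now + ESCALATION_SECONDS[level]
        return ESCALATION_SECONDS[level]

    def record_success(self, fingerprint):
        # Clear the failure counter but keep the strike level, so a device that
        # alternates good and bad attempts cannot reset its escalation.
        self.failures.pop(fingerprint, None)


def simulate():
    """One attacker rotating source IPs, one coworker behind a shared office IP (both constructed)."""
    lim = ProgressiveLimiter()
    attacker, coworker = "fp-attacker-0001", "fp-coworker-0002"
    lockouts = []
    for now in range(0, 5):          # five bad passwords, each sent from a different IP
        lockouts.append(lim.record_failure(attacker, now))
    denied_at_30 = not lim.allowed(attacker, 30)
    for now in range(100, 105):      # first lockout expired; the same device comes back
        lockouts.append(lim.record_failure(attacker, now))
    return {
        "lockouts": [s for s in lockouts if s],            # second strike is longer than the first
        "denied_during_lockout": denied_at_30,
        "coworker_on_shared_ip_allowed": lim.allowed(coworker, 30),
    }
```

Because the key is the fingerprint, the rotating IPs never matter to the limiter, and the coworker's different fingerprint is never penalized for sharing an address.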

Now let’s look at some of the solutions available today, what they offer, and how they compare to one another.

Vendor comparison overview

WorkOS Radar

WorkOS Radar collects signals on the behavior of users as they sign in to your app. These signals feed into an engine that is looking for abusive or anomalous behavior. When the engine detects a suspicious authentication attempt, it can block or challenge that attempt based on the settings you configure.

WorkOS Radar leverages proprietary device fingerprinting based on over 20 characteristics to identify which device is being used to authenticate with AuthKit. Just like a person’s fingerprint, this is used to differentiate between legitimate users and others who are attempting attacks or fraud.

It automatically blocks common threats like credential stuffing and brute-force attacks, with flexible settings that can be tailored to your app, and tracks every authentication attempt to uncover suspicious or impossible sign-ins. WorkOS Radar alerts you in real time when this happens, allowing your admins to intervene and warn your users that their accounts might be compromised.

Key features:

  • Dashboard-only configuration: You don’t need to add any scripts to your app for WorkOS Radar to work. Once the feature is enabled, you get protection out of the box.
  • Bot detection and blocking: WorkOS Radar can determine that authentication is coming from a bot or an AI agent and allow or deny that attempt, even if the credentials are correct. This bot detection goes beyond simple pattern matching. It can differentiate between AI agents, search engine crawlers, automation scripts, and testing tools.
  • Intelligent rate-limiting using device fingerprinting: Instead of focusing solely on IP addresses, WorkOS Radar also identifies clients through device fingerprinting. This way you can apply progressive rate limiting that becomes stricter as suspicious behavior continues. These limits apply to the device fingerprint, not just the IP address. This means an attacker can't reset their limit by simply switching IPs.
  • Unknown devices: Using device fingerprinting, WorkOS Radar maintains a history of known devices per user and can trigger additional verification for new devices.
  • Brute force attacks: WorkOS Radar can prevent attacks on the same account from multiple devices using device fingerprinting. The system tracks:
    • Authentication frequency per client.
    • Pattern matching across multiple accounts.
    • Password variation patterns.
    • Geographic distribution of attempts.
  • Stale accounts: WorkOS Radar monitors dormant accounts (no successful logins in 30+ days) and can notify both the end user and the administrators when they become active again (i.e., log in successfully), a common indicator of account takeover.
  • Credential stuffing: Bad actors might try to sign in to your app using a list of credentials leaked in other breaches. Since it is common for people to reuse passwords across multiple websites, the same email/password pairs may be valid credentials for your app. However, this takes many authentication attempts. WorkOS Radar notices when a single client or device repeatedly attempts to sign in to your app and blocks those attempts for a short period of time.
  • Impossible travel: By tracking device geolocation, WorkOS Radar can block or alert when subsequent authentication requests are spread around the globe. While this might be just due to the use of a VPN, the system can flag this behavior and leave it up to you to decide what to do.
  • Custom restrictions: Devs can set custom rules to allow or deny authentication to specific devices, users, domains, or IP ranges. This enables a myriad of use cases, such as restricting sign-ins to a corporate IP range or allowing certain users to bypass detections that are false positives.
  • Incorporate device fingerprinting into your app’s own models: Combining WorkOS Radar with Actions allows you to extend its capabilities by incorporating device fingerprinting into your app’s fraud or abuse models. For example, if one device is shared among many accounts, this could be a sign that one person is opening up many accounts to circumvent restrictions placed on usage. Or if many devices are being used to sign in to one account, it’s a strong indication that this account is being shared among many individuals.

Limitations:

  • As of January 2025, WorkOS Radar works only with AuthKit, a fully customizable user management system, powered by WorkOS and Radix. The ability to use it with your own login box is on the roadmap.

Castle

Castle is a fraud prevention platform that offers you a view of risky customers and lets you implement mitigation workflows. It also enables you to monitor, analyze, and alert on up to 18 months of historical data to stop evolving abuse trends.

Key features:

  • Device fingerprinting: Castle generates device fingerprints that uniquely identify devices and survive resets.
  • AI scoring: Use risk scoring to detect bots, account takeovers, and general account abuse. Castle uses machine learning models to calculate risk scores as measures of how likely a user's action is to result in abuse. Scores are computed in real time.
  • Whitelist/blacklist: Use lists to block or trust any entity, including devices, IPs, and users.
  • Custom rules: Castle enables you to add policies specific to you. This way you can implement business domain-specific rules to make sure you're catching fraud specific to your platform.
  • Custom signals: Besides the out-of-the-box signals (event properties that represent a risk behavior) Castle allows you to use custom signals to implement real-time velocity queries that'll tag risky events.
  • Behavioral analysis: You can set up rate-limiting rules based on time and counters, e.g., to block requests with more than 10 failed logins per IP in the last hour or when the number of users per device exceeds 2.
  • Bot detection: You can identify bots based on the real-time calculated risk score.
  • Email intelligence: Assess email reputation and risk. Detect disposable domains and enumeration patterns.
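The behavioral-analysis rules listed above (more than 10 failed logins per IP in the last hour, more than 2 users per device) and the device-sharing signal described in the WorkOS Radar section are both velocity counters. Here is an added example of that logic, not Castle's or WorkOS's own code; the thresholds, event shape and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed thresholds mirroring the rules mentioned above.
WINDOW_SECONDS = 3600
MAX_FAILED_LOGINS_PER_IP = 10
MAX_USERS_PER_DEVICE = 2


class VelocityRules:
    """Sliding-window counters that tag risky authentication events as they arrive."""

    def __init__(self):
        self.failed_by_ip = defaultdict(deque)    # ip -> timestamps of recent failed logins
        self.users_by_device = defaultdict(set)   # device fingerprint -> distinct user ids seen

    def evaluate(self, event):
        """Return the names of the rules this event trips (empty if none). Events must arrive in time order."""
        tags = []
        recent = self.failed_by_ip[event["ip"]]
        while recent and recent[0] <= event["ts"] - WINDOW_SECONDS:   # age out old failures
            recent.popleft()
        if not event["success"]:
            recent.append(event["ts"])
            if len(recent) > MAX_FAILED_LOGINS_PER_IP:
                tags.append("failed_logins_per_ip")
        users = self.users_by_device[event["device"]]
        users.add(event["user"])
        if len(users) > MAX_USERS_PER_DEVICE:
            tags.append("users_per_device")       # one device shared by too many accounts
        return tags


def constructed_events():
    """Constructed sample events: one IP failing against many accounts, one shared device, and a late straggler."""
    events = [{"ts": 1000 + i * 60, "ip": "203.0.113.9", "device": f"fp-{i:04d}",
               "user": f"user{i}", "success": False} for i in range(11)]
    for i, user in enumerate(["alice", "bob", "carol"]):
        events.append({"ts": 5000 + i, "ip": "198.51.100.2", "device": "fp-shared",
                       "user": user, "success": True})
    # Same IP fails again two hours later: its earlier failures have aged out of the window.
    events.append({"ts": 8800, "ip": "203.0.113.9", "device": "fp-9999",
                   "user": "user99", "success": False})
    return events


def run():
    """Evaluate every event in order; returns {timestamp: tags}."""
    rules = VelocityRules()
    return {e["ts"]: rules.evaluate(e) for e in constructed_events()}
```

The eleventh failure from the same IP inside the hour is tagged, the third account on one device is tagged, and the failure two hours later is not, because the window has slid past the earlier attempts.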

Limitations:

  • Castle needs to collect application usage data to detect signals of abuse, and this is not done by simply enabling it from a dashboard. Developers need to include the Castle JavaScript snippet in their app.

Auth0

Auth0 can detect attacks and stop malicious attempts to access your application, for example by blocking traffic from certain IPs or displaying a CAPTCHA.

Key features:

  • Bot detection: Auth0 triggers a CAPTCHA step when a login attempt comes from an IP suspected of use by a bot. To determine whether it’s a bot, Auth0 uses IP reputation computed by analyzing the quality of traffic seen for each IP.
  • Suspicious IP throttling: Detects when a bot/script tries too many identifier/password combinations within a short period of time and blocks the IP.
  • Brute force protection: Detects when a bad actor tries to log in to an account too many times within a period of time. When this happens, Auth0 blocks the IP and sends a notification via SMS or email to the affected user.
  • Breached password detection: Stops users from using passwords known to have been exposed in third-party breaches. Auth0 blocks new users from signing up, and existing users from logging in, with stolen credentials.

Limitations:

  • Auth0 does not offer device fingerprinting and works solely with IP detection and blocking, making the defense easy to bypass and prone to false positives that can affect users on shared networks.
  • Auth0’s attack protection features still lack capabilities that solutions like WorkOS Radar and Castle have, such as intelligent rate limiting, behavioral analysis, protection against stale accounts, and more.

Stytch

Stytch offers a Fraud & Risk API that provides bot detection and prevention.

Key features:

  • Device fingerprinting: Stytch’s device fingerprinting combines a number of unique characteristics to help distinguish humans from bots.
  • Customizable rules: Implement business domain-specific rules for device groupings, as well as for individual device IDs.

Limitations:

  • Although Stytch offers device fingerprinting, CAPTCHA, and the ability to write custom rules, it still lacks features that solutions like WorkOS Radar and Castle have, like intelligent rate limiting, behavioral analysis, stale accounts protection, and more.
  • Each custom rule can be assigned to a single fingerprint ID. This is challenging to scale, since it's common for popular apps to have hundreds of thousands of fingerprints across their customer base.

Arcjet

Arcjet helps developers protect their apps in a few lines of code.

Key features:

  • Bot detection: Detect and manage traffic by automated clients and bots. Bot traffic is identified by the IP address.
  • Rate limiting: Define rules that limit the number of requests a client can make over a period of time. If Arcjet detects rate limit excesses, it will block further traffic based on a fingerprint of the client, which includes the IP address by default. This decision is cached locally for a period based on the rate limit configuration.
  • Email validation: Arcjet allows you to validate and verify an email address. This is useful for preventing users from signing up with fake email addresses and can significantly reduce the number of spam or fraudulent accounts.
  • PII detection: Protect against clients sending personal information — such as credit card numbers and email addresses — that you do not wish to handle. Arcjet’s “block sensitive information” rule prevents detected sensitive information from reaching your application. The rule runs entirely locally, so no data ever leaves your environment.

Limitations:

  • Arcjet detects bot traffic based on a fingerprint of the client, which includes the IP address. This could temporarily block traffic from legitimate clients using the same IP address, producing many false positives and affecting users on shared networks.
  • Without proper device fingerprinting, Arcjet’s rate limiting is constrained to tracking the number of requests made by a client based on certain characteristics, like an IP or an authentication token. This means an attacker can reset their limit easily.

Which should you choose?

Of the solutions presented here, WorkOS Radar and Castle are the most complete feature-wise. With WorkOS Radar all protections are active automatically once it's enabled for your account, while with Castle you need to include a script in your app so that Castle can collect application usage data to detect signals of abuse.

While Stytch offers device fingerprinting, it lacks out-of-the-box protections; developers have to implement the detection logic themselves.

The solutions Auth0 and Arcjet offer are more basic and rely heavily on IP addresses, making the defense easy to bypass and prone to false positives.

When evaluating the right solution for you, look beyond the fees: consider how much time your engineering team will have to dedicate to implementing and supporting it, and how sturdy the defenses you are paying for really are.
