If you run a ticketing platform, a promoter, or a major venue, you already know the pattern. Tickets go on sale. Within 60 seconds the front page shows "sold out". Within 24 hours the same seats reappear on secondary markets at three to ten times face value. Fans call the ticketing platform — not the scalper — asking why the on-sale was rigged. Press follow up. The artist's team asks awkward questions.
Prosopo is anti-scalping bot protection designed for exactly this problem: to keep on-sale inventory in front of real fans, and to keep the ticketing platform out of the next Guardian story about a botched drop.
How bad is it? The German Football Association reported over 160 million bot ticket requests for the DFB Cup Final alone. Ticketmaster cancelled bulk Oasis Reunion Tour purchases in 2025 after detecting scalper activity. The FIFA Club World Cup lottery was overwhelmed by automated traffic. This is not a niche threat.
Modern scalping toolkits are professionally engineered software. They hit five endpoints, and any single one is enough to break the drop:
- Signup and account warm-up — accounts created weeks in advance to look "aged" and legitimate.
- Queue and virtual waiting room — parallel session pools that hold thousands of queue spots.
- Announce and drop APIs — polled at millisecond frequency to catch the on-sale moment before any human can.
- Ticket search and availability — hammered to find remaining inventory the moment it appears.
- Add-to-cart and checkout — completed in tens of milliseconds through payment integrations.
Any single-layer defence (a login CAPTCHA, a queue-page check, a rate limit) is defeated because the scalper only needs to win at one endpoint to hoard inventory. Effective anti-scalping runs on every one of these endpoints, with a shared risk signal.
Prosopo runs in front of every ticketing endpoint and decides — for every request — whether the visitor is a real fan, a trusted agent acting on a fan's behalf, or a scalper bot. The decision combines several layers that traditional CAPTCHAs cannot see:
- Network-wide behavioural modelling. Cursor dynamics, scroll cadence, typing rhythm and device signals are continuously modelled across our platform. A scalper toolkit operating on one venue today looks the same as one we caught on another venue last week — so the second venue stops it the first time.
- Residential proxy and real-device farm detection. Scalper toolkits route traffic through residential IPs and real-device farms to look like ordinary fans. Prosopo's risk scoring labels those networks even when the IP itself has a clean reputation, so the trick stops working.
- Out-of-country ASN surge detection. A normal on-sale sees most traffic from the venue's home market. The moment a coordinated surge appears from hosting networks abroad, our decision engine escalates verification on that traffic without touching legitimate buyers — and the surge can be auto-banned by rule.
- Advanced ML adapting during the drop. Scalper tactics evolve mid-on-sale. Prosopo's machine-learning models retrain continuously against new attack patterns, so countermeasures emerge while the drop is still live — not in a postmortem after the fans have lost out.
- Invisible for humans and trusted agents. Real fans (and any AI shopping agent acting on their behalf) pass invisibly. Suspicious traffic gets a CAPTCHA challenge-response; known-bad traffic is blocked outright.
The result: fans get to checkout, trusted agents stay welcome, and scalper bots stop dead on the page they were trying to harvest.
- GDPR-first by design. Procaptcha is a GDPR-compliant CAPTCHA with no third-party tracking cookies and EU-hosted processing endpoints on request. Your DPA, cookie banner and privacy notice stay clean.
- Deploys anywhere. Backend SDK, CDN edge (Cloudflare Workers, Lambda@Edge, Fastly Compute@Edge), or API gateway — same verification, same behavioural model. No CDN lock-in.
- Real free tier and predictable pricing. 10,000 verifications per month free; $39/month up to 100K. No per-assessment surprise invoices.
- Doesn't blanket-block AI agents. Authorised AI shopping agents pass; only unauthorised scalper automation is challenged.
- Ready before the on-sale. Typical integration is a single afternoon for web checkouts, one day for CDN-edge deployments. Behavioural models baseline your legitimate traffic in the days before a major drop.
- Access Control — throttle datacenter traffic during high-demand drops and block hosting ASNs scalper bots use.
- Risk Scoring — auto-ban the most obvious automation before it even gets a challenge.
- API Protection — defend ticket-drop endpoints against bot inventory hoarding and rapid checkout attempts.
- Invisible CAPTCHA — the widget that fans see (or, mostly, don't) at the checkout page.
Ready to protect your enterprise from bots?
Request Demo →