Adobe Commerce Advanced Security

Adobe Commerce Advanced Security is a product that works with Adobe Commerce on Cloud Infrastructure to keep your online store fast, available, and secure. This can help protect revenue, reduce downtime, and maintain customer trust during peak traffic events and automated attacks.

Adobe Commerce on Cloud Infrastructure includes built-in Layer 3 and 4 DDoS protection and a Web Application Firewall (WAF). Under the shared responsibility model, Layer 7 DDoS detection, bot protection, and proactive IP blocking are merchant responsibilities, which Adobe Commerce Advanced Security is designed to address.

Advanced Security extends storefront protection through Fastly-powered edge security capabilities, which deliver bot management, advanced rate limiting, and Layer 7 DDoS protection as part of a unified edge platform that combines scale, performance, and security at the network edge.

NOTE
Advanced Security is available for Adobe Commerce on Cloud Infrastructure (PaaS) projects only.

Core capabilities

Adobe Commerce Advanced Security includes the following additional protections:

  • Bot Management—Identifies and mitigates unwanted bot activity on your web applications. The Bot Management service distinguishes between legitimate bots (search engine crawlers, social media bots) and malicious ones, providing real-time classification at the network edge with options to block, allow, challenge, or rate-limit traffic.

  • DDoS Protection—Provides Layer 7 (application layer) DDoS protection beyond the existing Layer 3 and 4 protection included with all Adobe Commerce on Cloud Infrastructure projects. The DDoS Protection service absorbs large-scale volumetric attacks and ensures continuous application availability during distributed denial-of-service (DDoS) events, protecting revenue during peak traffic periods.

  • Advanced Rate Limiting—Provides configurable rate limiting rules that protect specific URLs, API endpoints, and application resources from abuse. The Advanced Rate Limiting service goes beyond the basic rate limiting available through the Fastly CDN module to target specific traffic patterns and attack vectors, reducing infrastructure strain and cloud costs.

NOTE
Advanced Security configurations currently require submitting a support ticket. Self-service configuration through the Admin UI is planned for a future release. Refer to Request Advanced Security for more information.

Threat coverage

Advanced Security protects storefronts from a range of automated and application-layer threats.

[Figure: Advanced Security positioning in the Adobe Commerce security stack]

Bot-driven abuse

  • Credential stuffing—Automated attempts to log in using stolen credentials from data breaches.
  • Account takeover—Bots that attempt to gain unauthorized access to customer accounts.
  • Account creation abuse—Automated creation of fake accounts for fraud or abuse purposes.
  • Card testing—Bots that test stolen credit card numbers against your payment processor.
  • Content scraping—Automated extraction of product data, pricing, or content from your storefront.
  • Inventory hoarding—Bots that hold products in carts to prevent legitimate purchases.

AI bot management

  • AI crawler detection—Identifies and manages AI crawlers that scrape content to train large language models without consent.
  • AI fetcher control—Controls AI fetchers used in real-time AI search results.
  • Configurable AI bot policies—Distinguishes between verified and suspected AI bots with configurable signal types for policy enforcement.

Application-layer attacks

  • Layer 7 DDoS attacks—Distributed attacks targeting the application layer that bypass built-in Layer 3 and 4 protections. Advanced Security absorbs these volumetric attacks at the edge before they reach your origin servers.
  • URL and API abuse—Attacks targeting specific URLs or API endpoints spread across a large number of IP addresses, where individual IP blocking is not effective.
  • Cache-busting attacks—Requests with manipulated query parameters designed to bypass CDN caching and overwhelm the origin server.

Additional capabilities

  • Dynamic Challenges—Automatically assigns the optimal challenge to suspicious traffic. Leverages Private Access Tokens (PAT) to seamlessly validate a portion of requests without impacting the user experience.
  • Deception technology—Addresses account takeover attempts by returning false information to attackers, mitigating their attack while disrupting their ability to operate at scale.

Choosing the right protection

Use the following guidance to determine whether Advanced Security is the right solution for your storefront protection needs, or whether existing protections or alternative solutions are more appropriate.

When to use Advanced Security

The following scenarios are best addressed with Advanced Security:

Scenario: Your site experiences bot-driven attacks such as credential stuffing, content scraping, or inventory hoarding.
How Advanced Security helps: Bot Management identifies and mitigates automated threats at the edge before they reach your application.

Scenario: You need Layer 7 DDoS protection beyond the built-in Layer 3 and 4 coverage.
How Advanced Security helps: DDoS Protection absorbs application-layer attacks that bypass network-level protections.

Scenario: Specific URLs or API endpoints are targeted by high-volume distributed traffic that cannot be blocked by IP.
How Advanced Security helps: Advanced Rate Limiting provides granular controls for specific endpoints and traffic patterns.

Scenario: You want to manage AI crawlers and fetchers accessing your storefront content.
How Advanced Security helps: Bot Management includes configurable AI bot detection and enforcement policies.

Scenario: You need an Adobe-supported edge security solution integrated with your existing Fastly CDN.
How Advanced Security helps: Advanced Security runs on the same Fastly edge platform already serving your storefront.

When to use existing protections

The following scenarios are best addressed with existing protections:

Scenario: A single IP or small set of identifiable IPs is flooding your site with requests.
Recommended approach: Block the IPs using the Commerce Admin or Fastly API. Use built-in Layer 3/4 DDoS protection and existing IP blocklist VCL snippets.

Scenario: You need to block SQL injection, cross-site scripting (XSS), or other OWASP Top Ten threats.
Recommended approach: The included WAF service blocks these threats automatically.

Scenario: Your DDoS attack patterns can be controlled with basic VCL blocking rules.
Recommended approach: Use the existing custom VCL snippets already available with Adobe Commerce.

When to use alternative protections

The following scenarios are best addressed with alternative protections that can complement Advanced Security:

Scenario: You need transaction-level fraud scoring or payment fraud prevention.
Recommended approach: Use a dedicated fraud prevention platform. Advanced Security protects at the edge network level and does not evaluate individual payment transactions.

Scenario: You require identity and access management (IAM).
Recommended approach: Implement a dedicated IAM solution. User authentication and session management remain customer responsibilities.

Scenario: You need static or dynamic application security testing (SAST/DAST).
Recommended approach: Use dedicated application security testing tools. Code-level vulnerability scanning is not provided.

Scenario: You require comprehensive API security beyond rate limiting (such as schema validation or API gateway features).
Recommended approach: Consider a dedicated API security platform.

Scenario: You need regulatory compliance tooling such as PCI scanning or SOC reporting.
Recommended approach: Use dedicated compliance management tools.

TIP
If you currently use a third-party bot protection provider, consolidating to Advanced Security can reduce operational complexity, and eliminate inconsistent security coverage across providers. Contact your Adobe Account team to evaluate Advanced Security for your project.

Security stack positioning

Advanced Security fits within the broader Adobe Commerce security architecture as an additional layer of edge-based protection. It works alongside — and does not replace — the WAF and Layer 3/4 DDoS protections already included with Adobe Commerce on Cloud Infrastructure. The following sections clarify how it relates to existing protections and the responsibilities that remain with the customer.

Included protections

Adobe Commerce on Cloud Infrastructure includes the following security features:

  • Web Application Firewall (WAF)—Managed protection against SQL injection, Cross-Site Scripting (XSS), and other Open Web Application Security Project (OWASP) Top Ten threats. Available on Production environments only.
  • Layer 3 and 4 DDoS protection—Built-in protection against network-layer attacks such as SYN floods, UDP floods, ICMP-based attacks, and TCP-level attacks. Enabled automatically with Fastly CDN.
  • SSL/TLS certificates—Domain-validated encryption certificates for secure HTTPS traffic.
  • Origin cloaking—Ensures all traffic routes through Fastly, blocking direct access to origin servers.
  • VCL-based security snippets—Custom Varnish Configuration Language (VCL) rules for IP blocking, allowlisting, and request filtering.

Advanced Security

Advanced Security provides increased protection beyond the built-in protections included with Adobe Commerce on Cloud Infrastructure, but at an additional cost:

  • Bot Management—Edge-based bot detection and mitigation with AI bot management.
  • Layer 7 DDoS Protection—Application-layer DDoS absorption and defense.
  • Advanced Rate Limiting—Granular rate controls for URLs and API endpoints.
  • Dynamic Challenges and Deception Technology—Automated challenge assignment and account takeover mitigation.

Customer responsibility

  • Fraud prevention—Transaction-level fraud scoring and payment fraud detection.
  • Identity and access management—Customer authentication, authorization, and session management.
  • Application security testing—SAST/DAST and vulnerability scanning.
  • Custom security configurations—VCL-based rules, IP allowlists, and blocklists.
  • Compliance tooling—PCI scanning, SOC compliance reporting, and regulatory audit tools.
  • Application-level hardening—Token-based API authentication, query parameter normalization, and caching strategy design.

For a complete overview of Adobe and customer security responsibilities, see the shared responsibility model.

Common attack patterns and protections

The following table maps common attack patterns to the appropriate protection layer within the Adobe Commerce security stack.

Attack pattern: Single IP or set of identifiable IPs sending a large number of requests.
Type: DDoS + Bot
Protection: Block IPs using the Commerce Admin or Fastly API. Built-in Layer 3/4 DDoS protection filters this traffic at the network edge.

Attack pattern: Attacks on specific URLs or APIs spread across a large number of IPs.
Type: DDoS + Bot
Protection: Advanced Security: Advanced Rate Limiting restricts request volume per URL. Bot Management identifies and blocks distributed bot traffic.

Attack pattern: Automated attacks on REST API endpoints without proper authentication.
Type: Bot + DDoS
Protection: Verify that API endpoints use token-based authentication. Rotate credentials if the token is compromised. Advanced Security: Advanced Rate Limiting can protect exposed endpoints.

Attack pattern: Cache-busting attacks using manipulated query parameters.
Type: Bot + DDoS
Protection: Exclude non-essential query parameters from cache keys. Normalize and restrict query parameters at the application level. Advanced Security: Bot Management detects and blocks automated cache-busting traffic.

Attack pattern: SQL injection or cross-site scripting (XSS) attempts.
Type: WAF
Protection: The included WAF service blocks these threats automatically using managed security rules.
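The cache-busting row above recommends excluding non-essential query parameters from the cache key and restricting unknown parameters at the application level. The following is an added example (not Adobe's or Fastly's code) of that normalization; the allowlist of storefront parameters and the sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist: only parameters that change the rendered page belong in the
# cache key. Everything else (tracking tags, random cache-busters) is dropped.
CACHE_KEY_PARAMS = frozenset({"id", "p", "product_list_order", "product_list_dir"})

# Constructed limit: a request carrying more than this many unknown parameters is
# treated as manipulated and refused at the application layer instead of cached.
MAX_UNKNOWN_PARAMS = 2


def normalized_cache_key(url, allowed=CACHE_KEY_PARAMS):
    """Return a path plus only the allowlisted query parameters, sorted, so that
    variants differing in ignored parameters collapse to one cache entry."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = sorted((k, v) for k, v in pairs if k in allowed)
    return urlunsplit(("", "", parts.path, urlencode(kept), ""))


def unknown_params(url, allowed=CACHE_KEY_PARAMS):
    """List the parameter names on the request that are not in the allowlist."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k not in allowed})


def is_acceptable(url, allowed=CACHE_KEY_PARAMS, limit=MAX_UNKNOWN_PARAMS):
    """Restrict rather than normalize: refuse requests padded with many unknown
    parameters, which is the shape of an origin-exhaustion attempt."""
    return len(unknown_params(url, allowed)) <= limit


if __name__ == "__main__":
    # Constructed sample requests: the same category page with different junk appended.
    samples = [
        "/catalog/category/view?id=12&p=2",
        "/catalog/category/view?utm_source=mail&id=12&cb=48213&p=2",
        "/catalog/category/view?p=2&id=12&a=1&b=2&c=3&d=4",
    ]
    for s in samples:
        print(normalized_cache_key(s), is_acceptable(s))
```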

WAF blocking behavior

The following WAF behavior applies to all Adobe Commerce on Cloud Infrastructure projects, regardless of whether Advanced Security is enabled. The included WAF service uses the following blocking behavior for common attack signals:

  • SQL injection requests are blocked immediately, even for a single matching request.
  • Requests identified with the following threat signals from a known malicious IP are blocked immediately: Backdoor, Attack Tooling, CMDEXE, Log4J JNDI, Traversal, and XSS.
  • Requests from non-malicious IPs that exhibit the above threat signals are blocked when they exceed the following thresholds:
      ◦ 1 minute interval: 50 requests, checked every 20 seconds.
      ◦ 10 minute interval: 350 requests, checked every 3 minutes.
      ◦ 1 hour interval: 1,800 requests, checked every 20 minutes.
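To make the three blocking rules above concrete, here is an added model of the decision logic (written for this page, not Fastly's or Adobe's implementation) run over constructed request events. It assumes events as (timestamp in seconds, client IP, threat signal) tuples, a known-malicious IP set, and the intervals, thresholds and check cadences stated above.

```python
from collections import defaultdict

# (window seconds, request threshold, check cadence seconds), as listed on this page.
THRESHOLD_WINDOWS = ((60, 50, 20), (600, 350, 180), (3600, 1800, 1200))
# Threat signals that block immediately only when the source IP is known malicious.
THREAT_SIGNALS = {"BACKDOOR", "ATTACK_TOOLING", "CMDEXE", "LOG4J_JNDI", "TRAVERSAL", "XSS"}


def evaluate(events, malicious_ips, horizon):
    """Return {ip: (block_time, reason)} with the earliest block decision per IP.
    events: iterable of (ts, ip, signal); signal is "SQLI", one of THREAT_SIGNALS,
    or None for a request that matched nothing. IPs never blocked have no entry."""
    blocked = {}
    flagged = defaultdict(list)  # non-malicious ip -> timestamps of threat-signal hits
    for ts, ip, signal in sorted(events, key=lambda e: e[0]):
        if ip in blocked or signal is None:
            continue
        if signal == "SQLI":
            blocked[ip] = (ts, "SQLI: blocked on first matching request")
        elif signal in THREAT_SIGNALS and ip in malicious_ips:
            blocked[ip] = (ts, f"{signal} from known malicious IP")
        elif signal in THREAT_SIGNALS:
            flagged[ip].append(ts)
    # Periodic checks: at every cadence tick, count hits inside the trailing window.
    for ip, stamps in flagged.items():
        candidates = []
        for window, limit, cadence in THRESHOLD_WINDOWS:
            for tick in range(cadence, horizon + 1, cadence):
                hits = sum(1 for t in stamps if tick - window < t <= tick)
                if hits > limit:
                    candidates.append((tick, f"{hits} threat hits in {window}s exceeds {limit}"))
                    break
        if candidates and (ip not in blocked or min(candidates)[0] < blocked[ip][0]):
            blocked[ip] = min(candidates)
    return blocked


# Constructed sample traffic using documentation address ranges.
MALICIOUS_IPS = {"203.0.113.10"}
SAMPLE_EVENTS = (
    [(5, "203.0.113.10", "TRAVERSAL"), (30, "192.0.2.3", "SQLI")]
    + [(t, "198.51.100.7", "XSS") for t in range(1, 56)]   # 55 hits in the first minute
    + [(t, "198.51.100.8", "XSS") for t in range(1, 41)]   # 40 hits: under every threshold
    + [(50, "198.51.100.8", None)]
)

if __name__ == "__main__":
    for ip, (ts, why) in sorted(evaluate(SAMPLE_EVENTS, MALICIOUS_IPS, 3600).items()):
        print(f"{ip} blocked at t={ts}s: {why}")
```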

Request Advanced Security

NOTE
Advanced Security is available at an additional cost and requires an active Adobe Commerce on Cloud Infrastructure (PaaS) subscription.

To request Advanced Security:

  1. Contact your Adobe Account team or Adobe Sales representative to discuss Advanced Security for your project.

  2. After purchasing Advanced Security, submit an Adobe Commerce Support ticket requesting Advanced Security enablement. Include your Adobe Commerce on Cloud Infrastructure project ID and the environments requiring enablement (for example, Production and Staging).

  3. Adobe activates Advanced Security on your Fastly service and configures the initial protection policies. Enablement is usually completed within a few business days of ticket submission.

  4. You receive confirmation that Advanced Security is active, along with details about the protections enabled for your environments.

NOTE
Configuration changes to Advanced Security currently require submitting a support ticket. Self-service configuration through the Admin UI is planned for a future release.

Limitations

Advanced Security provides edge-layer storefront protection. The following capabilities are not available and are best addressed with complementary solutions:

  • Transaction-level fraud scoring—Advanced Security does not evaluate individual payment transactions for fraud risk. Use a dedicated fraud prevention platform for transaction-level scoring.
  • Identity and access management (IAM)—Advanced Security does not manage user authentication, authorization, or session management. These remain customer responsibilities.
  • Static and dynamic application security testing (SAST/DAST)—Advanced Security does not include code-level vulnerability scanning or penetration testing.
  • API security—While Advanced Rate Limiting can protect API endpoints from abuse, comprehensive API security features such as schema validation and API gateway management are not provided.
  • Full fraud prevention—Advanced Security focuses on edge-layer storefront protection and is not a complete fraud management platform.
  • Compliance tooling—Advanced Security does not provide PCI scanning, SOC compliance reporting, or regulatory audit capabilities.