# DDactic

> Automated DDoS resilience testing for CISOs whose CDN/WAF stack has never actually been validated under attack. DDactic discovers the public attack surface your DDoS protection is supposed to cover, simulates L3-L7 attacks from a 23+ provider multi-cloud bot fleet, and produces vendor-specific hardening commands validated by stage-reprobe after the client applies them. Built for security teams that already own Cloudflare, Akamai, Imperva, AWS Shield, or Radware and need an independent, attacker's-perspective check, not another paper questionnaire. The differentiating capability is real bot-detection bypass research (25 vendors fingerprinted) and protection-group-aware testing that maps which subdomains share fate with which origin.

## Product

- [Free Attack Surface Scan](https://ddactic.net/free-scan): Passive recon, exposed origins, third-party SDK leaks, breach correlations. No auth, no install.
- [DDoS Readiness Quiz](https://ddactic.net/readiness-quiz): 2-minute self-assessment that produces an OPI score and a ranked test plan.
- [OPI Score (Open Protection Index)](https://ddactic.net/opi): Apache 2.0 open standard for grading external DDoS posture across discovery, validation, and hardening.
- [ROI Calculator](https://ddactic.net/roi-calculator): Compares DDactic continuous testing against a single incident's downtime cost.
- [Footprint Calculator](https://ddactic.net/footprint-calculator): Estimates your real exposed surface from one apex domain.
- [Protection Analysis](https://ddactic.net/protection-analysis): Inferred CDN/WAF/scrubbing topology per asset, with shared-fate clustering.
- [Attack Simulator](https://ddactic.net/attack-simulator): Browser-side preview of attack vectors before authorized live testing.
- [Live DDoS Challenge](https://challenge.ddactic.net): Public attack invitation against a hardened DDactic-protected target.
- [Pricing](https://ddactic.net/pricing): Founding Design Partner tier (first 5 customers, 90% off, deadline 2026-04-30) and standard tiers.
- [Solutions](https://ddactic.net/solutions): Industry-specific framings (FinTech, Insurance, Gaming, Healthcare).

## Research

- [Bot Detection Reverse Engineering — 20 Vendors](https://ddactic.net/blog/BLOG_POST_BOT_DETECTION_RE): JS sensor RE notes for Cloudflare, Akamai, Imperva, DataDome, PerimeterX, Distil, F5 Shape, Arkose, hCaptcha, GeeTest, and 10 more.
- [The JA3 Myth](https://ddactic.net/blog/BLOG_POST_JA3_MYTH): Why JA3 alone is insufficient and how cross-layer (TCP + JA3 + HTTP/2 SETTINGS + UA) consistency catches bots that JA3-only misses.
- [The gRPC Blind Spot](https://ddactic.net/blog/BLOG_POST_GRPC_BLIND_SPOT): Bot-management vendors fall back to weaker stacks for non-browser API traffic; gRPC is largely unprotected.
- [DDoS Anatomy](https://ddactic.net/ddos-anatomy): 233 attack mechanisms across 23 protocol families, mapped to CVE / design-vector / technique categories.
- [HTTP/2 Fingerprinting](https://ddactic.net/blog/BLOG_POST_HTTP_FINGERPRINT): SETTINGS frames, pseudo-header order, and window updates as bot-detection signals.
- [DNS Fingerprinting](https://ddactic.net/blog/BLOG_POST_DNS_FINGERPRINT): Resolver fingerprints and DNS-layer detection.
- [Mobile API Attack Surface](https://ddactic.net/blog/BLOG_POST_MOBILE_API): Android/iOS SDK traffic interception, cert pinning bypass, and OkHttp/URLSession fingerprint baselines.
- [CDN Bypass Techniques](https://ddactic.net/blog/BLOG_POST_CDN_BYPASS): How attackers find origin IPs that the CDN was supposed to hide.
- [Origin Discovery Methods](https://ddactic.net/blog/BLOG_POST_ORIGIN_DISCOVERY): 22+ techniques to surface unprotected origins.
- [Tunnel Protocols & DDoS](https://ddactic.net/blog/BLOG_POST_TUNNEL_PROTOCOLS): GRE, IPIP, WireGuard amplification and abuse vectors.
- [Rate Limit Baseline Methodology](https://ddactic.net/blog/BLOG_POST_RATE_LIMIT_BASELINE): Why every rate limit needs a traffic baseline before tuning.
- [Attack Complexity Scoring](https://ddactic.net/blog/BLOG_POST_ATTACK_COMPLEXITY): 1-10 complexity rubric for DDoS test plan prioritization.
- [Multi-Cloud Bot Fleet](https://ddactic.net/blog/BLOG_POST_MULTICLOUD_FLEET): How DDactic deploys across 23+ providers for realistic geographic and ASN diversity.
- [Recon Pipeline](https://ddactic.net/blog/BLOG_POST_RECON_PIPELINE): The 9 intelligence sources and how they're stitched together.
- [Full Pipeline Walkthrough](https://ddactic.net/blog/BLOG_POST_FULL_PIPELINE): End-to-end discover → simulate → harden → re-validate flow.
- [Cloud vs On-Prem WAF](https://ddactic.net/blog/BLOG_POST_CLOUD_VS_ONPREM_WAF): When each is the right choice and how to test each.
- [Breach Intelligence Correlation](https://ddactic.net/blog/BLOG_POST_BREACH_INTEL): HIBP, DeHashed, LeakCheck, LeakIX, Hudson Rock infostealer feeds and how they cross-reference exposed assets.
- [API DDoS Patterns](https://ddactic.net/blog/BLOG_POST_API_DDOS): Application-layer abuse against JSON/REST/gRPC endpoints.
- [WAF Configuration Pitfalls](https://ddactic.net/blog/BLOG_POST_WAF_CONFIG): Common misconfigurations in Cloudflare, AWS WAF, Imperva.
- [OPI Introduction](https://ddactic.net/blog/BLOG_POST_OPI_INTRODUCTION): Why we built an open protection index.
- [OPI Benchmarks](https://ddactic.net/blog/BLOG_POST_OPI_BENCHMARKS): Cross-industry baseline OPI scores from public scans.
- [Self-Scan Findings](https://ddactic.net/blog/BLOG_POST_SELF_SCAN): What DDactic's own external surface looked like before we hardened it.
- [Incident Response Automation](https://ddactic.net/blog/incident-response-automation): Auto-response pipeline behind the public DDoS challenge.
- [DDoS Cost Analysis](https://ddactic.net/blog/BLOG_POST_DDOS_COST): Real downtime cost figures by industry.
- [DDoS Insights](https://ddactic.net/blog/BLOG_POST_DDOS_INSIGHTS): Field notes from hands-on resilience work.

## Comparisons

- [DDactic vs MazeBolt](https://ddactic.net/mazebolt-alternative): Continuous automated testing without the consulting engagement.
- [Compare Tools](https://ddactic.net/compare-tools): DDactic vs MazeBolt, Red Button, RedWolf, NimbusDDoS, k6, Pentera.
- [DORA DDoS Testing](https://ddactic.net/dora-ddos-testing): EU DORA regulatory mapping for financial-services DDoS testing requirements.

## Documents

- [Whitepaper](https://ddactic.net/WHITEPAPER/)
- [Pitch Deck](https://ddactic.net/pitch-deck.html)
- [One-Pager](https://ddactic.net/ONE_PAGER)
- [Case Study (ACME)](https://ddactic.net/CASE_STUDY_ACME)
- [Architecture](https://ddactic.net/architecture)
- [Technical Deep Dive](https://ddactic.net/technical-deep-dive)
- [Protocol Stack Coverage](https://ddactic.net/protocol-stack)
- [Simulation Methodology](https://ddactic.net/simulation)
- [Product Tour](https://ddactic.net/product-tour)
- [API Docs](https://ddactic.net/api-docs)
- [FAQ](https://ddactic.net/faq)

## Optional

- [About / Founder](https://ddactic.net/about): Stav David, DDoS-resilience engineer with 4 years in the field.
- [Contact](https://ddactic.net/contact)
- [Email](mailto:contact@ddactic.net)
- [LinkedIn (Company)](https://www.linkedin.com/company/ddactic)
- [GitHub Org](https://github.com/DDactic): OPI Calculator and other open-source research.
- [Price List (detailed)](https://ddactic.net/PRICE_LIST)
- [Authorization to Test](https://ddactic.net/RESPONSIBLE_TESTING_GUIDELINES): Signed ATT, kill-switch, controlled IP ranges.
- [Responsible Testing Guidelines](https://ddactic.net/RESPONSIBLE_TESTING_GUIDELINES)
- [Privacy Policy](https://ddactic.net/PRIVACY_POLICY)
- [Terms of Use](https://ddactic.net/TERMS_OF_USE)
- [Safety Policy](https://ddactic.net/SAFETY_POLICY)
- [Cookie Policy](https://ddactic.net/COOKIE_POLICY)
- [llms-full.txt](https://ddactic.net/llms-full.txt): Full-text index of every public page.