Blog

    Three months of Bunny Shield: a look at what we’ve launched, learned, and just introduced

    Posted by:
    Joe Connolly

    Joe Connolly

    Wall clock

    August 5, 2025

    Three months ago, we launched Bunny Shield with one mission: to make serious, scalable security something every builder could rely on, without needing a security team, an enterprise budget, or a sales call.

    Since then, Bunny Shield has quietly helped defend thousands of websites and APIs around the world. It stops zero-day exploits before they hit production. It absorbs targeted DDoS floods at the edge. It’s been doing exactly what it was built to do: keeping things fast, online, and secure without missing a hop.

    Over the past few months, we’ve listened closely, shipped fast, and learned a lot. Today, we’re excited to share what we’ve built so far, what we’ve seen across the network, and where Bunny Shield is heading next.

    Expanding the Shield

    Since launch, Bunny Shield has been evolving quickly, shaped by what we’ve seen in the wild and what you’ve told us you need.

    Modern threats don’t wait, and without strong defenses in place, it’s easier than ever for bots, scrapers, and attackers to slip through the cracks. That’s why we’ve focused on building smarter protection that doesn’t just react, but actively defends your services before issues escalate.

    We’ve added powerful new capabilities that make Bunny Shield more flexible, more adaptive, and more effective at stopping threats in real time. This includes more intelligent automation filtering and better traffic control. Two of the most requested features, Bot Detection and Access Lists, are now live and available to use today.

    Smarter defense against modern bots

    Bots are getting smarter. They rotate IPs, mimic browsers, and attack quietly enough to pass as real users. Traditional filters aren’t enough anymore.

    Our new Bot Detection system is now available on the Advanced, Business, and Enterprise plans. It analyzes behavior, fingerprints traffic patterns, and uses real-time IP reputation to identify and stop malicious bots at the edge.

    It’s built directly into the edge and works out of the box to analyze and mitigate threats in real time. It filters out the noise quietly, while letting your real users flow through without friction.

    Take control with Access Lists

    Modern attacks don’t come from a handful of bad IPs anymore. They arrive from rotating proxy networks, autonomous systems (ASNs), and botnets that span dozens of countries. Static blocklists can’t keep up, and overly broad filters risk blocking real users.

    Access Lists put you in control. Instead of relying on static blocklists or generic filters, you decide exactly who gets through, and who doesn’t. You can allow, block, challenge, or log traffic based on IP addresses (IPs), IP ranges (CIDRs), autonomous systems (ASNs), or entire countries. Every rule is enforced instantly at the edge, with no additional latency or configuration overhead. And with curated threat feeds available on the Advanced, Business, and Enterprise plans, Bunny Shield adapts automatically to fast-moving threats, without needing constant upkeep.

    Plans that scale with you

    To support the new features we’ve introduced, and the evolving needs of the teams using them, we’ve also reimagined how Bunny Shield is structured and scaled. This update is shaped by your feedback and built to give you more room to grow, with transparency at the core.

    Introducing the Business plan

    Between the flexibility of the Advanced plan and the scale of Enterprise, we heard a clear message from growing teams: you needed something in between. A plan with room for real-world traffic, support for advanced features like Complex Bot Detection, and the ability to scale without committing to Enterprise.

    That’s why we’ve introduced the new Business plan, designed for teams moving fast, facing bigger challenges, and needing protection that can keep up.

    Business – $99/month

    • 25 global rate limiting rules
    • 25 custom WAF rules with full RegEx support
    • 250 million clean requests per month
    • Overage pricing at $0.60 per million requests
    • Complex Bot Detection
    • 15 curated threat access lists
    • 10 custom Access Lists with 15,000 unique allowed entries
    • Increased request body inspection limits
    • Unlocks expanded usage and feature depth for upcoming API Guardian

    It’s a straightforward plan for projects that have moved beyond the early stages, not quite ready for Enterprise, but already hopping into serious scale.

    Clear limits, same promise

    Since launch, Bunny Shield has operated under a fair usage policy for all plans. It helped us maintain performance and stability across our network while supporting everything from small personal sites to large-scale platforms.

    But over the past few months, we heard a recurring theme in user feedback:

    To address this uncertainty and give users more confidence, we’re now making things clear and measurable. We’ve introduced transparent, published clean request limits for every Bunny Shield plan.

    These are not new restrictions. They reflect the same fair usage model we've always followed, now with visible numbers instead of guesswork. These limits will appear directly in your Shield Overview page soon, so you can plan with confidence.

    We didn’t pull these numbers out of thin air. Instead, we carefully reviewed usage across our entire customer base and set thresholds that align with real-world behavior. Today, more than 99% of websites fall comfortably within their included limits without any additional cost.

    Just as before, only clean requests count towards usage. Anything blocked by Bunny Shield, whether by WAF rules, rate limiting, DDoS mitigation, Access Lists, or Bot Detection, will not count against your limits.

    This continues our mission to bring powerful, scalable security within reach of every team, without surprise costs or hidden limits.

    Plan usage at a glance

    Basic – Free

    • 25 million clean requests per month
    • Overages charged at $0.70 per million requests

    Advanced – $9.50/month

    • 50 million clean requests per month
    • Overages charged at $0.65 per million requests

    Business – $99/month

    • 250 million clean requests per month
    • Overages charged at $0.60 per million requests

    Enterprise – Contact Sales

    These limits will be visible in your dashboard soon. We won’t begin billing for any overages until September 1, 2025, giving you plenty of time to adjust and plan ahead without any surprises.

    These limits don’t change how Bunny Shield protects you. They simply make it easier to understand what you’re getting. No guesswork. No uncertainty. Just fair, predictable usage you can rely on.

    Observations from the edge

    You’ve seen what we’ve built. Now here’s what Bunny Shield has been up against.

    In just three months, Bunny Shield has processed more than 9.7 billion requests across thousands of websites, APIs, and services. Scrapers have probed, bots have stuffed credentials, and attackers have launched floods and application-layer assaults. Bunny Shield has stood firm against them all.

    Here’s what that looks like at the edge:

    • Bot Detection
      • 82.9 million requests challenged
      • 114.6 million logged for suspicious behavior
    • DDoS Attacks
      • 822.6 million requests challenged
      • 11.9 million actively blocked
      • 56.4 million logged for anomaly detection
    • WAF Rules
      • 35.3 million requests blocked by custom or managed WAF rules
      • 561.6 million logged for insights and rule tuning

    Accuracy is just as important as protection. That’s why we’re continually improving our WAF profiles to reduce false positives without weakening security. Bunny Shield supports a wide range of websites and applications, so every WAF rule is built with flexibility in mind.

    We’ve also designed the onboarding flow to minimize friction. WAF rules default to Learning Mode for the first 7 days, running in a safe logging-only state to help surface potential issues before enforcement begins. Combined with AI-powered rule insights, Bunny Shield can recommend disabling specific rules that may not be relevant to your setup, helping you fine-tune your protections with confidence.

    These threats are becoming more subtle, more distributed, and more persistent. Bunny Shield is designed to detect and mitigate them in real time, without slowing down your users or adding unnecessary complexity to your infrastructure.

    What’s coming next

    The past few months have been about building the foundation, bringing Bunny Shield from a powerful idea to a trusted part of your stack. But security doesn’t sit still, and neither do we.

    As attacks continue to evolve, we’re expanding what Bunny Shield can do to protect modern applications, APIs, and user-generated content. Here’s a look at what’s on the way.

    API Guardian

    APIs are a growing target for abuse, fraud, and automated attacks. API Guardian adds schema-aware request inspection, authorization header validation, and early support for AI-specific protections through our AI Security Suite, designed to detect prompt injection and enforce custom guardrails at the edge.

    Upload scanning

    File uploads are a common entry point for malware and abusive content. Bunny Shield will soon support real-time scanning at the edge, detecting and blocking threats like malware or CSAM before they reach your infrastructure.

    Like everything in Bunny Shield, these features will be easy to manage from your dashboard and built to work hand-in-paw with your existing protections. No extra setup, just more ways to stay safe.

    Looking ahead

    Launching Bunny Shield was just the beginning. Since then, we’ve focused on refining the experience, listening to feedback, and delivering protection that works out of the box in real-world environments.

    As we expand Bunny Shield’s capabilities, we’re also preparing for general availability (GA) later this year. That means continuing to improve the user experience, making Shield easier to navigate, increasing visibility into attacks and ongoing threats, eliminating false positives, and ensuring the stability to support growth at any scale with protection that just works.

    Whether you’re protecting your first project or securing a global platform, Bunny Shield is built to grow with you. It adapts to new threats, scales with your traffic, and stays out of your way.

    Thanks to everyone who’s joined us so far. Your feedback continues to shape what comes next.

    Hop in and get protected

    If you’re already using Bunny Shield or just getting started, it’s easy to hop into stronger protection today.

    Here’s how to get going:

    • Log in or sign up on bunny.net, and open one of your Pull Zones.
    • Navigate to the Shield tab.
    • Enable Bot Detection, configure Access Lists, and take full control with built-in DDoS mitigation, WAF protection, and global rate limiting.

    Usage limits will be visible soon, and if you need more room to grow, the new Business plan is ready when you are.

    Built for real threats. Ready for whatever hops in next.