I have been writing new SaaS software and I noticed thinking about bots. I can see that Google's reCaptcha or Cloudflare Turnstile are suitable for public, low-risk, consumer sites, but not suitable for sites which expect bots which utilize sophisticated techniques. Why? Because:

- bots are becoming more advanced - email verification is broken i.e. bots can do it too - current captchas are not effective enough

My problems with bots are:

1. Fake registration and login prevention * Accounts used to run fraud or cyber attacks later * Bots hammer login endpoints using leaked passwords

2. Resource consumption * Compute costs (especially with bot army) including APIs * Denial-of-Service for legitimate users

3. Current CAPTCHAs are not cost-effective * Costs 0.50-3.00 USD per 1000 challenges (if accounting all challenges) * Too easy to bypass at scale, ineffective cost-to-benefit ratio

Are you looking to protect your SaaS software against bots too? Do you share my problems?