FloodGuard

Your WAF stops bots. But not their $500K SMS pumping scheme.

Fraudsters exploit your OTP flows with premium-rate numbers, farming SMS requests to collect telecom kickbacks. Single attacks cost $50K-$500K. Twitter lost $60M annually. Your WAF doesn't detect this because it doesn't validate phone numbers.

SMS pumping costs your customers $50K-$500K per attack. Twitter lost $60M annually. Your WAF doesn't validate phone numbers.

Get in touch

Our Process

Why WAF Vendors Can't Stop SMS Pumping

WAFs secure the application layer. SMS fraud happens at the telecom layer.

Step 1

What WAFs Detect

Standard web application and network layer threats

Your WAF

Malicious bots

Credential stuffing

DDoS Attacks

SQL Injections & XSS

Rate limiting by IP

Your WAF

Malicious bots

Credential stuffing

DDoS Attacks

SQL Injections & XSS

Rate limiting by IP

Step 2

What WAFs Miss

Telecommunications fraud vectors outside HTTP scope

FloodGuard

Premium-rate phone numbers

Sequential number patterns

Disposable/burners

High risk carriers

Velocity abuse

FloodGuard

Premium-rate phone numbers

Sequential number patterns

Disposable/burners

High risk carriers

Velocity abuse

Step 3

Why the Gap exists?

WAF vendors analyze HTTP traffic - headers, payloads, IP behavior. They don't have

Telecom carrier databases

Identifies 900+ carriers globally, premium-rate prefixes, IRSF risk zones

Historical SMS fraud patterns

Detects sequential number testing (+1, +2, +3...), velocity spikes, geographic anomalies

Global phone reputation data

Real-time scoring: disposable numbers, VoIP lines, recent fraud history across networks

Telecom carrier databases

Identifies 900+ carriers globally, premium-rate prefixes, IRSF risk zones

Historical SMS fraud patterns

Detects sequential number testing (+1, +2, +3...), velocity spikes, geographic anomalies

Global phone reputation data

Real-time scoring: disposable numbers, VoIP lines, recent fraud history across networks

Step 4

How to close the Gap?

One API call before OTP delivery validates phone risk using telecom intelligence

You + FloodGuard

Your clients

You + FloodGuard

Your clients

Case Studies

What are your colleagues saying?

Take a look various WAFs and their use base

"Users are getting OTP SMS and we are incurring SMS costs. Do you have any solution?"
Real customer posted this in Cloudflare's official forum after bots triggered thousands of OTP deliveries. Cloudflare's response? "Try adding a third-party CAPTCHA." Translation: No native solution exists.
Impact :
$0.03-$7 per SMS to premium numbers
$50K-$500K per SMS pumping attack
Zero phone validation in Cloudflare WAF
Cloudflare does not protect their users.
"Bad actors deploy bots to sign up accounts, resulting in significant SMS volume in a short period."
AWS published this blog explicitly acknowledging SMS pumping fraud. But here's the catch: AWS WAF doesn't prevent it. Their solution? Application-layer fixes in Cognito only. No phone validation at WAF level.
Impact :
$6.7B global SMS OTP fraud (2023)
AWS acknowledges problem but no WAF solution
Cognito-only fix leaves other users unprotected
AWS Fraud Control ATP uses breach databases for credentials. It doesn't validate phone numbers or detect carrier fraud.
"I'm not aware of Azure WAF having any of those features."
A customer asked Microsoft directly: "Does Azure WAF prevent account takeover, OTP/SMS fraud protection?" Microsoft's official answer: We don't have this. Try "another product."
Impact :
Customer is un-protected
AWS has ATP, Azure doesn't
70+ Hours Saved/Month
Summary
"Users are getting OTP SMS and we are incurring SMS costs. Do you have any solution?"
Real customer posted this in Cloudflare's official forum after bots triggered thousands of OTP deliveries. Cloudflare's response? "Try adding a third-party CAPTCHA." Translation: No native solution exists.
Impact :
$0.03-$7 per SMS to premium numbers
$50K-$500K per SMS pumping attack
Zero phone validation in Cloudflare WAF
Cloudflare does not protect their users.
"Bad actors deploy bots to sign up accounts, resulting in significant SMS volume in a short period."
AWS published this blog explicitly acknowledging SMS pumping fraud. But here's the catch: AWS WAF doesn't prevent it. Their solution? Application-layer fixes in Cognito only. No phone validation at WAF level.
Impact :
$6.7B global SMS OTP fraud (2023)
AWS acknowledges problem but no WAF solution
Cognito-only fix leaves other users unprotected
AWS Fraud Control ATP uses breach databases for credentials. It doesn't validate phone numbers or detect carrier fraud.
"I'm not aware of Azure WAF having any of those features."
A customer asked Microsoft directly: "Does Azure WAF prevent account takeover, OTP/SMS fraud protection?" Microsoft's official answer: We don't have this. Try "another product."
Impact :
Customer is un-protected
AWS has ATP, Azure doesn't
70+ Hours Saved/Month
Summary
"Users are getting OTP SMS and we are incurring SMS costs. Do you have any solution?"
Real customer posted this in Cloudflare's official forum after bots triggered thousands of OTP deliveries. Cloudflare's response? "Try adding a third-party CAPTCHA." Translation: No native solution exists.
Impact :
$0.03-$7 per SMS to premium numbers
$50K-$500K per SMS pumping attack
Zero phone validation in Cloudflare WAF
Cloudflare does not protect their users.
"Bad actors deploy bots to sign up accounts, resulting in significant SMS volume in a short period."
AWS published this blog explicitly acknowledging SMS pumping fraud. But here's the catch: AWS WAF doesn't prevent it. Their solution? Application-layer fixes in Cognito only. No phone validation at WAF level.
Impact :
$6.7B global SMS OTP fraud (2023)
AWS acknowledges problem but no WAF solution
Cognito-only fix leaves other users unprotected
AWS Fraud Control ATP uses breach databases for credentials. It doesn't validate phone numbers or detect carrier fraud.
"I'm not aware of Azure WAF having any of those features."
A customer asked Microsoft directly: "Does Azure WAF prevent account takeover, OTP/SMS fraud protection?" Microsoft's official answer: We don't have this. Try "another product."
Impact :
Customer is un-protected
AWS has ATP, Azure doesn't
70+ Hours Saved/Month
Summary
"Users are getting OTP SMS and we are incurring SMS costs. Do you have any solution?"
Real customer posted this in Cloudflare's official forum after bots triggered thousands of OTP deliveries. Cloudflare's response? "Try adding a third-party CAPTCHA." Translation: No native solution exists.
Impact :
$0.03-$7 per SMS to premium numbers
$50K-$500K per SMS pumping attack
Zero phone validation in Cloudflare WAF
Cloudflare does not protect their users.
"Bad actors deploy bots to sign up accounts, resulting in significant SMS volume in a short period."
AWS published this blog explicitly acknowledging SMS pumping fraud. But here's the catch: AWS WAF doesn't prevent it. Their solution? Application-layer fixes in Cognito only. No phone validation at WAF level.
Impact :
$6.7B global SMS OTP fraud (2023)
AWS acknowledges problem but no WAF solution
Cognito-only fix leaves other users unprotected
AWS Fraud Control ATP uses breach databases for credentials. It doesn't validate phone numbers or detect carrier fraud.
"I'm not aware of Azure WAF having any of those features."
A customer asked Microsoft directly: "Does Azure WAF prevent account takeover, OTP/SMS fraud protection?" Microsoft's official answer: We don't have this. Try "another product."
Impact :
Customer is un-protected
AWS has ATP, Azure doesn't
70+ Hours Saved/Month
Summary

DRAG TO EXPLORE

"AI-driven forecasting cut inventory waste by 40% for TrailForge"

TrailForge, a suitcase brand, faced stock issues and inefficiencies. Our AI forecasting optimized inventory and production cycles, helping them save costs and deliver faster.

Impact :

40% Less Inventory Waste

35% Faster Production

20% More Accurate Forecasting

Summary

"AI-driven forecasting cut inventory waste by 40% for TrailForge"

TrailForge, a suitcase brand, faced stock issues and inefficiencies. Our AI forecasting optimized inventory and production cycles, helping them save costs and deliver faster.

Impact :

40% Less Inventory Waste

35% Faster Production

20% More Accurate Forecasting

Summary

"Bad actors deploy bots to sign up accounts, resulting in significant SMS volume in a short period."

AWS published this blog explicitly acknowledging SMS pumping fraud. But here's the catch: AWS WAF doesn't prevent it. Their solution? Application-layer fixes in Cognito only. No phone validation at WAF level.

Impact :

$6.7B global SMS OTP fraud (2023)

20% Cost Reduction

$50K-$500K per SMS pumping attack

Cognito-only fix leaves other users unprotected

"Bad actors deploy bots to sign up accounts, resulting in significant SMS volume in a short period."

Impact :

$6.7B global SMS OTP fraud (2023)

20% Cost Reduction

$50K-$500K per SMS pumping attack

Cognito-only fix leaves other users unprotected

"AI integration helped ScaleByte close 3x more deals in less time"

ScaleByte’s sales team struggled with follow-up delays. Our AI sales assistant automated outreach, lead scoring, and CRM updates—resulting in faster responses and more closed deals.

Impact :

3x More Deals

40% Faster Responses

95% Lead Accuracy

Microsoft's fraud tools are scattered across 3 disconnected products. None integrate with Azure WAF.

"AI integration helped ScaleByte close 3x more deals in less time"

ScaleByte’s sales team struggled with follow-up delays. Our AI sales assistant automated outreach, lead scoring, and CRM updates—resulting in faster responses and more closed deals.

Impact :

3x More Deals

40% Faster Responses

95% Lead Accuracy

Microsoft's fraud tools are scattered across 3 disconnected products. None integrate with Azure WAF.

Benefits

Turn Product Gap Into Revenue Stream

Your existing customers. Their SMS pumping pain. Your new offering.

White-Label OEM

Your brand, our technology. Flat licensing or revenue share. Full customization.

White-Label OEM

Your brand, our technology. Flat licensing or revenue share. Full customization.

Technology Partnership

Co-branded solution. Joint GTM. Integrated into your partner program.

Technology Partnership

Co-branded solution. Joint GTM. Integrated into your partner program.

Marketplace Integration

AWS/Azure ISV programs. Transactable offers. Co-sell eligible.

Marketplace Integration

AWS/Azure ISV programs. Transactable offers. Co-sell eligible.

Marketplace Integration

AWS/Azure ISV programs. Transactable offers. Co-sell eligible.

Marketplace Integration

AWS/Azure ISV programs. Transactable offers. Co-sell eligible.

What you get

$0

R&D Investment

0 ML/Fraud Engineers

99%

Accuracy Models

FAQs

We’ve Got the Answers You’re Looking For

Quick answers to your AI automation questions.

How does FloodGuard integrate with our WAF?

What's the API latency impact?

How accurate is SMS pumping fraud detection?

What happens if your API goes down?

Can we test without affecting production traffic?

How does FloodGuard integrate with our WAF?

What's the API latency impact?

How accurate is SMS pumping fraud detection?

What happens if your API goes down?

Can we test without affecting production traffic?

Add FloodGuard to your offering

Book a call and let's talk

Book a free call