Merged
36 changes: 36 additions & 0 deletions docs/use-cases/account-takeover.md
@@ -0,0 +1,36 @@
# Account Takeover

Account takeover (ATO) is a type of identity theft where an attacker gains unauthorized access to a user's account.

This can lead to various malicious activities, such as stealing personal information, making unauthorized transactions, or using the account for further attacks. ATO attacks often occur through methods like phishing, credential stuffing, or brute force attacks.

## Preventing ATO even if the user's credentials are compromised

You can implement additional layers of security beyond just relying on passwords. You may add multi-factor authentication (MFA), which requires users to provide an additional form of verification (like a code sent to their phone) in addition to their password. This can significantly reduce the risk of account takeover, as it adds an extra barrier for attackers.

But what if MFA is not an option for your users, or if you are concerned with the increased friction that MFA can cause for legitimate users? In that case, you can implement a **Risk-Based Authentication** (RBA) approach.

With Risk-Based Authentication you require additional verification only for requests that are deemed risky. This way, you can protect against account takeover while still allowing legitimate users to access their accounts without unnecessary friction.

[Risk Intelligence](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) is a product that allows you to implement risk-based authentication in a matter of hours instead of weeks.

Friendly Captcha assesses the visitor, sharing risk scores and information about the browsing session with your backend, so you can make informed decisions about how to handle requests.

You could for example have a policy where you require MFA for requests that have a high risk score, but allow requests with a low risk score to proceed without additional verification.

Alternatively you can store information about the user's previous browsing sessions, and if a request comes in that deviates significantly from the user's normal behavior (e.g. a login attempt from a new device or location), you can require additional verification for that request.
Contributor
That sounds interesting. Perhaps this anomaly detection approach deserves its own sub-section and/or an additional short explanation.


<p align="center">
<img src="/mockups/risk-auth-email.png" alt="Example of a Risk-Based Authentication verification email" />
</p>
<p align="center">
<em>Example verification email shown for a risky login attempt from a new location.</em>
</p>

## Passive monitoring for account takeover
Even if you don't want to implement risk-based authentication, you can still use Risk Intelligence for passive monitoring of account takeover attempts. By logging signals associated with critical user interactions, you can analyze patterns of behavior and identify potential security threats. For example, you might notice a spike in high-risk scores from a particular network, geographic region or device type, which could indicate a coordinated attack. You can feed this data into your SIEM (Security Information Event Management) system to correlate it with other security events.
Contributor
Data integration into SIEM systems has already been specifically requested by our first enterprise customers. So it’s an exciting opportunity to write a tutorial in the future and link to it from here.


## Gettings Started
To learn more about risk-based authentication in general, the [riskbasedauthentication.org](https://riskbasedauthentication.org/) website is a great resource.

To get started with implementing risk-based authentication using Friendly Captcha's Risk Intelligence, you can follow our [Getting Started](https://developer.friendlycaptcha.com/docs/v2/getting-started/) guide to set this up.
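Review bot: in the "Preventing ATO even if the user's credentials are compromised" section the text offers risk-based authentication for the case where "MFA is not an option", but the step-up it then describes (MFA for high-risk scores, and the mocked-up verification email for a risky login from a new location) is itself a second factor, so the section should say that RBA decides when to demand the extra verification rather than implying it removes the need for one. An email step-up also only holds while the attacker does not control the mailbox, which deserves one sentence since the mailbox is the usual first target in an ATO chain. The paragraph beginning "Alternatively you can store information about the user's previous browsing sessions" is the anomaly-detection idea the inline comment asks to expand; it should at least state what is compared (device, location) and that the stored session data needs a retention policy, since it is personal data. Smaller points: the heading "Gettings Started" is a typo; "SIEM (Security Information Event Management)" should read "Security Information and Event Management"; the image path /mockups/risk-auth-email.png must exist under the site's static directory, and no such file appears in this diff.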
25 changes: 25 additions & 0 deletions docs/use-cases/api-protection.md
@@ -0,0 +1,25 @@
# API Protection

Your websites and apps likely rely on APIs to function. These APIs are vulnerable to abuse and attacks, which can lead to data breaches, service disruptions, and other security issues.

While your APIs are intended for use by your users, an attacker may try to exploit them for malicious purposes. For example, they might use your API to scrape data, perform denial-of-service (DoS) attacks, or automate fraudulent activities.

Friendly Captcha helps prevent abuse and attacks on your APIs by adding a layer of protection that can distinguish between legitimate users and malicious actors. This makes attacks more difficult and costly for attackers, while allowing legitimate users to access your services without friction.

## How can Friendly Captcha protect your APIs?
Friendly Captcha's challenge (the widget) is great for protecting forms and other user interactions on your website or app. But what about protecting your APIs, which may not have a user interface?

[**Risk Intelligence**](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) is a product we launched in 2026 that allows you to protect API endpoints that happen entirely in the background. Friendly Captcha assesses the visitor, sharing risk scores and signals with your backend, so you can make informed decisions about how to handle requests.

For example, you might choose to block requests that have a high risk score, you may rate limit them more aggressively, or you might require additional verification for those requests. This way, you can protect your APIs from abuse while still allowing legitimate users to access your services.

## What about machine-to-machine communication?
Friendly Captcha's Risk Intelligence is designed to protect APIs that are accessed by users.

You can assess the risk of machine-to-machine (M2M) communication based on the IP address of the request.

We launched the [**IP Trust**](https://iptrust.co/) product to help with this usecase. That service allows you to look up information about an IP address, such as whether it's a known proxy or VPN, its geolocation, and more. This can help you make informed decisions about how to handle requests from that IP address.

Other than most competitors, IP Trust offers a downloadable database, which means you can use it to protect M2M communication without needing to make an API call for each request. This can be especially useful for high-volume APIs where making an API call for each request would be impractical, or if you are concerned about the privacy implications of sharing your users' IP addresses with a third party.


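Review bot: the "How can Friendly Captcha protect your APIs?" section never says how the risk assessment reaches the backend for an endpoint "which may not have a user interface", and that is the one integration step a reader of this page needs; if the client-side SDK produces a token that the app attaches to its API requests and the server verifies, say so, and add that a request arriving without a valid assessment must be treated as high risk rather than as unassessed, otherwise a bot simply omits it. In the M2M section, IP reputation is a signal, not authentication: state that machine clients still need to be authenticated (API keys, mTLS) and that IP Trust complements that rather than replacing it. Wording: "a product we launched in 2026" hard-codes a date that will age and should be checked against the actual launch; "API endpoints that happen entirely in the background" should be "API calls that happen entirely in the background"; "Other than most competitors" should be "Unlike most competitors"; "usecase" should be "use case".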
12 changes: 12 additions & 0 deletions docs/use-cases/credential-stuffing.md
@@ -0,0 +1,12 @@
# Credential Stuffing

Credential stuffing is a cyberattack technique where attackers use automated tools to try large numbers of username and password combinations, often obtained from previous data breaches, to gain unauthorized access to user accounts. The goal is to exploit the fact that many people reuse passwords across multiple sites, allowing attackers to compromise accounts on various platforms using the same credentials.

This attack involves the use of bots to rapidly test these credentials against a target website or application, much like in a [brute force attack](./brute-force-attacks.md). However, credential stuffing specifically relies on the use of stolen credentials, rather than trying every possible combination of characters.

The first line of defense against credential stuffing is to encourage users to use unique, strong passwords for each of their accounts. However, even with strong password policies in place, attackers can still succeed if users reuse passwords or if they have access to a large number of stolen credentials.

Friendly Captcha can help protect against credential stuffing attacks by adding an additional layer of security to your login forms. Friendly Captcha looks at various signals from the user's browsing session to determine the likelihood of a request being malicious. If it detects suspicious activity, the user has to solve a computationally expensive challenge which makes the attack more costly and time-consuming for the attacker, while still allowing legitimate users to access their accounts without friction.

## Getting started
To protect your login forms against credential stuffing attacks, you can integrate Friendly Captcha into your authentication flow. This involves adding the Friendly Captcha widget to your login form and configuring it to work with your backend. You can follow our [Getting Started](https://developer.friendlycaptcha.com/docs/v2/getting-started/) guide to set this up.
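Review bot: the paragraph "The first line of defense against credential stuffing is to encourage users to use unique, strong passwords" puts the burden on users and then ends circularly ("attackers can still succeed ... if they have access to a large number of stolen credentials" is the definition of the attack given two paragraphs earlier); the server-side controls that actually complement the captcha belong here, such as rejecting passwords found in known-breach lists (NIST SP 800-63B recommends this), per-account and per-source rate limiting, and MFA. The last paragraph says "the user has to solve a computationally expensive challenge" while every other page in this PR says the user's device solves it; keep that wording consistent. Since account-takeover.md is added in the same PR and credential stuffing is its main entry vector, the two pages should cross-link the way this one links to brute-force-attacks.md.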
17 changes: 17 additions & 0 deletions docs/use-cases/fake-accounts.md
@@ -0,0 +1,17 @@
# Fake Accounts

Fake accounts are a common problem on platforms, and they can be used for a variety of malicious purposes, such as spreading misinformation, harassing other users, engaging in fraudulent activities, or abusing your service otherwise. These accounts are often created using automated bots, which can quickly generate large numbers of fake accounts to overwhelm a platform.

Friendly Captcha helps protect your platform from fake accounts by adding a layer of security that can distinguish between legitimate users and automated bots. This makes it more difficult and costly for attackers to create fake accounts, while allowing legitimate users to access your services without friction.

## How can Friendly Captcha protect against fake accounts?

When a user attempts to create an account on your platform, you can integrate the Friendly Captcha widget into your registration form. When the user interacts with the form, Friendly Captcha assesses the visitor and gathers signals from their browsing session. If it detects suspicious activity that is indicative of a bot, it will require the user's device to solve a computationally expensive challenge. This adds a significant cost to carrying out fake account creation attacks, as automated bots will struggle to solve the challenges at scale. Meanwhile, legitimate users will typically be able to solve the challenges quickly, allowing them to access your services without unnecessary friction.

## What about human attackers?
While Friendly Captcha is effective at blocking automated bots, it may not be able to prevent fake accounts that are created by human attackers. While these users may be slowed down by the challenge, they can still potentially create fake accounts.

To prevent such fake accounts, you can use our [Risk Intelligence](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) product, which provides you with risk scores and signals about the browsing session. This can help you identify potentially malicious users and take additional actions against them, such as flagging their accounts for review or requiring additional verification for their accounts. You can enrich the account creation process with the signals provided by Risk Intelligence, such as the user's IP address, device information, and behavior patterns, to make informed decisions about whether to allow account creation, implement additional security checks, and monitor suspicious accounts.

## Getting started
To get started with protecting your platform from fake accounts using Friendly Captcha, you can follow our [Getting Started](https://developer.friendlycaptcha.com/docs/v2/getting-started/) guide to install the widget on your signup form.
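Review bot: "automated bots will struggle to solve the challenges at scale" overstates what a proof-of-work challenge does; it raises the per-account cost linearly, so a well-funded attacker can still mass-register, and the page's own earlier framing ("more difficult and costly") is the accurate one. The "What about human attackers?" paragraph lists "the user's IP address, device information, and behavior patterns" as Risk Intelligence signals; if the product returns raw device information to the integrator, the page should say how long it may be retained, since it is personal data tied to a signup, and if it only returns scores and derived signals, the sentence should say that instead. The final sentence of that paragraph runs three clauses together and reads better split after "Risk Intelligence".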
13 changes: 13 additions & 0 deletions docs/use-cases/payment-fraud.md
@@ -0,0 +1,13 @@
# Payment Fraud

Payment fraud is a significant concern for businesses and consumers alike. It involves unauthorized transactions, identity theft, and various schemes that can lead to financial losses. To combat payment fraud, organizations can implement several strategies:
* Implementing strong authentication methods, such as multi-factor authentication (MFA), to verify the identity of users before allowing transactions.
* Using machine learning algorithms to analyze transaction patterns and identify potentially fraudulent activities.
* Implementing real-time monitoring and alerts to quickly detect and respond to suspicious transactions.

Friendly Captcha can help protect against payment fraud in two ways:
1. The Friendly Captcha widget can be integrated into your payment forms to add an additional layer of security. When a user interacts with the form, Friendly Captcha assesses the visitor and gathers signals from their browsing session. If it detects suspicious activity that is indicative of a bot, it will require the user's device to solve a computationally expensive challenge. This makes it more difficult and costly for attackers to carry out automated attacks on your payment forms, while still allowing legitimate users to access your services without friction.
2. You can use our [Risk Intelligence](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) product to feed our risk scores and signals into your existing fraud detection systems. This can help you identify potentially fraudulent transactions and take additional actions against them, such as flagging them for review or requiring additional verification for those transactions.
Contributor
In a future version, we could expand on this or add a tutorial.


## Getting started
To get started with protecting your payment forms from fraud using Friendly Captcha, you can follow our [Getting Started](https://developer.friendlycaptcha.com/docs/v2/getting-started/) guide to install the widget on your payment forms. Additionally, you can explore our [Risk Intelligence](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) product to enhance your ability to identify and mitigate fraudulent transactions.
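Review bot: the automated attack the widget actually stops on a payment form is card testing (bots pushing large batches of stolen card numbers through a checkout to find the live ones), and the page never names it; item 1 reads as generic bot text and would land better if it said so. Item 2 should tell the reader to store the risk score and signals together with the transaction identifier so a later chargeback or manual review can be correlated with the assessment, which is also what the tutorial mentioned in the inline comment would need. Minor: the bullet list after "organizations can implement several strategies:" and the numbered list after "in two ways:" have no blank line before them; CommonMark renders this, but it is inconsistent with the other pages in this PR.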
22 changes: 22 additions & 0 deletions docs/use-cases/spam-protection.md
@@ -0,0 +1,22 @@
g# Spam Protection

Spam is a common problem for websites and apps that allow user-generated content or have a public-facing form. Spammers can use automated bots to flood your site with unwanted content, which can degrade the user experience, damage your reputation, and even lead to security issues.

Friendly Captcha helps protect your site from spam by adding a layer of security that can distinguish between legitimate users and malicious (automated) actors. This makes it more difficult and costly for spammers to abuse your site, while allowing legitimate users to access your services without friction.
Contributor
Does it make sense here to rather highlight our computational challenge/PoW approach?


This challenge is a Proof of Work (PoW) cryptographic puzzle that happens entirely in the background. For an attacker, this challenge will be much more expensive to solve than it is for a legitimate user.

## How does it work?
You [install the Friendly Captcha widget on the forms you want to protect](https://developer.friendlycaptcha.com/docs/v2/getting-started). When a user or bot interacts with the form, Friendly Captcha makes an assessment of the visitor, and depending on the signals it gathers, it may require the user's device to solve a computationally expensive challenge.

This adds a significant cost to carrying out spam attacks, as automated bots will struggle to solve the challenges at scale. Meanwhile, legitimate users will typically be able to solve the challenges quickly, allowing them to access your services without unnecessary friction.

## What about human spammers?
While Friendly Captcha is effective at blocking automated spam bots, it may not be able to prevent spam that is generated by human spammers. While these users may be slowed down by the challenge, they can still potentially submit spam content. To mitigate this, you can implement additional measures such as content moderation, user reporting, or manual review processes to identify and remove spam content that may slip through the automated defenses.

[Risk Intelligence](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) helps with this by providing you with risk scores and signals about the browsing session, which can help you identify potentially malicious users. You can use this information to prioritize content for review or to take additional actions against users who are suspected of spamming.

For example, if you are running a forum that is being targeted by spammers, you could use Risk Intelligence to identify users who are posting spam content and take actions such as temporarily banning them, requiring additional verification for their posts, or flagging their content for review.

## Getting started
To get started with protecting your site from spam using Friendly Captcha, you can follow our [Getting Started](https://developer.friendlycaptcha.com/docs/v2/getting-started/) guide to install the widget on your forms. Additionally, you can explore our [Risk Intelligence](https://developer.friendlycaptcha.com/docs/v2/risk-intelligence/) product to enhance your ability to identify and mitigate spam generated by human spammers.
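Review bot: the first line reads "g# Spam Protection"; the stray "g" turns the H1 into a paragraph beginning with "g#", so the page renders without a title and Docusaurus falls back to the file name for the sidebar label. The paragraph "This challenge is a Proof of Work (PoW) cryptographic puzzle ..." refers to "This challenge" before any challenge has been introduced; it belongs under "How does it work?" after the sentence that mentions the computationally expensive challenge, which also answers the inline question about highlighting the PoW approach. Its second sentence is imprecise as well: one solve costs about the same on the attacker's machine as on a legitimate user's; the asymmetry is that a spammer needs thousands of solves per campaign while a user needs one per submission.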
16 changes: 10 additions & 6 deletions sidebars.js
@@ -31,11 +31,7 @@ const sidebars = {
type: "doc",
id: "getting-started/index",
},
items: [
"getting-started/setup",
"getting-started/install",
"getting-started/verify",
],
items: ["getting-started/setup", "getting-started/install", "getting-started/verify"],
},
{
type: "category",
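Review bot: this hunk is a formatting-only change (the three getting-started items collapsed onto one line) with no relation to the use-case pages the PR adds; if a formatter produced it, say so in the PR description, otherwise keep it out of a content PR so the diff reviews as what its title says.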
@@ -131,7 +127,15 @@ const sidebars = {
slug: "use-cases",
description: "A collection of articles on various uses for Friendly Captcha.",
},
items: ["use-cases/brute-force-attacks"],
items: [
"use-cases/brute-force-attacks",
"use-cases/credential-stuffing",
"use-cases/account-takeover",
"use-cases/payment-fraud",
"use-cases/spam-protection",
"use-cases/api-protection",
"use-cases/fake-accounts",
],
},
{
type: "category",
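Review bot: the order of the new use-case entries is neither alphabetical nor grouped by theme (credential-stuffing, account-takeover and fake-accounts all concern identity; payment-fraud, spam-protection and api-protection concern abuse of a particular surface), and sidebar order is what a reader navigates by; either pick a grouping deliberately or sort alphabetically. The six new ids do match the six files added under docs/use-cases/ in this PR, and credential-stuffing.md's relative link to ./brute-force-attacks.md resolves to the existing entry kept at the top of the list.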