94% of the Bots, Gone Overnight: How Nostra Edge Protect Saved Marcella NYC's Analytics

Marcella NYC is a premium sustainable women's fashion brand on Shopify Plus, with predictable, healthy traffic patterns. Bots, in normal weeks, sit at around 12 to 13% of human session volume. The ambient background noise every ecommerce store lives with.

In late January, that changed. Anomalous session increases started showing up week over week, with concentrated bursts from countries Marcella doesn't sell to, like Morocco, Puerto Rico, the Dominican Republic, and Germany. Shopify and Google Analytics reporting diverged, a classic fingerprint of automated traffic that doesn't behave like a real browser.

The bot-to-human ratio climbed steadily, from the high teens, to the high 20s, to a stunning 54% by the first week of February. On the single peak day, bots reached roughly 90% of human traffic. The scraping was concentrated on a small set of Canadian collection pages, running continuously across dozens of countries.

Shopify Plus confirmed there was no security breach. hCaptcha was working, checkout was protected, no data was at risk. The damage was everywhere else. Fake sessions were polluting retargeting audiences. Conversion dashboards were diverging from real customer behavior. Geographic reporting had become unreliable. Bandwidth was being consumed by traffic that would never spend a dollar. A bot attack doesn't need to breach security to be expensive.

‍

Marcella's founder escalated on a Saturday. By the following Monday evening, Nostra Edge Protect was live on the storefront. A first-time vendor integration, deployed at the moment of peak bot activity.

The result was immediate. Overnight, bot sessions dropped by 94%. The scraping infrastructure was still pointing at Marcella's URLs. It just wasn't getting through. Edge Protect was filtering the traffic at the edge of the network, before any of it could fire a session event, reach Shopify's analytics, or seed an ad platform.

The defense kept hardening. When residual bot traffic later attempted a different attack path through a suspicious referrer pointed at the same collection pages, Nostra deployed challenge rules. Roughly 11% of the challenged traffic solved the captcha, confirming a small portion of real humans in the mix. The rest was filtered out. This is what edge-level bot mitigation looks like done well. Not a single switch, but a continuously hardening defense that adapts as attackers adapt, without affecting real shoppers.

Within a week of deployment, Marcella's bot-to-human ratio had returned to its normal baseline of around 12%. The traffic hitting the storefront was real again. Analytics were trustworthy. Ad audiences were clean. The conversion rate dashboard reflected real customer behavior. No security breach, no data exposure, and no transactional impact across the entire incident.

It's worth flagging the 12% baseline directly, because it answers the question most operators ask next: why not zero? The answer is intentional. The residual bot traffic in normal weeks is made up of good bots. Googlebot, Bingbot, ChatGPT, Claude, SEMrush, Ahrefs, and the other crawlers that help your site get indexed, ranked, cited in AI answers, and surfaced in third-party tools. Killing them would mean killing your discoverability. Edge Protect is surgical by design. Block the scrapers and scalpers that pollute your analytics and eat your bandwidth, let the bots that actively help your business through.

The deeper story is the one most ecommerce teams won't see until they're living through it. Shopify Plus and Captcha are exceptional at their jobs. Neither was built to filter bot traffic before it becomes a session, because that filtering has to happen one layer up the stack, at the edge of the network. Edge Protect operates in that gap. It's why the bot volume in Marcella's chart appears to fall off a cliff overnight.

One commercial detail worth repeating, because it's unusual in this category. Marcella took on Edge Protect with effectively no financial risk during the worst week of a sustained attack. Nostra doesn't get paid unless we're protecting real revenue. It's the only commercial model that makes sense when the product's job is to remove a problem the customer can no longer see.

‍