Blackpepper has deployed Fastly’s Next-Gen WAF across its eCommerce operations to protect shopping transactions and keep sites available during attacks and traffic surges.
The digital marketing company, which builds eCommerce platforms for multi-channel retailers in New Zealand and Australia, has rolled out the security system across its AWS environments, including Amazon EC2 and Lambda. The deployment is part of a broader use of Fastly services that has expanded over more than a decade.
Founded 25 years ago, Blackpepper focuses on linking online and in-store retail systems so transactions and account updates appear across channels without delay. That model has required it to manage several technical challenges at once, including media delivery, response times across multiple geographies, and a rise in attacks targeting online retail platforms.
Blackpepper first adopted Fastly in 2012 for content delivery. It later added image services, then put Fastly in front of its application servers for DDoS protection and rate limiting, before moving to the newer web application firewall and related security products in 2024.
Attack response
One of the most immediate changes came in how the team handles hostile traffic, particularly attacks targeting the checkout process. Before bot protection was introduced, staff were responding manually to recurring incidents, often outside working hours.
“You’ve got pager alerts and things going off at 2.00 or 3.00am,” said Alain Russell, Chief Executive Officer and Founder, Blackpepper.
Russell said that changed after bot controls were switched on: “Since deploying bot protection last year, we haven’t manually responded to an attack.”
Automated responses now deal with threats as they occur, while Slack notifications provide operational updates to staff. Over nine to 12 months, Blackpepper also adjusted its rules to improve traffic visibility and block malicious requests across its platform.
The combination of the Next-Gen WAF, bot controls, and client-side protection has helped it address more sophisticated threats, including activity linked to account takeover attempts. Blackpepper also said the native AWS integration reduced operational complexity for teams managing those environments.
Demand spikes
Retail platforms face abrupt jumps in activity during major promotions, testing both scale and resilience. Russell pointed to Black Friday and Vogue Online Shopping Night as examples of events where traffic can multiply quickly.
“During major sale events like Black Friday and Vogue Online Shopping Night, Blackpepper regularly experiences traffic that doubles or triples within moments. Fastly ensures scalability during these critical times, helping eliminate downtime and preserve revenue,” added Russell.
Fastly’s shielding and real-time visibility tools have also changed how Blackpepper’s engineers manage infrastructure during these periods. The tools allow updates such as promotions or inventory changes to be pushed quickly during high-demand trading windows.
Regional growth
Blackpepper said its use of Fastly has also supported its expansion into the UK. It wanted the same delivery speeds and security controls used in New Zealand and Australia to extend to the new market without major changes to its existing model.
Russell has previously described speed as central to Blackpepper’s commercial approach because even small changes in site performance can affect retail conversion. “When you are processing 5 billion requests for every month, a change in performance of this nature has a massive impact on our customer websites. Some customers could not believe just how fast their pages were now loading.”
He added: “In a rapidly moving eCommerce landscape, we needed infrastructure that could keep pace, and Fastly delivers that speed better than anyone else.”
Compliance and testing
Blackpepper is also using the system to address payment security rules around content security policies. Russell said the company is preparing to use a web application firewall feature that identifies script changes and blocks unexpected code.
“Upcoming PCI compliance updates require stricter content security policies,” added Russell. “Next-Gen WAF now has a feature that allows us to essentially do that. It will hash scripts that are running on sites, tell us if they’ve changed, block scripts that we’re not expecting.”
In parallel, Blackpepper is testing edge computing for A/B testing through Growthbook, which connects with Fastly. The work is intended to let it assign users to test groups and render JavaScript tests closer to the user.
“There’s no lag or delay from a customer’s perspective,” added Russell. “The HTML coming directly out of edge compute will have the tests automatically included in them.”
For Russell, the operational effect remains the clearest measure of the rollout. “If I was going to describe my experience of Fastly, easy would be the word that I would use,” he said.
He added: “These products have truly simplified our workloads and made our lives so much easier.”



