How AI agents broke flight search

⚡ The Signal

The rise of autonomous AI agents has triggered an invisible infrastructure crisis for online travel platforms. Traditional search engines were designed for humans who run a dozen queries before booking a flight. Today, AI bots are hammering metasearch backends, with some AI-driven search queries climbing to nearly 900,000 requests per flight as agents programmatically brute-force infinite permutations of dates, routes, and pricing.

For online travel agencies and metasearch engines, this shift represents a structural threat. They pay for down-funnel global distribution system (GDS) and partner API queries, yet these programmatic crawlers have a conversion rate of effectively zero. The result is a massive cloud bill with no corresponding transaction revenue, shifting the economics of web search from a minor operational expense into a major margin drain.

🚧 The Problem

Existing security tools are fundamentally unequipped to handle AI agent traffic. Legacy Web Application Firewalls (WAFs) and bot mitigation platforms rely on identifying malicious behavior, such as credential stuffing, scrapers using outdated headers, or high-volume IP-based DDoS attacks.

But modern AI agents are highly sophisticated. They route requests through distributed residential proxy networks, execute queries using headless browsers that look identical to human behavior, and request legitimate search paths. Standard IP-based rate limits cannot block them without also blocking genuine users sharing the same public networks. If a travel platform uses a blunt block on these agents, they risk ruining their SEO presence or blocking legitimate downstream partnerships. Yet, allowing them to crawl unrestricted completely destroys API margins.

🚀 The Solution

Enter Bramble, an ultra-lightweight API gateway layer designed specifically to identify, score, and throttle runaway AI agent queries in real-time.

Instead of relying on crude IP blocks or intrusive CAPTCHAs that disrupt the user experience, Bramble analyzes query parameter entropy. By evaluating the structural variance of incoming searches—such as highly repetitive combinations of dates, destinations, or prices originating from a single browser fingerprint—Bramble calculates a programmatic confidence score.

Rather than blocking suspicious traffic outright, Bramble uses tarpitting: applying micro-delays to bot requests. This micro-throttling destroys the economic viability of scraping by delaying responses just enough to make massive scale runs impossible, while human travelers continue to experience seamless, sub-millisecond speeds.

🎧 Audio Edition

Listen to Ada and Charles discuss today's business idea.

If you're reading this in your email, you may need to open the post in a browser to see the audio player.

💰 The Business Case

Revenue Model

Bramble operates on a multi-tiered monetization strategy tailored to the scale of the customer:

• Usage-Based Tier: A developer-friendly, pay-as-you-go model starting at a flat rate per 100,000 API requests inspected.
• Enterprise Platform Tier: A fixed monthly platform fee for organizations requiring dedicated in-memory database instances, custom rate-limiting rulesets, and strict sub-millisecond SLA guarantees.
• Threat Intelligence Subscriptions: A secondary data play licensing Bramble’s real-time, validated directory of AI scraper signatures and IP networks directly to Content Delivery Networks (CDNs) and web hosting providers.

Go-To-Market

Bramble’s distribution strategy leverages bottom-up developer adoption paired with high-intent inbound resources:

• API Cost Leakage Calculator: A free web utility where platform engineers can securely drop a sample of their Nginx or Cloudflare gateway logs. The tool instantly isolates bot signatures and calculates the exact dollar value wasted on LLM and scraper queries vs. human traffic.
• Open Source Gateway Middleware: To drive bottom-up adoption, Bramble will release an open-source Cloudflare Worker and Envoy filter on GitHub. This gives engineering teams a free, basic entropy-tracking setup while creating an organic pipeline to Bramble’s enterprise hosting.
• Programmatic SEO Directory: A public, auto-updating index tracking known AI crawler IP ranges and agent behavior profiles. This acts as a primary search traffic driver for developers searching for terms like how to block LLM agents on AWS.

⚔️ The Moat

While general bot managers like DataDome, Cloudflare Bot Management, and Fingerprint.com focus on blocking security threats, Bramble specializes purely in the economics of API consumption.

Bramble’s primary defense is its Collaborative Threat Network. By sitting directly at the API gateway layer, Bramble accumulates anonymized query fingerprints across all customers. When a new agent scraping pattern is identified on a travel site in Europe, the threat fingerprint is immediately synchronized globally. A retail marketplace in the United States is instantly protected from that same agent footprint before the first request even lands. This shared intelligence network creates a defensive flywheel that static, isolated firewalls cannot compete with.

⏳ Why Now

The urgency for API-level protection has reached a boiling point. The industry is witnessing a structural shift where AI is fracturing travel search economics by creating an unsustainable volume of non-revenue-generating API requests.

This issue is set to compound rapidly. As major ecosystems push cheaper AI options to small developers, we are on the verge of an explosion of independent, highly localized AI travel agents and automated assistants. As these tools proliferate, the volume of automated API requests will grow exponentially. For travel platforms and consumer APIs, deploying a dedicated, intelligent gateway defense like Bramble is no longer about optimization—it is about economic survival.

🛠️ Builder's Corner

To build an MVP of Bramble, the engineering focus should be on raw speed and minimal memory footprint. One approach is to write a lightweight reverse proxy using Go, which can be easily deployed as a Cloudflare Worker or packaged in a lightweight Docker container to sit adjacent to existing gateway infrastructure.

For storing and analyzing query patterns in real-time, a fast in-memory database like Redis is ideal. The proxy can parse query parameters on incoming requests and track their sliding-window frequency. Instead of matching simple IP addresses, the Go proxy calculates query parameter entropy—such as detecting if a client is systematically changing a checkout date while holding all other parameters constant.

By applying a sliding-window algorithm, the system assigns a programmatic confidence score to the visitor. If the score indicates an automated agent, the proxy uses Go’s concurrency primitives to inject micro-delays into the response cycle. This tarpitting mechanism slows the scraper down to a crawl, rendering their operation economically unviable while leaving standard API pathways completely unimpeded for genuine users.

Legal Disclaimer: GammaVibe is provided for inspiration only. The ideas and names suggested have not been vetted for viability, legality, or intellectual property infringement (including patents and trademarks). This is not financial or legal advice. Always perform your own due diligence and clearance searches before executing on any concept.