Anti-Bot

What Is Imperva Incapsula?

By the Scrappey Research Team

What Is Imperva Incapsula? — conceptual illustration
On this page

Imperva Incapsula is the enterprise WAF and bot-protection product from Imperva (acquired by Thales in 2023). A WAF (web application firewall) filters incoming web traffic to block attacks. Incapsula is heavily deployed across banking, healthcare, government, and B2B SaaS — sectors that adopted WAFs before the modern bot-management category existed. Its detection leans mostly on Layer 1 checks (TLS fingerprint plus IP reputation — TLS is the encryption layer behind https) and a lightweight Layer 2 JavaScript challenge. That older design is simpler than newer behavioural systems, which is relevant when integrating with a service you are authorized to access.

Quick facts

Detection cookiesincap_ses_*, visid_incap_*, nlbi_*
Response headerX-Iinfo (4-segment debug info), X-CDN: Incapsula
Common sectorsBanking, healthcare, government, enterprise SaaS
Challenge styleiframe-loaded "Request unsuccessful" page with reload script
ArchitectureOlder two-layer design — TLS/IP checks plus a lightweight JS challenge
Commonly deployed onEnterprise sites and jobs marketplaces

How Incapsula scores a request

Incapsula checks a visitor in two stages. Layer 1 runs before any code executes: it inspects your TLS fingerprint (the signature pattern your encryption handshake produces), your IP and ASN reputation (how trustworthy your network is), how fast you are sending requests, and your static User-Agent against a known-bot blocklist. A datacenter IP or an obviously-scraper UA gets blocked right here, before any JavaScript runs. Layer 2 is a lightweight JavaScript challenge served in an iframe with the message "Request unsuccessful. Incapsula incident ID: …" — the script sets the incap_ses_* cookie after running and then reloads the page. Once you hold that cookie, later requests pass.

The X-Iinfo response header carries a 4-segment debug code (e.g. 8-12345678-12345678 NNNN RT(...)) that reveals which security policy fired. It is handy for debugging, but it is also a dead giveaway that you are behind Incapsula — no other CDN emits this header.

How the two layers behave

Layer 1 (TLS and IP). Because the first layer reads the client's TLS fingerprint and IP reputation, a datacenter IP or a default Python requests TLS profile (whose JA3 fingerprint — a hash of the TLS handshake — does not match a real browser) is filtered before any JavaScript runs. The incap_ses_* cookie is also bound to a single IP, so it is not portable across addresses.

Layer 2 (JS challenge). When a deployment serves the lightweight JavaScript challenge, a real browser session satisfies it; there is no behavioural ML (machine-learning scoring of mouse and timing patterns) involved, which is one way Incapsula differs from newer products.

Compared with DataDome or Akamai, Incapsula's infrastructure is older and its model is simpler. Many deployments pair the WAF with an aggressive request-rate rule, so when you are authorized to access a service, request pacing matters as much as a consistent browser configuration.

Telling Incapsula apart from generic WAFs

The X-Iinfo header alone identifies Incapsula. Even when it isn't visible, an incap_ses_* or visid_incap_* name on a Set-Cookie is diagnostic — these cookie names are unique to Incapsula and have been stable for years. The "Request unsuccessful. Incapsula incident ID" block page is a third tell. Older deployments also expose X-CDN: Incapsula.

Code example

python
# Detecting Incapsula from a response (use only on sites you are permitted to access)
from curl_cffi import requests

s = requests.Session(impersonate="chrome131")
proxies = {"https": "http://user:pass@residential:port"}

r = s.get("https://target.com/api/data", proxies=proxies)

# X-Iinfo is the giveaway header
if "x-iinfo" in r.headers:
    print(f"Incapsula confirmed: {r.headers['x-iinfo']}")
print(f"status: {r.status_code}, bytes: {len(r.text)}")

Related terms

Concept map

How Imperva Incapsula connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Frequently asked questions

Is Incapsula the same as Imperva WAF?

Incapsula is the cloud-hosted product; Imperva WAF historically referred to the on-prem appliance (software running on the customer's own hardware). Since Imperva consolidated its branding around 2020, the names are used interchangeably, and the cookie signatures are identical.

Why is Incapsula's architecture simpler than Akamai or DataDome?

It predates the modern bot-management category. There is no behavioural ML, no WASM challenge (a heavier check compiled to WebAssembly), and no multi-request trust accumulation (where trust is built up over several requests). Layer 1 — TLS plus IP — is the bulk of the detection, which is why its design feels closer to a traditional WAF than to newer scoring systems.

What does the X-Iinfo header tell me?

It is a 4-segment debug code containing the request type, account ID, the policy that fired, and round-trip metrics. Site owners use it to debug false positives. For scrapers it is mainly useful as a vendor identifier and to confirm whether the policy that triggered is a rate-limit (shown as RT) or a fingerprint check (shown as NNNN).

Last updated: 2026-05-31