I need a tailored set of Cloudflare WAF rules that operates as a Custom Bot Policy. The objective is straightforward: detect suspicious, automated traffic and have Cloudflare respond with a CAPTCHA challenge instead of an outright block.

You’ll start by assessing my current Cloudflare configuration, then craft one or more custom WAF expressions that reliably flag bots through indicators such as abnormal request rates, header irregularities, IP reputation scores, or other signals you’ve had success with. Once matched, the rule action must be “Challenge (CAPTCHA).”

Deliverables
• Finalised WAF rule set added to my Cloudflare dashboard
• Proof-of-concept tests showing legitimate users unaffected and bots challenged
• A brief hand-over note explaining each expression and how to adjust thresholds in future

Acceptance criteria
– Only targeted traffic receives the CAPTCHA, normal traffic flows uninterrupted
– No measurable increase in page-load times after rules are enabled
– All work completed entirely within the Cloudflare interface; no server-side code changes required

If you’re confident configuring Cloudflare WAF and fine-tuning bot policies, you should find this quick and precise.