Last quarter we mitigated a content-scrape attack against a media client. The pattern was distinctive: rotating IPs, no JS execution, unusual UA fingerprints.
The rule
We matched on the combination of: low cf_threat_score, missing accept-language, missing referer, and request method GET on /api paths. Action: block.
Within 90 seconds traffic stabilized at baseline.
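An added example (not from the original post) that replays the four-condition rule over logged requests before the action is set to block, to show which non-browser clients it would also catch. The `LOW_SCORE_MAX` cutoff, the record layout (with `threat_score` standing in for `cf_threat_score`) and the sample requests, including the `MediaApp/` first-party client, are assumptions constructed for illustration.

```python
from collections import Counter

LOW_SCORE_MAX = 10  # assumption: the post says only "low", no number

def _headers(req):
    # Header names are case-insensitive; whitespace-only values count as missing.
    return {k.lower(): v.strip() for k, v in req.get("headers", {}).items()}

def matches_rule(req, score_max=LOW_SCORE_MAX):
    """True when a logged request meets all four conditions from the post."""
    h = _headers(req)
    path = req["path"]
    return (
        req["method"] == "GET"
        and (path == "/api" or path.startswith("/api/"))
        and req["threat_score"] <= score_max
        and not h.get("accept-language")
        and not h.get("referer")
    )

def dry_run(requests, known_clients=()):
    """Replay the rule over logs and report what a block action would hit."""
    hits = [r for r in requests if matches_rule(r)]
    by_ua = Counter(_headers(r).get("user-agent", "<none>") for r in hits)
    collateral = sorted(ua for ua in by_ua if ua.startswith(tuple(known_clients)))
    return {"matched": len(hits), "by_user_agent": by_ua, "collateral": collateral}

# Constructed sample log records (not data from the incident).
SAMPLE = [
    {"method": "GET", "path": "/api/articles", "threat_score": 2,
     "headers": {"User-Agent": "python-requests/2.31"}},
    {"method": "GET", "path": "/api/articles", "threat_score": 1,
     "headers": {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US",
                 "Referer": "https://media.example/"}},
    {"method": "GET", "path": "/api/feed", "threat_score": 0,
     "headers": {"User-Agent": "MediaApp/5.2 (iOS)"}},
    {"method": "POST", "path": "/api/login", "threat_score": 0,
     "headers": {"User-Agent": "python-requests/2.31"}},
    {"method": "GET", "path": "/index.html", "threat_score": 0,
     "headers": {"User-Agent": "python-requests/2.31"}},
    {"method": "GET", "path": "/api/articles", "threat_score": 45,
     "headers": {"User-Agent": "python-requests/2.31"}},
    {"method": "GET", "path": "/api/articles", "threat_score": 3,
     "headers": {"User-Agent": "python-requests/2.31", "Referer": " "}},
]

if __name__ == "__main__":
    print(dry_run(SAMPLE, known_clients=("MediaApp/",)))
```

Native apps and server-side integrations often send neither `Accept-Language` nor `Referer`, so any user agent listed under `collateral` needs an exception or an extra condition before the rule goes to block.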