Why Cloudflare Turnstile is the right engine underneath SheerID's Spring 2026 offer-protection feature — and why the qualifying conversation should happen now.
In their Spring 2026 ADP product update, SheerID rolled out a new Passive CAPTCHA feature. The architecture they picked — background analysis, zero-friction, no puzzles — is verbatim Turnstile positioning.
"Our new Passive CAPTCHA stops automated attacks in the background, blocking high-risk traffic. Zero-Friction UX: Legitimate users stay in the flow. Sophisticated background analysis replaces intrusive puzzles for nearly all users. Targeted Fraud Reduction: Block automated and bot-based abuse on your high-volume or high-risk programs."
The feature is off by default and is turned on by emailing productsupport@sheerid.com. Implementation is still soft.
Passive CAPTCHA, background analysis, zero-friction — that's the right call.
Cloudflare Turnstile is that engine, sitting natively next to the WAF they already run.
www.sheerid.com on Cloudflare anycast today
server: cloudflare · cf-ray confirmed
One config flag in the same dashboard. Zero net-new vendors. Zero new subprocessor on customer DPAs.
Two structural advantages a third-party CAPTCHA vendor can't match.
www.sheerid.com already routes through Cloudflare's anycast network. WAF rules, DDoS protection, and SSL all live in the dashboard SheerID's security team already logs into.
Adding Turnstile = one rule. Not a new procurement cycle, not a new SOC 2 review, not a new line on the customer DPA.
→ Zero net-new vendors. Zero new subprocessor.
Cloudflare made a public, on-the-record commitment at Turnstile GA in September 2023: Managed mode is free for unlimited use, forever.
Whatever vendor SheerID's Passive CAPTCHA is using underneath is charging per-request or per-seat. That cost is baked into the offer-protection SKU SheerID sells to brands.
→ Vendor margin becomes product margin.
Two architectural advantages — edge placement and platform integration — that change the economics and the defense model.
verify.sheerid.com terminates on AWS ELB in us-east-1. If their CAPTCHA validates after the request hits AWS, every bot still consumes ELB capacity, bandwidth, and downstream Lambda compute.
Turnstile validates at the Cloudflare POP nearest the visitor. Bot traffic never reaches AWS. AWS bill thanks you.
→ Push the decision left. Save AWS spend.
Standalone CAPTCHA = binary yes/no door. Turnstile + Bot Management = continuous ML risk score across every request, learned from 25M+ Cloudflare sites.
Coupon-scraping, credential-stuffing, automated verification submission — two layers of defense, not one. For an offer-protection product, this is a different category of defense.
→ Yes/no door becomes risk-scored gate.
Turnstile sits inside Cloudflare's FedRAMP Moderate authorized package. GDPR, ePrivacy, CCPA, WCAG 2.2 AA — all built in. SheerID rides inside the Cloudflare entry they've already evidenced on customer questionnaires.
| Dimension | Generic Passive CAPTCHA | Cloudflare Turnstile |
|---|---|---|
| Underlying engine | Undisclosed (likely hCaptcha / reCAPTCHA Enterprise) | Cloudflare Challenge Platform — proof-of-work, browser-API probes, behavioral signals |
| Pricing | ✕ Vendor margin baked into SheerID's offer-protection SKU | ✓ Managed mode free, unlimited, forever |
| Where decision runs | ✕ After traffic hits AWS | ✓ At the Cloudflare edge, before AWS |
| Bot intelligence | ✕ Standalone signal — yes/no | ✓ Feeds Bot Management ML score |
| Compliance | Separate subprocessor entry on every customer DPA | ✓ Inside existing Cloudflare DPA entry |
| FedRAMP | Vendor-dependent | ✓ Inside FedRAMP Moderate authorized package |
| Accessibility | Audio fallback often | ✓ WCAG 2.2 AA, no audio CAPTCHA ever |
Public, on-the-record numbers from Cloudflare's GA announcement (Sept 2023) and ongoing operations.
"Cloudflare will never issue another visual puzzle to anyone, for any reason."
"Even without asking users for any interactivity at all, Turnstile was just as effective as a CAPTCHA."
Stress-test moment: the Eurovision 2023 final vote pushed more challenge traffic through Turnstile in one hour than the combined 25M Cloudflare sites it normally serves. Handled without a hitch.
SheerID's Spring 2026 announcement is the qualifying event — they picked the passive-CAPTCHA architecture, which is Turnstile's home turf.
They're already on Cloudflare WAF. Turnstile Managed mode is free and unlimited, validates at the edge before AWS sees the traffic, feeds Bot Management's ML score, and rides inside their existing Cloudflare compliance posture.
The conversation is about moving the engine underneath what they already shipped, and adding Bot Management on top of it.