Undermining Revenue, Trust, and Operational Integrity
For airline CIOs, CISOs, and revenue platform leaders, malicious bots are no longer just a nuisance. They are a direct assault on revenue integrity and customer trust. One of the most damaging and least understood manifestations of this threat is a practice known as seat spinning.
Seat spinning is not a theoretical edge case. It is a deliberate, fraudulent, automated attack designed to manipulate ticket availability and pricing dynamics at scale. And because it exploits business logic (how an application works) rather than technical vulnerabilities, traditional security controls consistently fail to prevent it. Understanding how it works – and why behavioral analysis is essential to stopping it – is a key requirement for protecting airline digital channels.
What Is Seat Spinning?
Seat spinning is a malicious, automated practice in which bots temporarily place airline seats into a pending reservation state without completing the purchase. By repeatedly holding inventory and allowing those holds to expire, bots create artificial scarcity in booking systems.
By locking inventory, bad actors create the illusion of full flights. Revenue systems interpret this as high demand and may increase prices. These price movements are then exploited to benefit secondary resale channels or competitive positioning.
From the outside, legitimate customers often see that:
- Seats are available but disappear during payment.
- Flights marked “sold out” suddenly show availability again hours later.
- Prices fluctuate up and down within short periods.
- Activity intensifies as departure dates approach.
When the hold window expires, the seats reappear, but often too late for optimal pricing or consumer confidence. The result is a distorted marketplace: customers experience hidden availability and booking failures, revenue management systems interpret bot-induced activity as genuine demand, and pricing engines respond accordingly by raising prices.
Seat Spinning Impacts
The impacts of seat spinning are felt by airlines worldwide, going far beyond the obvious revenue consequences. And in markets with long no-cost hold windows — historically common in parts of Asia Pacific — the damage can be further amplified.
Revenue Disruption
Bots hold seats for extended periods, preventing legitimate customers from purchasing them. Airlines lose the opportunity to sell seats at the right time and at the right price. Even temporary holds can disrupt dynamic pricing algorithms.
Operational Distortion
Airlines rely heavily on look-to-book ratios and booking velocity metrics. Seat spinning artificially inflates search and reservation activity, skewing demand signals. Revenue management teams receive false indicators, leading to mispriced inventory and degraded forecasting accuracy.
Customer Experience and Brand Damage
Passengers see flights marked as full or overpriced, only to see availability return later. This erodes trust and creates reputational harm when availability fluctuates within hours.
Why Traditional Security Fails
Seat spinning is not a classic intrusion attack. It is a form of business logic abuse powered by automation, exploiting workflow logic, not code vulnerabilities.
CAPTCHA Is Irrelevant
Seat spinning typically occurs before the login or payment stages, where CAPTCHA challenges are usually triggered. Even if deployed earlier, modern bots – especially in the age of AI – can easily solve or bypass CAPTCHA challenges.
IP Blocking Is Ineffective
Bots rotate IPs across residential proxies and cloud infrastructure. Blocking based on IP reputation results in false positives and has minimal impact.
Static Rate Limits Miss Intent
Sophisticated bots can throttle requests to mimic human behavior. From a request-by-request perspective, fraudulent activity may appear legitimate. The abuse only becomes visible when viewed across the full booking journey.
WAFs Don’t Understand Business Context
Web application firewalls are designed to block syntactic attacks such as SQL injection, cross-site scripting, and malformed payloads. They do not understand the difference between legitimate browsing and repeated seat holds with no purchase intent.
Why Behavioral Analysis Is the Only Viable Defense
To prevent seat spinning, detection must focus on booking behavior and purchase intent, not machine-versus-human classification. Understanding how legitimate customers research, select, and purchase tickets is as important as being able to successfully identify a malicious bot. Detection must occur as coordinated analysis across the entire booking flow, not just at individual request checkpoints.
When behavioral intent is modeled holistically, repetitive seat searches and fare recalculations that deviate from normal user behavior become clear indicators. Monitoring how often an entity holds seats without progressing to payment is a critical signal.
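The hold-without-payment signal described above, as an added example (not code from the original page or from any vendor product). The event names, the `entity` identifier (assumed to be a stable client identifier such as a device fingerprint, not an IP address), the sample events, and the thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict

def build_events():
    """Constructed sample booking-flow events: (entity, ip, session, step)."""
    events = [
        ("dev-A", "198.51.100.7", "a1", "search"),
        ("dev-A", "198.51.100.7", "a1", "hold"),
        ("dev-A", "198.51.100.7", "a1", "payment"),
        ("dev-C", "198.51.100.9", "c1", "search"),
        ("dev-C", "198.51.100.9", "c1", "hold"),
        ("dev-C", "198.51.100.9", "c1", "hold_expired"),  # one abandoned cart
        ("dev-C", "198.51.100.9", "c2", "hold"),
        ("dev-C", "198.51.100.9", "c2", "payment"),
    ]
    # One automated entity: six sessions, a fresh IP each time, never pays.
    for i in range(6):
        ip, sess = f"203.0.113.{10 + i}", f"b{i}"
        events += [("dev-B", ip, sess, step)
                   for step in ("search", "hold", "hold_expired")]
    return events

def holds_per_ip(events):
    """The per-IP view that a static rate limit or IP block list sees."""
    return Counter(ip for _, ip, _, step in events if step == "hold")

def journey_stats(events):
    """Aggregate the full booking journey per entity, across sessions and IPs."""
    stats = defaultdict(lambda: {"holds": 0, "payments": 0, "ips": set()})
    for entity, ip, _session, step in events:
        s = stats[entity]
        s["ips"].add(ip)
        if step == "hold":
            s["holds"] += 1
        elif step == "payment":
            s["payments"] += 1
    return stats

def flag_spinners(events, min_holds=5, max_conversion=0.1):
    """Entities with many holds and almost no progression to payment."""
    flagged = []
    for entity, s in journey_stats(events).items():
        conversion = s["payments"] / s["holds"] if s["holds"] else 1.0
        if s["holds"] >= min_holds and conversion <= max_conversion:
            flagged.append(entity)
    return sorted(flagged)

if __name__ == "__main__":
    ev = build_events()
    print(max(holds_per_ip(ev).values()), flag_spinners(ev))
```

In the sample data no single IP places more than two holds, so a per-IP limit sees nothing unusual, while the per-entity journey view isolates the one client that holds repeatedly and never pays.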
Once identified, malicious “spun” seats can be released back into inventory in real time, preserving revenue integrity and customer experience. Advanced solutions also incorporate “human-in-the-loop” capabilities to short-circuit the “impossible journeys” malicious bots embark upon – for example, executing high-frequency seat holds across geographically inconsistent patterns.
Cequence Bot Management – A Practical Defense Against Seat Spinning
Cequence’s Bot Management solution was designed from inception to defend not only against volumetric attacks but also against highly sophisticated business logic attacks that exploit the way applications and APIs are actually supposed to work. It succeeds where traditional controls fail in no small part due to its understanding of behavioral intent. Simply discerning humans from bots and blocking IP addresses sending high volumes of traffic has been insufficient for some time. And today, AI bots are originating an ever-increasing percentage of traffic, some of which businesses want to allow because it operates on behalf of their customers. Security solutions must distinguish human from synthetic and good activity from bad. Cequence’s experience in protecting applications and data through bot management and API security has enabled us to imbue our products with a deep understanding of user intent and user journeys as well as the business logic behind applications and APIs. With this understanding, we can identify unlikely or impossible user journeys and prevent business logic abuse and other sophisticated attacks.
The Strategic Imperative for Security Leaders
Seat spinning is economically motivated and strategically executed. It interferes directly with how airlines determine demand, availability, and pricing. Its impact crosses security, revenue management, digital commerce, and distribution teams. Left unattended, it degrades business performance and customer perception simultaneously.
For senior IT and security leaders, the solution is not more friction. It is deeper visibility and understanding. A sophisticated behavioral intent engine – powered by machine learning, cross-session analysis, and real-time enforcement – enables airlines to:
- Detect malicious booking intent before inventory distortion occurs
- Protect pricing models from artificial manipulation
- Preserve customer trust by stabilizing availability
- Maintain clean demand signals for revenue optimization
In an era where malicious actors are economically motivated and AI-assisted, seat spinning is not an anomaly. It is a preview of how fraud and business logic abuse are evolving across digital commerce. Organizations that shift from static defenses to behavioral intelligence will protect not just their applications, but their revenue engines.
