This disclosure describes a technique to slow down or block creation of automated attack scripts by configuring a detector to discriminate whether particular attack-like activity is a true attack, or simply a hacker “testing” his or her automated attack script, and then permitting any such test script to continue working (attacking) the site, albeit on a limited basis. In this manner, the hacker receives an indication that his or her automated attack script is already working. Thereafter, when the detector later detects a launch of an actual attack based on or otherwise associated with the automated attack script (previously under test), the attack fails either because the script was not a working script in the first instance, or because information learned about the script is used to adjust the site as necessary to then prepare adequately for a true attack.