Protecting Global Ticketing Platforms While Maximizing Conversion, Performance, and User Experience - Transforming Security Teams into Revenue Enablers

Merlin Entertainments, Europe’s largest theme park operator and the second biggest globally after Disney ,operates some of the world’s most iconic entertainment brands - including Legoland, Madame Tussauds, Sea Life, Minecraft parks, and many more - serving millions of guests each year across theme parks, attractions, and global digital ticketing platforms. As Merlin expanded its digital presence and customer acquisition efforts, its websites began processing massive volumes of traffic from an increasingly diverse mix of sources, including paid campaigns, partnerships, affiliates, and emerging channels such as AI-driven discovery and LLM-based search.

During peak seasons and major campaigns, availability, performance, and user experience directly impact revenue. Security must ensure that only malicious traffic is blocked-while legitimate ticket buyers are allowed through without friction.

While Merlin relied on industry-leading WAF and edge technologies to protect its digital estate, operating these tools at global scale introduced new challenges. Traditional edge security solutions lack context, making it so difficult to tune-especially in environments where legitimate customer traffic, scraping, and malicious activity can look increasingly similar and hard to differentiate.

Merlin partnered with Huskeys to elevate its edge security posture-ensuring protection of revenue, brand trust, and guest experience, while enabling continued digital growth.

As Merlin’s digital footprint and online ticket sales continued to grow, several challenges became clear:

• Brand-level risks beyond pure edge security like subdomain takeover and brand abuse
• Legitimate ticket buyers were being blocked by generic managed WAF rules
• False positives impacted critical booking and checkout journeys
• Limited visibility across a complex environment spanning multiple providers, third parties, iframes, and integrations
• Complexity, that make it difficult to understand how security decisions impacted conversion, revenue, and performance
• Manual WAF tuning that could not keep pace with new traffic sources and campaigns

Merlin needed a way to protect its entire brand and digital ecosystem, while empowering marketing and digital teams to scale traffic confidently. At the same time, the security team wanted to transform operations and become a driver of business growth.

Huskeys provides a plug-and-play, AI-powered Control Plane that sits on top of existing WAF and edge infrastructure. Rather than replacing Merlin’s security stack, Huskeys added context, intelligence, and orchestration-aligning edge controls with business goals.

‍

With Huskeys, Merlin Gained:

‍

• Comprehensive edge & WAF assessment
  A deep evaluation of Merlin’s existing setup to identify misconfigurations, coverage gaps, shadow rules, cost-saving opportunities, and performance bottlenecks-improving both security posture and business outcomes.
• False-positive reduction with business context
  Rule tuning informed by real user journeys, endpoints, and revenue impact-not just static managed rules-providing clear insight into how WAF controls affected ticket selection, checkout, and payment flows.
• Brand and external surface protection
  Continuous discovery and monitoring of external assets to identify risks such as subdomain takeover, exposed services, and brand abuse-before exploitation.
• Unified visibility across teams
  A shared view of traffic, endpoints, and risk that enabled security, marketing, and e-commerce teams to operate from a single source of truth.
• Smart orchestration and automation
  Rapid conversion of findings-false positives, posture gaps, brand exposure risks, and incident signals-into validated, production-ready WAF and edge controls, deployed safely and quickly.

Posture, Performance, and Edge Optimization

By removing unnecessary friction at the edge, Huskeys helped Merlin protect revenue-generating journeys while maintaining strong, consistent security.

‍

Results:

• Overall edge and WAF posture improved by 70%+
• Thousands of dollars per month in cost savings through configuration and rule optimizations
• 40%+ improvement in website performance and availability
• Enhanced detection, investigation, and prevention of DDoS attempts, strengthening overall infrastructure resilience
• Better protection across booking flows, third-party integrations, and external-facing assets

‍

Continuous monitoring and defense against brand-level risks, including subdomain takeover and abuse.

‍

Faster, Safer Security Operations

Manual WAF tuning was replaced with intelligent automation and guided decision-making.

‍

Results

• Security changes and validations deployed in minutes instead of weeks
• 90%+ reduction in manual WAF tuning effort
• Faster support for new campaigns, traffic sources, and acquisition channels

‍

During the engagement, Huskeys identified and resolved false-positive patterns caused by existing managed WAF rules that were directly blocking legitimate users on ticketing and booking endpoints.

‍

In one scenario, legitimate users arriving from marketing campaigns were blocked by a default managed rule from the existing WAF vendor. An overly broad SQL injection detection—triggered by third-party tracking cookies - prevented users from accessing ticketing pages and directly impacted sales.

‍

Results

• 80%+ reduction in false positives across booking and checkout journeys
• Tens of thousands of unique legitimate ticket requests restored monthly
• Critical purchase flows no longer disrupted by generic managed rules
• Improved conversion and confidence during peak traffic periods
• Millions of dollars in revenue preserved by preventing unnecessary traffic loss