{"slug": "i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them", "title": "I let AI bots read my content, then figured out how to charge them 🤖💸", "summary": "A developer at First Step Technology deployed AI Traffic Monetization on AWS to charge AI bots for crawling content, using the API/CLI-only feature after discovering the WAF console lacks the monetize action. The developer also resolved a remote disk unlock issue with dropbear-initramfs by converting SSH keys to the required format.", "body_md": "I let AI bots read my content, then figured out how to charge them 🤖💸\n\n*A build-in-public story about AWS, encrypted disks that fight back, and teaching a compliance framework to talk to an AI agent*\n\nOkay so here's the thing nobody tells you about launching a compliance advisory business: at some point you end up in a terminal at 11pm arguing with a Mac Mini about a LUKS passphrase. This is that story. 🫠\n\n🏗️ The setup\n\nI run First Step Technology, a cybersecurity/compliance advisory shop. I also, apparently, cannot help myself when it comes to \"let's just build the infrastructure instead of paying someone else to.\"\n\nSo `ComplianceFirst.io`\n\nwent from idea to fully live AWS deployment: CloudFront + S3, layered WAF (IP reputation, OWASP core rules, known-bad-inputs, Bot Control), least-privilege IAM split between a console admin identity and a scoped CLI deployer. Standard stuff, mostly.\n\nThen I found out AWS shipped something wild: **AI Traffic Monetization**. You can literally charge AI bots — GPTBot, ClaudeBot, PerplexityBot, the whole crew — for crawling your content. Real USDC settlement via the x402 protocol, through Coinbase's developer platform.\n\nI was not going to let that sit unused. 👀\n\n🧱 The console doesn't have the button you're looking for\n\nHere's a fun one for anyone who's tried this: **the AWS WAF console straight up does not expose the Monetize action anywhere in the visual rule builder.** Allow, Block, Count, CAPTCHA, Challenge — that's it. I spent way too long convinced I was missing a button.\n\nTurns out the feature is real, it's just API/CLI-only right now. So instead of clicking, I ended up:\n\n```\naws wafv2 update-web-acl --generate-cli-skeleton > skeleton.json\ngrep -A 10 '\"Monetize\"' skeleton.json\n```\n\n…and built the rule directly against the real, live API schema instead of trusting a blog post (including mine, going forward — always verify against `--generate-cli-skeleton`\n\n, don't trust docs that might be stale). Turns out `PriceMultiplier`\n\nwants a whole number 1-100 as a *percentage*, not a decimal like I first assumed. AWS's own validation error caught that one for me. 🙏\n\n```\n{\n  \"Name\": \"monetize-verified-ai-bots\",\n  \"Statement\": {\n    \"LabelMatchStatement\": {\n      \"Scope\": \"LABEL\",\n      \"Key\": \"awswaf:managed:aws:bot-control:bot:category:ai\"\n    }\n  },\n  \"Action\": {\n    \"Monetize\": { \"PriceMultiplier\": \"100\" }\n  }\n}\n```\n\nRan it in test mode on Base Sepolia first, obviously. Within a day: **141 real requests** from GPTBot, ChatGPT-User, ClaudeBot, Bytespider, Perplexity, Meta's crawler, Cohere. Real companies, real traffic, all correctly labeled and ready to monetize once I flip to mainnet. 🎉\n\n🔐 Then the Mac Mini decided to fight me\n\nSeparate project, same week: standing up a third machine for internal docs + a compliance data pipeline. Full-disk LUKS encryption, because obviously — it's going to hold client compliance data eventually.\n\nProblem: encrypted disks don't unlock themselves, and this machine is headless. Enter `dropbear-initramfs`\n\n— a tiny SSH server that runs *before* the real OS even boots, so you can unlock the disk remotely instead of walking over with a keyboard every single reboot.\n\nI set it up. It \"worked.\" Then it didn't. `ssh root@ip`\n\n→ connection refused → dropbear clearly starting on screen → nothing listening. Spent a chunk of time convinced it was a networking issue.\n\nIt wasn't. The actual bug: **dropbear can't read standard OpenSSH-format private keys.** It needs its own binary format. My first pass just did a plain `cp`\n\nof the host key — which looks like it works, right up until dropbear tries to actually parse it and chokes.\n\n```\nsudo dropbearconvert openssh dropbear \\\n  /etc/ssh/ssh_host_ed25519_key \\\n  /etc/dropbear/initramfs/dropbear_ed25519_host_key\n```\n\nOne command. That was it. Also found a sneaky trailing space in `/etc/initramfs-tools/initramfs.conf`\n\non the `DEVICE=`\n\nline that wasn't helping. Config files really do just sit there quietly wrecking your day. 😤\n\n📜 Turning a PDF into something an AI agent can actually use\n\nThe actual point of that machine: a pipeline that pulls real NVD vulnerability data and NIST framework controls, then converts each requirement into structured JSON with plain-English guidance an AI coding assistant can act on.\n\n``` python\ndef generate_agent_rule(control_id, framework):\n    # pulls the stored control, wraps it with\n    # agent-readable guidance, saves to SQLite\n    ...\n```\n\nReal output, for real control 3.1.1 of NIST SP 800-171:\n\n```\n{\n  \"control_id\": \"3.1.1\",\n  \"requirement\": \"Limit system access to authorized users...\",\n  \"agent_guidance\": \"When generating or reviewing code/infrastructure,\n    ensure compliance with control 3.1.1... Flag any implementation\n    that does not satisfy: Limit system access to authorized users...\"\n}\n```\n\nDrop that into Claude Projects or a Copilot instructions file, and your AI assistant starts reasoning about compliance gaps *while you're writing code*, instead of everyone finding out three weeks before an audit. 110 controls done for CMMC Level 2, 15 more for CMMC Level 1 (fun fact: that one's not even a NIST framework, it maps to a completely different source, FAR 52.204-21 — learned that the hard way when NIST's own catalog search came up empty).\n\nImportant caveat I'm putting in writing for anyone building something similar: **this isn't a scanner.** It doesn't background-sweep your repo. It's context that makes your AI's *reasoning* better informed — think \"editor with a style guide,\" not \"automated compliance certification.\" Setting that expectation correctly with clients matters a lot more than the tech itself.\n\n🎯 What I'd tell someone starting this\n\n`--generate-cli-skeleton`\n\nbefore assuming you're wrong`cp`\n\n-ing a key file between two tools that both technically \"use SSH keys\" is not a safe assumption — formats differAnyway. Bots are reading my compliance articles and will soon be paying for the privilege, and my Mac Mini finally unlocks itself like a reasonable adult. Building in public is chaotic but I'm here for it. 🚀\n\n`#aws`\n\n`#buildinpublic`\n\n`#cybersecurity`\n\n`#compliance`\n\n`#selfhosted`\n\n`#linux`", "url": "https://wpnews.pro/news/i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them", "canonical_source": "https://dev.to/firststeptechnology/i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them-216o", "published_at": "2026-07-11 15:14:15+00:00", "updated_at": "2026-07-11 15:44:30.301578+00:00", "lang": "en", "topics": ["ai-infrastructure", "developer-tools", "ai-products"], "entities": ["First Step Technology", "AWS", "ComplianceFirst.io", "Coinbase", "GPTBot", "ClaudeBot", "PerplexityBot"], "alternates": {"html": "https://wpnews.pro/news/i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them", "markdown": "https://wpnews.pro/news/i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them.md", "text": "https://wpnews.pro/news/i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them.txt", "jsonld": "https://wpnews.pro/news/i-let-ai-bots-read-my-content-then-figured-out-how-to-charge-them.jsonld"}}