docs: captcha (#1849)

docs/kratos/concepts/security.mdx

@@ -28,8 +28,7 @@ Ory Network takes a proactive approach to combat bot and other automated attacks
 To detect bots and throttle suspicious IPs, Ory Network leverages the
 [Cloudflare Web Application Firewall (WAF)](https://www.cloudflare.com/en-gb/application-services/products/waf/) and
 [Cloudflare Bot Management](https://www.cloudflare.com/en-gb/application-services/products/bot-management/) services. These
-features are built into Ory Network and allow Ory to defend against automated threats without burdening users with unfriendly
-CAPTCHAs, IP throttling, rate limiting, and IP blocking.
+features are built into Ory Network and allow Ory to defend against automated threats without impacting the user experience.
 
 When using Ory Network, these automated attack defenses are provided as part of the platform's security infrastructure. For
 self-hosted instances of Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage
@@ -71,3 +70,19 @@ password policy, refer to the [password policy page](../../concepts/password-pol
 
 Ory OAuth2 and OpenID Connect is a certified OAuth2 and OpenID Connect provider. You can read more in the
 [OAuth 2.0 security overview](https://www.ory.sh/docs/hydra/security-architecture) documentation.
+
+## CAPTCHAs
+
+:::info
+
+Captcha protection is being tested and is not yet available for general use. If you are interested, please
+[contact us](https://ory.sh/contact).
+
+:::
+
+Ory Identities supports protecting the registration and login endpoints with captcha challenges. This is useful to prevent
+credential stuffing, brute force and other automated attacks.
+
+Supported captcha providers are:
+
+- [Cloudflare Turnstile](https://developers.cloudflare.com/turnstile)