Categories
Environment
Detects automation frameworks and headless browser indicators. Checks for:- WebDriver API presence (
navigator.webdriver) - Automation globals (
__playwright,__selenium,cdc_*) - Headless browser markers (zero plugins, missing APIs)
- Stealth plugin artifacts
Fingerprint
Analyzes the device’s hardware and software configuration for consistency:- WebGL renderer and extensions
- Canvas and audio fingerprinting
- Screen geometry anomalies
- Anti-detect browser noise patterns
Event trust
Distinguishes synthetic events from genuine user input. Like environment and fingerprint, this is a deterministic category:isTrusted === falseon pointer, keyboard, or touch events- Events dispatched with no corresponding hardware movement (e.g. a click with no preceding
mousemove) - Injected or replayed event sequences
Behavioral
Observes how the user interacts with the page. This spans three scoring categories — mouse, keyboard, and touch:- Mouse movement patterns (linearity, speed, Fitts’ Law compliance)
- Keyboard timing (inter-keystroke intervals, rollover patterns)
- Touch dynamics (for mobile devices)
- Form interaction timing
inconclusive verdicts.
Timing
Measures temporal patterns:- Time to first interaction
- Form completion speed
- Suspiciously regular intervals (100ms, 250ms, 500ms)
Anti-tamper
Server-side cross-validation of client-reported data:- User-Agent vs HTTP headers consistency
- TLS fingerprint (JA4) vs claimed browser
- Network characteristics vs device claims
How categories combine
The scoring pipeline weights each category and combines them:- Short-circuit — definitive signals (e.g.,
navigator.webdriver === true) immediately produce abotverdict - Weighted combination — non-definitive signals are combined with category weights
- Corroboration — behavioral signals alone cannot produce a
botverdict without deterministic corroboration - Normalization — final score mapped to an integer
risk_scorein the range0–100via a sigmoid function
What’s next
- Verdicts & scoring — how scores map to verdicts
- How it works — the full detection pipeline