> ## Documentation Index
> Fetch the complete documentation index at: https://usefoil.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Detection categories

> Learn how Foil scores sessions across environment, fingerprint, behavioral, timing, and anti-tamper detection categories to produce a verdict.

Foil evaluates every session across multiple detection categories. Each category contributes independently to the final verdict, and the scoring pipeline combines them with weighted confidence.

## Categories

### Environment

Detects automation frameworks and headless browser indicators. Checks for:

* WebDriver API presence (`navigator.webdriver`)
* Automation globals (`__playwright`, `__selenium`, `cdc_*`)
* Headless browser markers (zero plugins, missing APIs)
* Stealth plugin artifacts

Environment signals are **deterministic** — when present, they produce high-confidence bot verdicts.

### Fingerprint

Analyzes the device's hardware and software configuration for consistency:

* WebGL renderer and extensions
* Canvas and audio fingerprinting
* Screen geometry anomalies
* Anti-detect browser noise patterns

Fingerprint signals detect spoofed or manipulated device profiles.

### Event trust

Distinguishes synthetic events from genuine user input. Like environment and fingerprint, this is a **deterministic** category:

* `isTrusted === false` on pointer, keyboard, or touch events
* Events dispatched with no corresponding hardware movement (e.g. a click with no preceding `mousemove`)
* Injected or replayed event sequences

Event-trust violations are strong, low-noise indicators of automation.

### Behavioral

Observes how the user interacts with the page. This spans three scoring categories — **mouse**, **keyboard**, and **touch**:

* Mouse movement patterns (linearity, speed, Fitts' Law compliance)
* Keyboard timing (inter-keystroke intervals, rollover patterns)
* Touch dynamics (for mobile devices)
* Form interaction timing

Behavioral signals require user interaction. Sessions evaluated before interaction may produce `inconclusive` verdicts.

### Timing

Measures temporal patterns:

* Time to first interaction
* Form completion speed
* Suspiciously regular intervals (100ms, 250ms, 500ms)

### Anti-tamper

Server-side cross-validation of client-reported data:

* User-Agent vs HTTP headers consistency
* TLS fingerprint (JA4) vs claimed browser
* Network characteristics vs device claims

Anti-tamper signals are **server-side only** and cannot be spoofed from the browser.

## How categories combine

The scoring pipeline weights each category and combines them:

1. **Short-circuit** — definitive signals (e.g., `navigator.webdriver === true`) immediately produce a `bot` verdict
2. **Weighted combination** — non-definitive signals are combined with category weights
3. **Corroboration** — behavioral signals alone cannot produce a `bot` verdict without deterministic corroboration
4. **Normalization** — final score mapped to an integer `risk_score` in the range `0`–`100` via a sigmoid function

## What's next

* [Verdicts & scoring](/verdicts-and-scoring) — how scores map to verdicts
* [How it works](/how-it-works) — the full detection pipeline
