How Arkose Labs' FunCaptcha works: why it ships interactive games instead of text, the encrypted bda fingerprint that decides difficulty, the gt2/gfct/verify token flow, and the economic model behind the challenge design.
Traces the Arkose Bot Manager session from the client-side enforcement token to the server-side Verify API, the risk fields it returns, and how challenge difficulty scales with the telemetry behind each session.
How F5 Shape Defense works: the obfuscated JavaScript agent and its rotating virtual machine, the client signals it collects, the Defense Engine that routes telemetry, and the AI cloud behind it, tracing the heritage back to Shape Security in 2011.
Traces how Shape Security's bot-detection stack became F5 Distributed Cloud Bot Defense: the client-side JavaScript and mobile SDK, the connector model, the telemetry path to the inference engines, and where the system sits in 2026.
What a virtual waiting room actually does, what an HTTP client has to handle to walk through it the way a browser would, and the five layers any client needs to model correctly.
How reCAPTCHA v3 turns a page visit into a 0.0 to 1.0 risk score: the grecaptcha.execute flow, the action tags, the signals Google admits to, the reason codes, and why the score is really a reputation lookup.
Traces how reCAPTCHA v2 actually works: the anchor checkbox, the bframe image-grid challenge, the api2 anchor/reload/userverify endpoints, and the g-recaptcha-response token from issuance to its two-minute expiry.
What reCAPTCHA Enterprise adds over the free v3 tier: reason codes, Account Defender, MFA, eleven score levels, password-leak detection over private set intersection, the assessment API, and the per-assessment pricing model.
Traces hCaptcha end to end: the sitekey and api.js widget, the getcaptcha challenge fetch, the hsw proof-of-work stamp, the h-captcha-response passcode redeemed at siteverify, and the Privacy Pass token path.
A head-to-head technical comparison of hCaptcha and reCAPTCHA: how each scores traffic, where their score scales invert, the image-challenge design, the privacy split, and the 2020-era migrations that put hCaptcha on millions of sites.
Traces how bot-mitigation is packaged and sold: per-request and per-domain pricing, enterprise floors, the consolidated vendor market, the merger history that shaped it, and the buy-versus-build math behind a detection contract.
Traces the honeypot technique family used to catch automation cheaply: hidden form fields, off-screen decoy links, and submission-timing checks, plus why each one fails against a browser-driving bot and where the false positives hide.
A reference on the JS-runtime fingerprinting surface: error stack formats, Function.prototype.toString, feature and timing probes, property enumeration order, and the engine quirks that betray a patched or automated browser.
What a ClientHello actually contains, why JA3 worked for six years and then stopped, and what JA4 fixes, with a Python reference you can run against your own packet captures.
A reference on the architectural split in bot detection: which signals a server can read from the network alone, which need JavaScript running in the client, the tradeoffs of each, and why modern stacks run both at once.
Traces proof-of-work as an anti-bot primitive: the asymmetric-cost idea from Hashcash, how Kasada, hCaptcha, Anubis, and mCaptcha apply it, the economics of the tax, and where native solvers break it.
How device fingerprinting works in anti-bot stacks, traced through FingerprintJS open-source and Pro: the signal set, the entropy budget that makes a visitor ID unique, why client-side hashes drift, and how it differs from bot detection.
Traces how anti-bot systems classify an IP at the network layer: ASN reputation, datacenter-versus-residential-versus-mobile labelling, IP-quality scoring, known-proxy feeds, and why even a clean home IP still leaks.
Twenty-eight years of trying to tell humans from machines, traced through the original patents, papers, and announcements. Distorted text, reCAPTCHA, the checkbox, invisible scoring, signed agents.
A vendor-neutral reference on virtual waiting rooms: the admission model behind the token bucket, FIFO versus random ordering, the cookie that holds your place, and the split between inbound and active users.
Traces Queue-it's edge and server-side connector model from the inside: how the queue token is signed and parsed, how the QueueITAccepted cookie is minted and re-validated, and how safety-net mode and triggers decide who waits.
Traces how Cloudflare Waiting Room queues traffic from the edge: the encrypted __cfwaitingroom cookie, the total-active-users and new-users-per-minute limits, the estimated-wait math, and the Durable Object hierarchy that counts users across 300-plus data centers.
Traces how Akamai runs visitor queueing at the CDN edge, from the percentage-based Visitor Prioritization cloudlet to EdgeWorkers connectors that validate queue tokens locally, and how that compares to a dedicated queue vendor.
How Ticketmaster's layered defense fits together: pre-registration identity gating, the randomized waiting room, rotating-barcode SafeTix, and the scalper arms race, read through the 2022 Taylor Swift collapse.