Traces what DataDome evaluates on the very first request, before any JavaScript runs: the TLS/JA4 fingerprint, the HTTP/2 frame profile, the header set, and IP and ASN reputation, and how those signals stack into one decision.
Traces how DataDome turns an HTTP request into an allow, challenge, or block verdict at the edge: the module-to-API split, the form fields it ships, the regional inference layer, and the latency budget that keeps it synchronous.
Traces the datadome cookie end to end: how it is issued after a challenge, what the 128-byte token encodes, when it rotates, how long it lives, and how the edge validates it on every request through the Protection API.
How Akamai Bot Manager turns edge signals and JavaScript telemetry into a 0-to-100 bot score, the response segments that map score ranges to actions, and the headers it forwards to your origin.
Traces the bm_sz cookie, the pixel challenge that mints ak_bmsc, and the sec-cpt proof-of-work interstitial that sits alongside _abck, and why a client that only validates _abck still gets challenged or dropped.
Traces Akamai Bot Manager from its February 2016 debut and the December 2016 Cyberfend acquisition through Bot Manager Premier, Account Protector, Content Protector, and the v3 sensor era as it stands in 2026.
Traces HUMAN's _px3 risk cookie end to end: the salt:iterations:ciphertext wire format, the AES-CBC and PBKDF2 layer, the HMAC bound to the user agent, the score and action fields, and how _pxhd and _pxvid sit alongside it.
Traces how HUMAN Security aggregates signals across its customer base, from its White Ops ad-fraud heritage to the Satori threat-intel disruptions, and what the collective-defense model can and cannot see.
How Cloudflare turns every request into a single 1-99 bot score: the heuristics, machine-learning, behavioral, and JS-detection engines behind it, the verified-bots allowlist, and how the number reaches a WAF rule.
A reference on Cloudflare's cf_clearance cookie: when a passed challenge issues it, what it is bound to, its zone scope and partitioned cross-site behaviour, its configurable lifetime, and why a stolen copy does not travel.
Traces Cloudflare's challenge taxonomy: the JS (non-interactive) challenge, the managed challenge, the deprecated interactive challenge, and the retired CAPTCHA, when each fires, what each measures, and how the clearance levels differ.
A reference on Kasada's automation-detection layer: how it spots Chrome DevTools Protocol instrumentation, Playwright and Puppeteer artifacts, and patched stealth runtimes that lie about themselves.
Traces the cookies Imperva (formerly Incapsula) keeps in the browser: the ___utmvc RC4 cookie, the reese84 sensor token, and the visid_incap and incap_ses session pair, and how the layers fit together. Notes documented versus inferred throughout.
Traces the Arkose Bot Manager session from the client-side enforcement token to the server-side Verify API, the risk fields it returns, and how challenge difficulty scales with the telemetry behind each session.
How F5 Shape Defense works: the obfuscated JavaScript agent and its rotating virtual machine, the client signals it collects, the Defense Engine that routes telemetry, and the AI cloud behind it, tracing the heritage back to Shape Security in 2011.
Traces how Shape Security's bot-detection stack became F5 Distributed Cloud Bot Defense: the client-side JavaScript and mobile SDK, the connector model, the telemetry path to the inference engines, and where the system sits in 2026.
How reCAPTCHA v3 turns a page visit into a 0.0 to 1.0 risk score: the grecaptcha.execute flow, the action tags, the signals Google admits to, the reason codes, and why the score is really a reputation lookup.
What reCAPTCHA Enterprise adds over the free v3 tier: reason codes, Account Defender, MFA, eleven score levels, password-leak detection over private set intersection, the assessment API, and the per-assessment pricing model.
Traces how bot-mitigation is packaged and sold: per-request and per-domain pricing, enterprise floors, the consolidated vendor market, the merger history that shaped it, and the buy-versus-build math behind a detection contract.
Traces the honeypot technique family used to catch automation cheaply: hidden form fields, off-screen decoy links, and submission-timing checks, plus why each one fails against a browser-driving bot and where the false positives hide.
A reference on the architectural split in bot detection: which signals a server can read from the network alone, which need JavaScript running in the client, the tradeoffs of each, and why modern stacks run both at once.
Traces proof-of-work as an anti-bot primitive: the asymmetric-cost idea from Hashcash, how Kasada, hCaptcha, Anubis, and mCaptcha apply it, the economics of the tax, and where native solvers break it.
Traces how anti-bot systems classify an IP at the network layer: ASN reputation, datacenter-versus-residential-versus-mobile labelling, IP-quality scoring, known-proxy feeds, and why even a clean home IP still leaks.
How Ticketmaster's layered defense fits together: pre-registration identity gating, the randomized waiting room, rotating-barcode SafeTix, and the scalper arms race, read through the 2022 Taylor Swift collapse.