Traces how Cloudflare Turnstile works end to end: the widget script, the challenge token it issues, the siteverify server check, the browser signals it gathers in place of a puzzle, and its cookie-free privacy posture.
Traces Cloudflare's challenge taxonomy: the JS (non-interactive) challenge, the managed challenge, the deprecated interactive challenge, and the retired CAPTCHA, along with when each fires, what each measures, and how the clearance levels differ.
How Arkose Labs' FunCaptcha works: why it ships interactive games instead of text, the encrypted bda fingerprint that decides difficulty, the gt2/gfct/verify token flow, and the economic model behind the challenge design.
Traces the Arkose Bot Manager session from the client-side enforcement token to the server-side Verify API, the risk fields it returns, and how challenge difficulty scales with the telemetry behind each session.
How reCAPTCHA v3 turns a page visit into a 0.0 to 1.0 risk score: the grecaptcha.execute flow, the action tags, the signals Google admits to, the reason codes, and why the score is really a reputation lookup.
Traces how reCAPTCHA v2 actually works: the anchor checkbox, the bframe image-grid challenge, the api2 anchor/reload/userverify endpoints, and the g-recaptcha-response token from issuance to its two-minute expiry.
What reCAPTCHA Enterprise adds over the free v3 tier: reason codes, Account Defender, MFA, eleven score levels, password-leak detection over private set intersection, the assessment API, and the per-assessment pricing model.
Traces hCaptcha end to end: the sitekey and api.js widget, the getcaptcha challenge fetch, the hsw proof-of-work stamp, the h-captcha-response passcode redeemed at siteverify, and the Privacy Pass token path.
A head-to-head technical comparison of hCaptcha and reCAPTCHA: how each scores traffic, where their score scales invert, the image-challenge design, the privacy split, and the 2020-era migrations that put hCaptcha on millions of sites.
Twenty-eight years of trying to tell humans from machines, traced through the original patents, papers, and announcements. Distorted text, reCAPTCHA, the checkbox, invisible scoring, signed agents.
Traces how CAPTCHA solving is operationalized: the human-farm relay, the shift to ML and audio-transcription solvers, the per-solve price curve from 2010 to 2026, and the latency-accuracy-binding tradeoffs that decide whether a token is worth anything.
Traces the 2024-2025 ClickFix and fake-CAPTCHA wave: how attackers dress malware delivery in Cloudflare and reCAPTCHA UX, push commands through the clipboard, and gate payloads so automated analysis sees nothing.
Traces FunCaptcha from Kevin Gosschalk's game-dev roots and the 2014-era rotate-the-image challenge to the Arkose Labs rebrand, the MatchKey suite, and the cost-of-attack model now defending Twitter, Microsoft and OpenAI.
How reCAPTCHA went from a crowdsourced OCR project at Carnegie Mellon in 2007 to Google's invisible risk-scoring engine, traced through the original Science paper, announcements, and version changes.
Two decades of the market that sells CAPTCHA solutions: the human-solver farms, the wage economics that gutted text CAPTCHAs, the OCR and audio breaks, and the multimodal-model solvers of 2026.