Bot Mitigation: An Ever-Evolving Battle
In the digital landscape, bot mitigation is a continuous, adversarial game. Attackers adapt, defenders react, and the cycle perpetuates. At Cloudflare, we strive to stay ahead by blending visibility across our expansive global network with signals from the client-side environment. At the network level, analyzing more than 1 trillion requests daily helps us understand reputation, patterns, and anomalies across over 20% of the web. On the client side, our approach has evolved, notably with Cloudflare Turnstile, transitioning from a CAPTCHA replacement to a managed, risk-based challenge that adjusts the level of friction required to verify user authenticity.
Currently, Turnstile is executed nearly 3 billion times daily on some of the Internet’s most sensitive endpoints, assisting in user verification at critical moments such as login, registration, and checkout. While this enhances protection for the most crucial areas of customer applications, it leaves a visibility gap in understanding how humans and bots interact across the entire user journey.
Introducing Precursor: Bridging the Visibility Gap
This visibility gap is being addressed with the launch of Precursor. Precursor is a client-side, session-based verification system designed with privacy in mind. It uses dynamically injected JavaScript to continuously collect behavioral signals as visitors interact with your app. These signals are processed and integrated into Cloudflare’s bot protection in real-time, allowing us to continuously distinguish human traffic from automated or agent traffic.
Extending client-side detections offered by a Challenge to your entire web application, Precursor is an optional add-on to Turnstile — both are features of our Enterprise Bot Management. This user journey-based detection is powerful because modern automation is increasingly capable of appearing legitimate over short periods. Bots can execute JavaScript, use real browser environments, and transmit individual CAPTCHAs without arousing suspicion. However, replicating consistent human behavior over time remains challenging.
Understanding Human Behavior: The Key to Bot Detection
Precursor is designed to capture this layer of interaction, turning behavior itself into a reliable signal to detect fraud and abuse. By evaluating behavior over an entire session, Precursor adds significantly more signal to each decision. This improves detection accuracy, making it easier to distinguish real users from automation without resorting to aggressive challenges. For legitimate users, Precursor means fewer unnecessary interruptions. For bot developers, this increases the cost of automating operations by requiring them to simulate an entire session. It’s much harder to build, more expensive to maintain, and much less reliable to operate on a large scale.
When a robot developer tries to make a mouse movement look human, they usually add Gaussian noise or uniform random delays. But human movement is not only “noisy”, it is also constrained by physics:
Wrist Pivot: A human mouse’s movement is often an arc, limited by wrist reach and forearm rotation.
Cognitive load: There is a measurable delay between when a human sees a checkbox and when they click on it.
Hand tremor: Even the most stable human hand oscillates at a physiological tremor frequency.
Robots, on the other hand, often behave in ways that give them away. They move according to linear interpolations or mathematically ideal Bézier curves. They click with a precision that humans could never duplicate. And even when they manage to simulate human error, there is a rhythm to human movements that can only be seen by examining an entire session.
Mouse movement is just one example of the signals Precursor evaluates, but it clearly illustrates the difference. Below is an example of a mouse automation library interacting with a site. You can see how the mouse moves in perfectly straight lines, always returns to its origin, and reacts with the same speed.
Now compare that to a human navigating the same site: you see irregular trajectories, small corrections and overruns, and variations in speed, timing, and direction.
Individually, these interactions may seem plausible. But over the course of a session, these patterns diverge in ways that are difficult to simulate. Precursor is designed to capture and evaluate these behavioral signatures as they develop over the course of a visitor’s interaction with an application.
The Four Layers of Precursor
To evaluate behavior over time, Precursor continuously collects customer interaction data and creates a session-level view of activity for that site.
Injection and Collection Layer
When Precursor is enabled on your application, Cloudflare automatically injects lightweight script into your site’s HTML responses as they pass through our network, with no additional configuration, network connection, or third-party integration required. The injected precursor bundle is compact, obscured, and dynamically assembled for each response. The assembly is designed not to interfere with any additional page logic of the hosted web application.
The script combines lightweight event listeners to capture interaction signals such as pointer movement, keyboard activity, focus changes, and visibility. These events are serialized into a compact format and buffered. At regular intervals, the buffered data is returned to the evaluation layer for analysis.
Evaluation Layer
On the Edge Server, incoming Precursor payloads are deserialized into behavioral inputs. A dispatcher manages a list of evaluators on the input data. Each evaluator reads the Precursor streams of interest and can emit signals into the shared detection register.
Evaluators are designed to cross-reference data. For example, they confirm that pointer activity correlates with page visibility duration, or that keyboard events only fire when a text field is selected. This information flow is then consolidated into individual signals used to weight detections.
Session Integration
Precursor data is session-limited, meaning it accumulates throughout a session. Session scope is important because it means a bot cannot reset its behavioral signature by refreshing the page or starting over with a new challenge. The system also feeds session metadata into downstream detection layers for additional shadow mode heuristics and session analysis, predicted versus actual completion, and session delinquency heuristics. These edge observations are recorded for the purposes of improving detection and to adjust the bot score of a session.
Privacy by Design
Precursor was designed to collect signals to distinguish human models from automated and abusive models. Event listeners capture the minimum amount of information necessary to provide a useful signal for detecting automation and abuse. For example, keyboard activity is captured as timing and rhythm, not as actual keys pressed. Additionally, behavioral signals are evaluated as aggregated patterns rather than individual actions and are consumed internally by Cloudflare’s bot detection systems; they are not exposed to customer dashboards or linked to user accounts, login identities, or persistent profiles.
Together, this allows Precursor to maintain an ever-changing assessment of behavior, maximizing accuracy while minimizing friction on the right users.
Enhanced Security Analytics: A New Perspective
To support this new detection layer, we are introducing session-based views in Security Analytics. These dashboards shift the perspective from individual requests to complete visitor journeys. You can now answer questions like:
What does a typical session look like on my site?
Where do sessions deviate from expected behavior?
Which sessions show signs of automation over time?
Use Security Analytics to explore session-based views for your bot management traffic. These analytics now capture information that per-query analytics can’t capture, particularly the behavior that occurs between queries. Precursor directly feeds into existing systems like bot scoring, challenge decisions, and security rules, so you benefit from this additional context immediately.
Precursor provides the foundation for extending bot detection across the entire application. We continue to expand the range and depth of behavioral signals for security, how session-level information influences our bot management protections, and new ways to view and act on session data. As bots evolve, detection must go beyond isolated checkpoints and become part of the full flow of user activity.
Getting Started with Precursor
Precursor is currently rolling out and can be activated directly from your Cloudflare dashboard. Precursor will be free to use until our GA release later this year. Getting started is simple: enable Precursor for your zone and choose the level of rigor with which you want to check sessions. You can run it in low-friction mode to observe background behavior, or require a fully verified session by applying challenges if a session doesn’t already exist.
Once enabled, Precursor immediately begins improving your existing bot defenses, with no changes required to your application. If you already use Bot Management or Turnstile, Precursor extends these protections beyond challenges and into the rest of the session. Enable Precursor to extend detection to the entire user session, including between-time activity that you are already protecting.
For more details, visit the official announcement here.
“`

