3 min Security

Cloudflare introduces bot detection that analyzes the entire browser session

Cloudflare introduces bot detection that analyzes the entire browser session

Cloudflare has made Precursor generally available. This is a new bot detection technique that not only checks visitors upon entry but also analyzes their behavior throughout an entire browser session. According to the company, this approach is necessary now that automated internet traffic has surpassed traffic from human users for the first time.

Traditional security measures, such as CAPTCHAs and other challenge mechanisms, typically assess a single, isolated moment, for example, during login. Precursor, on the other hand, continuously collects signals throughout a session to determine whether the behavior matches that of a human user. This shifts bot detection from a snapshot to an ongoing behavioral analysis.

According to Cloudflare, this is necessary because modern bots have become increasingly adept at bypassing one-time security checks. The company says that convincingly mimicking an entire user session, including the small irregularities that characterize human behavior, is significantly more difficult.

“Traditional security checks assess only a single moment, while modern bots are now smart enough to work their way around them,” says Cloudflare CTO Dane Knecht. “By looking at behavior throughout an entire visit, we make it much harder for attackers to impersonate human users.”

Testing human behavior

In an explanation of the technology, Cloudflare states that Precursor does not so much attempt to determine whether a visitor is a human or a bot, but rather whether the behavior during a session is credibly human. To do this, the software analyzes a combination of browser signals that collectively form a behavioral profile.

According to Cloudflare, it is precisely the imperfection of human behavior that makes the difference. People hesitate, correct themselves, and exhibit slight variations while using a website. Bots can introduce randomness to appear human, but the company says that mimicking natural behavior over the long term remains a much greater challenge.

Cloudflare emphasizes that the solution does not record keystrokes or other personal input. The analysis is based on aggregated behavioral patterns and timing information.

Complement to existing security

According to Cloudflare, Precursor is not a replacement for existing security measures such as Turnstile, but rather an additional layer. Because the technology continues to track a visitor throughout the entire session, the risk assessment can be continuously adjusted. A bot cannot easily circumvent this analysis by refreshing a page or initiating a new request.

The technology runs on Cloudflare’s edge infrastructure and, according to the company, can be enabled without any changes to the website’s code.

Cloudflare frames the launch in the context of the rapid growth of AI agents and other automated systems. According to the company, approximately 57 percent of all web requests now come from automated traffic. Cloudflare says this trend calls for security methods that look beyond individual requests and can assess behavior throughout an entire user session.