How we see what bots hide.
Four independent signal layers. Cross-layer validation. Deterministic scoring. From first packet to verdict in under 500 microseconds — without running a single line of JavaScript on your visitor's browser.
Four independent signal layers.
TLS handshake
- JA4/JA3 fingerprint
- Cipher-suite order
- TLS extensions
- ALPN, signature algorithms
TCP/IP stack
- Initial TTL
- TCP window size
- Maximum segment size
- TCP options order
Temporal behavior
- Inter-packet timing
- RTT distribution
- Connection reuse patterns
- Burstiness signatures
HTTP/2 behavior
- Header order
- H2 SETTINGS frame
- Pseudo-header ordering
- Priority frames
From packet to verdict.
Connection arrives
Before the page even loads, we see what OS the client is running on. TTL, TCP window and segment size give away the family.
TTL · Window · MSS → OS family
TLS handshake
Every browser has a unique encryption handwriting — the set and order of ciphers, extensions, supported groups. Impossible to fake from user space.
JA3 / JA4 · cipher suites · extensions
HTTP/2 analysis
Header order and HTTP/2 settings frame expose the real client library — even when the User-Agent claims otherwise.
H2 SETTINGS · header order · UA cross-check
Deterministic scoring
Four data layers merge into a single 0–100 score via a 7-step deterministic pipeline. Mathematically proven, no ML guessing.
7-step scoring · kill switch · <500μs
Verdict
Human → pass. Suspicious → challenge or clean. Bot → drop. Every decision is explainable and logged.
Real · Clean · Drop
Protect your traffic with formally verified detection.