How to Identify the Anti-Bot Vendor From a Single Response


The first step of any scrape against a protected site is identifying which anti-bot vendor is in front of it. The vendor determines almost everything that comes next — which TLS profile to use, whether trust accumulates across requests, whether mid-session IP rotation is safe, and whether DIY bypass is even viable. This cheatsheet maps the six dominant vendors to the cookie names, response headers, JavaScript file paths, and block signatures you can read off a single HTTP response.

Quick facts

Vendors covered: Akamai, Cloudflare, DataDome, PerimeterX, Kasada, F5 Shape
Detection time: A single HTTP response is usually enough — sometimes the TLS handshake alone
Fastest signal: Response Set-Cookie names (one regex)
Most ambiguous: Cloudflare — present on ~20% of all sites, often with no Bot Management enabled
When this matters: Before picking your tool — DIY, curl_cffi, patched browser, or managed API

The cheatsheet

Read this table top-to-bottom. The first row that matches the response wins — vendors do not stack on the same hostname and path.

| Vendor | Cookies | Headers | JS / block signature |
| --- | --- | --- | --- |
| Akamai Bot Manager | _abck, bm_sz, ak_bmsc | Server: AkamaiGHost | Inlined ~512 KB sensor.js; block body Pardon Our Interruption on 412 |
| Cloudflare Bot Management / Turnstile | cf_clearance, __cf_bm | Server: cloudflare, cf-ray, cf-mitigated: challenge | /cdn-cgi/challenge-platform/ assets; Turnstile widget at challenges.cloudflare.com; Error 1015 on rate limit |
| DataDome | datadome, dd_cookie_test_* | x-datadome-cid, x-dd-b | JS at /js/datadome.js; WASM boring_challenge; CAPTCHA at geo.captcha-delivery.com |
| PerimeterX (HUMAN) | _px3, _pxhd, _pxde, _pxvid | x-px-* family | JS at /init.js served from client.px-cdn.net; Human Challenge press-and-hold widget |
| Kasada | x-kpsdk-ct, x-kpsdk-cd | x-kpsdk-* response headers | Polymorphic ips.js (renamed per deployment); silent 403 / 429 with no challenge UI |
| F5 Shape Security | reese84, TS* | Custom TS* set-cookies | Custom JS VM bytecode; $rsc= URL params; minute-cadence token rotation |

Identification workflow on a single response

The cheapest reliable detector is a regex over Set-Cookie headers, with the Server header as a tiebreaker for Cloudflare. In order:

  1. Cookies first. Match the cookie names above against the response Set-Cookie headers. Akamai, DataDome, PerimeterX, Kasada, and F5 Shape all set distinctive names on the first response.
  2. Server header second. Server: cloudflare + cf-ray confirms Cloudflare is in front, but Cloudflare without Bot Management enabled looks identical to Cloudflare with it. Look for cf-mitigated or a Turnstile script tag to tell the difference.
  3. HTML body third. If you got an HTML response, search for the script src: sensor.js (Akamai), /cdn-cgi/challenge-platform/ (Cloudflare), captcha-delivery.com (DataDome), px-cdn.net (PerimeterX), challenges.cloudflare.com (Turnstile).
  4. Block body fourth. Once blocked, the body itself is diagnostic — Pardon Our Interruption is Akamai, Just a moment… is Cloudflare, the captcha-delivery.com iframe is DataDome.
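
The four-step order above as an offline classifier over captured responses, for example to check which protection layer actually answers on hostnames you operate. This is an added example, not the page's code: the function name, result labels and sample responses are constructed, and the signatures are the ones listed in the cheatsheet table.

```python
import re

# Step 1 signatures: cookie names from the cheatsheet table, in table order.
COOKIE_SIGS = [
    ("akamai", re.compile(r"^(_abck|bm_sz|ak_bmsc)$")),
    ("cloudflare", re.compile(r"^(cf_clearance|__cf_bm)$")),
    ("datadome", re.compile(r"^(datadome|dd_cookie_test_.*)$")),
    ("perimeterx", re.compile(r"^_px(3|hd|de|vid)$")),
    ("kasada", re.compile(r"^x-kpsdk-(ct|cd)$")),
    ("f5_shape", re.compile(r"^(reese84|TS[0-9a-f]+)$")),
]
# Steps 3-4 signatures: script sources and block-page text named in the workflow.
BODY_SIGS = {
    "akamai": ("sensor.js", "Pardon Our Interruption"),
    "cloudflare": ("/cdn-cgi/challenge-platform/", "challenges.cloudflare.com", "Just a moment"),
    "datadome": ("captcha-delivery.com",),
    "perimeterx": ("px-cdn.net",),
}

def classify(headers, body=""):
    """Classify one captured response. headers is a list of (name, value) pairs
    so repeated Set-Cookie headers survive. Returns (label, deciding_step)."""
    hdr = {k.lower(): v for k, v in headers}
    names = [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]
    hits = [vendor for vendor, pat in COOKIE_SIGS if any(pat.match(n) for n in names)]
    # The table also lists x-kpsdk-* as plain response headers.
    if "kasada" not in hits and any(k.startswith("x-kpsdk-") for k in hdr):
        hits.append("kasada")
    if len(hits) > 1:  # FAQ: several rows matching usually means a redirect was merged in
        return ("ambiguous:" + ",".join(hits), "cookies")
    if hits:
        return (hits[0], "cookies")
    # Step 2: Server + cf-ray proves the CDN only; challenge evidence proves the bot product.
    if hdr.get("server", "").lower() == "cloudflare" and "cf-ray" in hdr:
        challenged = "cf-mitigated" in hdr or any(m in body for m in BODY_SIGS["cloudflare"])
        return ("cloudflare" if challenged else "cloudflare_cdn_only", "server-header")
    for vendor, markers in BODY_SIGS.items():  # steps 3-4
        if any(m in body for m in markers):
            return (vendor, "body")
    return ("none_detected", "none")

# Constructed sample responses (not captured from any real site).
CDN_ONLY = [("Server", "cloudflare"), ("CF-RAY", "constructed-ray-id")]
CHALLENGED = CDN_ONLY + [("cf-mitigated", "challenge")]
AKAMAI = [("Server", "AkamaiGHost"), ("Set-Cookie", "_abck=constructed; Path=/"),
          ("Set-Cookie", "bm_sz=constructed; Path=/")]
MIXED = AKAMAI + [("Set-Cookie", "datadome=constructed; Path=/")]

if __name__ == "__main__":
    for sample in (CDN_ONLY, CHALLENGED, AKAMAI, MIXED):
        print(classify(sample))
```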

What to do once you have identified the vendor

The vendor determines the next move more than the target itself does:

  • Akamai — try the mobile API first; if forced to the web, use one ISP residential IP for the whole session and curl_cffi with impersonate="chrome131", or a Go TLS reimplementation for hard deployments.
  • Cloudflare — curl_cffi handles unprotected Cloudflare; Bot Management plus Turnstile needs a real browser or managed API.
  • DataDome — per-request scoring means IP quality matters more than session continuity. Mobile or residential IP + curl_cffi is the common bypass; check for __NEXT_DATA__ in the HTML before going browser-mode.
  • PerimeterX — reputation is shared across all customer sites, so a burned fingerprint is burned globally. Camoufox + clean residential is the typical play.
  • Kasada — Function.prototype.toString() inspection means runtime JS patches lose; PatchRight (source-level Python patches) is the working tool.
  • F5 Shape — the custom JS VM and minute-cadence token rotation make DIY uneconomical. Use a managed API.

Code example

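```python
# Minimal vendor detector — point it at any URL and read off the result
import re
from curl_cffi import requests

# Patterns run over the Set-Cookie lines plus the response header names.
VENDOR_COOKIES = {
    "akamai":      re.compile(r"\b(_abck|bm_sz|ak_bmsc)="),
    "cloudflare":  re.compile(r"\b(cf_clearance|__cf_bm)="),
    "datadome":    re.compile(r"\bdatadome="),
    "perimeterx":  re.compile(r"\b_px[a-z0-9]*="),   # digits allowed so _px3 matches
    "kasada":      re.compile(r"\bx-kpsdk-", re.I),  # header names may be lower- or mixed-case
    "f5_shape":    re.compile(r"\b(reese84|TS[0-9a-f]+)="),
}

def detect_vendor(url: str) -> str:
    r = requests.get(url, impersonate="chrome131", allow_redirects=True, timeout=15)
    # Keep every Set-Cookie line; fall back to the stringified headers if get_list is missing.
    if hasattr(r.headers, "get_list"):
        cookies = r.headers.get_list("set-cookie")
        # Header names are included so Kasada's x-kpsdk-* response headers are visible.
        blob = "\n".join(cookies + list(r.headers.keys()))
    else:
        blob = str(r.headers)
    for vendor, pat in VENDOR_COOKIES.items():
        if pat.search(blob):
            return vendor
    if r.headers.get("server", "").lower() == "cloudflare":
        if "cf-mitigated" in r.headers:
            return "cloudflare"     # a challenge fired, so Bot Management is active
        return "cloudflare_no_bm"   # Cloudflare CDN seen, no Bot Management signal on this response
    return "none_detected"

if __name__ == "__main__":
    print(detect_vendor("https://example.com/"))
```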

Frequently asked questions

Can two anti-bot vendors stack on the same hostname?

Almost never on the same path. A site may use Cloudflare as its CDN while running DataDome on its API subdomain, but a single response will only carry one vendor’s cookies. If a regex matches multiple rows of the cheatsheet, the request was probably redirected — re-check the final response after following redirects.

Why does Cloudflare need a tiebreaker step?

Roughly 20% of the public internet sits behind Cloudflare’s CDN, but only a fraction has Bot Management enabled. The cf_clearance cookie and cf-mitigated header only appear once a challenge has fired. A plain cf-ray header with no challenge assets in the HTML means the CDN is there but the bot product is not.

Is the cookie name enough, or do I need to inspect the body too?

Cookie names alone are enough for routing decisions (which TLS profile, which proxy type). Body inspection becomes necessary only when you want to distinguish bot-management-on from bot-management-off (Cloudflare), or when the response is already a block page and you need to know which type of challenge to solve.

How often do these signatures change?

The cookie names above have been stable for years across all six vendors — they are interfaces that the vendors’ own customer-side code depends on, so they cannot be rotated cheaply. The JavaScript file names and block-page text rotate occasionally (Kasada’s ips.js is the most aggressive — renamed per deployment) but the cookie surface is durable.

Last updated: 2026-05-27