How to Identify the Anti-Bot Vendor From a Single Response

Paste into ChatGPT, Claude, or any LLM

On this page

A useful first step when working with any protected site you are authorized to access is identifying which anti-bot vendor sits in front of it. The vendor is the security product the site operator has deployed, and recognizing it explains a great deal about how the site behaves — which TLS profile a browser presents (TLS is the encryption layer behind https, and the "profile" is the fingerprint a client presents during the handshake), how trust accumulates across requests, and how each product structures its session state. This cheatsheet maps the six most common vendors to the cookie names, response headers, JavaScript file paths, and block signatures you can read off a single HTTP response. It is a reference for understanding what you are looking at, not an instruction set for circumventing any system.

Vendors covered	Akamai, Cloudflare, DataDome, PerimeterX, Kasada, F5 Shape
Detection time	A single HTTP response is usually enough — sometimes the TLS handshake alone
Fastest signal	Response Set-Cookie names (one regex)
Most ambiguous	Cloudflare — present on ~20% of all sites, often with no Bot Management enabled
When this matters	Understanding a site's architecture before integrating with it

The cheatsheet

Read this table top-to-bottom. The first row that matches the response wins — vendors do not stack on the same hostname and path, so once a row matches you have your answer.

Vendor	Cookies	Headers	JS / block signature
Akamai Bot Manager	`_abck`, `bm_sz`, `ak_bmsc`	`Server: AkamaiGHost`	Inlined ~512 KB `sensor.js`; block body Pardon Our Interruption on 412
Cloudflare Bot Management / Turnstile	`cf_clearance`, `__cf_bm`	`Server: cloudflare`, `cf-ray`, `cf-mitigated: challenge`	`/cdn-cgi/challenge-platform/` assets; Turnstile widget at `challenges.cloudflare.com`; Error 1015 on rate limit
DataDome	`datadome`, `dd_cookie_test_*`	`x-datadome-cid`, `x-dd-b`	JS at `/js/datadome.js`; WASM `boring_challenge`; CAPTCHA at `geo.captcha-delivery.com`
PerimeterX (HUMAN)	`_px3`, `_pxhd`, `_pxde`, `_pxvid`	`x-px-*` family	JS at `/init.js` served from `client.px-cdn.net`; Human Challenge press-and-hold widget
Kasada	`x-kpsdk-ct`, `x-kpsdk-cd`	`x-kpsdk-*` response headers	Polymorphic `ips.js` (renamed per deployment); silent 403 / 429 with no challenge UI
F5 Shape Security	`reese84`, `TS*`	Custom `TS*` set-cookies	Custom JS VM bytecode; `$rsc=` URL params; minute-cadence token rotation

Identification workflow on a single response

The cheapest reliable detector is a regex over the Set-Cookie headers (the headers where the server hands you cookies), with the Server header as a tiebreaker for Cloudflare. Work through these in order:

Cookies first. Match the cookie names above against the response Set-Cookie headers. Akamai, DataDome, PerimeterX, Kasada, and F5 Shape all set distinctive names on the very first response, so this alone usually identifies the vendor.
Server header second. Server: cloudflare plus cf-ray confirms Cloudflare is in front, but a Cloudflare site with Bot Management turned off looks identical to one with it on. Look for cf-mitigated or a Turnstile script tag to tell the two apart.
HTML body third. If you got an HTML response, search the script src attributes: sensor.js (Akamai), /cdn-cgi/challenge-platform/ (Cloudflare), captcha-delivery.com (DataDome), px-cdn.net (PerimeterX), challenges.cloudflare.com (Turnstile).
Block body fourth. Once you are blocked, the page itself is diagnostic — Pardon Our Interruption is Akamai, Just a moment… is Cloudflare, and the captcha-delivery.com iframe is DataDome.

How the vendors differ architecturally

Identifying the vendor explains how a site is built more than the site's own design does. Each product has a distinct architecture worth understanding when you integrate with a service you are permitted to access:

Akamai — frequently deployed on the web front-end while a brand's mobile API uses a simpler architecture; the web tier leans heavily on TLS-handshake and behavioural signals.
Cloudflare — a CDN with optional Bot Management and Turnstile layers; the same hostname can range from no bot product at all to full ML scoring, which is why the tiebreaker step matters.
DataDome — scores every request independently rather than building trust across a session, so IP reputation weighs heavily in its model. Some sites also embed data in __NEXT_DATA__ in the initial HTML.
PerimeterX (HUMAN) — reputation is shared across all of its customer sites, so a single fingerprint signal is evaluated network-wide rather than per-site.
Kasada — inspects client code with Function.prototype.toString(), which is why runtime JS patching is detectable and source-level approaches behave differently.
F5 Shape — a custom JS VM with minute-by-minute token rotation, the most engineering-intensive product to integrate against, which is why managed APIs are common for it.

Code example

python

# Minimal vendor detector — point it at any URL and read off the result
import re
from curl_cffi import requests

VENDOR_COOKIES = {
    "akamai":      re.compile(r"\b(_abck|bm_sz|ak_bmsc)="),
    "cloudflare":  re.compile(r"\b(cf_clearance|__cf_bm)="),
    "datadome":    re.compile(r"\bdatadome="),
    "perimeterx":  re.compile(r"\b_px[a-z]*="),
    "kasada":      re.compile(r"\bx-kpsdk-"),
    "f5_shape":    re.compile(r"\b(reese84|TS[0-9a-f]+)="),
}

def detect_vendor(url: str) -> str:
    r = requests.get(url, impersonate="chrome131", allow_redirects=True)
    blob = "\n".join(r.headers.get_list("set-cookie")) if hasattr(r.headers, "get_list") else str(r.headers)
    for vendor, pat in VENDOR_COOKIES.items():
        if pat.search(blob):
            return vendor
    if r.headers.get("server", "").lower() == "cloudflare":
        return "cloudflare_no_bm"   # Cloudflare CDN, Bot Management not enabled
    return "none_detected"

print(detect_vendor("https://example.com/"))

Related terms

What Is Akamai Bot Manager?

Akamai Bot Manager is an enterprise tool that websites use to tell real visitors apart from bots, and it guards roughly 30% of the Fortune 5…

What Is DataDome?

DataDome is a bot-protection vendor used on roughly 1,200 enterprise sites, scoring more than 5 trillion signals per day. Its job is to tell…

What Is Cloudflare Turnstile?

Cloudflare Turnstile is a service that checks whether a visitor is a real human, but without showing the kind of puzzle a normal CAPTCHA doe…

What Is PerimeterX (HUMAN)?

PerimeterX, now operating as part of HUMAN Security, is a bot-protection vendor whose biggest asset is its network. Bot protection means sof…

What Is Kasada?

Kasada is a bot-defense system that big retailers, ticketing sites, and sneaker drops put in front of their servers to manage automated traf…

What Is F5 Shape Security?

F5 Shape Security is the most sophisticated anti-bot product on the market — F5 paid $1 billion to acquire Shape in 2020 and the price refle…

What Is the Web Scraping Decision Flow?

The web scraping decision flow is a six-step checklist, ordered cheapest-first, that experienced engineers run through on every new target t…

What Is TLS Fingerprinting (JA3/JA4)?

TLS fingerprinting is a way to recognize what software made a connection just by looking at how it sets up encryption — before the server re…

What Is Anubis (Anti-AI-Scraper Firewall)?

Anubis is a free, open-source MIT-licensed "gatekeeper" that sits in front of a website (a reverse proxy - software that intercepts requests…

What Is a Session Cookie?

A session cookie is an HTTP cookie with no Max-Age or Expires attribute, so the browser keeps it only in memory and throws it away when the …

What Is Cloudflare Bot Management?

Cloudflare Bot Management is the enterprise-tier ML scoring system Cloudflare runs on every request to a protected zone. In plain terms: it …

What Is Imperva Incapsula?

Imperva Incapsula is the enterprise WAF and bot-protection product from Imperva (acquired by Thales in 2023). A WAF (web application firewal…

What Is AWS WAF Bot Control?

AWS WAF Bot Control is a ready-made set of rules inside AWS WAF (Amazon's web application firewall — the security layer that filters t…

What Is Forter?

Forter is a fraud-and-trust platform that runs at e-commerce checkout — it is not a traditional anti-bot product. Instead of blocking scrape…

What Is Riskified?

Riskified is a chargeback-guarantee platform for e-commerce checkout. A chargeback is the money a merchant loses when a customer disputes a …

Web Scraping Tools 2026 — A Comparison

"Web scraping tools" is the whole family of software you use to pull data off websites — and in 2026 that family is big but neatly sorted in…

What Is JA4 Fingerprinting?

JA4 is a way to identify a browser by the fingerprint of its TLS handshake — TLS being the encryption layer behind https. It replaced the ol…

What Is Residential Proxy Detection?

Residential proxy detection is how anti-bot systems spot traffic that is being routed through a residential proxy pool — a network of IP add…

What Is Fingerprint Entropy?

Fingerprint entropy is a way to measure how much a browser attribute gives away about who you are, counted in bits. Think of entropy as "how…

What Is WebGPU Fingerprinting?

WebGPU fingerprinting reads identifying data from the modern navigator.gpu API. WebGPU is the newest browser standard for talking to your GP…

What Is Client Hints Fingerprinting?

User-Agent Client Hints (UA-CH) are a set of structured HTTP headers plus a matching JavaScript API that report the same browser and operati…

What Is a Timezone / IP Mismatch?

A timezone/IP mismatch is when the location a browser claims and the location of its IP address disagree. Anti-bot systems (the software sit…

What Is navigator.webdriver?

navigator.webdriver is a standardized boolean that returns true when the browser is being controlled by automation. Think of it as a built-i…

What Is JA3 Fingerprinting?

JA3 is a method for fingerprinting a TLS client by hashing the fields of its Client Hello. TLS is the encryption layer behind https, and the…

What Is HTTP/3 / QUIC Fingerprinting?

HTTP/3 / QUIC fingerprinting identifies a client from the QUIC transport layer that HTTP/3 runs on. QUIC is the modern transport beneath HTT…

What Is Hardware Fingerprinting?

Hardware fingerprinting reads device capability signals - CPU cores, RAM, and screen metrics - that JavaScript exposes directly. These are v…

What Is CDP Detection?

CDP detection is the family of techniques anti-bot scripts use to tell that a browser is being driven through the Chrome DevTools Protocol (…

What Is Incognito Detection?

Incognito detection is the set of techniques that reveal whether a browser is in private / incognito mode. Private mode is the browser featu…

What Is Media Devices Fingerprinting?

Media devices fingerprinting reads the list of cameras, microphones, and speakers a browser reports via navigator.mediaDevices.enumerateDevi…

What Is Speech Synthesis Fingerprinting?

Speech synthesis fingerprinting reads the list of text-to-speech voices exposed by window.speechSynthesis.getVoices(). "Text-to-speech" mean…

What Is Stack Depth Fingerprinting?

Stack depth fingerprinting measures the maximum JavaScript recursion depth a browser allows before throwing a RangeError: Maximum call stack…

What Is CSS Media Query Fingerprinting?

CSS media query fingerprinting reads operating-system and device preferences through window.matchMedia(). A media query is a yes/no question…

What Is Screen Resolution Fingerprinting?

Screen resolution fingerprinting reads the display measurements a browser reports - screen.width/height, availWidth/availHeight, colorDepth,…

How Do You Devirtualize an Obfuscated JavaScript VM?

Devirtualization is the process of recovering a readable program from JavaScript that has been compiled into a tiny interpreter — a virtual …

Concept map

How Anti-Bot Vendor Detection Cheatsheet connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

Can two anti-bot vendors stack on the same hostname?

Almost never on the same path. A site might run Cloudflare as its CDN while running DataDome on its API subdomain, but any single response will only carry one vendor's cookies. If a regex matches multiple rows of the cheatsheet, the request was probably redirected — follow the redirects and re-check the final response.

Why does Cloudflare need a tiebreaker step?

Roughly 20% of the public internet sits behind Cloudflare's CDN, but only a fraction has Bot Management enabled. The cf_clearance cookie and cf-mitigated header only appear once a challenge has fired. A plain cf-ray header with no challenge assets in the HTML means the CDN is present but the bot product is not.

Is the cookie name enough, or do I need to inspect the body too?

Cookie names alone are enough for routing decisions — which TLS profile and which proxy type to use. You only need to inspect the body when you want to tell bot-management-on from bot-management-off (Cloudflare), or when the response is already a block page and you need to know which kind of challenge to solve.

How often do these signatures change?

The cookie names above have been stable for years across all six vendors — they are interfaces that the vendors' own customer-side code depends on, so they cannot be rotated cheaply. The JavaScript file names and block-page text change occasionally (Kasada's ips.js is the most aggressive, renamed per deployment), but the cookie surface is durable.

Last updated: 2026-05-31