What Is Akamai Bot Manager?

Akamai Bot Manager is an enterprise bot-protection product used by roughly 30% of the Fortune 500 — airlines, banks, retailers, ticketing. It combines edge-level JA4+ TLS scoring with an in-browser fingerprinting script (sensor.js, ~512 KB obfuscated) that collects 500+ signals across multiple requests. Trust accumulates over the session: the _abck cookie starts at ~-1~ (untrusted) and flips to ~0~ only after sensor.js completes its checks.

Quick facts

Customers: ~30% of Fortune 500 — airlines, banks, retail, ticketing
Detection cookies: _abck (state ~-1~ → ~0~), bm_sz
Sensor script size: ~512 KB, re-obfuscated per rotation
Distinct probe: 60 chrome-extension:// fetches — zero passing = instant block
Scoring model: Multi-request, trust accumulates across the session

How Akamai scores a session

Akamai scores at two layers. JA4+ at the EdgeWorker fires before HTML is served — the TLS handshake alone can produce a block. If the request passes that layer, the page loads with an inlined or near-inlined sensor.js script that runs the deeper checks: canvas hash, WebGL renderer, AudioContext, navigator properties, Battery API, and a probe that fetches 60 known chrome-extension:// URLs. Real Chrome users have at least a few extensions installed (uBlock Origin, 1Password, LastPass); a headless browser fails all 60 simultaneously, which is statistically impossible for a real user.

The script POSTs collected signals to /_bm/data. Only after a successful POST does _abck flip from ~-1~ to ~0~. Protected XHR endpoints check the cookie state — a request with ~-1~ gets 412 Pardon Our Interruption regardless of everything else.

What does and does not work

Does not work: headless Chrome (no GPU, WebGL context is null), SwiftShader (device ID 0x0000C0DE is blocklisted), playwright-stealth (Function.toString() exposes JS patches), Page.addScriptToEvaluateOnNewDocument injection (CDP timing artifacts visible), datacenter proxies of any kind, rotating residential mid-session (resets trust accumulation).

Does work: finding the mobile or GraphQL backend first (often unprotected — confirmed on a major retailer with a direct GraphQL endpoint), curl_cffi with impersonate="chrome131" for medium-strength deployments, Go-level TLS reimplementation (e.g. akamai-v3-sensor called from a Scrapy spider via a sidecar HTTP service) for hard deployments, CloakBrowser with real extensions loaded for the 60-probe check.

Session hygiene that matters

Akamai's multi-request scoring punishes inconsistency more than other vendors:

  • Use a single ISP static residential IP for the entire session — never rotate mid-flight.
  • Warm up: visit homepage, dwell 2–3 seconds, scroll, then navigate to the data URL.
  • Match Accept-Language to the proxy country.
  • Reuse cookies across requests — trust builds from _abck continuity.
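
Seen from the site operator's side, the session signals described above (the _abck state on protected requests, the POST to /_bm/data, and a stable client IP) can be audited in origin logs. The following is an added example, not Akamai's code and not part of the original page. The log tuple layout, the session key, PROTECTED_PREFIXES, and reading the state as the second "~"-delimited field of _abck are assumptions; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): hypothetical session key,
# client IP, method, path, _abck value sent by the client, response status.
SAMPLE_LOG = [
    ("s1", "198.51.100.7", "GET",  "/",             "AAAA~-1~BBBB", 200),
    ("s1", "198.51.100.7", "POST", "/_bm/data",     "AAAA~-1~BBBB", 201),
    ("s1", "198.51.100.7", "GET",  "/api/listings", "AAAA~0~CCCC",  200),
    ("s2", "203.0.113.9",  "GET",  "/api/listings", "DDDD~-1~EEEE", 412),
    ("s3", "192.0.2.10",   "GET",  "/",             "FFFF~-1~GGGG", 200),
    ("s3", "192.0.2.10",   "POST", "/_bm/data",     "FFFF~-1~GGGG", 201),
    ("s3", "192.0.2.77",   "GET",  "/api/listings", "FFFF~0~HHHH",  200),
]
PROTECTED_PREFIXES = ("/api/",)  # assumption: which paths count as protected


def abck_state(cookie):
    """Return the state field, assumed to be the second '~'-delimited field."""
    parts = cookie.split("~")
    return parts[1] if len(parts) > 2 else None


def audit(records):
    """Map session key -> sorted list of findings worth a closer look."""
    findings = defaultdict(set)
    seen_ips = defaultdict(set)
    sensor_posted = set()
    for sid, ip, method, path, cookie, status in records:
        seen_ips[sid].add(ip)
        if len(seen_ips[sid]) > 1:
            findings[sid].add("ip-changed-mid-session")
        if method == "POST" and path == "/_bm/data":
            sensor_posted.add(sid)
        if path.startswith(PROTECTED_PREFIXES):
            if abck_state(cookie) != "0":
                findings[sid].add("protected-request-untrusted-abck")
                if status != 412:  # the page says ~-1~ should yield 412
                    findings[sid].add("untrusted-abck-not-blocked")
            elif sid not in sensor_posted:
                # trusted cookie with no sensor POST seen in this session
                findings[sid].add("trusted-abck-without-sensor-post")
    return {sid: sorted(f) for sid, f in findings.items()}


if __name__ == "__main__":
    for sid, found in audit(SAMPLE_LOG).items():
        print(sid, found)
```

A finding of untrusted-abck-not-blocked points at a protected path that is not actually enforcing the cookie check, which is the coverage gap an operator most wants to close.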

Code example

```python
# For medium-strength Akamai deployments, this often works
from curl_cffi import requests

s = requests.Session(impersonate="chrome131")

# Warm up on the homepage so _abck has a chance to accumulate trust
s.get("https://target.com/",
      proxies={"https": "http://user:pass@isp-residential:port"})

# Then hit the protected endpoint with the same session
r = s.get("https://target.com/api/listings",
          proxies={"https": "http://user:pass@isp-residential:port"})
print(r.status_code, len(r.text))
```

Frequently asked questions

What does the _abck cookie mean?

It is Akamai’s session-trust marker. The state field reads ~-1~ on first contact (untrusted) and flips to ~0~ after sensor.js executes and POSTs valid signals. Protected XHR endpoints check the cookie state and return 412 if it is still ~-1~.

What is the 60-extension probe?

sensor.js fires 60 fetch() requests to known chrome-extension://[id]/manifest.json URLs (uBlock Origin, LastPass, Bitwarden, etc.). Real Chrome users have at least a few extensions and some requests succeed. A headless browser has none and all 60 fail simultaneously — a statistically impossible outcome for a real user.

Why does Akamai care more about multi-request consistency than other vendors?

Trust accumulates across the session. Each successful interaction adds to the score; each anomaly subtracts. Rotating IPs mid-session resets this accumulation. Other vendors (notably DataDome) score per-request, so mid-session changes are less punished.

Is rotating residential ever okay against Akamai?

Only between sessions, never within one. Pick one IP per session and stick to it for the entire interaction. ISP static residential is ideal because the IP does not move.

Last updated: 2026-05-26