What Is Behavioural Bot Detection?

Paste into ChatGPT, Claude, or any LLM

On this page

Behavioural bot detection is the layer of anti-bot scoring that asks "how does this client act?" rather than "what is it?". It tracks mouse-movement curves, scroll velocity, typing rhythm, click timing, dwell time, and the micro-jitter that real human input produces but machine input does not. DataDome publishes that it analyses 35+ such signals per session in real time. This layer is what catches scrapers that pass every TLS, IP, and fingerprint test — because the failure is in behaviour, not identity.

Vendor leading the category	DataDome — 35+ signals per session
Primary signals	Mouse Bezier curves, scroll velocity, typing cadence, click timing, dwell
What it catches	Linear mouse interpolation, constant sleeps, no-warm-up navigation
Mitigation	Botasaurus Humancursor, Camoufox humanize=True, warm-up navigation
Practical limit	Even good humanization fails at very high single-IP volume

What gets measured

Mouse movement. Human movements follow Bezier curves with Gaussian-jittered velocity. They decelerate as they approach a target (Fitts's Law), overshoot slightly, then correct. Scrapers that click directly with page.mouse.move(x, y) produce linear trajectories that are statistically impossible for a human hand.

Timing patterns. Time between page load and first interaction. Scroll acceleration curves. Inter-keystroke variance. Navigation dwell time. ML models trained on millions of sessions detect at sub-millisecond precision (now even finer thanks to WASM shared-buffer timers).

Session shape. Do you load images and fonts? Do you visit the homepage first or land directly on a deep URL? Real users hesitate; bots do not. Real users load CSS and tracking pixels; HTTP scrapers usually do not.

Biometric micro-signals. Hand tremor in mouse paths. Click pressure on touch devices. The cadence with which a human alternates between mouse and keyboard. These are increasingly part of premium behavioural models.

Why it catches "perfect" scrapers

A scraper can have a Chrome 148 JA4, a residential ISP IP, a real canvas hash, perfect timezone alignment, and still fail behavioural scoring. The four identity layers say "this is a real Chrome user". The behaviour layer says "this real Chrome user moves the mouse like nobody who has ever used a computer".

The asymmetry is what makes behavioural so hard to bypass. You can patch identity at compile time (Camoufox C++ patches) or at request time (curl_cffi TLS). You cannot patch behaviour without modelling it. And modelling human input distributions accurately is much harder than it looks — every public stealth library that tried got beaten within months by ML models retrained on the new patterns.

What actually works

Three layered defences:

Humanized mouse and scroll. Botasaurus + Humancursor (Bezier with Gaussian jitter, Fitts's Law deceleration). Camoufox humanize=True. These produce trajectories within the human distribution rather than outside it.
Warm-up navigation. Before hitting your target page, visit the homepage. Wait 2–3 seconds. Scroll. Click an internal link. Then navigate. This single change improves behavioural scores significantly on DataDome and Akamai because their multi-request models reward consistent, human-like session shape.
Randomized delays, not constant ones. random.uniform(1.8, 4.3) beats time.sleep(2) every time. Better still: model your delays after real session traces from the same target.

The honest limit: behavioural detection is probabilistic, and at very high request rates per IP, even a perfect humanization stack starts to fail because the session-level pattern stops looking human. The endgame is diversifying real-device traffic across many residential or mobile IPs — exactly what a residential proxy pool and the next generation of distributed-browser networks provide.

Code example

python

# Pair humanized mouse with warm-up navigation and randomized delays
from botasaurus.browser import browser
import random, time

@browser(proxy="http://user:pass@residential:port", humanize=True)
def scrape(driver, target_url):
    # Warm-up: visit homepage, dwell, scroll, click an internal link
    driver.get("https://target.com/")
    time.sleep(random.uniform(1.8, 4.3))
    driver.scroll_human(amount=500)
    driver.click_human("a[href*='/category']")
    time.sleep(random.uniform(2.1, 5.7))

    # Now navigate to the real target
    driver.get(target_url)
    time.sleep(random.uniform(1.5, 3.2))
    return driver.page_html

result = scrape("https://target.com/product/123")

Related terms

What Is DataDome?

DataDome is a bot-protection vendor used on roughly 1,200 enterprise sites, scoring more than 5 trillion signals per day. Unlike Cloudflare …

What Is Botasaurus?

Botasaurus is an MIT-licensed Python scraping framework with three top-level decorators — @browser, @request, @task — and built-in Bezier-cu…

What Is Camoufox?

Camoufox is a stealth-focused fork of Firefox with anti-fingerprinting patches applied at the C++ build level. Unlike playwright-stealth, wh…

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…

How to Build an Anti-Bot Challenge

An anti-bot challenge is a client-side test — proof-of-work, fingerprint collection, or a behavioural probe — that a server issues to separa…

What Is Residential Proxy Detection?

Residential proxy detection is the set of techniques anti-bot systems use to flag traffic that is being routed through a residential proxy p…

How Do Websites Detect Web Scrapers?

Websites detect scrapers by collecting hundreds of signals across the network, transport, browser, and behavioral layers, then scoring the c…

Concept map

How Behavioural Bot Detection connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

How does DataDome detect machine-like mouse movement?

It tracks mouse trajectory at sub-millisecond resolution and compares it to learned human distributions. Human paths follow Bezier curves with Gaussian-jittered velocity and slight overshoot at the target. Scrapers that interpolate linearly between coordinates produce paths that fall outside the human distribution. DataDome's ML model classifies them in milliseconds.

Will random sleep solve behavioural detection?

Partly — but only for timing, not movement. random.uniform(1.8, 4.3) handles inter-action delays better than time.sleep(2), but it does not fix linear mouse paths or robotic scrolling. Behavioural scoring is multi-dimensional; you need to humanize movement, scroll, and timing together.

Why does warm-up navigation help?

Multi-request behavioural models score session shape, not just individual actions. Visiting the homepage, dwelling 2–3 seconds, scrolling, clicking a category link, and then reaching the data URL matches how a real shopper browses. Landing directly on a deep product URL with no preceding session does not — and that becomes a signal regardless of how perfect your individual actions look.

Can I beat behavioural at very high volume?

Not from one IP. At sustained high request rates per IP, the session-level pattern stops looking human no matter how good your humanization. The mitigation is fanning out across a large residential or mobile proxy pool, keeping per-IP rates within what one real human could plausibly produce. That is the architectural answer; humanization alone is not enough at scale.

Last updated: 2026-05-26