What Is Behavioural Bot Detection?

Paste into ChatGPT, Claude, or any LLM

On this page

Behavioural bot detection is the part of anti-bot scoring that asks "how does this client act?" instead of "what is this client?". Instead of checking your identity, it watches what you do: how your mouse curves across the screen, how fast you scroll, your typing rhythm, click timing, how long you linger, and the tiny natural jitter that a human hand produces but a script does not. Leading behavioural-detection vendors analyse 35+ such signals per session in real time. This layer is what catches scrapers that pass every TLS (the encryption layer behind https), IP, and fingerprint check — because the giveaway is in behaviour, not identity.

Signals analysed	35+ behavioural signals per session
Primary signals	Mouse Bezier curves, scroll velocity, typing cadence, click timing, dwell
What it catches	Linear mouse interpolation, constant sleeps, no-warm-up navigation
Related tooling	Botasaurus Humancursor, Camoufox humanize=True, warm-up navigation
Practical note	Scoring is probabilistic and considers the whole session, not single actions

What gets measured

Mouse movement. A human hand moves in smooth, slightly wobbly arcs (Bezier curves with random velocity). It slows down as it nears the target — this is Fitts's Law, the rule that the closer you get to something small, the more carefully you aim — usually overshoots a little, then corrects. A scraper that jumps straight to a point with page.mouse.move(x, y) draws a perfectly straight line, which is statistically impossible for a real hand.

Timing patterns. How long between the page loading and your first action? How does your scrolling speed up and slow down? How evenly spaced are your keystrokes? How long do you stay on a page? Machine-learning models (software trained on examples to spot patterns) trained on millions of sessions detect this at sub-millisecond precision — now even finer thanks to WASM shared-buffer timers.

Session shape. Do you load the images and fonts a browser normally would? Do you visit the homepage first, or jump straight to a deep URL? Real users hesitate and load CSS and tracking pixels; bots and plain HTTP scrapers usually do not.

Biometric micro-signals. The faint tremor in a human's mouse path. Click pressure on touch devices. The rhythm of switching between mouse and keyboard. These are increasingly part of premium behavioural models.

Why it catches "perfect" scrapers

A scraper can have a Chrome 148 JA4 fingerprint, a home-broadband (residential) IP, a genuine canvas hash, a perfectly matched timezone — and still fail behavioural scoring. The four identity layers all say "this is a real Chrome user." The behaviour layer replies: "this real Chrome user moves the mouse like nobody who has ever touched a computer."

That gap is what makes behaviour so hard to fake. Identity signals can be configured ahead of time (Camoufox C++ patches) or at request time (curl_cffi TLS). Behaviour is different: it cannot be configured statically because it has to be generated as the session runs, and accurately modelling how humans move and type is much harder than it looks. Tooling that approximated human input has historically been re-characterised within months by ML models retrained on the newer patterns.

Inputs that behavioural models weigh

When working with sites you own or are authorized to automate, the inputs behavioural models weigh most heavily are well documented:

Input generation. Tools such as Botasaurus with Humancursor (Bezier curves with random jitter and Fitts's Law deceleration), or Camoufox's humanize=True, generate pointer and scroll input that falls inside the statistical range of ordinary human input rather than the perfectly straight lines a naive script produces.
Navigation path. Models score the shape of a whole session — landing on a homepage, dwelling, scrolling, and following internal links produces a different signal than jumping straight to a deep URL. This is one reason behavioural scoring looks across multiple requests.
Timing distribution. A constant pause such as time.sleep(2) is itself a machine-like signal; varied timing like random.uniform(1.8, 4.3) sits closer to natural session timings.

The key takeaway: behavioural detection is probabilistic (a likelihood score, not a yes/no) and evaluates the session as a whole. At very high request rates from one IP, the session-level pattern stops resembling a single human regardless of input quality. Distributing authorized, device-like traffic across many home or mobile IPs — what a residential proxy pool provides — keeps each IP's rate within what a single real person could plausibly produce.

Code example

python

# Pair humanized mouse with warm-up navigation and randomized delays
from botasaurus.browser import browser
import random, time

@browser(proxy="http://user:pass@residential:port", humanize=True)
def scrape(driver, target_url):
    # Warm-up: visit homepage, dwell, scroll, click an internal link
    driver.get("https://target.com/")
    time.sleep(random.uniform(1.8, 4.3))
    driver.scroll_human(amount=500)
    driver.click_human("a[href*='/category']")
    time.sleep(random.uniform(2.1, 5.7))

    # Now navigate to the real target
    driver.get(target_url)
    time.sleep(random.uniform(1.5, 3.2))
    return driver.page_html

result = scrape("https://target.com/product/123")

Related terms

What Is DataDome?

DataDome is a bot-protection vendor used on roughly 1,200 enterprise sites, scoring more than 5 trillion signals per day. Its job is to tell…

What Is Botasaurus?

Botasaurus is a free, open-source (MIT-licensed) Python framework for building web scrapers. You wrap your scraping functions with one of th…

What Is Camoufox?

Camoufox is a fork of Firefox with anti-fingerprinting patches applied at the C++ build level. That phrase matters: most anti-fingerprinting…

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to tell automated traffic apart from real human visitors — and then block, challeng…

How to Build an Anti-Bot Challenge

An anti-bot challenge is a small test a server makes your browser run — like proof-of-work (forcing the browser to burn some CPU on a puzzle…

What Is Residential Proxy Detection?

Residential proxy detection is how anti-bot systems spot traffic that is being routed through a residential proxy pool — a network of IP add…

How Do Websites Detect Web Scrapers?

Websites spot scrapers by gathering hundreds of small clues about each visitor, then scoring how human the whole picture looks. No single cl…

Concept map

How Behavioural Bot Detection connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

How do anti-bot systems detect machine-like mouse movement?

It records your mouse path at sub-millisecond resolution and compares it to patterns it has learned from real humans. Human paths follow smooth Bezier curves with naturally varying speed and a slight overshoot at the target. A scraper that draws a straight line between two coordinates produces a path no human would make, and a behavioural machine-learning model flags it within milliseconds.

Will random sleep solve behavioural detection?

Partly — but only for timing, not movement. Using random.uniform(1.8, 4.3) for the pause between actions is better than a fixed time.sleep(2), but it does nothing about straight-line mouse paths or robotic scrolling. Behavioural scoring looks at many dimensions at once, so you have to humanize movement, scroll, and timing together.

Why does warm-up navigation help?

Behavioural models score the shape of the whole session, not just single actions. Visiting the homepage, pausing 2–3 seconds, scrolling, clicking a category link, and only then reaching the data page matches how a real shopper browses. Landing straight on a deep product URL with no prior browsing does not — and that absence becomes a red flag, no matter how perfect each individual action looks.

How does request volume affect behavioural scoring?

At sustained high request rates from a single IP, the session-level pattern stops resembling one human regardless of input quality. For authorized high-volume work the architectural answer is spreading load across a large residential or mobile proxy pool so each IP's request rate stays within what a single real person could plausibly produce. Input quality alone does not change the picture at scale.

Last updated: 2026-05-31