How Akamai Bot Manager detects bots and scrapers (2026)

Akamai is a reverse-proxy WAF that runs at the CDN edge. Every request is scored against IP reputation, _abck sensor data, TLS handshake characteristics, and behavioural telemetry. Akamai's ASN database is unusually thorough — the company has been routing internet traffic for over two decades, so its IP intelligence is rich.

Low-trust requests surface as one of:

• A silent 403 with an invalidated _abck cookie. Akamai marks the cookie with ~-1~ or ~0~ to signal the session is burned.
• A Pardon Our Interruption interstitial.
• A redirect to a CAPTCHA endpoint.

1. IP address reputation

• Datacenter IPs (AWS, GCP, Azure, DigitalOcean, OVH…) — pre-scored low. Even "clean" datacenter ranges tend to be flagged because Akamai's ASN data is broad.
• Residential IPs — assigned by ISPs to home connections, higher baseline trust.
• Mobile IPs — cell tower and CGNAT pools, highest baseline trust.

2. The Akamai sensor and the _abck cookie

This is the layer Akamai is best known for. Every protected page ships an obfuscated sensor script — usually loaded from a path like /akam/13/... or /_bm/_data — that collects canvas/WebGL fingerprints, audio context, installed fonts, screen metrics, timezone, language, plugin list, navigator.webdriver, the shape of window.chrome, mouse-movement entropy, and key-press cadence.

The sensor POSTs an encrypted payload back to the edge, which sets or refreshes the _abck cookie. The cookie has a specific internal structure (~timestamp~status~hash~) and a valid one is required for subsequent requests. A malformed or aged _abck is the single most common reason automated clients receive a 403. Akamai also specifically tests for navigator.webdriver, the headless Chrome UA marker, and inconsistencies in the permissions API.

3. HTTP and TLS fingerprinting

Akamai is widely credited with pioneering HTTP/2 fingerprinting in the WAF space.

• Most scraping libraries still default to HTTP/1.1. Real Chrome and Firefox haven't in years.
• libcurl and Go's net/http produce JA3 signatures that don't match any real browser.
• HTTP/2 fingerprinting tracks pseudo-header order, SETTINGS frame values, and window-update sizes.

4. Behavioural and pattern analysis

Akamai correlates behaviour across sessions — once an IP/fingerprint combo accumulates a low score, even a fresh _abck cookie won't recover it. Signals include:

• Missing real-browser headers (Sec-Fetch-*, Accept-Language, sec-ch-ua).
• _abck or bm_sz cookies from the previous response sent from a different IP.
• Honeypot link hits.
• Bursty timing.
• Identical sensor payloads reused across pages.

The _abck cookie is the focal point: nearly every Akamai workflow comes down to minting a valid one and keeping it valid. Three general tooling categories:

• HTTP clients with browser-impersonating TLS — curl_cffi, curl-impersonate, tls-client. Match the handshake but cannot run the sensor or mint a real _abck.
• Stealth-patched browsers — Camoufox, patchright, Playwright with stealth plugins. Run the sensor in a real browser context.
• Managed scraping APIs — services like Scrappey that combine proxies, patched browsers and session persistence behind one endpoint.

For reference, a minimal managed-API example:

import requests

response = requests.post(
    'https://publisher.scrappey.com/api/v1',
    json={
        'cmd': 'request.get',
        'url': 'https://example.com/listings',
        'session': 'akamai-session-1'
    },
    headers={'Authorization': 'Bearer YOUR_API_KEY'}
)
print(response.json()['solution']['response'])

Reusing the session value across requests keeps the _abck/bm_sz cookies and the trust score warm — burning a fresh session per request forces the sensor to re-validate from scratch each time, which is exactly what scripted clients look like.

E-commerce, ticketing, jobs, logistics and social: Stockx.com, Indeed.com, eBay.com, TikTok.com, SimilarWeb.com, Maersk.com, Totaljobs.com. Many of these rotate between Akamai, Cloudflare, DataDome and PerimeterX depending on conditions.

Akamai produces a continuous trust score from IP reputation, the _abck JS sensor, TLS/HTTP/2 fingerprints, and behavioural correlation across sessions. The _abck cookie is the single most diagnostic signal — its internal ~status~ field directly indicates whether the session is trusted, burned, or in a challenge state. Akamai ships sensor updates on a rolling basis, so the on-the-wire details change frequently while the four-layer structure stays the same.