The five detection layers
Websites check for bots in five separate layers, and each tool only covers some of them. Layer 1 — Protocol: giveaways from the way automation talks to the browser, like the timing of the Runtime.enable command in CDP (Chrome DevTools Protocol, the channel a tool uses to remote-control Chrome). Patchright, XDriver, and CloakBrowser hide this; Camoufox avoids it entirely by using Juggler, Firefox's own control channel. Layer 2 — Fingerprinting: tiny differences in how your machine draws graphics or plays audio — canvas, WebGL, audio, screen. Only the C++ tools (Camoufox, CloakBrowser) set these values from inside the browser engine; tools that inject JavaScript leave traces. Layer 3 — Behavioural: how human your mouse movement and timing look — Botasaurus and CloakBrowser lead here. Layer 4 — Network: the TLS handshake fingerprint (TLS is the encryption behind https; its handshake forms a signature called JA3/JA4). Only Scrapling's curl_cffi tier and Obscura's stealth build reproduce a browser-like handshake here, and WebRTC/DNS consistency still needs handling. Layer 5 — Layout/rendering: whether the page actually renders like a real browser, e.g. getBoundingClientRect values and genuine canvas output — only real-browser tools pass this, which is why Obscura, having no real layout engine, fails here.
How the eight tools compare
| Tool | Engine | Stealth approach | Best for |
|---|---|---|---|
| Camoufox | Firefox | C++ fingerprint + Juggler | Fingerprint rotation |
| CloakBrowser | Chromium | 33 C++ patches + humanize | Chromium C++ stealth |
| Patchright | Chromium | CDP patch (no Runtime.enable) | Playwright stealth |
| XDriver | Chromium | In-place driver patch | Quick Playwright stealth |
| SeleniumBase | Chrome | UC/CDP + PyAutoGUI | CAPTCHA solving |
| Botasaurus | Chrome | Bézier mouse + CDP events | Human behaviour |
| Scrapling | Mixed | Orchestrates the above + TLS | Full pipeline |
| Obscura | Rust/V8 | JS shim + optional TLS | Lightweight bulk |
Realistic success rates from the analysis, by how strong the target's defences are: basic protection (Cloudflare Free) hits 90%+ with the tool alone; medium protection (CF Pro, PerimeterX) lands at 60–80%; enterprise protection (Akamai, DataDome) manages only 20–40% — though that climbs to 70–85% once you add residential proxies (proxies that route through real home internet connections). Custom machine-learning defences stay under 20% even with good tooling.
The hard truth — and where a managed API fits
No tool is truly undetectable, and detection is a constant arms race. The point the analysis keeps coming back to: your IP address's reputation matters more than how clever your stealth is — even a perfect fingerprint fails when it comes from a datacenter IP, and the TLS handshake signature is nearly impossible to fully fake from inside a real browser. Behaviour adds up too: scraping at the same rhythm eventually gets flagged no matter how lifelike your mouse movements are.
That is why teams running at high volume tend to push the hard parts onto a server instead. A managed API like Scrappey takes care of fingerprinting, residential proxies, and TLS impersonation behind a single request — you give up the control of running your own browser setup in exchange for not having to keep maintaining it as detection changes. For learning, testing, and keeping everything self-hosted, the open tools above are the right pick; for production at scale against hard targets, a managed layer takes the ongoing maintenance off your plate.
