The capability matrix
The fastest way to choose is to compare what each tool actually hardens. The C++ builds set values inside the engine (so injected JavaScript cannot detect the patch); the Playwright patches focus on the automation protocol; the HTTP-tier tools impersonate the TLS handshake instead of rendering a real page. Memory footprint splits the field sharply - real browsers sit near 200 MB while the HTTP/engine tools are an order of magnitude lighter.
| Tool | Type | webdriver flag | Runtime.enable | FP rotation | Human mouse | TLS impersonation | Memory |
|---|---|---|---|---|---|---|---|
| Camoufox | Firefox build | C++ native | Juggler (no CDP) | high | med | no | ~200 MB |
| Patchright | Playwright patch | yes | yes | low | low | no | ~200 MB |
| SeleniumBase | Selenium + UC | yes | yes | low | med | no | ~200 MB |
| Botasaurus | Selenium wrapper | yes | no | low | high | no | ~200 MB |
| XDriver | Playwright CDP patch | yes | yes | no | low | no | ~200 MB |
| CloakBrowser | Chromium build | C++ native | yes | med | high | no | ~200 MB |
| Scrapling | All-in-one framework | via Patchright/Camoufox | via Patchright | no | no | yes (curl_cffi HTTP) | ~10 MB HTTP |
| Obscura | Rust V8 engine | JS shim | n/a (custom engine) | small pool | no | optional | ~30 MB |
"FP rotation" is fingerprint rotation; "TLS impersonation" reproduces a browser-like JA3/JA4 handshake. Real browsers (top six) all render genuine layout and canvas/WebGL; Obscura has no layout engine, so layout-probe checks (getBoundingClientRect) return zeros.
Match the tool to the detection layer
Detection happens in five stacked layers, and tools differ by which they cover. Layer 1, protocol - automation tells like CDP's Runtime.enable timing (hardened by Patchright, XDriver, CloakBrowser; sidestepped entirely by Camoufox via Firefox's Juggler). Layer 2, fingerprinting - canvas/WebGL/audio/screen values, set natively only by the C++ builds. Layer 3, behavioural - mouse and timing patterns (Botasaurus and CloakBrowser lead). Layer 4, network - TLS fingerprint, WebRTC/DNS leakage, and IP reputation. Layer 5, layout/rendering - real-browser-only checks that headless engines without a layout engine fail. The practical mapping:
| Your situation | Pick | Why |
|---|---|---|
| Truly native fingerprint spoofing + rotation | Camoufox | C++-level values JS cannot detect; statistically accurate profiles |
| Maximum Chromium stealth, free | Patchright | Protocol-level CDP hardening (no Runtime.enable tell) |
| Chromium C++ stealth + Playwright API | CloakBrowser | 33 source-level patches + one-flag humanize |
| Human-like mouse behaviour | Botasaurus | Best Bezier-curve mouse implementation |
| Verification-workflow handling | SeleniumBase | Built-in Turnstile/reCAPTCHA handling in UC mode |
| Drop-in for existing Playwright code | XDriver / CloakBrowser | No code changes; replace the import |
| All-in-one fetch + parse + crawl | Scrapling | TLS-impersonated HTTP tier + adaptive selectors + spider |
| Lightweight high-concurrency | Obscura | ~30 MB / ~85 ms page load, single Rust binary, no Chrome |
Realistic success rates
The honest numbers from the analysis, grouped by how strong the target's protection is. Notice how much the proxy column moves the result - clean residential IPs roughly double the success rate against the hardest tier, which is the analysis's central point: IP reputation usually matters more than the tool.
| Protection level | Tool alone | + residential proxies |
|---|---|---|
| Basic (simple checks) | 90%+ | 99%+ |
| Medium | 60-80% | 90%+ |
| Enterprise | 20-40% | 70-85% |
| Custom ML-based | under 20% | 50-70% |
For the hardest tiers the recommended pattern is to combine layers - for example native fingerprint rotation (Camoufox) with protocol stealth (Patchright), always behind residential proxies. Validate any setup against public detector pages (Sannysoft, BrowserScan, CreepJS, Pixelscan) before trusting it in production.
The hard truth - and where a managed API fits
The analysis is blunt about the ceiling: no tool is truly undetectable, and detection is an arms race. Three realities dominate - a flagged or datacenter IP sinks even a perfect fingerprint; the TLS handshake signature is nearly impossible to fully fake from inside a real browser; and a steady scraping rhythm accumulates into a behavioural signal no mouse-curve can hide. That is why the maintenance cost of a self-hosted stealth stack grows over time as detection evolves. Open tools remain the right pick for learning, testing, and full self-hosted control. For production at scale against hard targets, many teams instead push the hard parts onto a server: a managed web-data API such as Scrappey handles fingerprinting, residential routing, verification-workflow handling, and TLS matching behind one request, trading the control of running your own browser for not having to maintain it as detection changes. The full per-tool source-code breakdowns live in the comparison repository.