[ tools ]
select instrument
a bench of forensic instruments for browser fingerprinting and bot detection. the stealth benchmark up top is the combined view, every band a detector sees scored together; the rest drill into one band each. most project a dataset the harness collects across browsers, proxies and detectors; a couple probe your own browser live. pick one to enter the console.
▸ start here · the combined view
▸ defense · what detectors do
- bot-detector inteldaily static analysis of the loaders shipped by datadome, cloudflare, fingerprintjs, recaptcha and the rest. every surface they probe, every sink they ship to.▸ liveenter →
- cookie monsterthe detection scripts and what they expect back. per provider: the cookies and tokens it plants, the signals its loader reads, the telemetry endpoint, and which browser on which proxy actually earned clearance.▸ liveenter →
- challenge intela catalog of the captcha and challenge systems. per vendor: the mechanic, the score model and its polarity (recaptcha 1.0=human vs hcaptcha 1.0=threat), and the escalation ladder from 200 to a hard drop.▸ liveenter →
- fingerprint knowledge baseevery javascript surface a bot detector can read. category, severity, tell status, evasion notes. searchable, mdn-linked, and back-referenced to the vendors that probe each one.▸ liveenter →
- velocity & device-reputationthe money / account lens. velocity windows, impossible-travel, device-as-reputation, and the bot-vs-fraud-farm distinction: why human fraud farms beat bot detection, and why device-reputation catches what fingerprinting cannot.▸ liveenter →
▸ offense · what evades them
- browser detailsthe roster of related browsers: every automation and anti-detect tool the harness drives, plus the real-browser baselines they imitate. what each one fixes, what it still leaks, and how it scored.▸ liveenter →
- the arsenalthe offense toolkit, cataloged. ~75 libraries the harness and the wider scraping world drive: http clients, browser automation, frameworks, ai scrapers, managed apis, parsers, captcha solvers and re tools. per tool: what it presents on the wire, what catches it, and how it joins the browser and proxy catalogs.▸ liveenter →
- agent trackerhow detection adapts to vlm agents that operate a real browser instead of evading it. the l1-l4 resilience matrix, a timeline of operator/atlas/comet, and web bot auth for signed declared agents.▸ liveenter →
- evasion techniquesthe evasion-first lens, the mirror of bot-detector intel. per fingerprinting surface: every way it is spoofed, which tools implement that spoof, and the detector or coherence-check that catches it anyway. read the residual tell on each one.▸ liveenter →
- network detailseverything on the wire between a browser and a detector. the tls/ja4/http-2/ip fingerprint each tool presents, a per-request waterfall, the cross-band coherence verdict, and the network-signal reference.▸ liveenter →
- proxy & network identitythe network-identity axis: datacenter vs isp vs residential vs mobile, what each class leaks (asn, rdns, ip reputation, webrtc), and the providers that sell them. joined to how each proxy class scored across the benchmark.▸ liveenter →
- cost-of-attack / bot economywhat a scraping job actually costs. a calculator over proxy $/gb, captcha $/1k, the browser (anti-detect sub, cloud browser, self-host) and infra: the operator cost per 1k and per 1m requests beside the defender cost, and who really pays. dated 2026 estimates.▸ liveenter →
▸ beyond & self · off-browser, persistence, live probes
- supercookiesthe durable trackers that re-identified you after you cleared cookies. evercookie, etag/cache, hsts pins, the 2021 favicon-cache exploit, cname cloaking and dom-storage ids, each scored live-in-2026 / mitigated / dead, plus a same-origin demo you run yourself.▸ liveenter →
- mobile attestationthe off-browser axis. google play integrity (and legacy safetynet), apple app attest / devicecheck, apple private access tokens, and the web-to-app collusion and sdk-proxy vectors that attack them. reference only: the web cannot probe mobile.▸ liveenter →
- biometric test pagethe behavioral half, hosted out in the scanner. it captures your mouse, keystroke and motion kinematics live, scores human-vs-bot the way vendors do, and never sends a byte. nothing leaves the browser.▸ liveopen ↗
more land here as i build them · open to ideas → /contact