Cloudflare Launches Precursor to Spot AI Bots by Their Behavior

Cloudflare launched Precursor, a bot-detection system that watches how visitors move, click and type across a whole session to tell humans from increasingly capable AI agents.

By Marcus Lee Edited by Maria Konash Published: Updated:
Cloudflare Launches Precursor to Spot AI Bots by Their Behavior
Cloudflare launched Precursor, a system that detects bots by analyzing how visitors move, click and type across a full session. Image: Cloudflare

Cloudflare launched Precursor, a bot-detection system that identifies automated visitors by watching how they behave across an entire browsing session rather than testing them once at the door. The approach responds to a shift in the threat: modern bots and AI agents can now run JavaScript, operate real browsers and pass individual CAPTCHAs, so a one-time checkpoint no longer proves a visitor is human.

Precursor instead injects a lightweight script into a site’s pages, streams behavioral signals like mouse movement, scrolling, typing rhythm and page visibility to Cloudflare’s edge servers, and continuously scores whether the pattern looks human. It is generally available now, free until a wider release later this year, and complements Cloudflare’s existing Turnstile challenge, which runs nearly 3 billion times a day on sensitive endpoints like logins and checkouts.

The core insight is that faking a single moment is easy but faking sustained human behavior is hard. Cloudflare argues that human input is shaped by physics and cognition in ways bots struggle to reproduce: mouse paths arc with the pivot of a wrist, there is a measurable delay between seeing a button and clicking it, and even a steady hand carries a slight physiological tremor.

Bots tend to betray themselves with mathematically clean curves, superhuman click precision or a machine-like rhythm, and even when they add random noise to mimic human error, the pattern across a full session diverges from a real person’s. Precursor’s evaluators also cross-check for tells that are hard to fake, such as pointer movement while a page is hidden or typing events firing with no text field focused.

A key design choice closes a common evasion route. Because the score is tied to the whole session rather than each request, a bot cannot wipe its behavioral signature simply by reloading the page or starting a fresh challenge; the scoring keeps compounding. Cloudflare, which says it sees more than a trillion requests a day across roughly a fifth of the web and estimates automated traffic now makes up about 57% of all web requests, is pitching Precursor as a way to catch abuse in the long stretches of a user journey that sit between the protected login and checkout moments.

The Privacy Question

Continuous behavioral monitoring inevitably raises surveillance concerns, and Cloudflare has tried to pre-empt them. The company says keyboard activity is captured only as timing and rhythm, never the actual characters typed, and that signals are evaluated as aggregate patterns rather than tied to user accounts, login identities or persistent profiles, and are not exposed in customer dashboards.

Those are meaningful limits, but they rest on Cloudflare’s assurances rather than external audit, and behavioral biometrics like typing cadence and mouse dynamics can in principle be distinctive enough to fingerprint individuals. For privacy-conscious users, the discomfort is that a defense against bots works by watching everyone closely, and the line between abuse detection and behavioral profiling is one of policy and trust as much as technology.

An Escalating Arms Race

Precursor is the latest move in a fast-accelerating contest between platforms and automation, one Cloudflare itself frames as adversarial and unending. As agentic AI proliferates, bots that behave convincingly like people are becoming cheaper to build, and detection is being forced to move from isolated checkpoints into the full flow of activity.

The development also sits alongside Cloudflare’s other agent-era products, including default AI-scraper blocking, its Pay Per Crawl marketplace and a new payment gateway for agents, revealing a two-sided strategy: help legitimate agents transact while raising the cost of malicious ones. The likely result is an escalation, as bot developers work to simulate whole human sessions and defenders add ever more behavioral signals. It also sharpens a thornier question for the web’s future, namely how to distinguish an abusive bot from a legitimate AI agent acting on a real person’s behalf, a line that will only get harder to draw.

Cybersecurity & Privacy, News