Real-time bot & fraud detection

Detect bots, fake browsers and device fraud before they touch your form.

Real-time risk scoring that catches what FingerprintJS, DataDome and Cloudflare miss. Custom stealth signals tuned for serious B2B merchants.

23 stealth signals
Sub-50ms scoring
Zero PII stored

live-session.stt (LIVE)
Time: 00:00:00
Session: 01HFG7Y2KQR4M3VXZ8N6E5BWPA
Signals: 5 of 23
  • CDP Proxy Trap
    Runtime.evaluate hook absent
    Clean
  • WebGPU coherence
    GPU vendor matches WebGL
    Clean
  • Mouse entropy
    Bezier paths, human variance
    Clean
  • WASM engine
    v8 timing fingerprint OK
    Clean
  • Direct nav
    No referrer + 0 prior pageviews
    Detected
Risk score: 12/100 (APPROVE)
Scale: Low / Medium / High

Trusted by merchants protecting £2M+ in monthly revenue

NORTHWIND
ACME
CIPHERIO
VAULTSHIP
Three pillars

Detect what blends in. Score what matters. Act before they convert.

01 / 03

Detect

Catch anti-detect browsers, headless Chrome, virtual machines and CDP-driven automation. Signals tuned against the toolchains attackers actually use in 2026.

02 / 03

Score

Every submission gets a 0–100 risk score in under 50ms. Server-side rules engine — deterministic, auditable, no black-box ML drift.

03 / 03

Act

Approve, review or reject — wired into your funnel. Send to your CRM, queue for manual review, or block at the edge. Webhooks included.

How it works

From script tag to verdict in three steps.

Step 01 (html)

Drop the collector

One <script> tag on your form page. Zero config. Auto-collects 23 stealth signals plus mouse and keystroke entropy.

<script src="https://stt.sh/c.js"
  data-key="pk_live_…"
  data-form="#signup"></script>
Step 02 (shell)

Score on submit

Server action receives signals + form data, runs the rules engine, returns score and decision in under 50ms.

curl https://api.stt.sh/v1/score \
  -H "Authorization: Bearer sk_live_…" \
  -H "Content-Type: application/json" \
  -d '{
    "sessionId": "01HFG7Y2…",
    "signals":   { /* collected */ }
  }'
Step 03 (json)

Branch on the verdict

APPROVE moves on. REVIEW queues for manual. REJECT shows a soft fail. Plug the verdict into your CRM, Slack, or webhook.

{
  "score": 87,
  "decision": "REJECT",
  "factors": [
    { "rule": "cdp_proxy_trap_hit",    "weight": 35 },
    { "rule": "ua_vs_ch_mismatch",     "weight": 22 },
    { "rule": "mouse_entropy_too_low", "weight": 18 },
    { "rule": "form_filled_under_3s",  "weight": 12 }
  ]
}
Stealth signals

Five categories of evidence the spoofers haven't solved.

Behavioral

Mouse entropy

Real humans move in shaky bezier curves and overshoot targets. Bots use straight lines, perfect velocity profiles, or skip movement entirely. We measure path entropy, velocity variance and the straight-line ratio — and weight them against form completion time.

Human: entropy 0.84
Bot: entropy 0.02
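An added example, not the product's collector code: one way to compute the three features named above (straight-line ratio, velocity variance and a heading-direction entropy) from pointer samples. The feature definitions, the 8-bin heading histogram and both sample paths are assumptions constructed for illustration.

```javascript
// Added example: path features from pointer samples {x, y, t} (t in ms).
// Feature definitions are assumptions for illustration, not the product's.
function pathFeatures(points, bins = 8) {
  const none = { moved: false, straightLineRatio: null,
                 velocityVariance: null, headingEntropy: null };
  if (points.length < 2) return none;        // no pointer movement recorded
  let pathLen = 0;
  const speeds = [];
  const hist = new Array(bins).fill(0);
  for (let i = 1; i < points.length; i++) {
    const dx = points[i].x - points[i - 1].x;
    const dy = points[i].y - points[i - 1].y;
    const dt = points[i].t - points[i - 1].t;
    const d = Math.hypot(dx, dy);
    if (d === 0 || dt <= 0) continue;        // skip duplicate or out-of-order samples
    pathLen += d;
    speeds.push(d / dt);
    const turn = (Math.atan2(dy, dx) + Math.PI) / (2 * Math.PI); // heading as 0..1
    hist[Math.floor(turn * bins) % bins]++;
  }
  if (speeds.length === 0) return none;      // samples present, but no usable segment
  const first = points[0], last = points[points.length - 1];
  const chord = Math.hypot(last.x - first.x, last.y - first.y);
  const mean = speeds.reduce((a, b) => a + b, 0) / speeds.length;
  const variance = speeds.reduce((a, v) => a + (v - mean) ** 2, 0) / speeds.length;
  let h = 0;                                 // Shannon entropy of segment headings, in bits
  for (const c of hist) {
    if (c > 0) { const p = c / speeds.length; h -= p * Math.log2(p); }
  }
  return {
    moved: true,
    straightLineRatio: chord / pathLen,      // 1.0 = perfectly straight
    velocityVariance: variance,              // (px/ms)^2
    headingEntropy: h / Math.log2(bins),     // 0 = one direction, 1 = uniform
  };
}

// Constructed sample: scripted pointer, 10 equal steps at a fixed interval.
const scripted = Array.from({ length: 11 }, (_, i) => ({ x: 30 * i, y: 15 * i, t: 10 * i }));
// Constructed sample: curved approach that overshoots the target and corrects.
const handDrawn = [[0, 0, 0], [12, 3, 16], [30, 11, 33], [55, 26, 49], [85, 48, 66],
  [118, 70, 82], [150, 95, 99], [185, 112, 116], [220, 128, 132], [255, 141, 149],
  [285, 150, 166], [305, 156, 182], [312, 155, 199], [306, 152, 215], [300, 150, 232],
].map(([x, y, t]) => ({ x, y, t }));

console.log(pathFeatures(scripted), pathFeatures(handDrawn));
```

A submission with no pointer samples at all returns `moved: false`, which should be scored as its own case and not as zero entropy, since keyboard-only and touch users also produce it.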
Runtime

CDP trap

Chrome DevTools Protocol leaves a tiny tell: a Proxy on Function.prototype.toString detects when the page is being driven by Runtime.evaluate. The common bypasses (puppeteer-stealth, undetected-chromedriver) all fail this check in the configurations attackers actually deploy.

$ stt.detectCDP()
→ proxy trap armed
→ Function.toString.call(Function.toString)
→ trap fired: Runtime.evaluate
{ cdpDetected: true }
Hardware

WebGPU coherence

WebGL says NVIDIA. WebGPU says Intel. That's a virtualized GPU stack — a VM, a remote browser farm or a mismatched anti-detect profile. We cross-check the two adapters and flag inconsistencies the spoofers haven't patched yet.

WebGL adapter: NVIDIA RTX 4070 (vendor: NVIDIA)
WebGPU adapter: Intel UHD 630 (vendor: Intel)
✗ webgpu_coherent_with_webgl: false
Engine

WASM engine fingerprint

JavaScript engines compile WebAssembly with measurably different timings. v8, SpiderMonkey and JavaScriptCore each have signature setter latencies. If your user-agent says Chrome but the engine looks like SpiderMonkey, you're talking to a forged headless build.

Setter timing → engine guess
v8: 0.42ms
spidermonkey: 0.91ms
javascriptcore: 1.18ms
✓ engine: v8 (matches reported UA: Chrome 132)
Inconsistencies

Cross-check inconsistencies

User-agent vs. client hints. Timezone vs. IP geolocation. Language header vs. navigator.languages. Each is fakeable in isolation. All five being internally consistent under a forged identity is the asymmetric problem we make attackers solve every time.

  • User-Agent vs. Client Hints: ✓ match
  • Timezone vs. IP geolocation: ✓ match
  • Accept-Language vs. navigator.languages: ✗ mismatch
  • Platform vs. WebGL renderer: ✓ match
  • Screen DPR vs. viewport ratio: ✓ match
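An added example, not the product's engine: a deterministic rules pass over two of the cross-checks above that returns the same response shape as the sample verdict in Step 03. The first four rule names and weights are taken from that sample (whose weights add up to its score, so summing is assumed here); the signal field names, the `lang_header_mismatch` rule, the 0.1 entropy cut-off and the 30/70 decision thresholds are assumptions.

```javascript
// Added example, not the product's code. The first four rule names and weights
// come from the page's sample response; signal field names, the language rule,
// the 0.1 entropy cut-off and the 30/70 thresholds are assumed.
function uaMatchesHints(userAgent, brands) {
  // Chromium-family UAs send Sec-CH-UA brands; Firefox and Safari send none.
  const claimsChromium = /\b(Chrome|Chromium|Edg)\//.test(String(userAgent));
  const hintsChromium = (brands || []).some(b => /Chrom(e|ium)|Edge/i.test(b));
  return claimsChromium === hintsChromium;
}

function langsAgree(header, navLangs) {
  // Compare the first Accept-Language tag with navigator.languages[0].
  const first = String(header || "").split(",")[0].split(";")[0].trim().toLowerCase();
  return first !== "" && first === String((navLangs || [])[0] || "").toLowerCase();
}

// The two numeric rules and the language rule also fire when their signal is
// missing, so a payload with the collector data stripped cannot score clean.
const RULES = [
  { rule: "cdp_proxy_trap_hit",    weight: 35, hit: s => s.cdpDetected === true },
  { rule: "ua_vs_ch_mismatch",     weight: 22, hit: s => !uaMatchesHints(s.userAgent, s.chBrands) },
  { rule: "mouse_entropy_too_low", weight: 18, hit: s => !(s.mouseEntropy >= 0.1) },
  { rule: "form_filled_under_3s",  weight: 12, hit: s => !(s.fillMs >= 3000) },
  // Hypothetical rule, not in the page's sample response.
  { rule: "lang_header_mismatch",  weight: 10, hit: s => !langsAgree(s.acceptLanguage, s.navLanguages) },
];

function scoreSubmission(signals) {
  // Fixed rule order and integer weights: the same input always gives the same verdict.
  const factors = RULES.filter(r => r.hit(signals)).map(({ rule, weight }) => ({ rule, weight }));
  const score = Math.min(100, factors.reduce((sum, f) => sum + f.weight, 0));
  const decision = score >= 70 ? "REJECT" : score >= 30 ? "REVIEW" : "APPROVE";
  return { score, decision, factors };
}

const CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36";
// Constructed submissions: a Chrome UA with no client-hint brands, then a consistent one.
const forged = { cdpDetected: true, userAgent: CHROME_UA, chBrands: [], mouseEntropy: 0.02,
  fillMs: 1800, acceptLanguage: "en-GB,en;q=0.9", navLanguages: ["en-GB", "en"] };
const clean = { ...forged, cdpDetected: false, chBrands: ["Chromium", "Google Chrome"],
  mouseEntropy: 0.84, fillMs: 14000 };

console.log(JSON.stringify(scoreSubmission(forged), null, 2));
console.log(scoreSubmission(clean).decision);
```

Because each verdict lists the rules that fired, a reviewer can replay a disputed decision from the stored factors alone.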
Live demo

Submit the form, watch us score you in real time.

We collect 23 stealth signals from your browser — mouse entropy, CDP traps, WebGPU coherence, WASM engine timing, cross-checks between user-agent and client hints. The scoring engine returns a 0–100 risk number plus a decision: approve, review, or reject.

  • Adversarial by design. Tuned against AdsPower, Multilogin, Puppeteer-stealth.
  • Sub-50ms scoring. Server-side rule engine, no third-party hop.
  • No PII stored. We hash signals; you keep the lead data.

Your submission is scored client-side & server-side. No PII stored.

FAQ

Questions worth answering.

  • FingerprintJS focuses on stable visitor identity. We focus on adversarial signals — anti-detect browsers, headless flags, runtime tampering, GPU coherence, behavioural entropy. We're complementary: FingerprintJS tells you it's the same visitor, we tell you whether that visitor is real.
Ready when you are

Stop bots before they hit your DB.

Try the live demo above or talk to us about an integration.
