Cloudflare launches Precursor to spot bots in sessions
Tue, 14th Jul 2026 (Today)
Cloudflare has launched Precursor, a browser-based bot detection system for its bot management service. The product is now generally available.
The launch comes as automated bots account for about 57% of web traffic, according to Cloudflare, overtaking human activity on the internet for the first time.
Precursor tracks behaviour across an entire browsing session rather than relying on a single check at login or checkout. The approach is intended to identify automated traffic that can mimic human actions closely enough to evade conventional defences such as CAPTCHAs.
The system runs inside a web browser and collects signals including mouse movement, scrolling rhythm, typing cadence, clipboard activity and page visibility duration. It analyses that data in real time to test whether interactions follow patterns expected from a human user.
For example, it can assess whether pointer activity matches what is visible on the page, or whether typing occurs when a text field is actually selected. The aim is to spot synthetic or computer-generated actions that may appear plausible in isolation but become less convincing over a longer session.
Bot shift
Cloudflare positioned the release as a response to changes in how malicious traffic behaves online. As AI agents become more sophisticated, bot operators are finding it easier to imitate one-off human actions and pass basic checks long used to protect websites.
That trend has consequences beyond nuisance traffic. Automated threats can increase infrastructure costs, distort inventory availability and expose data, while older request-based defences struggle to keep pace with bots that can reset their apparent identity by refreshing a page or restarting a session.
Precursor is meant to address that problem by maintaining a running assessment of a visitor across a full session. That gives Cloudflare's systems more context over time and makes it harder for an automated agent to discard a poor bot score simply by beginning a new request.
Setup and privacy
The product can be activated without code changes through a script injected through Cloudflare's network. The script starts collecting interaction metrics immediately, which may appeal to organisations seeking another layer of bot screening without changing web applications directly.
Cloudflare also emphasised privacy in how the product handles user activity. The system records aggregate behavioural patterns rather than actual inputs, meaning keyboard monitoring is limited to timing, rhythm and cadence rather than the content of what a user types.
That distinction matters because behavioural analysis tools can raise concerns about how much user information is captured during fraud prevention. By focusing on metadata about interactions rather than the interactions themselves, Cloudflare is seeking to reduce the sensitivity of the data it stores while still extracting enough information to distinguish between people and scripted automation.
The product is built on Cloudflare's network and extends the company's existing bot management and challenge services. It already protects users at key points such as logins and checkout flows, and is now trying to fill what it described as a gap between those moments.
"Traditional security checks look at a single moment in time, but modern bots have gotten smart enough to fake their way through the front door," said Dane Knecht, chief technology officer at Cloudflare.
"Instead of just checking an ID at the gate, we are looking at behavior over the entire visit. This makes life seamless for real users, while making it incredibly difficult and expensive for bad actors to fake human behavior. Cloudflare already protects users billions of times a day at critical moments like login and checkout, but until now, the space between those moments was a black box. With Precursor, we're now eliminating that blind spot."
Cloudflare's broader message is that bot mitigation is moving away from isolated challenge-response tests and toward continuous analysis of user journeys. With automated traffic now exceeding human traffic on the web by its count, the company is betting that session-level behavioural monitoring will become a more common way to separate legitimate users from increasingly convincing bots.