2 Sources
[1]
Cloudflare Precursor watches whole visits to catch bots
Bots now generate roughly 57% of all web requests, more than humans do. Cloudflare Precursor, launched on Monday, tries to catch the sophisticated ones by watching a visitor's whole session rather than checking a single box. It is part of a wider rebuild of the web for an age of AI agents. For the first time, bots generate more than half of all web traffic. Cloudflare Precursor, the company's new tool, stops checking IDs at the door and starts watching how visitors behave once they are inside. The internet just passed a strange milestone. Bots now generate more web requests than people do. By Cloudflare's count, automated traffic makes up roughly 57 percent of everything hitting the web. That shift is the backdrop to a product the company launched on Monday. It is called Cloudflare Precursor, and it changes how the web tells humans and machines apart. Watching the whole visit, not the doorway Traditional defences work like a bouncer checking one ID at the gate. A CAPTCHA asks you to prove you are human once, then waves you through. Modern bots are good enough to fake that single moment. Precursor takes a different tack. It runs inside the browser and watches an entire session. That means mouse movement, scrolling rhythm, typing cadence, clipboard use, and how long a page stays visible. Faking one click is easy. Faking a whole human visit is a real engineering problem. "Traditional security checks look at a single moment in time, but modern bots have gotten smart enough to fake their way through the front door", said Dane Knecht, Cloudflare's chief technology officer. The space between login and checkout, he said, was a black box. Precursor is meant to close it. Cloudflare says the tool is privacy-led. It logs behavioural patterns rather than content, recording typing as rhythm and cadence, never the actual keystrokes. It turns on with one click and needs no code changes. Sorting the machines by what they want Precursor is one half of a bigger rethink. The other is about the good bots. Not all automation is hostile. Cloudflare now sorts AI traffic into three buckets. Search bots index a page to answer questions later. Agent bots act in real time for a person. Training bots absorb your content into a model. From 15 September, new sites on Cloudflare will block Training and Agent bots by default on pages that carry ads, while letting Search through. The logic is money. Search sends readers back; the others often do not. It is the next turn of a fight in which Cloudflare has already told AI crawlers to pay publishers or get blocked. The company is also adding a way for sites to set how bots may reuse their content: store nothing, index and link back, or summarise and reproduce. A new database called BotBase names every known crawler. It all builds on Cloudflare's earlier push for a privacy-first anti-bot standard with the big browsers. Trust you can carry, and lose The trickiest part is that the bot at your door often is not run by the company that built it. Cloudflare wants operators to declare themselves, using an existing web header, so a site can allow "OpenAI" and have that choice hold even through layers of middlemen. Losing that trusted status across the more than 20 percent of web domains behind Cloudflare, the company argues, is a deterrent with teeth. It is a softer cousin of ideas like Estonia's plan to give every AI agent an ID number. The stakes rise as agents start to shop and pay for us. It also echoes the push to let publishers opt out of AI without vanishing from search. The plumbing is changing too The rewiring runs deeper than one vendor. On the same day, the Internet Engineering Task Force published a new HTTP method called QUERY, the Register reported. It gives complex searches their own verb, safe and cacheable, instead of forcing them to masquerade as data-changing requests. Cloudflare and Akamai engineers co-wrote the standard. That is the theme running through all of it. The web's basic machinery was built for human clicks. It is now being quietly rebuilt for a place where most of the visitors are machines.
[2]
Cloudflare launches Precursor to catch bots by watching entire sessions
Cloudflare launches Precursor to catch bots by watching entire sessions Cloudflare Inc. today opened general availability for Precursor, a bot detection system that tracks how a visitor behaves across an entire browsing session instead of testing them once on arrival. Precursor runs inside the browser. It streams interaction signals back to Cloudflare's edge, where servers score them in real time for evidence of automation. The target is the CAPTCHA. A challenge page tests the visitor once, at the door. Everything the visitor does after that is assumed good. Cloudflare puts bot traffic at roughly 57% of web requests. By its count, automation now outweighs people on the internet. Cloudflare's argument is that a point-in-time check is easy to fake. A bot can fake a single action. Faking an entire session, with the timing irregularities of a real person, costs real engineering effort. "Instead of just checking an ID at the gate, we are looking at behavior over the entire visit," said Chief Technology Officer Dane Knecht. Customers turn Precursor on with a single click and no code changes. Cloudflare injects a small script into pages already passing through its network and the script logs mouse movement, scrolling rhythm, typing cadence, clipboard activity and how long a page stays visible in the browser tab. What happens next is a coherence check. Cloudflare's analysis engine unpacks the telemetry and looks for internal contradictions, such as pointer activity recorded while the page was hidden or typing events fired at a moment when no text field held focus. Suspicious sessions accumulate context rather than resetting, feeding a running Bot Score that follows the visitor through a site or single-page application. That closes off a standard evasion. Under per-request challenges, an automated agent can wipe its behavioral signature by reloading the page. Precursor keeps scoring. Cloudflare said the script records aggregate patterns and not the inputs themselves. Keyboard activity is stored as timing rhythm and cadence. The characters typed are never captured, according to the company. The launch extends a long run of bot and crawler products out of Cloudflare. The company began blocking artificial intelligence scrapers by default for new customers last year, built the Pay Per Crawl marketplace so publishers can charge AI firms for access and shipped AI Crawl Control for per-crawler allow and block decisions. Bot management is also a wholesale business. WP Engine Inc. built the bot controls in its Global Edge Security service on top of Cloudflare's network. Knecht said Cloudflare already protects users billions of times a day at login and checkout and described the stretch between those moments as "a black box" the company is now filling in. Precursor is generally available now. Cloudflare did not disclose pricing.
Share
Copy Link
Cloudflare launched Precursor, a bot detection system that monitors visitor behavior across entire browsing sessions instead of single-point checks. With bots now generating 57% of all web requests, the tool watches mouse movements, typing cadence, and scrolling rhythm to distinguish humans from sophisticated automation that can fake traditional CAPTCHAs.
The internet crossed a significant threshold as bots now generate roughly 57% of all web requests, surpassing human traffic for the first time
1
. This shift in bot traffic patterns prompted Cloudflare to launch Precursor on Monday, a bot detection system that fundamentally changes how the web distinguishes between human visitors and automated agents2
.
Source: SiliconANGLE
Cloudflare Precursor abandons the traditional approach of testing visitors once at entry. Traditional defenses work like a bouncer checking ID at the gate—CAPTCHAs ask you to prove you're human once, then wave you through. Modern bots have become sophisticated enough to fake that single moment
1
. The new system runs inside the browser and monitors user behavior across an entire session, tracking mouse movements, scrolling rhythm, typing cadence, clipboard activity, and how long a page stays visible [2](https://siliconangle.com/2026/07/13/cloudflare-l aunches-precursor-catch-bots-watching-entire-sessions/). "Traditional security checks look at a single moment in time, but modern bots have gotten smart enough to fake their way through the front door," said Dane Knecht, Cloudflare's chief technology officer1
.Precursor streams interaction signals back to Cloudflare's edge, where servers score them in real time for evidence of automation. The system performs a coherence check, unpacking telemetry to look for internal contradictions such as pointer activity recorded while the page was hidden or typing events fired when no text field held focus
2
. Suspicious sessions accumulate context rather than resetting, feeding a running Bot Score that follows the visitor through a site. This closes off a standard evasion tactic where automated agents wipe their behavioral signature by reloading the page2
.Related Stories
Cloudflare emphasizes that Precursor is privacy-led, logging behavioral patterns rather than content. Keyboard activity is stored as timing rhythm and cadence—the characters typed are never captured
1
[2](https://siliconangle.com/2026/07/13/cloudflare-launches-precursor-catch-bots-watching-e ntire-sessions/). Customers can activate the tool with a single click and no code changes, as Cloudflare injects a small script into pages already passing through its network2
.Precursor represents one component of Cloudflare's larger strategy to rebuild web infrastructure for an age where machines outnumber people. The company now sorts AI traffic into three categories: Search bots that index pages, Agent bots that act in real time for users, and Training bots that absorb content into models. From September 15, new sites on Cloudflare will block Training and Agent bots by default on ad-supported pages while allowing Search bots through
1
. Cloudflare is also introducing BotBase, a database naming every known crawler, and AI Crawl Control for granular bot management decisions1
2
. The Internet Engineering Task Force published a new HTTP method called QUERY on the same day, co-written by Cloudflare and Akamai engineers, giving complex searches their own verb instead of forcing them to masquerade as data-changing requests1
. With more than 20% of web domains behind Cloudflare, losing trusted status across this network serves as a meaningful deterrent for bad actors as AI agents begin to shop and transact on behalf of users.Summarized by
Navi
[1]
01 Jul 2026•Technology

23 Sept 2024

23 Jun 2026•Technology

1
Policy and Regulation

2
Technology

3
Technology
