Why behavior beats device and network in bot detection (benchmarks inside) (research.roundtable.ai)

Researchers at Roundtable benchmarked five leading invisible bot-detection systems—Roundtable Proof of Human, Google reCAPTCHA v3, hCaptcha (99.9% passive mode), FingerprintJS Pro, and Cloudflare Turnstile—against a suite of realistic web tasks to see how well they catch modern bots and AI agents. Using five web tasks (sign-up, survey, review, article unlock, and a cognitive experiment), three bot types (traditional scripts, browser automation, and LLM-driven AI agents), and 10 trials per task/bot/system (150 sessions per system, 750 total), they found wide performance variation: overall detection rates ranged roughly from 33% to 87%, with Roundtable highest (~86%) and device-fingerprint-focused systems (FingerprintJS Pro, Cloudflare) lowest. Systems that combine behavioral signals (typing patterns, mouse movements, timing, click precision) with device/network signals outperformed device-only approaches. Technically, the benchmark emphasizes invisible detection that preserves UX, showing behavioral anomalies—perfect click precision, unnaturally consistent reaction times—remain strong telltales against AI agents running real browsers. Caveats include lack of measured human false-positive rates, no active adversarial red‑teaming, and reproducibility challenges because the dataset depends on live browser interactions; hCaptcha’s passive challenge mode was treated as a bot flag (an upper-bound estimate). The study implies bot detection must prioritize behavioral analytics and continuous adaptation as LLM-driven agents grow cheaper and more capable.