Cloudflare Precursor monitors entire sessions to identify bots.
For the first time, bots account for over half of all internet traffic. Cloudflare has introduced a new tool called Cloudflare Precursor, which moves beyond merely checking IDs at entry points and instead observes how users behave once they've accessed the site.
The internet has recently reached an unusual milestone: bots now create more web requests than human users. According to Cloudflare, automated traffic constitutes approximately 57 percent of all web activity.
This shift provides context for a product the company unveiled on Monday. Cloudflare Precursor alters the method of differentiating between humans and machines on the web.
Observing the entire visit, not just the entry point
Traditional security measures operate like a bouncer verifying an ID at the door. A CAPTCHA prompts users to confirm they are human just once before letting them in. However, modern bots have advanced to the point where they can deceive these momentary checks.
Precursor adopts a different approach. It functions within the browser to monitor an entire session, tracking aspects like mouse movement, scrolling patterns, typing rhythm, clipboard usage, and the duration a page remains visible. While it's easy to fake a single click, impersonating a complete human visit presents a significant engineering challenge.
“Conventional security measures focus on a singular moment, but contemporary bots have become sophisticated enough to get past the initial gate,” stated Dane Knecht, Cloudflare’s chief technology officer. He noted that the time between logging in and completing a transaction was a "black box," and Precursor aims to illuminate it.
Cloudflare asserts that this tool prioritizes user privacy. It logs behavioral patterns instead of content, capturing typing as rhythm and cadence without recording specific keystrokes. It activates with just one click and requires no modifications to existing code.
Classifying machines based on their intentions
Precursor is part of a broader reassessment. The other aspect involves differentiating beneficial bots from harmful ones.
Not all automated traffic is malicious. Cloudflare now categorizes AI traffic into three groups: search bots that index pages for future queries, agent bots that act in real-time for users, and training bots that learn from the content to build models.
Starting September 15, new sites using Cloudflare will automatically block training and agent bots on ad-supported pages while allowing search bots. The rationale behind this is financial; search bots attract readers, whereas the others often do not. This is part of an ongoing effort where Cloudflare has previously told AI crawlers they need to compensate publishers or face being blocked.
The company will also provide a mechanism for sites to determine how bots can use their content: either not storing anything, indexing and linking back, or summarizing and reproducing material. A new database, BotBase, will identify all known crawlers. This initiative builds on Cloudflare's earlier commitment to establish a privacy-first anti-bot standard alongside major browsers.
Maintaining and losing trust
The most challenging aspect is that the bot at your doorstep is often not operated by the entity that created it. Cloudflare aims for operators to identify themselves using an existing web header, allowing a site to recognize “OpenAI,” maintaining that distinction even through intermediaries.
The potential loss of that trusted status across over 20 percent of domains supported by Cloudflare is viewed as a significant deterrent. This concept is a gentler variant of ideas like Estonia’s initiative to assign ID numbers to every AI agent. The stakes are increasing as these agents begin to shop and conduct transactions on behalf of users. It also aligns with efforts to permit publishers to opt-out of AI without disappearing from search results.
The infrastructure is evolving as well
This transformation goes beyond just one vendor. On the same day, the Internet Engineering Task Force introduced a new HTTP method called QUERY, as reported by the Register. This method provides complex searches with their own verb, which is safe and cacheable, rather than requiring them to disguise themselves as data-altering requests.
Cloudflare and Akamai engineers collaborated on this standard. This recurring theme indicates that the foundational structure of the web was originally designed for human interactions but is now being subtly reengineered to accommodate an environment where the majority of visitors are machines.
Other articles
Cloudflare Precursor monitors entire sessions to identify bots.
Bots currently account for 57% of internet traffic. Cloudflare Precursor monitors entire sessions rather than a single point in time to distinguish between humans and machines.
