Cloudflare's new 'Precursor' technology distinguishes between AI agents and humans, detecting AI that behaves like a human based on its behavior on websites.

On July 13, 2026, Cloudflare announced 'Precursor,' a new verification system that analyzes user actions throughout a website session to distinguish between human access and automated actions by bots or AI agents.
Introducing Precursor: detecting agentic behavior with continuous client-side signals
CAPTCHA is a well-known mechanism for distinguishing between humans and bots, but as bots have become more sophisticated, they can now manipulate real browsers and bypass authentication. However, while bots can mimic human actions during authentication, they may exhibit unnatural behavioral patterns throughout the entire session.
Does 'CAPTCHA' still have meaning in the age of AI? - GIGAZINE

Cloudflare's new technology, 'Precursor,' analyzes a series of operations, including those after authentication, to detect automated operations that are difficult to spot in a short time. When a human moves a mouse, they may slightly overshoot the target location and return, trace curves that follow the movement of the wrist, and change speed subtly. On the other hand, bot operations often involve linear trajectories, constant speed, and excessively precise clicks. While individual operations may appear natural, the difference between human and automated operations becomes more apparent when examined as a series of operations.

To perform continuous analysis, Cloudflare automatically inserts lightweight JavaScript into the HTML of websites with Precursor enabled. The inserted script collects data such as mouse pointer movements, keyboard input timing, focus on input fields, and page display time, and periodically sends this data to Cloudflare's servers. As a privacy consideration, keyboard input only records the timing and rhythm of the input, not the characters themselves, and the collected behavioral data is not associated with users' accounts, login information, or persistent profiles.
The submitted information is not judged individually, but rather evaluated in combination of multiple operations. For example, it checks whether keyboard operations occur only when the input field has focus, and whether pointer operations are consistent with the page's display state. The evaluation results are reflected in Cloudflare's bot score, decisions on whether to display additional authentication, and security rules.
Analysis results are accumulated on a session basis, not a page basis, so even if a bot reloads a page, it cannot easily reset the behavioral characteristics recorded up to that point.

Furthermore, Precursor can be used in conjunction with Cloudflare's existing authentication feature, 'Cloudflare Turnstile.' While Turnstile verifies users at specific points in time, Precursor expands its analysis to a series of actions within a site. This allows for a more flexible approach, such as using less disruptive settings for the entire site while requiring stricter verification only on payment pages. On the other hand, Precursor is the successor to the existing 'JavaScript Detections,' and users are instructed to disable JavaScript Detections when enabling Precursor.
As of the time of writing, Precursor is being rolled out to users of the paid add-on 'Bot Management for Enterprise' for the Enterprise plan, and can be enabled from the Cloudflare management screen. It offers 'Minimize Friction,' which attempts to establish a session state in the background while minimizing interruptions to the user, and 'Maximize Security,' which displays a lightweight authentication screen when no valid session is available.
Precursor will be available for free until its general release is scheduled for the second half of 2026.
Related Posts:
in Web Service, Posted by log1d_ts







