Multi-Wave Detection With Explicit Escalation
StyloBot does not market a single magic detector. It combines cheap protocol checks, behavioral evidence, cross-request correlation, and optional deeper analysis into one runtime decision.
The open-source stack is enough to evaluate real production traffic. Enterprise layers add more control, persistence, and operational reach.
- Runs in your VPC; your data stays there.
- Signals, deltas, action, policy.
- Layered protocol + behavior signals.
- HMACed IDs + stripped UAs.
How the engine sees you, right now
- Known AI training bot: ClaudeBot (Anthropic)
- Known bot pattern: ClaudeBot
- Heuristic model (early): 78% bot likelihood (19 features)
Top Bots
| Name | Bot % | Conf | Threat | Hits | 1h | Seen |
|---|---|---|---|---|---|---|
| US Bot | | | | 130 | | 3h 26m |
| GPT's Grumpy Giggles | | | | 59 | | 12h 41m |
| Bytespider | | | | 28 | | 15h 27m |
| ClaudeBot | | | | 16 | | now |
| googlebot | | | | 25 | | 2h 29m |
Protocol and Signature Checks
User-Agent and Known Tool Matching
Catch obvious automation, scanners, and commodity scraping tools before the runtime spends time on subtler questions.
Header and Browser Fingerprint Validation
Compare what the client claims to be with the headers and browser behaviour it presents. Spoofing usually leaks somewhere.
Infrastructure Signals
Datacenter IP ranges, stale versions, and hostile-source indicators help separate likely automation from ordinary consumer traffic.
Behavior and Consistency
Request Sequence Analysis
Examine cadence, transitions, and per-session flow. Real users browse with friction and variation; bots tend to reveal a program.
Cross-Signal Inconsistency
Catch impossible combinations such as mismatched OS, browser, protocol, or client capability claims. Bots often forge one layer and forget the rest.
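A sketch of such a consistency check, added here as an illustration and not taken from StyloBot's code: it compares a Chrome User-Agent claim against the Fetch Metadata and Client Hints headers that Chromium sends over HTTPS. The rule names, the OS token table, and the sample requests are assumptions constructed for the example.

```python
import re

# Rule names and the OS token table are assumptions made for this sketch.
UA_PLATFORMS = [("Android", "Android"), ("Windows NT", "Windows"),
                ("Mac OS X", "macOS"), ("CrOS", "Chrome OS"), ("Linux", "Linux")]

def find_inconsistencies(headers):
    """Return contradictions between the User-Agent claim and other headers.

    Assumes the request arrived over HTTPS, where Chromium sends these headers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    found = []
    m = re.search(r"Chrome/(\d+)", ua)
    if not m:
        return found  # only the Chrome claim is checked in this sketch
    major = int(m.group(1))
    # Chromium has sent Sec-Fetch-* since version 76 and Sec-CH-UA since 89.
    if major >= 76 and "sec-fetch-mode" not in h:
        found.append("chrome-ua-without-sec-fetch")
    hints = h.get("sec-ch-ua")
    if major >= 89 and hints is None:
        found.append("chrome-ua-without-client-hints")
    if hints is not None and str(major) not in re.findall(r'v="(\d+)', hints):
        found.append("ua-version-differs-from-client-hints")
    hinted = h.get("sec-ch-ua-platform", "").strip('"')
    claimed = next((name for token, name in UA_PLATFORMS if token in ua), None)
    if hinted and claimed and hinted != claimed:
        found.append("ua-os-differs-from-client-hints")
    return found

# Constructed sample requests (not captured traffic).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
REAL_BROWSER = {
    "User-Agent": CHROME_UA,
    "Sec-Fetch-Mode": "navigate",
    "Sec-CH-UA": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
    "Sec-CH-UA-Platform": '"Windows"',
}
UA_ONLY_CLIENT = {"User-Agent": CHROME_UA, "Accept": "*/*"}
MISMATCHED_HINTS = {
    "User-Agent": CHROME_UA,
    "Sec-Fetch-Mode": "navigate",
    "Sec-CH-UA": '"Chromium";v="120", "Not-A.Brand";v="99"',
    "Sec-CH-UA-Platform": '"Linux"',
}
```

Each returned rule name is one piece of evidence for the aggregator, not a verdict on its own.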
Browser Execution Proof
Optional client-side checks help distinguish a real browser from a headless impersonator when the application can support that signal.
Aggregation and Escalation
Heuristic Aggregation
The main runtime combines detector output into bot probability, confidence, and risk band. This is the decision core that keeps the hot path fast and explainable.
- Detector contributions stay visible.
- Confidence is separate from probability.
- Reputation can promote repeat offenders into the fast path.
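One way to keep contributions visible and confidence separate from probability, shown as an added example rather than StyloBot's own aggregator: detector deltas are summed in log-odds, and confidence is computed from how much of the detector set reported. The detector names, weights, prior, and band floors are assumptions.

```python
import math

# Assumed detector weights and band floors; not StyloBot's actual values.
DETECTOR_WEIGHTS = {"user_agent": 1.0, "header_fingerprint": 1.5,
                    "ip_reputation": 0.8, "sequence": 2.0}
BANDS = [(0.85, "high"), (0.60, "elevated"), (0.30, "low")]

def aggregate(signals, prior=0.10):
    """Combine detector deltas (log-odds; positive = bot-like) into a decision.

    `signals` maps detector name -> delta for the detectors that actually ran.
    """
    logit = math.log(prior / (1 - prior))
    trace = [("prior", round(logit, 3))]
    for name, delta in signals.items():
        step = DETECTOR_WEIGHTS[name] * delta
        logit += step
        trace.append((name, round(step, 3)))  # each contribution stays visible
    probability = 1 / (1 + math.exp(-logit))
    # Confidence is evidence coverage: how much of the detector set reported,
    # regardless of which way the evidence points.
    seen = sum(DETECTOR_WEIGHTS[name] for name in signals)
    confidence = seen / sum(DETECTOR_WEIGHTS.values())
    band = next((label for floor, label in BANDS if probability >= floor),
                "minimal")
    return {"probability": round(probability, 3),
            "confidence": round(confidence, 3),
            "band": band, "trace": trace}

# Constructed inputs: one loud detector, broad agreement, and a human-like session.
FIRST_REQUEST = {"user_agent": 5.0}
FULL_SESSION = {"user_agent": 0.5, "header_fingerprint": 1.0,
                "ip_reputation": 1.0, "sequence": 1.0}
HUMAN_LIKE = {"header_fingerprint": -1.0, "sequence": -0.5}
```

`FIRST_REQUEST` and `FULL_SESSION` land in the same risk band with very different confidence, which is the case where a policy can choose to throttle or challenge rather than block.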
Deep Analysis for Borderline Cases
Optional LLM-backed analysis exists for requests that justify slower reasoning. It is an escalation path, not the identity of the product and not something every request should pay for.
- Use for ambiguous spoofing and novel patterns.
- Keep the main request path bounded.
- Prefer local or controlled model deployment where possible.
Cross-Request and Cluster Intelligence
Bot Cluster Detection
Group confirmed bad signatures to expose product families, shared infrastructure, and coordinated campaigns. This sharpens later decisions on related traffic.
Country and Infrastructure Reputation
Reputation adds supporting context for borderline requests and decays over time so old conditions do not poison new traffic forever.
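Decaying reputation can be modelled with an exponential half-life applied lazily on read. The class below is an added example, not StyloBot's implementation; the six-hour half-life, the cap, the scaling factor, and the key `AS64500` (a documentation-reserved ASN) are assumptions.

```python
class DecayingReputation:
    """Hostility score per key (country, ASN, ...) that halves every half_life seconds."""

    def __init__(self, half_life=6 * 3600.0, max_delta=1.0, per_point=0.25):
        self.half_life = half_life
        self.max_delta = max_delta  # cap keeps reputation a supporting signal
        self.per_point = per_point  # log-odds added per point of score
        self._state = {}            # key -> (score, time of last update)

    def score(self, key, now):
        """Current score; decay is computed from the time of the last update."""
        value, then = self._state.get(key, (0.0, now))
        return value * 0.5 ** ((now - then) / self.half_life)

    def observe(self, key, weight, now):
        """Record a confirmed bad request against `key`."""
        value = self.score(key, now) + weight
        self._state[key] = (value, now)
        return value

    def delta(self, key, now):
        """Log-odds nudge for an aggregator, never larger than max_delta."""
        return min(self.max_delta, self.per_point * self.score(key, now))

    def prune(self, now, floor=0.01):
        """Drop keys whose score has decayed to noise; returns how many."""
        stale = [k for k in self._state if self.score(k, now) < floor]
        for k in stale:
            del self._state[k]
        return len(stale)


def decay_curve(hours=(0, 6, 12, 24)):
    """Constructed scenario: one burst of bad traffic, then silence."""
    rep = DecayingReputation()
    rep.observe("AS64500", 8.0, now=0.0)
    return [rep.delta("AS64500", now=h * 3600.0) for h in hours]
```

The cap means a heavily abused network can nudge a borderline request but cannot by itself push ordinary traffic into a blocking band, and the decay returns the nudge to zero once the abuse stops.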
Community Affinity
When a request shares traits with known hostile clusters, the runtime can raise scrutiny without treating that single overlap as a final verdict.
Advanced Enterprise Layers
Deeper Fingerprinting and Shared Persistence
Enterprise builds extend the runtime with stronger persistence, richer fingerprint layers, and operational tooling for teams managing multiple gateways.
Controlled Model Integrations
When deeper model analysis is useful, enterprise deployments can plug in approved providers without turning the product into a generic model-marketing page.
Optional Threat Intelligence
Project Honeypot
External IP reputation can add another signal for known hostile sources. Treat it as one input in the graph, not a substitute for local evidence.
Recent additions
- Friendly-bot throttle-status policy: legitimate crawlers (Googlebot, Bingbot) routed through a rate-limit lane instead of blocked.
- Deceptive-bot (!) marker: bots claiming to be browsers but failing protocol checks get an explicit deception flag in the dashboard.
- Drift-gated naming: bot display names only update when behaviour drifts, preventing flicker in the dashboard.
- Ambiguity-persistence: repeat boundary-probing requests are tracked as a signal in their own right.
- Slow-path coordinator: expensive identity verification is admission-controlled so it cannot DoS the fast path.
What these detectors catch
Google's web crawler. Honest user-agent, datacenter origin, no Sec-Fetch headers, predictable timing. We route it through the friendly-bot throttle-status policy -- never blocked.
Puppeteer, Playwright, and chrome --headless sessions. Looks like Chrome at the UA level but diverges from a real browser's protocol fingerprint. Watch-level by default.
Command-line HTTP clients (curl, wget, http). Honest Accept: */* and tiny header set. Useful in scripts, expected in many CI pipelines -- info-level until the request shape suggests scanning.
Pipeline Order
Cheap checks first. Context second. Escalation last.
Fast checks cut obvious traffic
Known tools, malformed clients, and hostile infrastructure get caught early.
Behavioral and sequence analysis refine the call
Session cadence and cross-signal consistency determine whether suspicion hardens or falls away.
Aggregation outputs risk, confidence, and action
The system produces a traceable decision: signals, detector deltas, aggregation, and policy action.
Escalation handles the hard residue
Only the tricky traffic earns slower, deeper analysis.
Confirmed patterns become cheaper to stop next time
Reputation and cluster context make repeat offenders faster to classify.
Common Runtime, Different Surface Area
StyloBot and StyloWall share the same runtime mindset: evidence-first traffic decisions, local control, and low-latency enforcement.
StyloBot
Focused on HTTP and application-layer bot traffic. Use it to protect login, checkout, API, and content routes where browser behavior matters.
StyloWall
Extends the same operator mindset toward broader network services and protocol surfaces beyond the web stack.
Inspect the Runtime, Then Decide How Hard to Enforce
The detector stack is useful because it makes the decision path visible.