Cloudflare Precursor watches your mouse and keyboard to decide if you are human

Cloudflare wants websites to stop asking visitors to prove they are human with irritating CAPTCHA puzzles. Its replacement, however, involves watching how people move, type, scroll, and interact with a page throughout an entire session.

The company has launched Precursor, a behavioral bot detection system for Cloudflare Enterprise Bot Management customers. Instead of checking one login, click, or checkout attempt, Precursor continuously evaluates activity inside the browser to determine whether a visitor appears human.

Cloudflare says the system looks at signals such as mouse movement, scrolling rhythm, typing cadence, clipboard activity, page visibility, and whether keyboard events happened while a text field was selected.

It does not capture the actual keys being pressed, according to the company. It studies the timing and rhythm instead.

That may sound preferable to clicking every square containing a traffic light, but it also means Cloudflare is gathering a much broader picture of how visitors behave on a website.

Traditional bot protection tends to focus on specific moments. A visitor may face a challenge while logging in, creating an account, or completing a purchase. Once that challenge is passed, the rest of the browsing session may receive less attention.

Precursor is designed to fill that gap.

Modern bots can run JavaScript, operate inside real browsers, and sometimes pass ordinary CAPTCHAs. Cloudflare believes it is much harder for automated software to imitate convincing human behavior over several minutes.

Humans do not move a mouse with mathematical precision. We hesitate, overshoot buttons, change direction, correct ourselves, and move at inconsistent speeds.

Bots often behave differently. Their movements may be too straight, too smooth, too repetitive, or too precise. Developers can add random delays and artificial mistakes, but Cloudflare says those imitations become easier to spot when activity is examined across an entire session.

“Traditional security checks look at a single moment in time, but modern bots have gotten smart enough to fake their way through the front door,” said Cloudflare CTO Dane Knecht. “Instead of just checking an ID at the gate, we are looking at behavior over the entire visit.”

Website operators can enable Precursor from the Cloudflare dashboard. Cloudflare then injects a compact JavaScript bundle into HTML responses as they pass through its network.

The company says customers do not need to modify their application code or add a separate third-party service.

Once active, the script attaches event listeners that collect interaction signals and temporarily store them in memory. The information is then sent to Cloudflare for analysis.

Its systems can look for suspicious combinations, such as pointer activity happening while the page was not visible or keyboard events firing when no text field had focus.

Those findings can affect Cloudflare’s bot score, challenge decisions, and security rules.

Because Precursor tracks the session rather than an individual request, refreshing the page should not give a bot an immediate clean slate. Suspicious behavior can continue to follow the session as the visitor moves through the site.

This is different from Cloudflare’s PACT proposal, which I covered previously. PACT is built around anonymous browser tokens that could prove a visitor has already been verified without repeatedly exposing identity or browsing behavior.

Precursor takes a much more active approach. Instead of accepting a privacy-preserving token, it keeps evaluating whether a visitor continues to behave like a human.

The two technologies could eventually complement each other, but they solve different parts of the same problem. PACT is about carrying anonymous trust between websites. Precursor is about continuously studying behavior after the visitor arrives.

Cloudflare is emphasizing privacy in its description of Precursor. The company says it collects the minimum information needed to identify automated activity and does not record actual keystrokes.

It also says behavioral information is analyzed as aggregate patterns and is not connected to login identities, customer accounts, or persistent user profiles.

Those protections are important, but the privacy concern is still difficult to ignore.

Software that continuously measures mouse movements, typing cadence, clipboard activity, focus changes, and page visibility may feel invasive, even when it does not capture the content being typed.

Website owners should be clear with visitors about this kind of monitoring, particularly if Precursor becomes common across large parts of the web.

Cloudflare claims automated systems now generate roughly 57 percent of internet requests. That traffic includes AI agents, scrapers, inventory bots, fraud tools, and automated account attacks.

The company is also adding session-based views to Security Analytics. Customers can examine full visitor journeys rather than looking only at isolated requests.

That could help businesses identify automation that looks legitimate in short bursts but becomes suspicious over time.

For users, the tradeoff is more complicated. Precursor may reduce the number of visible CAPTCHA challenges, but the test has not disappeared. It has simply moved into the background, where it can watch the entire visit.

Support independent tech journalism

NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.

Support NERDS.xyz
Avatar of Brian Fagioli
Written by

Brian Fagioli

Technology journalist and founder of NERDS.xyz

Brian Fagioli is a technology journalist and founder of NERDS.xyz. A former BetaNews writer, he has spent over a decade covering Linux, hardware, software, cybersecurity, and AI with a no nonsense approach for real nerds.

Leave a Comment