arxiv: 2605.01247 · v1 · submitted 2026-05-02 · 💻 cs.CR

Recognition: unknown

FP-Agent: Fingerprinting AI Browsing Agents

Ethan Wang, Yash Vekaria, Zubair Shafiq

Authors on Pith no claims yet

Pith reviewed 2026-05-09 14:31 UTC · model grok-4.3

classification 💻 cs.CR

keywords AI browsing agentsbehavioral fingerprintingbrowser fingerprintingbot detectionweb securitymulti-class classificationhoney site measurement

0 comments

The pith

Behavioral fingerprints distinguish AI browsing agents from humans and from each other.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper measures seven AI browsing agents and human users as they complete everyday tasks on an instrumented test site. It finds that standard browser fingerprints offer little separation because multiple agents share similar browser configurations. In contrast, differences in typing speed, scrolling patterns, and mouse movements allow a trained classifier to identify each agent and separate them from people. This distinction matters for websites that need to manage automated traffic without blocking legitimate users. The work also shows that a popular commercial bot detector misses most of the agents while the new classifier catches all of them.

Core claim

Behavioral fingerprints based on typing, scrolling, and mouse behavior provide strong discriminative power that separates specific AI browsing agents both from human users and from one another, while browser fingerprints alone supply limited power because they are frequently shared across agents.

What carries the argument

FP-Agent, a multi-class classifier trained on a combination of browser fingerprint features and behavioral features collected while agents and humans perform flight booking, shopping, and forum tasks on an instrumented honey site.

If this is right

Websites gain a practical method to detect and manage AI agent traffic that current commercial detectors miss.
Behavioral monitoring can separate individual agents from one another even when their browser setups overlap.
Detection systems must incorporate interaction patterns rather than relying solely on static browser attributes.
Control over emerging AI-driven web traffic becomes feasible once behavioral signals are routinely collected.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Sites could add lightweight behavioral checks to their existing defenses without changing how humans experience the page.
As agents are updated, their behavioral signatures may shift, so detection models will need periodic retraining on new traces.
The same measurement approach could be applied to other automated systems that use real browsers to test whether behavioral separation generalizes beyond the seven agents studied.

Load-bearing premise

The observed behavior of each agent on the three chosen tasks at the single test site accurately represents how those agents would act across other real websites and tasks.

What would settle it

Running the same agents through the classifier on a fresh set of unrelated websites and tasks and checking whether accuracy drops sharply.

Figures

Figures reproduced from arXiv: 2605.01247 by Ethan Wang, Yash Vekaria, Zubair Shafiq.

**Figure 1.** Figure 1: An overview of our FP-Agent framework. browsing agent. To complement the proprietary systems, we also include two well-known open-source browsing agents, Browser Use [16] and Skyvern [97], allowing us to compare commercial and open-source browsing agent implementations. For reproducibility, we fix the versions of Skyvern and Browser Use to 0.2.23 and 0.9.2 respectively view at source ↗

**Figure 2.** Figure 2: Time series of events representing each brows view at source ↗

**Figure 3.** Figure 3: Scroll distance vs duration for each class. Each point represents a scroll burst. The dotted lines are at the view at source ↗

**Figure 4.** Figure 4: Strip plot of number of change and input events by task for each browsing agent and humans. view at source ↗

**Figure 5.** Figure 5: 𝐹1 score over time elapsed into the task browsing session for each feature set. event view at source ↗

**Figure 6.** Figure 6: Flight-booking task (left) and shopping task (right). view at source ↗

**Figure 7.** Figure 7: Forums task. 21 view at source ↗

**Figure 8.** Figure 8: FP-Agent’s confusion matrices on each feature set across all classes. The behavioral- and combinedfingerprint classifiers perform almost perfectly, whereas the duality of perfect classification for classes not sharing fingerprints and imperfect classification for classes sharing fingerprints suggests the browser-fingerprint classifier is overfitting, providing additional evidence that browser fingerprints… view at source ↗

read the original abstract

AI browsing agents are an emerging class of AI-powered bots capable of autonomously navigating websites. Unlike traditional web bots, AI browsing agents typically operate using real browsers and perform everyday tasks, making them difficult to detect. Yet little is known about whether existing AI browsing agents can be distinguished from humans and one another based on their browser or behavioral fingerprints. In this paper, we present the first controlled measurement study of seven AI browsing agents and human users. Using an instrumented honey website, we collect browser and behavioral fingerprint features while AI browsing agents and humans perform three tasks: flight booking, online shopping, and forum interaction. We then train FP-Agent, a multi-class classifier, to evaluate the discriminative power of these features. We find that browser fingerprints provide limited discriminative power when shared by multiple AI browsing agents. Behavioral fingerprints, however, are distinctive: differences in typing, scrolling, and mouse behavior separate AI browsing agents from humans and one another. In a case study evaluating Cloudflare's bot detection, FP-Agent detects all seven AI browsing agents, whereas Cloudflare detects only one. Our findings show that behavioral fingerprints are a critical component to reliably detect and control this emerging form of web traffic.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This is the first controlled measurement of browser and behavioral fingerprints across seven AI agents versus humans, with behavioral features separating them on the authors' honey site while browser ones do not.

read the letter

The paper runs a straightforward empirical study: they built an instrumented honey website, had seven AI browsing agents and human users complete flight booking, shopping, and forum tasks, collected browser and behavioral features, and trained a multi-class classifier called FP-Agent. The main result is that browser fingerprints overlap heavily across agents, but differences in typing, scrolling, and mouse behavior let the classifier tell agents apart from each other and from humans. In their Cloudflare case study, FP-Agent flags all seven agents while Cloudflare only catches one. That is new data on a timely problem, and the controlled setup with multiple agents is a clear step forward from prior bot-detection work that mostly treated all automation the same. The methodology is transparent enough that others could replicate the data collection if the site and tasks are described in detail. The practical comparison to an existing service is also useful. The soft spot is generalization. All traces come from one custom site and three fixed tasks, so the feature distributions could change if agents get different prompts, hit different DOM layouts, or operate on real e-commerce sites. The abstract does not report exact accuracies, confusion matrices, or cross-validation details, which makes it hard to judge how robust the separation is. If the full paper has ablation studies or statistical tests on the behavioral features, that would tighten the claim that these fingerprints are critical for reliable detection. This work is aimed at researchers and practitioners in web security and bot mitigation who need to handle AI-driven agents. A reader already thinking about behavioral signals would get concrete examples and a baseline classifier to build on. It deserves peer review because the measurement is novel and the experiments are a reasonable first cut, even though more validation on varied sites and prompts would make the conclusions stronger.

Referee Report

2 major / 1 minor

Summary. The paper presents the first controlled measurement study of seven AI browsing agents versus human users. Using an instrumented honey website, the authors collect browser and behavioral fingerprint features while agents and humans perform three tasks (flight booking, online shopping, forum interaction). They train a multi-class classifier (FP-Agent) and report that behavioral features (typing, scrolling, mouse patterns) are distinctive, enabling reliable separation of agents from humans and among agents, while browser fingerprints are less discriminative when shared. In a case study, FP-Agent detects all seven agents whereas Cloudflare detects only one.

Significance. If the empirical results hold under broader conditions, the work provides concrete evidence that behavioral fingerprints offer a practical signal for detecting and controlling AI browsing agents, an emerging class of web traffic that evades traditional bot detectors. This could inform improvements to web security systems and highlight limitations in current commercial solutions like Cloudflare.

major comments (2)

[Data Collection and Experimental Setup] The central claim that behavioral fingerprints are 'a critical component to reliably detect' AI agents rests on data collected from a single honey website during three fixed tasks. The manuscript provides no cross-site validation, cross-prompt testing, or evaluation on diverse DOM structures and real-world instructions, raising the risk that the reported feature distributions and classifier performance will not generalize (see the skeptic note on representativeness and the abstract's description of the data collection).
[Results and Case Study] The abstract and results describe 'clear separation' and superior detection without reporting specific quantitative metrics (accuracy, F1, confusion matrices), statistical details, or validation methods for the multi-class classifier. This omission makes it difficult to assess whether the data fully supports the discriminative-power claims or the case-study comparison to Cloudflare.

minor comments (1)

[Abstract] The abstract would be strengthened by including at least one key quantitative result (e.g., overall accuracy or per-class F1) to summarize the classifier performance.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment below and indicate the revisions we will make to strengthen the paper.

read point-by-point responses

Referee: [Data Collection and Experimental Setup] The central claim that behavioral fingerprints are 'a critical component to reliably detect' AI agents rests on data collected from a single honey website during three fixed tasks. The manuscript provides no cross-site validation, cross-prompt testing, or evaluation on diverse DOM structures and real-world instructions, raising the risk that the reported feature distributions and classifier performance will not generalize (see the skeptic note on representativeness and the abstract's description of the data collection).

Authors: We acknowledge that the study uses a single instrumented honey website and three fixed tasks, which limits direct claims about generalizability across arbitrary sites and instructions. This controlled setup was chosen deliberately to enable head-to-head comparison of seven agents and humans under identical conditions, isolating behavioral signals without site-specific confounds. As the first such measurement study, we view the results as an initial demonstration rather than a comprehensive claim of universality. In the revised manuscript we will add an explicit limitations subsection that discusses representativeness, the fixed task set, and the absence of cross-site or cross-prompt validation. We will also expand the methods section with additional details on the specific prompts, DOM elements, and task flows used. Future work on broader validation will be noted as an open direction. revision: partial
Referee: [Results and Case Study] The abstract and results describe 'clear separation' and superior detection without reporting specific quantitative metrics (accuracy, F1, confusion matrices), statistical details, or validation methods for the multi-class classifier. This omission makes it difficult to assess whether the data fully supports the discriminative-power claims or the case-study comparison to Cloudflare.

Authors: We agree that the abstract and results summary would benefit from explicit quantitative metrics. The full manuscript reports the multi-class classifier performance (including accuracy, per-class F1 scores, and confusion matrices) obtained via cross-validation, together with the per-agent outcomes in the Cloudflare case study. To improve transparency, we will revise the abstract to include the key performance figures and will add a short paragraph in the results section that states the validation procedure (k-fold cross-validation) and any statistical details. The case-study comparison will be expanded with the exact detection counts and conditions under which Cloudflare and FP-Agent were evaluated. revision: yes

Circularity Check

0 steps flagged

Empirical measurement study with no derivation chain or self-referential predictions

full rationale

The paper conducts a controlled data collection experiment on an instrumented honey website, gathering browser and behavioral features while seven AI agents and humans perform three fixed tasks. It then trains and evaluates a multi-class classifier (FP-Agent) on those traces and reports detection rates versus Cloudflare. No equations, first-principles derivations, fitted parameters renamed as predictions, or self-citation chains appear in the described methodology or claims. All reported discriminative power and superiority claims are direct empirical outcomes from the collected dataset rather than logical reductions to prior inputs or definitions. The study is therefore self-contained against external benchmarks with no circular steps.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an empirical measurement study; the central claim rests on the representativeness of the selected agents, tasks, and honey website setup. No mathematical axioms, free parameters, or invented entities are described in the abstract.

pith-pipeline@v0.9.0 · 5503 in / 994 out tokens · 22267 ms · 2026-05-09T14:31:05.464420+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

115 extracted references · 4 canonical work pages · 1 internal anchor

[1]

Alejandro Acien, Aythami Morales, Julian Fierrez, and Ruben Vera- Rodriguez. 2022. BeCAPTCHA-Mouse: Synthetic mouse trajectories and improved bot detection.Pattern Recognition127 (2022), 108643

2022
[2]

Alejandro Acien, Aythami Morales, John V Monaco, Ruben Vera- Rodriguez, and Julian Fierrez. 2021. TypeNet: Deep learning key- stroke biometrics.IEEE Transactions on Biometrics, Behavior, and Identity Science4, 1 (2021), 57–70

2021
[3]

Akamai Technologies, Inc. 2025. Fraud and Abuse Report 2025: Chart- ing a Course Through AI’s Murky Waters. https://www.akamai.com/ resources/state-of-the-internet/ai-botnet-report-2025

2025
[4]

Akamai Technologies, Inc. 2026. SOTI Security Insight Series: Navi- gating the AI Bot Era. https://www.akamai.com/resources/state-of- the-internet/publishing-ai-botnet-report

2026
[5]

Will Allen and Simon Newton. 2025. Introducing pay per crawl: Enabling content owners to charge AI crawlers for access. https: //blog.cloudflare.com/introducing-pay-per-crawl/

2025
[6]

Babak Amin Azad, Oleksii Starov, Pierre Laperdrix, and Nick Niki- forakis. 2020. Web runner 2049: Evaluating third-party anti-bot services. InInternational Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 135–159

2020
[7]

Anthropic. 2025. Claude can now search the web. https://claude. com/blog/web-search

2025
[8]

Anthropic. 2025. Does Anthropic crawl data from the web, and how can site owners block the crawler? https: //support.claude.com/en/articles/8896518-does-anthropic-crawl- data-from-the-web-and-how-can-site-owners-block-the-crawler. Accessed: April 23, 2026

work page arXiv 2025
[9]

Anthropic. 2026. Claude. https://chromewebstore.google.com/detail/ claude/fcoeoabgfenejglbffodgkkbkcdhcgfn

2026
[10]

Daniel Ayzenshteyn, Roy Weiss, and Yisroel Mirsky. 2025. Cloak, Honey, Trap: Proactive Defenses Against {LLM} Agents. In34th USENIX Security Symposium (USENIX Security 25). 8095–8114

2025
[11]

Annabelle Backman, Justin Richer, and Manu Sporny. 2024. HTTP Message Signatures. https://datatracker.ietf.org/doc/html/rfc9421/. Accessed: April 22, 2026

2024
[12]

David Belson. 2025. The 2025 Cloudflare Radar Year in Review: The rise of AI, post-quantum, and record-breaking DDoS attacks. https://blog.cloudflare.com/radar-2025-year-in-review/. Cloudflare Blog

2025
[13]

Alex Bocharov, Santiago Vargas, Adam Martinetti, Reid Tatoris, and Carlos Azevedo. 2024. Declare your AIndependence: block AI bots, scrapers and crawlers with a single click. https://blog.cloudflare.com/declaring-your-aindependence- block-ai-bots-scrapers-and-crawlers-with-a-single-click/

2024
[14]

Brave Software, Inc. 2025. Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet. https://brave.com/blog/comet-prompt- injection/

2025
[15]

Morton B Brown and Alan B Forsythe. 1974. Robust tests for the equality of variances.Journal of the American statistical association 69, 346 (1974), 364–367

1974
[16]

browser use. 2025. Browser Use. https://github.com/browser-use/ browser-use/tree/007e7a8dccf7903b8d75ec6262621610269f432b

2025
[17]

browser use. 2025. element.py. https://github.com/browser-use/ browser-use/blob/007e7a8dccf7903b8d75ec6262621610269f432b/ browser_use/actor/element.py#L353

2025
[18]

browser use. 2026. CDP Use. https://github.com/browser-use/cdp- use. Accessed: April 23, 2026

2026
[19]

Alberto Cabri, Grażyna Suchacka, Stefano Rovetta, and Francesco Masulli. 2018. Online web bot detection using a sequential classifi- cation approach. In2018 IEEE 20th International Conference on High 14 FP-Agent: Fingerprinting AI Browsing Agents Performance Computing and Communications; IEEE 16th International Conference on Smart City; IEEE 4th Internati...

2018
[20]

Davide Chicco, Andrea Sichenze, and Giuseppe Jurman. 2025. A simple guide to the use of Student’s t-test, Mann-Whitney U test, Chi-squared test, and Kruskal-Wallis test in biostatistics.BioData Mining18, 1 (2025), 56

2025
[21]

Zi Chu, Steven Gianvecchio, Aaron Koehl, Haining Wang, and Sushil Jajodia. 2013. Blog or block: Detecting blog bots through behavioral biometrics.Computer Networks: The International Journal of Computer and Telecommunications Networking57, 3 (2013), 634–646

2013
[22]

Cloudflare, Inc. 2025. Content Signals. https://contentsignals.org/. Accessed: Jan. 27, 2026

2025
[23]

Cloudflare, Inc. 2025. Verified bots. https://developers.cloudflare. com/bots/concepts/bot/verified-bots/]. Accessed: April 23, 2026

2025
[24]

Cloudflare, Inc. 2026. Bots. https://developers.cloudflare.com/bots/ concepts/bot/#ai-bots]. Accessed: April 29, 2026

2026
[25]

Cloudflare, Inc. 2026. Free. https://developers.cloudflare.com/bots/ plans/free/. Accessed: April 25, 2026

2026
[26]

Cloudflare, Inc. 2026. What are good bots? https://www.cloudflare. com/learning/bots/how-to-manage-good-bots/. Accessed: April 21, 2026

2026
[27]

Cloudflare, Inc. [n.d.]. Bot Information for Manus Bot. https://radar. cloudflare.com/bots/directory/manus-bot. Accessed: April 23, 2026

2026
[28]

Cloudflare, Inc. [n.d.]. Cloudflare Bot Management. https: //assets.ctfassets.net/slt3lc6tev37/1DzWC1w6QLq0pvyYplHRDZ/ 650902f4caedb5c22bd83bbb8cd7b1c4/Cloudflare_Bot_ Management_Datasheet.pdf. Accessed: April 22, 2026

2026
[29]

Cloudflare, Inc. [n.d.]. What is a low and slow attack? https://www. cloudflare.com/learning/ddos/ddos-low-and-slow-attack/. Accessed: Jan. 27, 2026

2026
[30]

Cloudflare Radar. 2026. Bots Directory. https://radar.cloudflare.com/ bots/directory?kind=all. Accessed: April 18, 2026

2026
[31]

Stefano Cresci, Roberto Di Pietro, Marinella Petrocchi, Angelo Spog- nardi, and Maurizio Tesconi. 2017. The paradigm-shift of social spambots: Evidence, theories, and tools for the arms race. InProceed- ings of the 26th international conference on world wide web companion. 963–972

2017
[32]

Jian Cui, Mingming Zha, XiaoFeng Wang, and Xiaojing Liao. 2025. The Odyssey of robots. txt Governance: Measuring Convention Impli- cations of Web Bots in Large Language Model Services. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. 21–35

2025
[33]

DataDome. 2026. Agent Trust. https://datadome.co/products/agent- trust-management/. Accessed: April 18, 2026

2026
[34]

Daniel DeAlcala, Aythami Morales, Ruben Tolosana, Alejandro Acien, Julian Fierrez, Santiago Hernandez, Miguel A Ferrer, and Moises Diaz
[35]

InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition

BeCAPTCHA-type: biometric keystroke data generation for improved bot detection. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 1051–1060
[36]

Xiang Deng, Yu Gu, Boyuan Zheng, Shijie Chen, Sam Stevens, Boshi Wang, Huan Sun, and Yu Su. 2023. Mind2web: Towards a generalist agent for the web.Advances in Neural Information Processing Systems 36 (2023), 28091–28114

2023
[37]

Python developers. 2026. Coroutines and tasks. https://docs.python. org/3/library/asyncio-task.html#asyncio.sleep. Accessed: April 23, 2026

2026
[38]

Barry Elad. 2025. Perplexity AI Statistics 2026: Speed, Accuracy, & Strategic Wins. https://sqmagazine.co.uk/perplexity-ai-statistics/. Accessed: April 21, 2026

2025
[39]

Fernanda Fiel Peres. 2026. Effect sizes for nonparametric tests.Bio- chemia medica36, 1 (2026), 5–16

2026
[40]

fingerprintjs. 2026. FingerprintJS. https://github.com/fingerprintjs/ fingerprintjs

2026
[41]

Steven Gianvecchio, Mengjun Xie, Zhengyu Wu, and Haining Wang
[42]

InUSENIX security symposium

Measurement and classification of humans and bots in internet chat.. InUSENIX security symposium. 155–170
[43]

Matthew Gray. 1996. Credits and Background. https://www.mit.edu/ ~mkgray/net/background.html. Accessed: April 21, 2026

1996
[44]

Haleluya Hadero and David Bauder. 2023. The New York Times sues OpenAI and Microsoft for using its stories to train chatbots. https://apnews.com/article/nyt-new-york-times-openai- microsoft-6ea53a8ad3efa06ee4643b697df0ba57

2023
[45]

Chris Harrelson. 2021. RenderingNG architecture. https://developer. chrome.com/docs/chromium/renderingng-architecture. Accessed: April 18, 2026

2021
[46]

Hongliang He, Wenlin Yao, Kaixin Ma, Wenhao Yu, Yong Dai, Hong- ming Zhang, Zhenzhong Lan, and Dong Yu. 2024. Webvoyager: Building an end-to-end web agent with large multimodal models. In Proceedings of the 62nd Annual Meeting of the Association for Compu- tational Linguistics (Volume 1: Long Papers). 6864–6890

2024
[47]

Cormac Herley. 2022. Automated detection of automated traffic. In 31st USENIX Security Symposium (USENIX Security 22). 1615–1632

2022
[48]

Human Benchmark. 2026. Reaction Time Test. https:// humanbenchmark.com/tests/reactiontime/. Accessed: April 14, 2026

2026
[49]

HUMAN Security, Inc. 2025. What is Invalid Traffic? https://www. humansecurity.com/learn/topics/what-is-invalid-traffic/. Accessed: April 21, 2026

2025
[50]

HUMAN Security, Inc. 2026. The 2026 State of AI Traffic & Cy- berthreat Benchmark Report. https://www.humansecurity.com/ learn/resources/2026-state-of-ai-traffic-cyberthreat-benchmarks/

2026
[51]

HUMAN Security, Inc. 2026. Agentic Trust. https://www. humansecurity.com/applications/agentic-ai/. Accessed: April 18, 2026

2026
[52]

HUMAN Security, Inc. [n.d.]. ChatGPT Agent. https://www. humansecurity.com/ai-agent/chatgpt-agent/. Accessed: April 23, 2026

2026
[53]

HUMAN Security, Inc. [n.d.]. ChatGPT Atlas. https://www. humansecurity.com/ai-agent/chatgpt-atlas/. Accessed: April 23, 2026

2026
[54]

HUMAN Security, Inc. [n.d.]. Perplexity Comet. https://www. humansecurity.com/ai-agent/perplexity-comet/. Accessed: April 23, 2026

2026
[55]

HUMAN Security, Inc. [n.d.]. What Is Bot Detection? https://www. humansecurity.com/learn/topics/what-is-bot-detection/. Accessed: Jan. 27, 2026

2026
[56]

Imperva Threat Research. 2025. 2025 Bad Bot Report. https: //www.imperva.com/resources/resource-library/reports/2025-bad- bot-report/

2025
[57]

Stanford University Human-Centered Artificial Intelligence. 2025. Artificial Intelligence Index Report 2025. https://hai.stanford.edu/ assets/files/hai_ai_index_report_2025.pdf

2025
[58]

Aviad Kaiserman, Gabriel Cirlig, João Marques, and Sam Abu Daula
[59]

https://www.humansecurity.com/learn/blog/ai-agent-signals- traffic-detection/

AI Agent Detection: A Guide to Identifying Autonomous Traf- fic. https://www.humansecurity.com/learn/blog/ai-agent-signals- traffic-detection/
[60]

KavyanshKhaitan2. 2025. Adding support for Wayland. https:// github.com/asweigart/pyautogui/pull/936. Accessed: April 22, 2026

2025
[61]

Taein Kim, Karstan Bock, Claire Luo, Amanda Liswood, Chloe Poroslay, and Emily Wenger. 2025. Scrapers selectively respect robots. txt directives: evidence from a large-scale empirical study. InProceed- ings of the 2025 ACM Internet Measurement Conference. 541–557. 15 Ethan Wang, Zubair Shafiq, and Yash Vekaria

2025
[62]

Brian Kondracki, Johnny So, and Nick Nikiforakis. 2022. Uninvited guests: Analyzing the identity and behavior of certificate trans- parency bots. In31st USENIX Security Symposium (USENIX Security 22). 53–70

2022
[63]

Martijn Koster, Gary Illyes, Henner Zeller, and Lizzi Sassman. 2022. Robots Exclusion Protocol. https://datatracker.ietf.org/doc/html/ rfc9309/. Accessed: April 22, 2026

2022
[64]

Jin-Hee Lee. 2025. The age of agents: cryptographically recognizing agent traffic. https://blog.cloudflare.com/signed-agents/

2025
[65]

Jin-Hee Lee, Oliver Payne, Bob AminAzad, Viktor Chynarov, Alek- sandar Pavlov Hrusanov, and Prajjwal Gupta. 2025. Building unique, per-customer defenses against advanced bot threats in the AI era. https://blog.cloudflare.com/per-customer-bot-defenses/

2025
[66]

Alexa Levine, Jeff Edwards, and Tomer Elias. 2025. Tracking Agentic Commerce Through Black Friday and Cyber Monday: What Our Traffic Data Shows. https://www.humansecurity.com/learn/blog/ agentic-commerce-traffic-black-friday-cyber-monday/

2025
[67]

Xigao Li, Babak Amin Azad, Amir Rahmati, and Nick Nikiforakis
[68]

In2021 IEEE symposium on security and privacy (sp)

Good bot, bad bot: Characterizing automated browsing activity. In2021 IEEE symposium on security and privacy (sp). IEEE, 1589–1605
[69]

Xinfeng Li, Tianze Qiu, Yingbin Jin, Lixu Wang, Hanqing Guo, Xi- aojun Jia, Xiaofeng Wang, and Wei Dong. 2026. WebCloak: Charac- terizing and Mitigating Threats from LLM-Driven Web Agents as Intelligent Scrapers. In2026 IEEE symposium on security and privacy (sp). IEEE

2026
[70]

Enze Liu, Elisa Luo, Shawn Shan, Geoffrey M Voelker, Ben Y Zhao, and Stefan Savage. 2025. Somesite i used to crawl: Awareness, agency and efficacy in protecting content creators from ai crawlers. InProceedings of the 2025 ACM Internet Measurement Conference. 78–99

2025
[71]

Javier Martínez Llamas, Koen Vranckaert, Davy Preuveneers, and Wouter Joosen. 2025. Balancing security and privacy: Web bot detec- tion, privacy challenges, and regulatory compliance under the GDPR and AI act.Open Research Europe5 (2025), 76

2025
[72]

Google LLC. 2026. Chrome DevTools Protocol. https:// chromedevtools.github.io/devtools-protocol/. Accessed: April 23, 2026

2026
[73]

Google LLC. 2026. Input.dispatchKeyEvent. https://chromedevtools. github.io/devtools-protocol/tot/Input/#method-dispatchKeyEvent. Accessed: April 23, 2026

2026
[74]

Celso Martinho and Will Allen. 2026. Introducing Markdown for Agents. https://blog.cloudflare.com/markdown-for-agents/

2026
[75]

Tula Masterman, Sandi Besen, Mason Sawtell, and Alex Chao. 2024. The landscape of emerging ai agent architectures for reasoning, plan- ning, and tool calling: A survey.arXiv preprint arXiv:2404.11584 (2024)

work page arXiv 2024
[76]

MDN contributors. 2025. HTMLElement: change event. https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/ change_event. Accessed: March 10, 2026

2025
[77]

MDN contributors. 2025. HTMLElement: input event. https: //developer.mozilla.org/en-US/docs/Web/API/Element/input_event. Accessed: April 1, 2026

2025
[78]

Meta. 2026. Manus. https://manus.im/

2026
[79]

Thibault Meunier and Sandor Major. 2026. HTTP Message Signatures for automated traffic Architecture. https://datatracker.ietf.org/doc/ html/draft-meunier-web-bot-auth-architecture. Accessed: April 18, 2026

2026
[80]

Microsoft. 2026. Playwright. https://github.com/microsoft/ playwright

2026

Showing first 80 references.