Detect-Bot Tests 16 Browsers — CloakBrowser Tops the Board
Detect-bot now tests 16 headless browsers and automation tools end-to-end. Every browser loads the same test page, runs through three detection phases, and gets scored. The results track which tools evade detection and which signal categories trip them up.
The test suite covers open-source automation tools and freely available browsers. It does not test commercial proxy services, residential IP rotation platforms, or paid scraping APIs — those run on different infrastructure and would need a separate evaluation framework.
Phase 1+2: Static Fingerprints
Phases 1 and 2 run entirely in JavaScript. The test page collects browser properties — navigator flags, WebGL parameters, canvas rendering output, timing precision, audio hardware latency, and environment markers — then scores them before any interaction occurs.
No browser scored above the human threshold (70+), but two came close.
| Browser | Engine | Score | Verdict | Phase 3 |
|---|---|---|---|---|
| botasaurus 4.0.97 | Chrome CDP | 55 | SUSPICIOUS | N/A |
| CloakBrowser 0.3.31 | Firefox C++ | 40 | SUSPICIOUS | 100 HUMAN |
| drissionpage 4.1.1.4 | Chrome CDP | 10 | SUSPICIOUS | 60 HUMAN |
| invisible-playwright 0.2.0 | Firefox C++ | 10 | SUSPICIOUS | 100 HUMAN |
| SeleniumBase UC 4.49.3 | Chrome CDP | 0 | BOT | 100 HUMAN |
| nodriver 0.50.3 | Chrome CDP | 0 | BOT | N/A |
| Patchright 1.60.0 | Chrome CDP | 0 | BOT | 55 SUSPICIOUS |
| Camoufox 0.4.11 | Firefox JS | 0 | BOT | 75 HUMAN |
| undetected-chromedriver 3.5.5 | Chrome C++ | -20 | BOT | 100 HUMAN |
| Playwright (full stealth) | Chrome CDP | -45 | BOT | 25 BOT |
| Playwright Firefox | Firefox CDP | -70 | BOT | 75 HUMAN |
| Puppeteer (vanilla) | Chrome CDP | -85 | BOT | 100 HUMAN |
| Brave Browser | Chromium | -85 | BOT | 25 BOT |
| Microsoft Edge | Chromium | -95 | BOT | 75 HUMAN |
| Playwright (stealth) | Chrome CDP | -150 | BOT | 75 HUMAN |
| Playwright (vanilla) | Chrome CDP | -165 | BOT | 75 HUMAN |
Two clear patterns emerge from the engine breakdown. The Chrome CDP browsers that don't patch anything (Playwright vanilla, stealth, Puppeteer) get destroyed immediately — navigator.webdriver, HeadlessChrome user agents, and missing window.chrome alone account for -110 points. Even real browsers like Brave and Edge score deep in bot territory because they're running headless with CDP flags exposed.
The Firefox-based tools (CloakBrowser, Camoufox, invisible-playwright) start with a structural advantage — no navigator.webdriver, no HeadlessChrome UA, no CDP detection surface. But they get hit by Firefox-specific checks: the build ID placeholder, missing sidebar, and empty navigator.oscpu.
The top scorer, botasaurus, patches aggressively — clean UA, no webdriver flag, normal plugin count, valid canvas render. Its only triggers are timezone mismatch (UTC with English locale, a datacenter giveaway) and audio output latency of zero (no real audio hardware). Every headless browser on the board fails the audio check.
Phase 3: Behavioral
Phase 3 watches what the browser does — mouse trajectory, timing patterns, and interaction cadence. Event density, burst detection, and timing variance separate real hardware from synthetic input.
Most Chrome CDP browsers score 75–100 in Phase 3 because their synthetic mouse paths contain enough segments and variance to look real at the kinematic level. Behavioral checks are harder to fake, but the current thresholds were tuned conservatively to avoid false positives on real users.
Only Playwright full stealth (25) and Brave (25) stayed flagged through Phase 3. CloakBrowser cleared it entirely at 100 HUMAN — the only browser to combine strong static evasion with clean behavioral patterns.
botasaurus and nodriver skip interaction entirely, so they get no Phase 3 score. That's a valid evasion strategy if you can make it through Phase 1+2 first.
What's Not Tested
This test suite evaluates the browser itself — the JavaScript environment, rendering pipeline, and interaction patterns. It does not test network-layer signals (IP reputation, ASN blocks, TLS fingerprinting) or commercial proxy services that route through residential IPs. Those are separate problems with separate evaluation criteria.
The detection engine runs the same checks against every browser with no per-browser tuning. Scores are what they are.