Run Precursor in observation mode first, measure fraud reduction and false positives, and update privacy disclosures before enforcing session verification.
Cloudflare has introduced Precursor, an optional Enterprise Bot Management feature that collects client-side behavioral signals across a visitor’s session. Instead of judging one request or challenge, it looks for patterns that develop as a person—or automated agent—moves through an application.
The approach targets a real weakness in one-time bot checks: modern automation can run JavaScript, use real browsers, and behave plausibly for a moment. Sustaining human-like timing and interaction across a complete journey is harder.
What the browser sends
Cloudflare injects a dynamically assembled JavaScript bundle into HTML responses. Event listeners capture signals such as pointer movement, keyboard activity, focus, and page visibility, buffer them, and send them for evaluation. Cloudflare says keyboard content is not collected; timing and rhythm are used instead.
Evaluators correlate signals—for example, whether keyboard activity occurred while a field was focused—and feed session-level results into bot scores, challenge decisions, and analytics.
The privacy question is part of the product decision
Cloudflare describes the collection as minimized, internally consumed, and not tied to customer dashboards, login identities, or persistent profiles. Even so, a site is adding continuous behavioral measurement in the browser. That should be reviewed against its privacy notice, consent approach, retention expectations, and vendor agreement before activation.
Security value and privacy impact are not opposites; both belong in the evaluation. A deployment that reduces fraud but surprises users creates a different operational risk.
How to pilot it
Cloudflare says Precursor is rolling out, can run in a low-friction background mode, and will be free until general availability later in 2026. Begin with observation on high-abuse flows, establish a baseline, and only then consider enforcement.
Measure challenged sessions, confirmed abuse, false positives, conversion changes, page performance, and support complaints. Keep a rollback path and avoid interpreting smooth mouse movement as identity proof; behavioral detection is a risk signal, not authentication.
PatchMemo independently selects and evaluates the topics it covers. We clearly label sponsorships and affiliate relationships.


