Modern anti-detect stacks do not remove entropy. They redistribute it.
Coherence beats novelty
Defenders often overvalue rare signals. In practice, the strongest production detections come from coherence checks across multiple layers:
- browser APIs
- rendering behavior
- network posture
- session timing
If a session claims to be a recent mobile Safari environment but behaves like a patched Chromium stack running from a datacenter ASN, the problem is not rarity. The problem is internal contradiction.
Where patched browsers still leak
Even polished anti-detect tooling tends to leak when challenge flows force the environment to:
- execute asynchronous browser work under time pressure
- reconcile client and server observations
- hold a consistent story across several requests
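```javascript
// A session is coherent only if the client's observed values match what the
// server expects and the network risk score stays under the threshold.
const isCoherentSession = (session) =>
  session.client.platform === session.server.claimedPlatform &&
  session.client.webglVendor === session.server.expectedRenderer &&
  session.network.riskScore < 0.45;
```
Practical takeaway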
Production programs should preserve raw signals, label contradictions, and track how often each contradiction appears in confirmed abuse. That closes the loop between research and enforcement.
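
One way to implement that loop, as an added example that is not code from the original page: each check gets its own label instead of collapsing into one boolean, the raw signals are kept next to the labels, and each label's hit rate in confirmed abuse is tallied. The label names, the `confirmedAbuse` field and the sample sessions are assumptions constructed for illustration; the session fields and the 0.45 threshold follow the snippet above.

```javascript
// Added example. Label names and the confirmedAbuse field are hypothetical.
const CHECKS = {
  platform_mismatch: (s) => s.client.platform !== s.server.claimedPlatform,
  renderer_mismatch: (s) => s.client.webglVendor !== s.server.expectedRenderer,
  network_risk_high: (s) => s.network.riskScore >= 0.45,
};

// Name every contradiction that fires, rather than returning true/false.
function labelContradictions(session) {
  return Object.keys(CHECKS).filter((name) => CHECKS[name](session));
}

// Keep the raw signals untouched and store the labels beside them.
function annotate(session) {
  return { raw: session, contradictions: labelContradictions(session) };
}

// Per label: sessions that fired it, how many were confirmed abuse, and the ratio.
function contradictionStats(sessions) {
  const stats = {};
  for (const name of Object.keys(CHECKS)) {
    stats[name] = { fired: 0, abuse: 0, precision: null };
  }
  for (const record of sessions.map(annotate)) {
    for (const label of record.contradictions) {
      stats[label].fired += 1;
      if (record.raw.confirmedAbuse) stats[label].abuse += 1;
    }
  }
  for (const st of Object.values(stats)) {
    if (st.fired > 0) st.precision = st.abuse / st.fired;
  }
  return stats;
}

// Constructed sample sessions (not real traffic).
const mk = (platform, claimed, vendor, expected, risk, confirmedAbuse) => ({
  client: { platform, webglVendor: vendor },
  server: { claimedPlatform: claimed, expectedRenderer: expected },
  network: { riskScore: risk },
  confirmedAbuse,
});
const SAMPLE_SESSIONS = [
  mk("iPhone", "iPhone", "Apple", "Apple", 0.10, false),
  mk("Linux x86_64", "iPhone", "Google Inc.", "Apple", 0.80, true),
  mk("iPhone", "iPhone", "Apple", "Apple", 0.60, false), // coherent client, risky network
  mk("Win32", "iPhone", "Apple", "Apple", 0.20, true),
];
console.log(contradictionStats(SAMPLE_SESSIONS));
```

On this sample, `network_risk_high` fires as often as `platform_mismatch` but is right only half the time, which is the kind of per-label evidence that should decide what gets enforced.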