Enterprise bot defense & fraud prevention

HUMAN (PerimeterX)

HUMAN (formerly PerimeterX) is an enterprise bot defense and fraud prevention platform whose Bot Defender product protects web, mobile app, and API traffic. It integrates at the edge - via CDN workers, reverse-proxy middleware, or SDKs - and pairs that server-side enforcement with a client-side JavaScript sensor that collects telemetry from every visitor. It is widely deployed on large retail, e-commerce, and real estate properties, which is consistent with its presence on multiple high-traffic sites in our registry.

How it decides what to block

HUMAN scores every request with a combination of network-level and client-level signals: IP reputation and ASN classification (datacenter vs residential vs mobile carrier), TLS and HTTP-level fingerprints, and a JavaScript sensor that gathers device and browser characteristics plus behavioral telemetry such as mouse movement, touch, scroll, and typing cadence. Scores are carried in first-party cookies and tokens, so a session is continuously re-evaluated rather than checked once. Crucially, much of the decision happens before any challenge is shown - traffic from low-reputation IP ranges or with automation-typical fingerprints can be blocked outright, commonly with an HTTP 403 and a branded block page. Ambiguous traffic is escalated to the HUMAN Challenge, the well-known "Press & Hold" interaction, which measures how the interaction is performed rather than asking a puzzle question.

What IP class it takes

Because HUMAN weighs IP reputation heavily and pre-classifies ranges before a challenge ever renders, datacenter IPs are generally blocked wholesale and heavily pooled or previously abused residential ranges are increasingly pre-flagged. Real mobile-carrier IPs sit behind CGNAT shared with millions of legitimate phone users, making them the hardest class to blocklist wholesale, so legitimate large-scale collection against this class of protection generally requires carrier-grade mobile IPs with auditable provenance - such as physically owned carrier modems or an opt-in, compensated peer network. In every case, respect robots.txt, the site's Terms of Service, and applicable law, and collect only data you are permitted to collect.

Responsible use. This is a technical reference to how a protection technology works, not a guide to defeating it. Respect each site's robots.txt, Terms of Service and applicable law, and collect only data you are permitted to.

Frequently asked questions

Is HUMAN (PerimeterX) just a CAPTCHA?

No. The visible "Press & Hold" prompt is only the escalation layer. Most gating happens invisibly through IP reputation, TLS and browser fingerprinting, and behavioral scoring collected by its client-side sensor - a large share of automated traffic is classified and blocked before any challenge is displayed.

How can I tell a site is protected by HUMAN (PerimeterX)?

Typical indicators include first-party cookies and tokens with a px prefix, a loaded JavaScript sensor calling PerimeterX-associated endpoints, HTTP 403 responses with a PerimeterX-branded block page, and the distinctive Press & Hold verification screen.

Why does a real browser on a real device still get blocked?

Because the verdict is a composite score, not a browser check. A clean, fully human-operated browser can still fail if the IP range it connects from has poor reputation - for example a datacenter ASN or a heavily shared, previously flagged residential pool - since IP class is evaluated before and alongside everything else.