
What is Bot Score?

Bot score is the probabilistic confidence metric assigned to an incoming HTTP request by an edge security platform, representing the likelihood that the client is automated. Ranging typically from 0 to 100, it is calculated in real-time by blending network-layer TLS signatures, behavioral heuristics, and JavaScript challenge telemetry. For scraping pipelines, managing this score is the entire game: cross the threshold, and your requests are silently dropped or tarpitted into oblivion.

// 02 — definitions

The math behind the block.

How edge networks distill hundreds of passive and active client signals into a single integer that decides your pipeline's fate.


TL;DR

A bot score evaluates the humanness of a session. Cloudflare scores 1 to 99 (lower is bot), while DataDome and Akamai use different scales and inverted logic. The score dictates the mitigation: pass, challenge, or block. Production scraping isn't about bypassing blocks, it's about keeping your fleet's median score in the safe zone.

01 Definition & structure
A bot score is a dynamic integer calculated by an edge security platform (like Cloudflare, DataDome, or Akamai) to quantify the likelihood that an HTTP request originated from an automated script. The score is a composite of multiple sub-scores:
  • network.reputation — ASN history, IP abuse databases, and geographic anomalies.
  • network.fingerprint — JA3/JA4 TLS signatures and HTTP/2 pseudo-header ordering.
  • browser.environment — JavaScript execution results, canvas hashes, and plugin enumeration.
  • behavioral.telemetry — Request velocity, session duration, and interaction patterns.
The final score determines the routing action: pass to origin, serve a challenge, or drop the connection.
02 How it works in practice
Evaluation happens in stages. The initial request is scored purely on network signals (IP and TLS). If it passes, the edge serves the HTML along with an obfuscated JavaScript payload. This script executes in the client's browser, gathers environment telemetry, and posts it back to a sensor endpoint. The edge then updates the session's bot score. If the score drops below the threshold, subsequent requests in that session will be met with a 403 Forbidden or a CAPTCHA challenge.
03 Thresholds and mitigations
Target administrators configure mitigation rules based on score brackets. For example, a site might allow scores 40-100 to pass freely, issue a managed challenge (like Turnstile) for scores 20-39, and hard-block scores 1-19. Because these thresholds are configurable per target, a scraper that works perfectly on one Cloudflare-protected site might be instantly blocked on another, simply because the second site has a more aggressive threshold set.
04 How DataFlirt handles it
We treat bot scores as a telemetry problem, not a bypass problem. Our infrastructure is built to generate high-trust signals by default. We route traffic through premium ISP proxies, use custom network stacks that perfectly emulate Chrome's TLS handshake, and execute JS challenges in real browser environments. By monitoring the mitigation rates across our fleet, we can infer the health of our median bot score and proactively rotate session parameters before blocks occur.
05 The silent tarpit
The most dangerous outcome of a low bot score isn't a 403 block — it's poisoned data. Sophisticated targets will configure their edge to return a 200 OK for low-scoring requests, but serve cached, randomized, or subtly altered data. This prevents the scraper from realizing it has been detected, corrupting the downstream dataset. Maintaining a high bot score is the only way to guarantee data integrity.
// 03 — the math

How is a bot score calculated?

Vendors guard their exact weights, but the underlying machine learning models rely on a blend of historical IP reputation, session entropy, and real-time behavioral deviation. DataFlirt reverse-engineers these thresholds to budget fleet diversity.

Cloudflare Bot Management Score: $S_{cf} = f(\mathrm{IP\_rep}, \mathrm{JA4\_hash}, \mathrm{JS\_telemetry})$
Scores < 30 are typically challenged or blocked. 1 is definitively automated. (Observed edge behavior)

DataDome Risk Index: $R_{dd} = \sum (\mathrm{Signal\_Anomaly} \times \mathrm{Weight})$
Inverted scale. Higher risk index triggers the interstitial CAPTCHA. (DataDome architecture)

DataFlirt Fleet Safety Margin: $M = S_{median} - \mathrm{Threshold}_{target}$
We maintain M > 15 across our active pipelines to absorb sudden vendor model updates. (Internal SLO)
// 04 — edge evaluation trace

Scoring a request in 40 milliseconds.

A simulated trace of an anti-bot edge node evaluating an incoming request. The score drops as inconsistencies between the network layer and the browser environment are detected.

// phase 1: network layer
ip.asn: "AS16509 (AWS)" -20 pts
tls.ja4: "t13d1516h2_8daaf6152771" +10 pts (matches Chrome 124)
http2.pseudo_order: ":method :authority :scheme :path" -15 pts (Go default)

// phase 2: browser telemetry (post-challenge)
navigator.webdriver: false +5 pts
canvas.fp: "unique_hash_992a" +10 pts
mouse.entropy: 0.02 -30 pts (mechanical trajectory)

// phase 3: classification
score.base: 100
score.adjustments: -40
score.final: 60

// mitigation routing
threshold.challenge: 65
action: ISSUE_MANAGED_CHALLENGE
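
The staged evaluation and per-site thresholds described above, seen from the operator's side, as an added example that is not DataFlirt's or any vendor's code. The point values are the illustrative ones from the trace; the signal names, the `Policy` and `Session` classes and the block bracket of the strict policy are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

# Point values copied from the page's simulated trace; real vendor weights are not public.
NETWORK = {"datacenter_asn": -20, "ja4_matches_browser": 10, "h2_pseudo_order_anomaly": -15}
TELEMETRY = {"webdriver_false": 5, "canvas_fp_unique": 10, "low_mouse_entropy": -30}

@dataclass(frozen=True)
class Policy:
    """Per-site brackets: below block_below is blocked, below challenge_below is challenged."""
    block_below: int
    challenge_below: int

    def action(self, score):
        if score < self.block_below:
            return "block"
        if score < self.challenge_below:
            return "challenge"
        return "pass"

@dataclass
class Session:
    base: int = 100
    adjustments: list = field(default_factory=list)

    def observe(self, weights, signals):
        """Apply one evaluation phase; unknown signal names are rejected, not ignored."""
        unknown = set(signals) - set(weights)
        if unknown:
            raise ValueError(f"unknown signals: {sorted(unknown)}")
        self.adjustments.extend(weights[s] for s in signals)

    @property
    def score(self):
        # Clamp to the 0-100 range the page gives as typical.
        return max(0, min(100, self.base + sum(self.adjustments)))

def replay_trace(policy):
    """Score the trace's request phase by phase; return [(score, action), ...]."""
    session = Session()
    steps = []
    for weights in (NETWORK, TELEMETRY):  # phase 1: network, phase 2: browser telemetry
        session.observe(weights, list(weights))
        steps.append((session.score, policy.action(session.score)))
    return steps

# Challenge threshold 65 is the trace's; its block bracket is an assumption.
STRICT = Policy(block_below=20, challenge_below=65)
# Brackets from the thresholds section: 1-19 block, 20-39 challenge, 40-100 pass.
LENIENT = Policy(block_below=20, challenge_below=40)
```

The same session passes both policies after the network phase and diverges only once the telemetry phase lowers its score, which is the per-site difference the thresholds section describes.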
// 05 — score penalties

What drops a bot score the fastest.

The signals that carry the heaviest negative weights in modern edge classifiers. Triggering these guarantees a low score, regardless of how perfect the rest of your fingerprint is.

Sample size: 12.4M sessions
Window: 30d trailing
Updated: 2026-05-19
01 Datacenter IP / Bad ASN: fatal penalty · AWS, DigitalOcean, or known proxy providers
02 Mismatched TLS/Browser: heavy penalty · JA4 says Python, User-Agent says Chrome
03 Missing JS Challenge Token: heavy penalty · Failing to execute the background script
04 Headless Browser Leaks: medium penalty · navigator.webdriver or missing plugins
05 Unrealistic Request Velocity: medium penalty · 100 req/s from a single residential IP
// 06 — our approach

Manage the score, don't fight the CAPTCHA.

Solving CAPTCHAs is a failure state. It means your bot score already tanked. DataFlirt's infrastructure is designed to operate entirely in the green zone. By aligning our TLS handshakes, IP routing, and browser fingerprints with known-human baselines, we ensure the edge classifier never has a reason to issue a challenge in the first place. We monitor the median score of our fleet in real-time, rotating sessions before they degrade to the challenge threshold.

bot-score-eval.log

Live telemetry from a DataFlirt worker maintaining a high trust score.

session.id df-sess-8821a
ip.type residential
tls.coherence matched
js.challenge solved_async
vendor cloudflare_bm
estimated_score 85-95
action pass


// 07 — FAQ

Common questions.

Common questions about bot scores, edge classifiers, and how DataFlirt maintains pipeline stability.

What is a good bot score on Cloudflare?
Cloudflare Bot Management scores range from 1 to 99. A score of 1 is definitely a bot, while 99 is definitely human. Generally, scores below 30 trigger managed challenges or blocks. A "good" score for a scraping pipeline is anything consistently above 40, which keeps you in the clear for standard API and HTML endpoints.
Does rotating IPs reset my bot score?
Yes and no. A new IP resets the IP-reputation component of the score. However, if your new IP still broadcasts the same mismatched TLS fingerprint or headless browser leaks, the edge will immediately assign the new session a low score. IP rotation without fingerprint rotation is a waste of proxy bandwidth.
Can I see my own bot score?
Usually not directly. Edge providers inject the score into HTTP headers (like cf-bot-score) that are only visible to the origin server, not the client. You have to infer your score based on the mitigation action you receive: a 200 OK means you passed, a 403 or CAPTCHA means you failed.
How does DataFlirt maintain high scores at scale?
We don't use generic HTTP clients. Our fetch layer uses custom network stacks that perfectly mimic the TLS and HTTP/2 framing of real browsers. We pair this with high-quality residential IPs and real hardware rendering, ensuring the signals we broadcast match the profile of a legitimate user.
Is it legal to spoof signals to improve a bot score?
Modifying your client's broadcast signals (like User-Agent or TLS ciphers) is generally considered lawful technical maneuvering, provided you are accessing public data and not bypassing authentication or breaching a system. Always review the target's Terms of Service and consult legal counsel for your specific jurisdiction.
Why did my score drop mid-session?
Scores are dynamic. You might pass the initial network check, but if your subsequent behavior is highly mechanical — requesting exactly one page every 1.000 seconds, or failing to load CSS/JS assets that a real browser would fetch — the behavioral classifier will degrade your score and eventually issue a challenge.
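
The two behavioral patterns named in this answer, fixed request intervals and page loads with no asset fetches, expressed as detection logic a site operator could run over access-log events. This is an added example, not code from the page or from any vendor; the event tuples are constructed sample data, and the thresholds, asset extensions and function names are assumptions.

```python
import statistics
from collections import defaultdict

ASSET_EXT = (".css", ".js", ".png", ".woff2")
MIN_GAPS = 3    # assumption: fewer intervals than this is too little evidence
MAX_CV = 0.05   # assumption: stdev/mean of gaps at or below this counts as mechanical

# Constructed sample events: (session id, seconds since first request, path).
SAMPLE = [
    ("s-bot", 0.0, "/p/1"), ("s-bot", 1.0, "/p/2"), ("s-bot", 2.0, "/p/3"),
    ("s-bot", 3.0, "/p/4"), ("s-bot", 4.0, "/p/5"),
    ("s-human", 0.0, "/p/1"), ("s-human", 0.4, "/static/app.css"),
    ("s-human", 0.5, "/static/app.js"), ("s-human", 7.9, "/p/7"),
    ("s-human", 31.5, "/p/2"), ("s-human", 31.9, "/img/a.png"),
    ("s-human", 44.0, "/p/9"),
    ("s-short", 0.0, "/p/1"), ("s-short", 0.3, "/static/app.css"),
    ("s-short", 1.0, "/p/2"),
]

def interval_cv(times):
    """Coefficient of variation of the gaps between requests, or None if too few."""
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < MIN_GAPS:
        return None
    mean = statistics.fmean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean

def flag_sessions(events):
    """Return {session: [reasons]} for sessions showing the mechanical patterns."""
    pages, assets = defaultdict(list), defaultdict(int)
    for sid, t, path in events:
        if path.lower().endswith(ASSET_EXT):
            assets[sid] += 1          # static asset fetched alongside a page
        else:
            pages[sid].append(t)      # page (document) request timestamp
    flagged = {}
    for sid, times in pages.items():
        reasons = []
        cv = interval_cv(times)
        if cv is not None and cv <= MAX_CV:
            reasons.append("fixed_interval")
        if len(times) > MIN_GAPS and assets[sid] == 0:
            reasons.append("no_assets")
        if reasons:
            flagged[sid] = reasons
    return flagged
```

Sessions with too few requests are left unflagged instead of being scored on thin evidence, which is why `s-short` does not appear in the result.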