Quick answer
Cloudflare's new Precursor system watches mouse physics, typing rhythm, and attention patterns across an entire session to catch automation that single checkpoints miss. It is clever work, and it treats all agentic traffic as one category to catch. Nothing in the launch distinguishes a scalper bot from a shopping agent buying on behalf of a real customer, and false positives are never mentioned. Detection and blocking are separate decisions. Before adopting a catch-and-block posture, measure which AI bots and agents actually reach your site, then set policy per category: serve the crawlers that cite you, welcome the agents that buy from you, block the rest.
On July 13, Cloudflare introduced Precursor, a client-side detection system that watches how every visitor moves, types, hesitates, and scrolls for the entire life of a session, then folds that behavioral record into its bot scores. It reads the wrist-pivot arc in a mouse path. It measures the pause between seeing a button and clicking it, and the tremor a human hand can't suppress. Automation gives itself away with pointer motion that follows "linear interpolations or mathematically ideal Bézier curves," and because the data is session-scoped, a bot can't wipe its record by refreshing the page and starting over.
As engineering, it's impressive. If your site bleeds money to credential stuffing, scalping, or carding, it's good news.
Read the announcement twice, though, and notice what isn't there. It never distinguishes hostile automation from an AI agent doing exactly what a real customer asked it to do. "Automated or agentic traffic" appears as a single category of thing to catch. False positives never come up. Shopping agents, research assistants, and the crawlers that decide whether your brand exists in ChatGPT's answers are absent from the story.
If you run a website in 2026, that omission is the story.
What Precursor actually does
Precursor collects behavioral signals continuously as a visitor interacts with a page: pointer movement, keyboard activity, focus changes, and page visibility. Cloudflare handled the privacy question carefully. Keyboard input is captured "as timing and rhythm, not as the actual keys pressed." The system doesn't read what you type; it profiles how you type it.
The detection logic rests on physics. A human hand pivots at the wrist and produces curved, slightly irregular pointer paths. A human brain needs a beat to process what it sees before clicking. Automation produces none of that noise, and faking noise convincingly, at scale, for a whole session, is genuinely hard.
Three details matter for site owners:
- It's session-scoped. Signals accumulate from the first pageview onward, so an automated visitor can't reset its signature with a refresh or a fresh challenge. Single-checkpoint tests were beatable. A whole-session profile is a different problem.
- It complements Turnstile rather than replacing it. Both live in Enterprise Bot Management. Turnstile checks visitors at a gate; Precursor watches everything between the gates.
- It's free until GA later this year. Enterprise customers can enable it today, and you should expect a wider push once it ships for real.
The question the launch post skips
Which automation?
AI traffic stopped being a rounding error a while ago. By Cloudflare's own reporting, automated traffic crossed half of all internet traffic in 2026, and the AI slice of it isn't one thing. Search crawlers like OAI-SearchBot and PerplexityBot decide whether you get cited in AI answers. Live fetchers like ChatGPT-User fire the moment a person pastes your link into a chat. Training crawlers like GPTBot ingest your content for future models. And a fast-growing class of browser-driving agents, from Perplexity's Comet to ChatGPT's agent mode, fills carts and compares prices on behalf of a person holding a credit card.
Behavioral detection lands hardest on that last class. A browsing agent drives a real page. It moves a pointer in clean arcs or not at all, fills forms at machine speed, and never hesitates before a click, because there's no cognition delay to hide. By Precursor's physics test it is precisely a bot. The customer behind it is precisely human.
Play the scenario forward. A shopper tells their assistant to find waterproof trail runners under $150 and buy the best-reviewed pair. The agent visits six retailers. Five load. The sixth, behind aggressive behavioral enforcement, serves a challenge it can't pass. That retailer never sees the lost sale in any report; the order just lands somewhere else. We've written before about how agent traffic fails silently, and behavioral blocking makes the silence deeper: the agent was indistinguishable from an attacker on purpose, so the block looks like a win.
GPTBot won't fail a mouse test, but it's in the same crosshairs
Worth being precise here, because the panic version of this take is wrong. GPTBot, ClaudeBot, and PerplexityBot are HTTP crawlers. They fetch pages without rendering them in a browser. No pointer, no typing rhythm, nothing for a mouse-physics detector to see. Precursor isn't aimed at them.
The posture around it is. Cloudflare already offers one-click AI-crawler blocking, blocks AI crawlers by default on new zones, and on September 15 its new AI bot rules take effect, splitting crawlers into Search, Agent, and Training categories with policy controls for each. Precursor adds another wall segment to the same fortification. The direction of travel is consistent: undeclared automation is presumed hostile until proven otherwise.
That's a reasonable default against fraud. It's an expensive default for visibility. Block the crawler that feeds an answer engine and you don't show up where a growing share of buyers ask their questions, and no error message will ever tell you it happened.
Detection and blocking are separate decisions
Most coverage treats AI bot detection vs blocking as one motion: find it, stop it. They're two decisions, and collapsing them costs money in both directions.
Detection is information. Which bots are here, what they read, how often they return, what they tried to do. Blocking is policy: what you choose to do about each of them.
Cloudflare's model is catch and block, where identity is the verdict. Against attacks, that's correct; nobody needs to deliberate about a carding bot. Against AI-era traffic it fits badly, because the value of a bot varies wildly by type. A training crawler might return nothing. A search crawler returns citations. A fetcher means a human is asking about your page right now. A commerce agent returns revenue. One verdict can't cover four economics.
The alternative is detect, then decide. Know exactly which bots and agents hit which pages, then set policy per category: serve these, block those, charge the rest. Cloudflare sells the wall, and it's a good wall. You still have to decide who walks through the gate, and you can't make that call about traffic you've never measured.
What to do before the defaults decide for you
The practical version, in order:
- Measure 30 days of bot traffic first. Before touching any blocking control, find out who's actually visiting. Track AI bots at the server or edge level; JavaScript analytics like GA never see most of them.
- Classify what you find. Sort every AI User-Agent into search, fetcher, training, or agent using a current reference list of AI crawlers. The categories have different economics, so they deserve different policies.
- Set policy per category, not globally. A blanket block is a decision about GPTBot, OAI-SearchBot, and a customer's shopping agent all at once. Work through the block-or-allow decision separately for each group.
- Give legitimate agents a structured path. Publish llms.txt so crawlers find your important content without hammering every URL, and expose WebMCP tools for actions like search and checkout, so good agents don't have to impersonate a human to do business with you. Declared interfaces are the long-term answer to behavioral suspicion.
- Re-check in September. When Cloudflare's category rules land on the 15th, audit what your zone settings actually block against what your traffic data says you want.
The arms race is the argument for visibility
Precursor will get stricter after GA, agents will get better at imitating hands, and the detection bar will rise again. That loop doesn't end. Every turn of it makes undifferentiated automation harder to run, which is fine for scalpers and bad for the legitimate agent economy trying to buy things from you politely.
Site owners don't control the arms race. You control one thing: whether you know what's hitting your own site before you adopt someone else's default posture toward it. The sites that get this right in 2026 aren't the ones with the highest walls. They're the ones that can name every bot at the gate and say which of them made money last month.
If you want to see what that looks like for your own traffic, walk through the live demo. Knowing is cheaper than guessing, and considerably cheaper than blocking a customer you never knew was there.
Related
Written by Crawlytics Team. Crawlytics tracks AI bots, generates llms.txt, and powers WebMCP commerce, all from one snippet on any stack. See how it works →