New capability combines browser telemetry with application context to protect signup, login, checkout, form, and AI workflows from automated abuse
Arcjet announced Advanced Bot Signals, a new capability that helps developers protect critical application flows from modern browser automation without interrupting legitimate users with CAPTCHAs. Automated abuse no longer looks like simple scripts and fake user agents. Attackers now use real browsers, headless automation frameworks, and AI-driven agents that can load pages, store cookies, submit forms, scrape content, and trigger expensive application actions. Advanced Bot Signals brings browser telemetry intoย Arcjet’s runtime security model, so developers can evaluate browser behavior together with application context before allowing sensitive actions such as signup, login, checkout, form submission, or high-cost AI requests.
Developers apply protections directly where sensitive actions happen. That puts enforcement where the application’s real context lives – user identity, account state, route sensitivity, business logic, and downstream cost – rather than relying entirely on network-level signals that cannot see what the action actually means.
“Browsers provide signals, but applications provide intent,” said David Mytton, CEO at Arcjet. “A signup form, checkout endpoint, or expensive AI action carries different risk than a marketing page. Advanced Bot Signals gives developers a way to combine browser telemetry with application context, so security decisions happen where the action is actually being taken.”
Advanced Bot Signals is also part of Arcjet’s broader protection model for AI-enabled applications. As agents and browser automation become capable of operating web interfaces like users, teams need controls that evaluate traffic before expensive or sensitive actions execute. Arcjet evaluates those decisions in code, alongside rate limits, email validation, prompt-injection checks, sensitive-data controls, and other runtime policies.
Also Read:ย CIO Influence Interview with Kyle Wickert, Field CTO at AlgoSec
What developers can do with Advanced Bot Signals
Advanced Bot Signals integrates directly into Arcjet’s application-layer security model. Developers define rules in the same codebase as the feature itself, so protection ships with the code and gets reviewed in the same pull request. There is no separate system to manage.
With Advanced Bot Signals, teams can:
- Detect browser automation that executes JavaScript and behaves like a real user
- Passively collect browser telemetry without interrupting users with CAPTCHAs
- Enforce protection only where risk exists: signup, login, checkout, invite, form, and high-cost AI routes
- Combine browser signals with application context, rate limits, email validation, and other Arcjet rules
- Start in dry-run mode, analyze real traffic, and promote protections safely
Advanced Bot Signals works alongside existing capabilities such as prompt injection protection for AI chat endpoints and tool calls, and Guards for runtime protection inside agentic application workflows. Together, these controls help developers protect both traditional web endpoints and AI-enabled workflows from automated abuse, data leakage, prompt manipulation, and unexpected infrastructure or model costs.
Advanced Bot Signals is available today through the Arcjet JS and Python SDKs. Existing customers can enable it immediately; new developers can get started with a free account.
Catch more CIO Insights:ย What Does โJob-Readyโ Really Mean in IT and Cybersecurity?
[To share your insights with us, please write toย psen@itechseries.com ]
