Most fraud detection and bot prevention systems work by building persistent profiles. They assign each visitor a fingerprint ID and track their behavior across sessions, domains, and time. The more data they accumulate, the better their models get.
SilentAuth's risk engine takes the opposite approach: we score each request in complete isolation, using only the signals available in that single HTTP interaction, and we never persist a fingerprint ID that could be used to track a user across sessions.
The Signals We Use
**TLS fingerprinting**: The TLS handshake — specifically the cipher suites, extension order, and GREASE values a client sends — produces a fingerprint that correlates strongly with the client software. A browser and a curl-based bot will have different TLS fingerprints. This is a network-level signal that requires no JavaScript and no cookies.
**IP reputation**: We maintain a continuously updated database of IP reputation scores incorporating ASN data, data center IP ranges, known Tor exit nodes, VPN detection, and historical abuse reports. A residential IP has a different base risk score than a data center IP.
**Request pattern analysis**: HTTP headers, header ordering, and timing patterns reveal whether a request is coming from a real browser stack, a headless browser, or a direct HTTP client. These patterns are extracted from the raw request and scored in-memory.
**JavaScript behavioral signals (Layer 2)**: When Layer 1 confidence is below threshold, we optionally load a lightweight JavaScript challenge that collects mouse movement entropy, typing cadence, and interaction timing. This data is processed immediately in-memory and never stored.
What We Explicitly Don't Do
We don't assign persistent fingerprint IDs. We don't set tracking cookies. We don't build cross-session behavioral profiles. We don't share any signal data with third parties.
Each request gets a risk score between 0 and 1 based on the signals in that request alone. The score is used to determine which verification layer to apply. After the request is resolved, the raw signals are discarded.
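As an added illustration (not SilentAuth's code), here is a stateless scorer in the shape the text describes: each signal class contributes to a 0-to-1 score computed from the single request alone, GREASE values are masked before the TLS fingerprint is hashed because they change on every handshake, and the score selects the verification layer. All lookup tables, weights, thresholds, and sample values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values have the form 0x?A?A (0x0A0A, 0x1A1A, ..., 0xFAFA)."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def tls_fingerprint(cipher_suites: List[int], extensions: List[int]) -> str:
    """Hash cipher-suite and extension order. GREASE values change on every
    handshake, so they are masked to a fixed token instead of being hashed literally."""
    def norm(vals: List[int]) -> str:
        return "-".join("GREASE" if is_grease(v) else f"{v:04x}" for v in vals)
    digest = hashlib.sha256(f"{norm(cipher_suites)},{norm(extensions)}".encode())
    return digest.hexdigest()[:16]

# Constructed lookup data (not real fingerprints or reputation data).
BROWSER_TLS = {tls_fingerprint([0x1A1A, 0x1301, 0x1302, 0xC02B],
                               [0x2A2A, 0x0000, 0x0017, 0x0010])}
IP_CATEGORY = {"203.0.113.": "datacenter", "198.51.100.": "residential", "192.0.2.": "tor_exit"}
IP_BASE_RISK = {"residential": 0.05, "datacenter": 0.5, "tor_exit": 0.6, "unknown": 0.3}
BROWSER_HEADER_PREFIX = ["host", "user-agent", "accept"]  # simplified wire order

@dataclass
class Request:
    client_ip: str
    cipher_suites: List[int]
    extensions: List[int]
    header_order: List[str]             # header names in wire order
    inter_request_ms: Optional[float]   # gap to the previous request on this connection

def score_request(req: Request) -> float:
    """Risk in [0, 1] computed from this request's signals alone; nothing is persisted."""
    risk = IP_BASE_RISK["unknown"]
    for prefix, category in IP_CATEGORY.items():
        if req.client_ip.startswith(prefix):
            risk = IP_BASE_RISK[category]
    if tls_fingerprint(req.cipher_suites, req.extensions) not in BROWSER_TLS:
        risk += 0.3    # TLS stack unlike any known browser
    if [h.lower() for h in req.header_order][:3] != BROWSER_HEADER_PREFIX:
        risk += 0.15   # header ordering unlike a browser stack
    if req.inter_request_ms is not None and req.inter_request_ms < 50:
        risk += 0.2    # machine-speed timing
    return min(round(risk, 2), 1.0)

def verification_layer(score: float, threshold: float = 0.3) -> str:
    """Below the threshold Layer 1 suffices; otherwise the Layer 2 JS challenge is loaded."""
    return "layer1" if score < threshold else "layer2_js_challenge"
```

Because `score_request` takes nothing but the request and writes nothing, the raw signals go out of scope as soon as the layer decision is returned.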
Why This Is Architecturally Sufficient
Privacy advocates sometimes assume that a privacy-preserving system must be less accurate than a tracking-based system. In practice, the opposite is often true for bot detection.
Bot traffic is distinctive at the network and behavioral layer within a single session. A credential stuffing script using a data center IP, sending requests with a non-browser TLS fingerprint at machine timing, will score high-risk on every single request — no cross-session profile needed.
Real users don't need to be tracked to be identified as human. The behavioral signals in a single 200ms interaction are sufficient to separate human from bot with high confidence.