New SDK Detects LLM Agents — Not Just Bots

  • LLM agent detection is now essential as AI shopping assistants and automation tools mimic human browsing behavior convincingly.
  • Nyasa’s LLM agent detection system classifies every session as Human, AuthorizedAgent, or UnauthorizedBot — a critical third category most tools ignore.
  • Traditional CAPTCHA and device fingerprinting are effectively broken against modern AI agents and patched headless browsers.
  • A cryptographic identity claim lets authorized AI agents bypass bot rules entirely, without solving a single CAPTCHA.

The Bot Detection Model Is Broken — And LLM Agents Are Why

For years, LLM agent detection wasn’t a category that needed to exist. Bot detection was a binary problem: human or bot, let through or block. That model worked fine when bots were clumsy, when CAPTCHAs stopped script kiddies, and when “headless browser” was practically synonymous with malicious crawler. None of that is true anymore. A developer going by Devansh on Dev.to has built a browser SDK called Nyasa that tackles the problem head-on — and the architecture behind it reveals just how badly the industry’s assumptions have aged.

The core argument is straightforward: there are now three actors on the web, not two. You have humans. You have unauthorized bots. And you have AI agents acting legitimately on behalf of real users — shopping assistants, automated onboarding flows, fintech integrations. By every traditional signal, that third category looks identical to the second. Headless browser characteristics, scripted input patterns, no idle pauses. A standard bot detection system will block them all. And blocking a legitimate AI shopping assistant means turning away real business. Effective LLM agent detection is what separates those two outcomes.

Why Everything You’re Currently Using Is Failing

It’s worth being blunt about the state of existing defenses. CAPTCHA, the web’s oldest and most-deployed bot barrier, was designed to exploit the gap between human vision and early optical character recognition. That gap is gone. GPT-4’s vision capabilities can interpret distorted text in milliseconds. CAPTCHA farms — human workers solving challenges for around $0.50 each — have existed for years. The challenge model is dead as a reliable defense.

Device fingerprinting fared better for a while. Catching WebDriver flags and automation markers was genuinely effective when headless browsers were unsophisticated. Now, Playwright, Puppeteer, and virtually every major automation framework ship with community-maintained patches specifically designed to pass fingerprint checks. The cat-and-mouse game has decisively shifted toward the mice. Without purpose-built LLM agent detection, fingerprinting alone cannot reliably distinguish authorized AI sessions from malicious ones.

Behavioral analytics — typing cadence, mouse movement, scroll behavior — represented the next evolutionary step. The logic was solid: scripted bots can’t fake being human at the physical interaction layer. Except now they can. Modern LLM-driven agents type at 60 to 80 words per minute with realistic keystroke intervals, move the cursor in curved rather than linear paths, and pause before filling form fields. The behavioral layer is no longer a reliable moat, which is precisely why dedicated LLM agent detection tooling has become necessary.

LLM Agent Detection: How Nyasa’s Three-Verdict System Works

Nyasa’s architecture starts by rejecting the binary framing entirely. Instead of asking “is this a bot?”, the system asks “who is this session?” Every session resolves to exactly one of three verdicts: Human, AuthorizedAgent, or UnauthorizedBot. The AuthorizedAgent category is the genuinely new idea here, and it is the foundation on which meaningful LLM agent detection is built.

The system collects 24 signals split across three layers: 13 behavioral signals, 8 fingerprint signals, and 3 network signals. Six detection rules run against those signals. Five of them — isHeadless, isScripted, isLLMAgent, isUploadAutomation, and isMultimodalBot — fire independently. Any one of them firing pushes the verdict toward UnauthorizedBot. The sixth rule, isAuthorizedAgent, is the exception: if it fires, it short-circuits the entire evaluation and returns AuthorizedAgent regardless of what any other rule found.

That short-circuit matters enormously in practice. An AI shopping assistant built on top of a retailer’s platform shouldn’t be battling through bot detection every time it tries to check a price or complete a checkout. Under Nyasa’s model, it presents a signed cryptographic identity claim — stored in window.__nyasaAgentSignature or a meta tag — and the system recognizes and respects it. The handshake happens automatically. No CAPTCHA, no friction, no blocked legitimate traffic.

The Hardest Problem: Telling LLM Agents From Fast Humans

Of the six rules, isLLMAgent is the most technically interesting — and the most difficult to get right. This is where LLM agent detection reaches its sharpest edge: LLM-driven agents have learned to approximate human behavior well enough to fool most single-signal checks. Nyasa’s approach is to look for a constellation of seven signals that, individually, might be explained by human behavior, but together point clearly at an agent.

  • Machine-speed keystroke bursts under 20ms. Human dwell times naturally cluster around 80 to 200ms. Sub-20ms bursts don’t occur in genuine human typing.
  • Mouse stillness above 70%. Humans move the cursor constantly, even when they’re not actively clicking. LLM-driven sessions often leave the cursor parked.
  • Near-zero keystroke variance. Natural typing has rhythm variation. Suspiciously consistent intervals suggest pre-computed input.
  • Zero backspace rate. Humans make mistakes and correct them. An agent filling a form it computed upfront doesn’t backspace.
  • Pixel-perfect click precision. Humans click near the center of interactive elements, but not exactly on the computed coordinate. Agents do.
  • No field exploration. Humans click into fields, leave, return, re-read labels. LLM agents visit each field once, in sequence, and move on.
  • No idle micro-pauses. Human sessions have sub-second pauses between thoughts. Agent sessions show continuous forward progress.

No single signal triggers the rule. A fast typist has low keystroke variance. A focused user might not backspace. isLLMAgent requires several of these signals to align simultaneously before it fires — which is exactly the right call. Over-triggering on legitimate humans would be as damaging as missing real agents. Getting this balance right is the central engineering challenge of LLM agent detection.
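The constellation logic described above, sketched as an added example that is not Nyasa's code. Only the 20 ms burst and 70% stillness figures come from the article; the other cut-offs, the `MIN_ALIGNED` count and the session field names are assumptions.

```javascript
// Added example, not Nyasa's code. Only the 20 ms and 70% figures come from the
// article; the other cut-offs, MIN_ALIGNED and the session field names are assumptions.
const MIN_ALIGNED = 4; // assumed reading of "several"

function stddev(xs) {
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  return Math.sqrt(xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length);
}

// Each signal is a boolean; none of them is decisive on its own.
function llmAgentSignals(s) {
  const iv = s.keyIntervalsMs;
  const typed = iv.length >= 5; // too few keystrokes: typing signals stay false
  return {
    machineSpeedBursts: iv.some((ms) => ms < 20),
    mouseStill: s.mouseStillRatio > 0.70,
    lowKeystrokeVariance: typed && stddev(iv) < 15,
    zeroBackspace: typed && s.backspaces === 0,
    pixelPerfectClicks: s.clickOffsetsPx.length > 0 &&
      s.clickOffsetsPx.every((px) => px < 0.5),
    noFieldExploration: s.fieldVisits.length > 1 &&
      new Set(s.fieldVisits).size === s.fieldVisits.length,
    noIdlePauses: s.idlePauses === 0,
  };
}

function isLLMAgent(session) {
  const signals = llmAgentSignals(session);
  const hits = Object.keys(signals).filter((name) => signals[name]);
  return { fired: hits.length >= MIN_ALIGNED, hits };
}

// Constructed sessions. A fast, focused human trips two signals and passes.
const fastHuman = {
  keyIntervalsMs: [92, 101, 88, 97, 105, 94, 99, 90], backspaces: 0,
  mouseStillRatio: 0.35, clickOffsetsPx: [6.2, 11.0, 3.4],
  fieldVisits: ['email', 'password', 'email', 'submit'], idlePauses: 5,
};
// An agent with human-looking typing is still caught by the other five.
const humanizedAgent = {
  keyIntervalsMs: [140, 95, 180, 110, 160, 90, 150, 120], backspaces: 0,
  mouseStillRatio: 0.82, clickOffsetsPx: [0, 0.2, 0],
  fieldVisits: ['email', 'password', 'submit'], idlePauses: 0,
};

console.log(isLLMAgent(fastHuman), isLLMAgent(humanizedAgent));
```

Returning the list of aligned signals alongside the verdict makes a false positive on a real user diagnosable from the log entry alone.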

The Architecture Decisions That Make It Actually Reliable

One problem Nyasa’s developer identified early was that having each detection rule compute its own derived metrics from raw signals caused two distinct failures. First, duplicated math across rules. Second — and more damaging — rules diverging when they read the same underlying signal at slightly different moments during a live session. A “mouse stillness percentage” calculated twice from the same session could produce two different numbers depending on when exactly each rule sampled the data.

The solution is a feature extraction layer that runs once per session before any detection rule evaluates. It computes eight shared derived metrics — typing variance, click precision distribution, mouse activity ratio, and others — and every rule reads from those pre-computed values. The math runs once. Every rule agrees on the numbers. This consistency is especially important for LLM agent detection, where marginal signal differences can flip a verdict.

This matters most for isMultimodalBot, the rule designed to catch near-miss sessions — cases where a bot nearly triggers multiple rules without fully triggering any single one. Rather than re-running signal evaluation, isMultimodalBot reads the DetectionResults of its sibling rules directly. Near-miss composition, where automation leaves soft signals scattered across several rules, gets caught without any rule having to re-sample data that may have aged out of the session window.
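How the verdict resolution, the isAuthorizedAgent short-circuit and the near-miss composition fit together, as an added example that is not Nyasa's code. The rule names and verdicts are the article's; the feature names, the `{fired, score}` result shape and every numeric threshold are assumptions, and signature verification is assumed to happen before `classify` is called.

```javascript
// Added example, not Nyasa's code. Rule names and the three verdicts come from
// the article; feature names, the {fired, score} shape and numbers are assumptions.
const NEAR_MISS = 0.6;     // assumed score at which a rule "almost" fired
const NEAR_MISS_RULES = 2; // assumed number of near-misses that compose a hit

const result = (score) => ({ fired: score >= 1, score });

// Every rule reads the same pre-computed feature snapshot.
const rules = {
  isHeadless: (f) => result(f.fingerprintAnomalies / 3),
  isScripted: (f) => result(f.linearMouseRatio / 0.9),
  isLLMAgent: (f) => result(f.llmSignalsAligned / 4),
  isUploadAutomation: (f) => result(f.uploadsWithoutPicker > 0 ? 1 : 0),
};

// Reads sibling DetectionResults only; it never re-samples session data.
function isMultimodalBot(siblings) {
  const near = Object.values(siblings)
    .filter((r) => !r.fired && r.score >= NEAR_MISS).length;
  return { fired: near >= NEAR_MISS_RULES, score: near / NEAR_MISS_RULES };
}

// claimVerified must be the outcome of a signature check. The mere presence of
// window.__nyasaAgentSignature proves nothing: any script can set a property.
function classify(features, claimVerified) {
  if (claimVerified === true) { // isAuthorizedAgent short-circuits everything
    return { verdict: 'AuthorizedAgent', fired: ['isAuthorizedAgent'] };
  }
  const f = Object.freeze({ ...features }); // computed once, shared, immutable
  const results = {};
  for (const [name, rule] of Object.entries(rules)) results[name] = rule(f);
  results.isMultimodalBot = isMultimodalBot(results);
  const fired = Object.keys(results).filter((name) => results[name].fired);
  return { verdict: fired.length ? 'UnauthorizedBot' : 'Human', fired };
}

// Constructed feature snapshots.
const human = { fingerprintAnomalies: 0, linearMouseRatio: 0.1,
  llmSignalsAligned: 2, uploadsWithoutPicker: 0 };
const nearMiss = { fingerprintAnomalies: 2, linearMouseRatio: 0.6,
  llmSignalsAligned: 3, uploadsWithoutPicker: 0 };

console.log(classify(human, false), classify(nearMiss, false),
  classify(nearMiss, true));
```

Because the short-circuit skips every other rule, the strength of the whole scheme rests on that one verification step, so a session whose claim fails to verify should fall through to the normal rules rather than be trusted.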

What This Signals for the Broader Industry

Nyasa is one developer’s SDK, not a Fortune 500 product launch. But the architectural thinking it represents is going to become the industry standard whether incumbents like Cloudflare, Akamai, or DataDome adopt it voluntarily or get pushed there by market pressure. The economics are clear: AI agents acting on behalf of paying customers are valuable traffic. Systems that lack proper LLM agent detection will block revenue.

The cryptographic identity claim model is particularly worth watching. It’s essentially proposing that AI agents carry verifiable credentials — a kind of passport for automated sessions. As the ecosystem of AI-powered user tools grows, pressure will mount on websites to support that handshake or risk becoming incompatible with how a significant and growing portion of their users actually browse. The question isn’t whether LLM agent detection becomes a standard layer in web security stacks. It’s which company builds the version that everyone ends up using.

Source: https://dev.to/devansh365/i-built-a-browser-sdk-that-detects-llm-agents-heres-how-it-works-3bdk

Sara Ali Emad
I'm Sara Ali Emad. I have a strong interest in both science and the art of writing, and I find creative expression to be a meaningful way to explore new perspectives. Beyond academics, I enjoy reading and crafting pieces that reflect curiosity, thoughtfulness, and a genuine appreciation for learning.