
Detection Signals

Every session leaves a trail. A real browser on a real device, driven by a real person over a safe network, looks one way. Automation, tampering, throwaway infrastructure, and stolen identities look another. Noxtica reads that trail and tells you, in plain terms, how much to trust the session in front of you.

We don’t hand you a raw pile of measurements to interpret. We answer four questions, combine the answers, and return a single calibrated risk tier — with the confidence behind it and the reasons that drove it. Your code acts on the tier; the rest is ours to figure out.

Four questions, one answer

Noxtica looks at every session across four layers. Each layer answers a different question, and no single layer decides anything on its own.

| Layer | The question | What it tells you |
|---|---|---|
| Browser | Is the browser real? | Whether the session comes from a genuine browser or an automated, headless, or spoofed one. |
| Network | Is the network safe? | Whether traffic arrives from ordinary connectivity or from anonymizing, datacenter, or abuse-prone infrastructure. |
| Device | Is the device real? | Whether the hardware behind the session is a real machine or a virtualized, emulated, or disposable environment. |
| User | Is the user real? | Whether the interaction looks human or carries the tells of scripted, automated behavior. |

Any one layer can be fooled in isolation — that’s the point of looking at four. A session has to look right across all of them to earn trust, and the contradictions between layers are often the loudest signal of all.

One calibrated risk tier

The four layers don’t come back to you as four separate scores to reconcile. Noxtica combines them into one calibrated risk tier that maps to how you should treat the session:

  • Minimal — the boring middle of the population; almost all real human traffic.
  • Low — a slight anomaly, often a privacy browser or unusual-but-legitimate setup.
  • Medium — suggestive of automation or fraud, but not conclusive.
  • High — strong evidence of automation, tampering, or infrastructure abuse.
  • Critical — multiple layers agree; almost certainly malicious.

The tier never arrives alone. It comes with a confidence measure — how much Noxtica actually knew about the session — and a list of reasons naming what drove the result. That’s a decision you can defend: to your product team, to legal, and to the customer who asks why they were challenged.

This is calibration, not a verdict. Noxtica doesn’t tell you “this is a bot.” It tells you the risk tier, how confident it is, and why — and your code makes the call. (More on why that matters in Why calibration, not verdicts.)

Sealed before it leaves the browser

Here’s the part attackers can’t get around: the answer is sealed to the request before it ever leaves the browser.

A risk signal is only useful if it arrives intact. A clever attacker’s first move is to read the result, see they’ve been flagged, and quietly rewrite it to say “all clear.” Noxtica closes that door. The session’s signals are bound to the specific request on the device and sealed shut, so anything tampered with in flight no longer matches — and your server can tell.

For you, that means the tier your code reads is the tier Noxtica produced. No replayed results, no edited verdicts, no “trust me” data from the client. The evidence is the evidence.

How a signal becomes a decision

Walk it through with a single session — say, a signup attempt.

  1. Signals. When the page loads, Noxtica quietly reads the four layers — is the browser real, is the network safe, is the device real, is the user real — and seals the answers to the request.
  2. Calibrated tier. Your server verifies the sealed result. Noxtica weighs the layers together, accounts for how much it knew, and returns a single tier with its confidence and reasons. This signup comes back high: the browser looks automated, the network is a datacenter range, and there’s no human interaction to speak of.
  3. Your policy. Your code reads high and applies the rule you chose for signups — block it, challenge it, observe it, or allow it. A payment form might hold out for stronger evidence; a read-only API might allow and simply log. The tier is the input; the line is yours to draw.

That’s the whole loop: signals in, calibrated tier out, your policy decides. You never have to reverse-engineer a score or trust a number you can’t explain — every decision traces back to named reasons you can read.
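
Step 3 of the loop above, sketched as server-side policy code. This is an added example, not Noxtica's API or code: the `Result` fields, the 0-to-1 confidence scale, the route names, the thresholds and the reason strings are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

TIERS = ["minimal", "low", "medium", "high", "critical"]  # tier order from the page
ACTIONS = ["allow", "observe", "challenge", "block"]      # least to most strict

# Constructed policy: the lowest tier at which each action applies, per route.
POLICY = {
    "signup":   {"observe": "low", "challenge": "medium", "block": "high"},
    "payment":  {"observe": "low", "challenge": "high", "block": "critical"},
    "read_api": {"observe": "medium"},  # never challenged or blocked, only logged
}
MIN_CONFIDENCE_TO_BLOCK = 0.7  # assumed scale: 0.0 (knew nothing) to 1.0


@dataclass
class Result:
    """Hypothetical shape of a result after the server has checked the seal."""
    verified: bool      # did the sealed result match this request?
    tier: str
    confidence: float
    reasons: list = field(default_factory=list)


def decide(route, result):
    """Map a verified tier to the action this route's policy chose."""
    # Fail closed: a result whose seal did not verify is never acted on as-is.
    if not result.verified:
        return {"action": "block", "why": ["seal_not_verified"]}
    # An unrecognised tier or route gets friction rather than a silent allow.
    if result.tier not in TIERS or route not in POLICY:
        return {"action": "challenge", "why": ["unknown_tier_or_route"]}

    rank = TIERS.index(result.tier)
    action = "allow"
    for candidate in ACTIONS[1:]:  # keep the strictest action whose threshold is met
        threshold = POLICY[route].get(candidate)
        if threshold is not None and rank >= TIERS.index(threshold):
            action = candidate

    why = list(result.reasons)  # carry the named reasons into the audit trail
    # A block on thin evidence is downgraded to a challenge.
    if action == "block" and result.confidence < MIN_CONFIDENCE_TO_BLOCK:
        action = "challenge"
        why.append("low_confidence_downgrade")
    return {"action": action, "why": why}
```

Returning the reasons alongside the action keeps every block or challenge traceable to what drove it, which is what makes the decision defensible later.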