Bypass PerimeterX (HUMAN Security), Security Token & behavioral biometrics automatically

ScrapeBadger's auto-escalation engine executes PerimeterX's Security Module in a genuine browser, generates a valid Security Token, simulates humanlike behavioral biometrics, and routes through residential IPs — passing Bot Defender, Code Defender, and Collective Intelligence in a single API call.

  • Starting price: FREE
  • Countries supported: 150+
  • Failed request charges: 0
  • Escalation — zero config: Auto

What is PerimeterX (HUMAN Security)

The behavioral-biometrics platform behind HUMAN Security

PerimeterX rebranded to HUMAN Security after merging with White Ops in 2022, but the underlying detection stack is still the platform engineers know as PerimeterX. Its Bot Defender product protects e-commerce giants, ticketing platforms, financial services, and travel sites — sites where credential stuffing, scalping, and inventory hoarding cause the most damage. PerimeterX is best known for its behavioral biometrics layer, which fingerprints how a user moves their mouse, scrolls, and types — at a granularity most other vendors don't even attempt.

Three products work together. Bot Defender runs the Security Module — an obfuscated JavaScript that collects 100+ device, browser, and behavioral signals, encrypts them, and POSTs them to PerimeterX's collector to obtain a _px3 Security Token. Code Defender monitors the loaded JavaScript itself, detecting injected scripts, modified prototypes, and tampered Security Module code. Collective Intelligence is the cross-customer threat feed — IPs and fingerprints flagged on one HUMAN-protected site can be blocked across the entire network within seconds.

What makes PerimeterX uniquely difficult to bypass is the behavioral biometrics layer. The Security Module captures mouse trajectory curves, scroll velocity profiles, keyboard cadence, touch event pressure (on mobile), and inter-action timing — then runs them through ML models trained on real human interaction patterns. Stealth browsers that pass canvas and TLS checks still get blocked because their behavioral biometrics don't look human. ScrapeBadger executes the Security Module in a real browser environment with humanised interaction, so the biometric stream looks indistinguishable from a real user.

PerimeterX · Security Module Flow

Page Load
Security Module loads (obfuscated PerimeterX JS)
  ↓  collects 100+ signals
Behavioral biometrics (mouse, scroll, keystroke patterns)
  ↓  Code Defender watches for tampering
POST /api/v1/collector/<site_id>
  ↓  encrypted signal payload
_px3 Security Token (set on success)
_pxhd, _pxvid (session cookies)
  ↓  Collective Intelligence cross-checks IP / fingerprint
403 / 429 Block ← invalid token or flagged IP
200 OK ← Security Token validated

Bot Defender

Security Module JS, Security Token, behavioral biometrics, fingerprinting

Code Defender

Detects script injection, prototype tampering, modified Security Module code

Collective Intelligence

Cross-customer threat feed — flagged IPs blocked network-wide in seconds

PerimeterX / HUMAN detection layers

Six ways PerimeterX identifies your scraper

PerimeterX layers are dominated by behavioral biometrics — the most distinctive feature in the HUMAN stack. A scraper can pass everything else and still get blocked by mouse-movement ML alone.

TLS / JA3 Fingerprinting

Like every enterprise bot management platform, PerimeterX inspects the JA3 / JA4 hash from the TLS ClientHello. Cipher suite order, extension list, and supported curves must match a real browser profile. Python's requests and httpx produce hashes matching no known browser and are blocked at the edge — before the Security Module even loads.

Security Module JavaScript

The Security Module is the obfuscated PerimeterX JavaScript that loads on every protected page. It collects 100+ device, browser, and behavioral signals — canvas hash, WebGL GPU vendor, navigator API values, plugin list, screen properties, and the full behavioral biometrics stream — encrypts them, and POSTs them to the PerimeterX collector. A valid response sets the _px3 Security Token cookie. HTTP-only clients have no JS engine and cannot execute this script at all.

Behavioral Biometrics

PerimeterX's defining detection layer. The Security Module captures mouse trajectory curves (Bezier-like vs straight-line), scroll velocity profiles (smooth deceleration vs constant rate), keystroke cadence (inter-key timing distribution), touch event pressure on mobile, and inter-action timing (how long the user dwells before clicking). All of this is fed into ML models trained on real human interaction. Stealth browsers that don't simulate humanlike movement get blocked here even after passing every other layer.

Code Defender — Script Tampering Checks

Code Defender is a second product that runs alongside Bot Defender. It watches the JavaScript runtime itself — detecting injected scripts, modified Function.prototype.toString (a common stealth-browser patch), tampered Security Module code, and unauthorised script origins. Stealth toolkits that override prototype methods to hide automation flags often trigger Code Defender even when their behavioral simulation is good.

IP Reputation & Collective Intelligence

Datacenter IPs from AWS, GCP, Azure, and DigitalOcean are pre-flagged as high bot-risk. PerimeterX also operates Collective Intelligence — a cross-customer threat feed where IPs and device fingerprints flagged on any HUMAN-protected site propagate to all customer sites within seconds. A scraper burned on one HUMAN site can find itself blocked on dozens of others before its next request lands.

Per-Site ML Models & Risk Score

All signals combine into a per-session risk score, evaluated by ML models tuned per customer site. High-risk sessions are blocked (403) or rate-limited (429). Mid-risk sessions are challenged with a CAPTCHA. Low-risk sessions pass. The scoring is continuous — a session that starts trusted can be re-scored mid-scrape if behavioral signals drift, triggering re-challenges or progressive blocks against long-running scrapers.

Specific signals PerimeterX uses to expose automation:

  • Linear mouse trajectories: Bezier-curve absent — bots move in straight lines, humans never do
  • Constant scroll velocity: No deceleration curve — humans slow down before stopping, bots don't
  • Function.prototype.toString tampered: Code Defender catches stealth browsers patching native methods
  • JA3/JA4 TLS mismatch: Python clients produce fingerprints matching no real browser
  • Missing _px3 Security Token: Security Module not executed — no encrypted token to validate
  • Datacenter IP range: AWS/GCP/Azure pre-flagged in PerimeterX IP reputation database
  • Collective Intelligence hit: IP or fingerprint flagged on another HUMAN-protected site recently
  • Zero keystroke variance: Form fields filled with uniform inter-key timing — non-human cadence
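
Seen from the detection side, the three behavioral signals in this list (linear mouse trajectories, constant scroll velocity, zero keystroke variance) reduce to simple statistics over an event stream. The sketch below is an added example, not PerimeterX's or ScrapeBadger's code: the field names, thresholds and block/challenge/pass cut-offs are assumptions, and the page describes the real platform as using trained ML models rather than fixed rules.

```python
import math
from statistics import mean, pstdev

# Illustrative thresholds (assumptions for this example, not vendor values).
STRAIGHTNESS_MAX = 0.98   # chord/path ratio above this reads as a straight line
KEY_CV_MIN = 0.05         # inter-key timing variation below this reads as uniform

def path_straightness(points):
    """Chord length divided by travelled length; 1.0 is a perfectly straight path."""
    travelled = sum(math.dist(a, b) for a, b in zip(points, points[1:]))
    return math.dist(points[0], points[-1]) / travelled if travelled else 1.0

def coefficient_of_variation(values):
    """Population standard deviation relative to the mean (0.0 = identical values)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def scroll_decelerates(velocities, tail=3):
    """True when the final `tail` velocity samples strictly slow down before the stop."""
    end = velocities[-tail:]
    return all(a > b for a, b in zip(end, end[1:]))

def score_session(session):
    """Return the behavioral signals a session trips; streams under 3 samples are skipped."""
    reasons = []
    mouse = session.get("mouse", [])
    if len(mouse) >= 3 and path_straightness(mouse) > STRAIGHTNESS_MAX:
        reasons.append("linear_mouse_trajectory")
    scroll = session.get("scroll_velocity", [])
    if len(scroll) >= 3 and not scroll_decelerates(scroll):
        reasons.append("constant_scroll_velocity")
    keys = session.get("key_intervals_ms", [])
    if len(keys) >= 3 and coefficient_of_variation(keys) < KEY_CV_MIN:
        reasons.append("zero_keystroke_variance")
    return reasons

def verdict(session):
    """Map tripped signals to block / challenge / pass (cut-offs are assumed)."""
    n = len(score_session(session))
    return "block" if n >= 2 else "challenge" if n == 1 else "pass"

# Constructed sample sessions (not captured traffic).
SCRIPTED = {
    "mouse": [(0, 0), (50, 50), (100, 100), (150, 150)],
    "scroll_velocity": [40, 40, 40, 40, 40],
    "key_intervals_ms": [100, 100, 100, 100, 100],
}
HUMANLIKE = {
    "mouse": [(0, 0), (30, 60), (80, 95), (140, 110), (150, 150)],
    "scroll_velocity": [60, 58, 45, 28, 12, 3],
    "key_intervals_ms": [110, 240, 95, 180, 130],
}

if __name__ == "__main__":
    for name, s in (("scripted", SCRIPTED), ("humanlike", HUMANLIKE)):
        print(name, verdict(s), score_session(s))
```
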
How ScrapeBadger bypasses PerimeterX / HUMAN

Real-browser execution + humanised behavioral biometrics

PerimeterX is the platform where behavioral simulation matters most. ScrapeBadger executes the Security Module in a real browser and generates humanised mouse, scroll, and keystroke streams — so the biometrics layer scores the session as a real user.

01. TLS browser impersonation

Every request is sent with a JA3/JA4 TLS fingerprint matching a real Chrome, Edge, or Safari profile — cipher order, extension list, and supported curves all aligned with the User-Agent. Sec-Fetch-* and other browser-only headers are set correctly. This passes the edge gate before the Security Module is even served.

02. Security Module execution + Security Token

ScrapeBadger's Patchright stealth browser executes PerimeterX's obfuscated Security Module as a real Chrome session does. The script collects genuine signals — real canvas hash, actual WebGL GPU strings, correct navigator values — encrypts them, and the POST to the PerimeterX collector returns a valid _px3 Security Token alongside _pxhd and _pxvid session cookies.

03. Humanised behavioral biometrics

The browser session generates Bezier-curve mouse trajectories, decelerating scroll velocity, variable keystroke cadence, and natural inter-action timing — all the biometric streams the Security Module measures. The behavioral signal payload submitted to PerimeterX looks indistinguishable from a real user's, so the biometrics ML model scores the session as low risk.

04. Residential proxies — Collective Intelligence safe

All requests are routed through residential ISP IPs in 150+ countries. Genuine residential IPs carry real reputation in PerimeterX's database — they are not flagged in Collective Intelligence the way datacenter or known proxy-pool IPs are. ScrapeBadger's pool is rotated and geographically matched to each target site, included on all plans at no extra cost.

Code examples

Scrape any PerimeterX-protected site in minutes

One API call. ScrapeBadger executes the Security Module, generates a Security Token, simulates humanlike biometrics, and routes residentially — automatically.

```python
# pip install scrapebadger
from scrapebadger import ScrapeBadger

client = ScrapeBadger("sb_live_your_api_key")

# ScrapeBadger auto-detects PerimeterX (HUMAN), executes the
# Security Module, generates _px3 Security Token, simulates
# behavioral biometrics, and bypasses Code Defender + Collective.
result = client.scrape(
    url="https://perimeterx-protected-site.com/products",
    country="us",             # route through US residential IP
    render_js=True,           # execute Security Module JS
    bypass_perimeterx=True,   # full PerimeterX bypass stack
)

print(result.html)
print(result.status_code)         # 200
# PerimeterX session cookies obtained automatically:
print(result.cookies['_px3'])     # Security Token
print(result.cookies['_pxhd'])    # session cookie
print(result.cookies['_pxvid'])   # visitor ID
```

Full API reference: Parameters, bypass modes, session management, and country codes — docs.scrapebadger.com

Comparison

ScrapeBadger vs DIY PerimeterX bypass methods

Why PerimeterX's behavioral biometrics layer makes DIY approaches especially fragile.

| Method | ScrapeBadger | requests / httpx | Playwright standard | Nodriver | Patchright (self-hosted) |
| --- | --- | --- | --- | --- | --- |
| Bypasses TLS / JA3 fingerprinting | Yes — auto | No | No | Partial | Partial |
| Executes Security Module JS | Yes — genuine execution | No — no JS engine | No — webdriver exposed | Sometimes | Yes |
| Generates valid _px3 Security Token | Yes — auto | No | No | Sometimes | Sometimes |
| Humanlike behavioral biometrics | Yes — Bezier mouse, decelerating scroll | No | No | No | Manual setup |
| Bypasses Code Defender | Yes — no prototype tampering | No | No | Partial | Partial |
| Residential proxies included | Yes — 150+ countries | No | No | No — extra cost | No — extra cost |
| Survives Collective Intelligence | Yes — fresh residential IPs | No | No | Limited | Limited |
| Breaks when PerimeterX updates | Never — execution-level bypass | Already broken | Already broken | Regularly | Regularly |

Patchright and Nodriver can execute the Security Module reasonably well but still need a humanlike behavioral biometrics stream and residential IPs that survive Collective Intelligence — neither is included by default. ScrapeBadger handles all three layers in a single call.

Why ScrapeBadger

A PerimeterX bypass tuned for the behavioral biometrics layer

PerimeterX is the platform where behavioral biometrics matters most. Stealth browsers alone aren't enough — humanised interaction is the difference between block and pass.

01. Behavioral biometrics that look human

The Security Module captures mouse trajectory curves, scroll deceleration profiles, and keystroke timing — and feeds them into ML models trained on real users. ScrapeBadger generates Bezier-curve mouse paths, decelerating scrolls, and variable keystroke cadence out of the box — so the biometrics layer scores the session as a real user and never escalates to Code Defender or CAPTCHA.

02. Code Defender safe — no prototype tampering

Many stealth toolkits patch Function.prototype.toString and other native methods to hide automation flags. Code Defender detects exactly these tampering patterns. ScrapeBadger uses the Patchright stealth approach — modifications are made at the build level, not by patching prototypes at runtime — so Code Defender sees a clean, unmodified browser environment.

03. Residential IPs — Collective Intelligence resistant

PerimeterX's Collective Intelligence cross-customer threat feed propagates flagged IPs across the network within seconds. A datacenter IP that gets burned on one HUMAN site is blocked on dozens of others before your next request. ScrapeBadger's residential pool (150+ countries, included) carries clean reputation and rotates fresh IPs continuously, so Collective Intelligence flagging is far less of a risk.

04. Pay only for successful results

Failed requests — PerimeterX blocks, Security Token validation failures, Code Defender flags, Collective Intelligence rejections, or behavioral score escalations — are never charged. Credits deduct only when ScrapeBadger returns a successful, real-content response. Against PerimeterX's continuous re-scoring, not paying for failures is meaningful.

Pricing

Simple, transparent pricing

Start free with 1,000 credits. Pay-as-you-go credits never expire. Subscription plans available at lower per-credit rates.

PAYG

Start anytime — credits never expire

$10/start
Pay as you go
$0.15 per 1,000 credits

  • Access to all scrapers
  • Credits never expire
  • No monthly commitment
  • Priority support
Basic

Best for small teams and steady workloads

$49/mo
Monthly subscription
$0.08 per 1,000 credits

  • Access to all scrapers
  • BASIC tier
  • Credits roll over 1 month
  • Priority support
Growth

For growing projects — save vs PAYG

$149/mo
Monthly subscription
$0.07 per 1,000 credits

  • Access to all scrapers
  • PRO tier
  • Credits roll over 1 month
  • Priority support
Pro

For professionals and high-volume usage

$249/mo
Monthly subscription
$0.06 per 1,000 credits

  • Access to all scrapers
  • PRO tier
  • Credits roll over 1 month
  • Priority support
Business

Maximum scale at the lowest per-credit rate

$499/mo
Monthly subscription
$0.05 per 1,000 credits

  • Access to all scrapers
  • ENTERPRISE tier
  • Credits roll over 1 month
  • Priority support
Enterprise & Custom
Need higher volume or a custom plan?

Custom credit volumes, dedicated infrastructure, SLA guarantees, invoice billing, and a dedicated account manager.

  • Custom credit volume
  • Dedicated account manager
  • SLA guarantee
  • Invoice billing

1,000 free credits — no credit card required. 14-day money-back guarantee.

FAQ

PerimeterX / HUMAN bypass — common questions

A PerimeterX bypass is a technique or service that allows automated requests to pass through PerimeterX (now HUMAN Security) Bot Defender — including TLS fingerprinting, Security Module JavaScript execution, _px3 Security Token validation, behavioral biometrics, Code Defender script-tampering checks, and Collective Intelligence cross-customer threat scoring — without being blocked. ScrapeBadger handles every layer automatically: real-browser execution generates a valid Security Token, humanised mouse and scroll movement passes the biometrics ML model, no prototype tampering keeps Code Defender clean, and residential IPs survive Collective Intelligence.

PerimeterX merged with White Ops in 2022 and rebranded the combined company as HUMAN Security. The underlying detection technology — Bot Defender, Security Module, _px3 Security Token, behavioral biometrics — is still the same platform engineers know as PerimeterX. You will see "HUMAN" in marketing material and "PerimeterX" or "_px*" in cookies, JavaScript paths, and technical documentation. A PerimeterX bypass and a HUMAN Security bypass refer to the same thing.

The `_px3` cookie is PerimeterX's primary Security Token. It is generated by submitting a valid encrypted signal payload — produced by the Security Module JavaScript — to the PerimeterX collector endpoint (typically `/api/v1/collector/<site_id>`). A valid response sets `_px3` along with `_pxhd` (session) and `_pxvid` (visitor ID) cookies. Subsequent requests must carry these cookies, and the `_px3` token is re-validated continuously based on the behavioral signals collected throughout the session. Without a valid Security Token, requests are blocked with 403 or 429.

Behavioral biometrics is PerimeterX's most distinctive detection layer. The Security Module captures the full stream of user interaction events — mouse trajectory curves (real users move along Bezier-like curves, bots move in straight lines), scroll velocity profiles (real users decelerate before stopping, bots scroll at constant rate), keystroke cadence (real typing has variable inter-key timing), and inter-action dwell time. These are fed into ML models trained on real human interaction patterns. Stealth browsers that pass canvas, TLS, and webdriver checks still get blocked here because their behavioral biometrics don't look human. ScrapeBadger generates humanlike biometric streams out of the box.

Code Defender is a second HUMAN Security product that runs alongside Bot Defender. While Bot Defender focuses on the request and the user, Code Defender watches the JavaScript runtime itself — looking for injected scripts from unauthorised origins, modified prototype methods (a common stealth-browser tactic), tampered Security Module code, and other client-side script integrity violations. Many stealth toolkits patch `Function.prototype.toString` or native API methods to hide automation flags, which is exactly the pattern Code Defender catches. ScrapeBadger uses build-level stealth modifications instead of runtime patching, so the JavaScript runtime stays clean.

Collective Intelligence is HUMAN Security's cross-customer threat data feed. When an IP, device fingerprint, or session pattern is flagged on any one HUMAN-protected site, that information propagates across the entire customer network within seconds. A scraper that gets burned on one site can find itself blocked on dozens of others before its next request lands. Datacenter IPs and known proxy pool IPs are flagged especially aggressively. ScrapeBadger uses genuine residential ISP IPs in 150+ countries — these carry clean reputation in HUMAN's database and rotate continuously, so Collective Intelligence flagging is far less of a problem than with datacenter or shared-proxy infrastructure.

ScrapeBadger starts free with 1,000 credits — no credit card required. Pay-as-you-go packs start at $10 with credits that never expire. Subscription plans start at $49/month with lower per-credit rates and monthly rollover. You are only charged for successful responses — PerimeterX blocks, Security Token failures, Code Defender flags, Collective Intelligence rejections, and timeouts are always free. The full PerimeterX bypass stack (Security Module execution, _px3 token, behavioral biometrics, Code Defender safety, residential proxies, TLS impersonation) is included in your existing credit balance at no extra per-request charge.

Start bypassing PerimeterX today

1,000 free credits, no credit card required. Security Module, _px3 token, behavioral biometrics, Code Defender — handled automatically in one API call.

No subscription · Credits never expire · 14-day money-back guarantee