Detecting AI Agents with JA4 TLS Fingerprinting

Published 2026-04-05 | CounterAgent Research

The Problem

AI agents are increasingly making HTTP requests that look identical to human browser traffic. User-Agent strings are trivially spoofed, and many agent frameworks now mimic browser headers. Traditional bot detection fails.

JA4: A Deeper Signal

JA4 fingerprints are derived from the TLS ClientHello — the very first packet in any HTTPS connection. This captures the cipher suites, extensions, and ALPN protocols offered by the client's TLS library. Unlike User-Agent strings, these are extremely difficult to spoof without recompiling the TLS library itself.

Key Findings

• ClaudeBot and GPTBot share the same cipher hash (61a7ad8aa9b6) with only 10 cipher suites — this is NOT vanilla Go net/http, which offers 13 ciphers
• Python httpx and urllib3 share a cipher hash (bfa337485184) but differ in extension ordering, making JA4 sufficient to distinguish them
• Node.js undici/fetch and Go with HTTP/2 disabled produce identical JA4 fingerprints — runtime disambiguation requires JA4H
• 67% of multi-page visitors claiming browser User-Agents skip /favicon.ico — a strong bot indicator

Detection Methodology

CounterAgent uses a 5-layer detection approach:

1. JA4 vs User-Agent mismatch (cipher count, known bot hashes, TLS version)
2. Header anomalies (missing Accept-Language, Sec-Fetch-*, header count)
3. Path patterns (agent discovery endpoints, API probing, favicon behaviour)
4. Timing analysis (sub-100ms intervals, machine-like variance)
5. Known JA4 matching against reference probe catalogue

Try It

Use the detection API or connect via MCP to test your own traffic.

Related

• Agent Fingerprint Database
• TLS Fingerprinting Methodology
• LangChain vs CrewAI Fingerprints
• Cloudflare Workers Botnet Analysis
• API Quickstart Guide