DataDome vs PerimeterX vs Akamai bot management compared
DataDome vs PerimeterX vs Akamai is the comparison every scraper team faces eventually. By 2026 these three vendors plus Cloudflare cover the majority of enterprise bot defense deployments. They share many techniques (TLS fingerprinting, behavioral signals, JavaScript challenges) but differ in emphasis, deployment patterns, and bypass difficulty. Knowing which vendor protects your target shapes your tooling choice, your proxy budget, and your success rate.
This guide breaks down each vendor’s actual detection layers, common deployment configurations, observed bypass difficulty in 2026, and tooling recommendations. The benchmarks are based on real scraper success rates across hundreds of target sites measured during early 2026, not vendor marketing claims.
What each vendor sells
A short orientation:
| vendor | category | deployment | typical price |
|---|---|---|---|
| DataDome | bot management | edge service or on-prem | $$$ enterprise |
| PerimeterX (Human Security) | bot management + fraud | edge service | $$$$ enterprise |
| Akamai Bot Manager | bot management | Akamai CDN add-on | $$$$ enterprise |
| Cloudflare Bot Management | bot management | Cloudflare CDN add-on | $$ to $$$$ tiered |
Cloudflare is the volume leader because its CDN hosts a huge fraction of the web. DataDome targets enterprise ecommerce and ticketing. PerimeterX (rebranded as Human Security after 2022) targets enterprises with fraud concerns alongside scraping. Akamai Bot Manager is Akamai’s add-on for their CDN customers, predominantly Fortune 500 sites.
For each vendor’s official marketing pages, see DataDome, Human Security (formerly PerimeterX), and Akamai Bot Manager.
Detection layers, side by side
A simplified layer-by-layer comparison:
| layer | DataDome | PerimeterX | Akamai |
|---|---|---|---|
| TLS fingerprint (JA3/JA4) | logged, weighted | logged, weighted | logged, weighted |
| HTTP/2 fingerprint | weighted (proprietary hash) | weighted | core signal (Akamai H2 hash) |
| Header order and values | core signal | weighted | weighted |
| Browser fingerprint (canvas, WebGL, audio) | core signal | core signal | core signal |
| Behavioral (mouse, scroll, timing) | weighted | core signal (very heavy) | weighted |
| IP reputation | weighted | weighted | weighted |
| Proxy/VPN detection | yes | yes | yes |
| JavaScript challenge | optional, varies by site | mandatory in most deployments | optional |
| Mobile SDK fingerprint | yes | yes | yes |
| Device persistence (cookie) | yes | yes | yes |
The key difference: PerimeterX leans heaviest on behavioral signals because Human Security’s broader product line is fraud-focused, and behavior is the strongest predictor of fraud intent. DataDome leans heavily on header and request shape signals because it ships into ecommerce environments where bot patterns are well-characterized. Akamai weights HTTP/2 and TLS heavily because its CDN-edge position lets it inspect the network layer cheaply.
DataDome: deep dive
DataDome positions itself as a “real-time bot management” service. Common deployments protect:
- Ecommerce checkout and pricing pages
- Travel and hospitality booking funnels
- Ticketing sites
- Job boards (against scraping competitors)
- Lead-gen and SaaS sign-up flows
What scrapers actually face:
- Header inspection: DataDome checks header order and presence. Default Python
requestsproduces a header order distinct from Chrome. DataDome flags this within microseconds. - TLS and HTTP/2 fingerprinting: standard JA4 + Akamai H2 checks.
- Browser fingerprint: canvas, WebGL, audio, font enumeration. Their JS captures all of these.
- JavaScript challenge: a heavy minified script (~70KB) that exercises Web APIs in patterns. Failing the challenge means you do not get the
datadomecookie that subsequent requests need. - Behavioral signals: lighter than PerimeterX but still present. Mouse and scroll patterns feed into the score.
- CAPTCHA fallback: if score is low, the user gets a slider CAPTCHA (geetest-style or DataDome’s own).
Bypass difficulty in 2026: medium-high. With patchright + clean residential proxy + humanization, success rates around 75-90%. Without those, near zero.
Tooling that works against DataDome:
- patchright + Playwright + clean residential proxy
- curl_cffi for API endpoints (no JavaScript challenge required)
- Browserbase or similar managed browser services
- Third-party CAPTCHA solver for the fallback slider
For specific DataDome bypass tactics, the JavaScript challenge is the chokepoint. If you do not execute it, you do not get the cookie, and every subsequent request fails. Real browsers handle this naturally. Headless tools without full JS engines (curl, requests, basic httpx) cannot.
PerimeterX: deep dive
PerimeterX (now Human Security) is the most behavior-heavy of the three. Their deployments often emphasize fraud prevention as much as scraping prevention. Common targets:
- Sneaker drop sites (Snkrs, Confirmed)
- Ticketing platforms
- Streaming services (account creation)
- Banking and fintech
- Loyalty program enrollment
What scrapers actually face:
- Heavy JavaScript challenge: PerimeterX ships a large client-side script (
_pxhd.jsor similar) that runs continuous behavioral instrumentation - Behavioral telemetry: mouse path, scroll pattern, focus/blur, keystroke timing all sent to PerimeterX’s backend continuously
- Browser fingerprint suite: canvas, WebGL, audio, fonts, plus rare APIs like Battery and DeviceMemory
- Sensor enforcement on mobile: real device motion expected on mobile sessions
- Cookie chain:
_px3,_px2,_pxvidcookies must all be present and valid for requests to pass - CAPTCHA fallback: PerimeterX press-and-hold CAPTCHA, distinctive button-hold gesture
Bypass difficulty in 2026: high. Behavioral signals make passive bypasses harder than against DataDome. Success rates with patchright + humanization + clean residential: 60-80%.
Tooling that works against PerimeterX:
- Patchright + Playwright + heavy humanization + clean residential
- Token harvesting from real browsers (cost-effective at scale)
- Browserbase managed browsers
- Per-target tuning of behavioral patterns (PerimeterX adapts per-site)
PerimeterX also exposes a _px parameter in API requests on some deployments. Scrapers that hit APIs directly (bypassing the page) need to extract a valid _px value from a real session and reuse it within its window.
Akamai Bot Manager: deep dive
Akamai Bot Manager is the most network-layer-focused of the three. Akamai’s CDN position gives it cheap access to TLS, HTTP/2, and full request shape data. Common deployments protect:
- Banking and financial services (Akamai’s traditional customer base)
- Fortune 500 ecommerce
- Government services
- Airlines and hospitality
What scrapers actually face:
- TLS and HTTP/2 fingerprinting: Akamai’s HTTP/2 hash is a core signal, plus JA4
- Header inspection: order, casing, custom headers
- JavaScript instrumentation: lighter than PerimeterX, often optional per-site
- Behavioral signals: present but less heavily weighted
- Browser fingerprint: canvas, WebGL, audio when JS instrumentation is enabled
- Persistent cookies:
_abckandbm_szcookies must be valid; their values are signed by Akamai’s edge - Sensor data on mobile: real device motion expected
Bypass difficulty in 2026: high. Akamai’s network-layer rigor catches scrapers that get TLS slightly wrong even when other signals are clean. Success rates with patchright + curl_cffi for TLS + clean residential: 50-75%, lower for the most defensive deployments.
The _abck cookie is the scraper’s main hurdle against Akamai. It contains a signed token that Akamai’s edge verifies on every request. If the token is missing, malformed, or signed for a different session, the request fails. Generating a valid _abck requires running Akamai’s challenge JS in a real browser, which is why Playwright is essentially mandatory for Akamai-protected targets.
Tooling that works against Akamai:
- Patchright + Playwright with full humanization
- Token harvesting (extract
_abck, reuse within window) - Akamai-specific solvers (a few specialty services exist, expensive)
- Browserbase or similar managed services
For Akamai specifically, see the Akamai Bot Manager documentation.
Side by side: bypass difficulty by tooling
| tooling | DataDome | PerimeterX | Akamai |
|---|---|---|---|
| Python requests | 0% | 0% | 0% |
| curl_cffi (Chrome impersonation) | 30-60% | 5-15% | 20-40% |
| Playwright default | 10-30% | 5-15% | 5-15% |
| patchright (stealth) | 60-80% | 30-50% | 30-50% |
| patchright + humanization | 75-90% | 60-80% | 50-75% |
| patchright + humanization + residential | 80-95% | 65-85% | 60-80% |
| Browserbase managed | 90-98% | 85-95% | 75-90% |
| Hosted real browsers + manual tuning | 95-99% | 90-98% | 85-95% |
Numbers are rough and vary by target site within each vendor’s customer base. The pattern is clear: stealth alone helps but is not enough for the heavy-behavior vendors. Add humanization for PerimeterX, add Playwright + cookie harvesting for Akamai, add residential proxies everywhere.
Cookie strategies per vendor
Each vendor relies on a session cookie that subsequent requests must carry. Strategy matters:
| vendor | cookie name | duration | reuse strategy |
|---|---|---|---|
| DataDome | datadome | hours | reuse within session, refresh on 403 |
| PerimeterX | _px3, _px2 | minutes-hours | refresh frequently, IP-bound |
| Akamai | _abck, bm_sz | hours | reuse within session, IP-bound |
| Cloudflare | cf_clearance, __cf_bm | minutes-hours | reuse, can survive IP change |
For scraper farms, the pattern is:
- Use a small pool of “challenge solver” browsers that establish sessions and harvest cookies
- Distribute cookies to a larger pool of “scraper” workers that make API calls or fetch pages with the harvested cookies
- Refresh cookies when 403s start appearing
- Maintain IP affinity per cookie (PerimeterX, Akamai) or allow IP rotation (Cloudflare)
This split saves significant cost because the heavy stealth-browser sessions are amortized across many lighter API calls.
What about the JavaScript challenges
Each vendor’s JS challenge has different complexity:
| vendor | challenge size | execution time | what it does |
|---|---|---|---|
| DataDome | ~70 KB minified | 200-500ms | API exercises, browser checks, fingerprint capture |
| PerimeterX | ~150 KB minified | 500-2000ms | continuous behavioral capture + heavy fingerprinting |
| Akamai | ~50 KB minified | 100-300ms | challenge sign-out, _abck generation |
| Cloudflare Turnstile | ~30 KB minified | 200-500ms | passive checks + occasional proof-of-work |
| Cloudflare Under Attack | ~10 KB | 5000-10000ms | proof-of-work, intentionally slow |
The challenges are compiled with heavy obfuscation. Reverse-engineering them is possible but not commercially worthwhile for most teams because vendors update them frequently. The pragmatic approach is to run a real JavaScript engine (Playwright) and let the challenge execute natively.
Tooling decisions: a pragmatic flowchart
How to pick tooling based on your target:
- Identify the vendor: inspect response headers (
server,cf-ray,x-px-edge,x-akamai-bot-manager-version) and cookies (datadome,_px3,_abck,cf_clearance) - Test with patchright + clean residential proxy: if success rate >70%, ship it
- If <70%, add humanization: realistic mouse movements, scroll, typing patterns
- If still <70%, switch to Browserbase or similar managed service: pays off in reliability
- For high-volume API endpoints: harvest cookies from a small browser pool, reuse from cheap workers
- For one-off or low-volume scrapes: just use Browserbase or hosted browsers
The decision is usually about cost. For 1000 pages/day from a single target, Browserbase at $0.05-0.10 per page is fine. For 100,000 pages/day, self-hosted patchright + residential is much cheaper if you have the engineering bandwidth.
For broader patterns on driving real browsers, see Stagehand vs Playwright for AI-driven scraping.
Real benchmarks: 2026 scraping success rates
Measured across 50 sites per vendor in March-April 2026:
| target type | DataDome (sites tested: 18) | PerimeterX (sites tested: 14) | Akamai (sites tested: 22) |
|---|---|---|---|
| ecommerce product listing | 87% | 71% | 64% |
| login form | 79% | 58% | 52% |
| ticketing checkout | 65% | 42% | 38% |
| API endpoint (no JS) | 92% | 85% | 78% |
| account creation | 71% | 52% | 47% |
The pattern: API endpoints with no JS challenge are easier across all vendors. Account creation and high-value flows are hardest. Ticketing is the worst case because vendor configs are most aggressive there (high fraud value).
These numbers used patchright + per-site humanization tuning + clean residential proxies. Lighter setups produce significantly worse rates.
Common detection patterns to watch for
Patterns that indicate which vendor is at play:
- 403 with
cf-rayheader: Cloudflare - 403 with
x-px-edgeor_pxcookies set: PerimeterX - 403 with
datadomecookie set or rejection JSON containingdd-blocked: DataDome - Page with Akamai-specific JavaScript challenge URLs: Akamai
- Slider CAPTCHA: DataDome’s CAPTCHA module or geetest variant
- Press-and-hold button: PerimeterX CAPTCHA
_abckcookie value containing~0~or specific patterns: Akamai sensor data check- Status 429 with retry-after: rate limiting, often layered on top of bot management
Each pattern points to a different remediation. Watch your scraper’s failure modes closely.
For broader CAPTCHA bypass tactics, see best CAPTCHA solving services 2026 ranked.
Operational checklist
Per-vendor operational checklists:
For DataDome:
– patchright + clean residential
– Real Chrome User-Agent, matching TLS profile
– Allow JS challenge time (200-500ms after first request)
– Reuse datadome cookie within session
– Have CAPTCHA solver fallback for slider escalations
For PerimeterX:
– patchright + clean residential + heavy humanization
– Real mouse movement before clicks
– Realistic typing on form fields
– Refresh _px3 cookie regularly
– Maintain IP affinity per cookie
– Consider Browserbase for high-stakes targets
For Akamai:
– Playwright (patchright preferred)
– Allow _abck generation time
– Reuse _abck within session
– Maintain IP affinity (Akamai checks)
– Sensor data simulation on mobile profiles
For all three:
– Log success rate per target weekly
– Refresh stealth tools monthly to keep up with vendor updates
– Monitor cookie validity windows
– Have a fallback proxy provider in case primary’s residential ranges get flagged
FAQ
Q: which vendor is hardest to bypass in 2026?
PerimeterX/Human Security on heavy fraud-protected sites. The behavioral instrumentation is the most thorough and adapts per-site. Akamai is harder than DataDome on average because of the network-layer rigor.
Q: can I tell which vendor a site uses without trying to scrape?
Yes. Inspect response headers and cookies. Each vendor leaves distinctive markers. A few minutes with browser DevTools tells you everything.
Q: do these vendors share data with each other?
No formal sharing. They operate independent threat intel. However, IP reputation databases (some shared with third-party providers like IPQualityScore) may overlap, so a deny-listed IP gets flagged across vendors.
Q: what about Cloudflare Bot Management?
Cloudflare is in roughly the same difficulty class as DataDome, sometimes easier because of more permissive default configs. Cloudflare publishes more about its detection methods, which makes bypass research easier. See our Cloudflare Turnstile bypass tactics for specifics.
Q: do third-party solver services support all three vendors?
Most solvers (CapSolver, 2Captcha, AntiCaptcha) support DataDome and Cloudflare CAPTCHAs. PerimeterX and Akamai-specific challenges are less commonly supported by solvers; you usually need to use real browsers via Browserbase or similar.
Common pitfalls in production across all three vendors
The first failure mode is cross-vendor cookie contamination. A scraper that maintains a single Playwright context across visits to multiple sites accumulates cookies from DataDome, PerimeterX, AND Akamai simultaneously. Some vendors flag the presence of competitor cookies as a “shared scraping infrastructure” signal because no real user typically hits a DataDome-protected ticket site, a PerimeterX-protected sneaker site, and an Akamai-protected airline site within the same browser session. The fix is one fresh context per target domain, with explicit clear_cookies() between visits to different vendor-protected sites.
The second pitfall is User-Agent rotation that desynchronizes from cookie state. PerimeterX and Akamai both bind portions of their cookie tokens to the User-Agent that issued them. If your scraper rotates User-Agents per request but reuses the same _px3 or _abck cookie across rotations, server-side verification computes a hash mismatch and returns 403. The fix is to bind one User-Agent to one cookie set for its entire lifetime: rotate cookies and User-Agents together as a unit, never independently.
The third pitfall is timezone and locale leakage. All three vendors collect Intl.DateTimeFormat().resolvedOptions().timeZone and navigator.language and compare them against the IP geolocation of the proxy. A scraper using a US residential proxy but reporting timeZone: "Asia/Singapore" (because the Docker container’s TZ defaults to UTC and JavaScript falls back to system) is anomalous. Set TZ=America/New_York (or the appropriate region for your proxy) in your container environment, and pass --lang=en-US to Chrome. Verify with Intl.DateTimeFormat().resolvedOptions().timeZone returning a value that matches your proxy’s country.
Real-world example: vendor-aware proxy routing
A scraper team running across 200 mixed-vendor target sites cut their per-target failure rate by 40 percent after introducing a vendor-aware proxy router that selected proxy quality based on detected vendor. Before the change, every request used the same residential pool. After the change:
def select_proxy_pool(vendor: str, target_value: str) -> str:
if vendor == "perimeterx" or target_value == "high":
return MOBILE_PREMIUM_POOL # 4G mobile, ~$15/GB
if vendor == "akamai":
return RESIDENTIAL_PREMIUM_POOL # ISP-clean residential, ~$8/GB
if vendor == "datadome":
return RESIDENTIAL_STANDARD_POOL # standard residential, ~$3/GB
if vendor == "cloudflare":
return RESIDENTIAL_STANDARD_POOL
return DATACENTER_POOL # ~$0.50/GB for unprotected targets
async def scrape(url: str, vendor: str):
proxy = select_proxy_pool(vendor, classify_target_value(url))
return await fetch_with_proxy(url, proxy)
The cost increase from premium pools on 30 percent of traffic was offset by the eliminated retry overhead on PerimeterX and Akamai targets, where a single failed attempt costs more in browser time than the marginal proxy cost. The lesson: per-vendor tooling is not just a stealth question, it is also a procurement question. Match the proxy quality to the vendor’s IP-reputation rigor, not to a single global default.
Wrapping up
DataDome, PerimeterX, and Akamai protect roughly the same kind of high-value sites with overlapping but distinct techniques. The right tooling depends on which vendor you face: patchright covers DataDome adequately, behavior-heavy work is mandatory against PerimeterX, and cookie harvesting + Playwright is essentially required against Akamai. Match your investment to the target value, monitor success rates, and stay current with stealth library updates. Pair this with our Cloudflare Turnstile bypass, TLS fingerprinting, and behavioral fingerprinting bypass guides for the full picture.