惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
O
OpenAI News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
Webroot Blog
Webroot Blog
GbyAI
GbyAI
S
SegmentFault 最新的问题
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
J
Java Code Geeks
Google DeepMind News
Google DeepMind News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园 - 【当耐特】
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
AWS News Blog
AWS News Blog
Engineering at Meta
Engineering at Meta
S
Security Affairs
H
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
D
DataBreaches.Net
云风的 BLOG
云风的 BLOG
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
Spread Privacy
Spread Privacy
T
Threatpost
Forbes - Security
Forbes - Security
C
Cisco Blogs
Scott Helme
Scott Helme
Attack and Defense Labs
Attack and Defense Labs
Simon Willison's Weblog
Simon Willison's Weblog
腾讯CDC
The Last Watchdog
The Last Watchdog
Cloudbric
Cloudbric
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
小众软件
小众软件
V
Vulnerabilities – Threatpost
美团技术团队
人人都是产品经理
人人都是产品经理
有赞技术团队
有赞技术团队
Apple Machine Learning Research
Apple Machine Learning Research
Hacker News - Newest:
Hacker News - Newest: "LLM"
I
Intezer
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 司徒正美
C
Cybersecurity and Infrastructure Security Agency CISA
Martin Fowler
Martin Fowler
博客园 - 聂微东

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Why Web Agents Fail on Protected Sites — And How to Fix It at the Infrastructure Level
Tinyfishie · 2026-05-16 · via DEV Community

Web agents are increasingly central to how AI systems interact with the web — automating research, extracting structured data, completing multi-step workflows. But in production, many of them fail. Not because the agent logic is wrong. Because the browser infrastructure underneath isn't built for the modern web.

This article explains why protected sites are hard for automated agents, what kinds of solutions exist, and what "infrastructure-level" actually means in practice.

What Makes a Site "Protected"

Most developers think of site protection in terms of CAPTCHAs — the visible challenge that asks you to identify traffic lights or type distorted text. But modern access management goes several layers deeper.

When a request arrives at a protected site, the system evaluates multiple signals simultaneously:

  1. IP reputation. Where is this request coming from? Datacenter IP ranges (AWS, GCP, Azure) are associated with automated traffic by default. An agent running on a cloud VM gets flagged at this layer before anything else is checked. Residential IPs are associated with real users and treated differently.

  2. TLS fingerprint. Before the HTTP request arrives, the TLS handshake reveals what client is making it. A Python requests session or Node fetch call has a fingerprint protection systems identify in milliseconds — before your agent has seen the first byte of the page. Automation libraries have distinct signatures that differ from real browsers, and this check happens before a single page loads.

  3. HTTP protocol patterns. Real browsers use HTTP/2 with specific header ordering and frame sequencing. Many automation tools default to HTTP/1.1 or send headers in a different order, creating a mismatch protection systems detect before any page logic runs.

  4. Browser environment. Headless browsers have detectable properties — missing plugins, inconsistent hardware attributes, non-standard rendering metrics. An agent using headless Chrome without additional configuration exposes dozens of these signals simultaneously. Protection systems check them against known browser profiles.

  5. Behavioral signals. Mouse movement patterns, scroll behavior, timing between interactions — real users produce different patterns than automated tools. An agent that navigates directly to a button and clicks it in 40ms looks nothing like a human. Modern protection systems use statistical models trained on real user behavior to flag these patterns.

  6. Challenge responses. When earlier signals are ambiguous, the system issues a challenge (CAPTCHA or equivalent) that requires human-verifiable interaction. Passing the first five layers reduces how often this happens, but doesn't eliminate it entirely.

These signals compound. An agent that passes IP checks but fails environment checks still gets flagged. The failure mode most teams don't anticipate isn't the initial block — it's silent degradation: some protection systems let requests through while returning subtly incomplete data. By the time you notice, weeks of collection may be compromised. Each signal independently might seem manageable, but all of them together require a coherent approach.

The Assembly Problem

For developers who encounter this, the natural response is to assemble solutions: add a proxy service, configure the browser environment, simulate realistic timing. The components exist — residential proxies, browser configuration libraries, behavioral timing modules.

The problem isn't finding the pieces. It's maintaining the stack.

Access management systems are not static. They update continuously as they learn new patterns. A browser configuration that works today may be detectable in six weeks. The proxy pool that performs well this month may have degraded reputation by next quarter. The behavioral patterns that pass current analysis may fail against a new detection model.

This creates an ongoing engineering problem: someone on your team is responsible for watching it, updating it, and debugging it when things break in production. For teams that are fundamentally building agents — not infrastructure — this is a high tax on engineering attention.

A realistic estimate for a production DIY access management stack: $500–5,000/month in services — residential proxies alone run $3–15/GB depending on provider and geography (based on published rates from major providers as of Q1 2026), plus cloud compute and any fallback solving services — plus ongoing engineering time to keep it current. The services are the smaller cost. The real cost is the engineer maintaining the stack as detection systems evolve.

Infrastructure-Level vs. Application-Level Solutions

There's a meaningful architectural distinction in how access management can be handled:

Application-level: Your agent code handles access management. You configure proxies, harden the browser environment, add retry logic, and tune behavioral timing in your application. You control every layer and are responsible for maintaining each one as conditions change.

Infrastructure-level: A platform layer handles access management before your agent code runs. The agent receives a browser session already configured with appropriate access properties. Your application code doesn't need to know the details — and doesn't need to update when protection systems evolve.

The difference matters most for maintenance burden. When protection systems update, application-level solutions require you to update your code. Infrastructure-level solutions push that maintenance to the platform layer.

Neither model is universally better:

  • Application-level gives you full control over every component. It's more cost-effective at very high volume if you have dedicated infrastructure engineering bandwidth and need compliance auditability at every layer.
  • Infrastructure-level trades control for reduced maintenance. It makes sense for teams focused on agent capabilities who don't want access management to be a recurring engineering concern.

The right choice depends on your team's constraints — not on which approach sounds more sophisticated.

What Infrastructure-Level Looks Like in Practice

TinyFish is built around the infrastructure-level model. Rather than exposing access management components for developers to configure, it handles them as a platform service.

The developer-facing interface is minimal:

{
  "goal": "Extract pricing data from this page",
  "url": "https://example.com/pricing",
  "browser_profile": "stealth"
}

Enter fullscreen mode Exit fullscreen mode

browser_profile: "stealth" activates infrastructure-level access handling. The platform layer configures the session appropriately for the target site. Your agent code stays the same regardless of what protection system the site uses.

To make this concrete: an agent monitoring price changes on a heavily protected retail site sends its first request. Under managed mode, the infrastructure layer handles routing, session configuration, and request properties automatically. The agent receives the page content and proceeds to the next step. On the third request 90 seconds later, the infrastructure layer rotates session parameters silently. The agent doesn't see it.

The auto-reconfiguration behavior is relevant here. In the Mind2Web benchmark, one task initially encountered an access issue and completed successfully on a subsequent run after the infrastructure layer reconfigured automatically — without developer input. This is what infrastructure-level handling means in practice: adaptation happens at the platform layer, not in your code.

Honest Capabilities

Infrastructure-level solutions don't eliminate all access challenges. Some sites use systems aggressive enough to require different approaches.

What works reliably. Sites with standard access controls are handled automatically in managed mode. Across the Mind2Web benchmark, TinyFish achieved approximately 90% task success across 136 live websites — all 300 execution traces are published publicly for independent review.

What has limitations. Sites using enterprise-grade protection systems are handled in some configurations, but with lower consistency than standard protection. If your target uses one of these systems, test with the free tier before committing.

What no tool handles. Sites that implement hard IP-level blocks have made an architectural decision to reject automated access. No browser infrastructure, regardless of how it's configured, can address a hard block at the network level.

Access challenges that appear despite infrastructure handling. Web agents on heavily protected sites sometimes encounter verification challenges even with infrastructure-level handling in place. TinyFish runs real browser sessions with infrastructure-level request handling. For sites where verification challenges still appear, third-party services can be integrated at the application layer as a fallback.

Two Browser Profiles

TinyFish offers two modes:

  • infrastructure mode ("stealth") — Full infrastructure-level access handling. Use for any production workflow against external sites with access controls. Slightly slower due to platform-layer processing.
  • lite — Minimal access handling, faster execution. Use for internal tools, public APIs, or sites with no access controls.

Default to managed for production agent workflows against external sites. Switch to lite only after confirming the target has no access controls.

The Right Question

The question of "which tool handles more protection systems" focuses on the wrong variable — it measures the tool instead of measuring your team's operational burden. The more durable question is architectural: where should access management live in your system?

For teams building AI agents, the better question is architectural: where does access management belong in your system?

If it belongs in your application — because you need full control, compliance auditability, or cost optimization at scale — build it there and staff accordingly.

If it belongs at the infrastructure layer — because your team's job is building agent capabilities, not maintaining access management — use a platform that handles it.

TinyFish gives you 500 free steps to test against the site that's actually giving you trouble. No credit card.

👉 Start free on TinyFish

FAQ

What protection systems does TinyFish handle?

Managed mode works reliably on sites with standard access controls. Sites using enterprise-grade protection systems have lower consistency. Hard IP-level blocks cannot be handled by any tool. Test with the free tier against your specific target before committing to production volume.

Do I need to configure proxies separately?

No. Residential proxy routing is included in every TinyFish plan at no extra cost. Add proxy_config: { enabled: true, country_code: "US" } to route through a specific geography. Supported countries: US, GB, CA, DE, FR, JP, AU.

What happens when access fails?

The infrastructure layer detects failures and attempts reconfiguration automatically — without your input. If reconfiguration succeeds, the task continues. If it fails, the run completes with a failure status including screenshots and execution logs for every step, accessible via the streaming URL.

How does managed mode affect speed?

Managed mode is slightly slower than lite mode due to infrastructure-layer processing. Simple extractions typically take 10–30 seconds. Multi-step workflows take 30–90 seconds depending on complexity. For sites without access controls, lite mode is faster and lower cost.

How does TinyFish compare to Browserbase or Firecrawl?

Browserbase provides cloud browsers where you implement access management in your application code via Stagehand or your own scripts — an application-level model. Firecrawl handles basic rendering with a crawl-focused API — a different architectural model from infrastructure-level access handling. TinyFish handles access management at the infrastructure layer, activated with a single parameter. See TinyFish vs Browserbase and TinyFish vs Firecrawl for detailed breakdowns.

Related Reading