Cipher checks

Cipher runs more than fifty individual checks across five tiers. Each check looks at one kind of evidence and contributes to the overall risk score. This page explains what every check detects and, at a high level, the signal it looks at.

The exact thresholds, weightings, and models behind these checks are part of how Cipher stays hard to game, so they are not published here. What follows is the intent of each check.

How tiers stack

A tier includes every check from the tiers below it. Tier 1 is fast and runs on every response. Higher tiers add deeper behavioral, network, and content analysis, and cost more credits per validation.

Tier 1: timing and basic behavior

Fast, universal checks that catch the most common low-effort and bot responses.

Rapid completion. Detects responses finished faster than a person could plausibly read and answer. Cipher weighs total time against how much there was to read and answer.
Uniform timing. Flags responses where every question took almost exactly the same amount of time, which is unusual for a human reading questions of different lengths.
Low interaction. Catches responses with almost no mouse movement, clicks, or keystrokes, a sign the form was filled programmatically.
Straight-line answers. Detects picking the same option down a whole grid or scale (for example, all "Agree"), a classic sign of someone not reading.
Impossibly fast. A stricter speed check for sections answered faster than physically possible to read.
Minimal effort. Flags open text answers that are empty, one word, or clearly put no thought in.

Tier 2: device and automation

Checks that look at the browser and device for signs of bots and tooling.

Excessive paste. Detects answers that were pasted rather than typed, especially large blocks pasted into open fields.
Pointer velocity spikes. Flags mouse movement that jumps at speeds or in patterns a hand does not produce.
WebDriver detected. Looks for the browser flags that automation frameworks leave behind.
Automation detected. A broader check for headless browsers and scripted environments.
Missing plugins. Real browsers expose a typical set of capabilities. Their absence can indicate a synthetic environment.
Suspicious user agent. Flags user-agent strings that are malformed, spoofed, or associated with known bots.
Device fingerprint mismatch. Detects when the device signals do not hang together the way a genuine device would.
Screen anomaly. Flags unusual or impossible screen and viewport dimensions.
Suspicious pauses. Detects pause patterns between actions that look automated rather than human.

Tier 3: advanced behavior and basic AI

Deeper behavioral analysis plus a first pass at AI-written content.

Robotic typing. Looks at the rhythm of keystrokes for the unnaturally even cadence machines produce.
Mouse teleporting. Detects the pointer jumping between points without the continuous path a hand traces.
No corrections. Humans backspace and edit. A long, flawless entry with zero corrections can indicate paste or automation.
Excessive tab switching. Flags repeatedly leaving the survey, which can indicate looking up or sharing answers.
Window focus loss. Detects the survey window losing focus at times that suggest the respondent was not engaged.
AI content (basic). A first-pass check for open answers that read as machine generated.
Contradiction (basic). Catches answers that directly conflict with each other within the same response.

Tier 4: network and content quality

Network reputation plus stronger content analysis.

Hover behavior. Looks at whether the cursor hovers and dwells the way a reading human's does.
Scroll patterns. Detects scrolling that is too smooth, too uniform, or absent given the page length.
Mouse acceleration. Examines the acceleration profile of movement for human versus synthetic signatures.
VPN detection. Flags connections coming through common VPN services.
Datacenter IP. Flags traffic originating from servers and hosting providers rather than residential networks.
Plagiarism (basic). Checks open answers against common sources and other responses for copied text.
Quality assessment. Scores whether open answers are relevant, specific, and on topic.
Semantic analysis. Looks at whether answers are meaningful and coherent rather than filler that only looks valid.

Tier 5: full AI analysis and fraud rings

The deepest tier, including coordinated-fraud detection across responses.

AI content (full). A thorough analysis for machine-generated open text.
Contradiction (full). Cross-checks the whole response set for subtle logical inconsistencies.
Plagiarism (full). A deeper originality check across a wider set of sources and submissions.
Fraud ring detection. Identifies clusters of responses that appear to come from the same coordinated source.
Answer sharing. Detects responses with near-identical answers, a sign of shared answer keys.
Coordinated timing. Flags groups of responses submitted in synchronized bursts.
Device sharing. Detects many responses tied to the same underlying device.
Tor detection. Flags connections arriving over the Tor network.
Proxy detection. Flags anonymizing proxies used to mask origin.
Timezone validation. Checks whether the device timezone is consistent with the network location.
Baseline deviation. Compares a response against the normal pattern for the survey to spot outliers.
Perplexity analysis. A language-model signal used to help distinguish human from generated text.
Burstiness analysis. Examines the natural variation in human writing that generated text often lacks.

Beyond the named checks

Underneath these checks, Cipher extracts dozens of granular features from each response, covering mouse dynamics, keystroke timing, device profile, network reputation, content quality, and attention or honeypot checks. The named checks above combine those features into the signals you see in the dashboard and in the validation API response.