As if we needed another reason to dislike CAPTCHAs, those site-access tests that make you prove you’re human by selecting blurry photos of traffic lights, motorcycles, staircases, and vertically oriented rivers.
As it turns out, AI bots can solve CAPTCHA challenges, too, even when their programming says don’t solve them.
Dorian Schultz, red-team data scientist at AI security platform provider SPLX, recently shared his success in misdirecting a ChatGPT agent to complete some image- and text-based CAPTCHA tests. His secret? A bit of coaxing and prompt injection.
While the SPLX demo revealed that a ChatGPT agent still needs help sliding a puzzle piece or reading some distorted text, recent research has shown AI models figuring out CAPTCHA faster than cybersecurity professionals would like.
The success rate is forcing industry pros to explore new methods of answering the bot-or-not question, including systems that analyze behavior like mouse movements, typing speed, and IP reputation, rather than asking users to select all motorcycles.
“The future is deeper integrations with applications to monitor the behavior of the interaction, and deciding whether that’s a bot or not,” Christos Kalantzis, chief technology and product officer at HUMAN, told IT Brew. “AI is evolving faster than today’s traditional CAPTCHAs can evolve to protect sites.”
Bot are you talking about? A CAPTCHA, or “Completely Automated Public Turing test to tell Computers and Humans Apart,” presents site entrants with a task that’s easy for a human and difficult for a bot to solve, at least in theory. Without CAPTCHAs, a malicious bot could easily gain access to a site, then perform operations like spreading spam or pulling content and credentials.
Cybersecurity company Imperva, in a recent report, found that 51% of all 2024’s internet activity was bot-based.
AI has shown success in completing image- and text-based challenges, even tougher ones. In 2024, Singapore’s Nanyang Technological University researchers revealed how LLMs could solve emerging CAPTCHAs, including one requiring minor Bingo knowledge. An ETH Zurich university team also reported using their “YOLO” imaging model to pass image-based challenges related to Google’s second-generation mechanism, reCAPTCHAv2.
If that wasn’t bad enough for CAPTCHA, they’ve also become a favorite target for threat actors trying to get victims to hack themselves.
No more games. Google’s reCAPTCHAv3, released in 2018, calculates a reliability score rather than presenting a CAPTCHA challenge, determining bots based on “interactions with your site.”
Reid Tatoris, senior director of product at Cloudflare, shared how the company’s CAPTCHA-less Turnstile mechanism (announced in September 2022) uses on-page JavaScript to analyze actions like mouse movement and browser plugins. Cloudflare detections also monitor actions indicating suspicious behavior, such as:
- How often does this device access an account sign-up page across the entire Cloudflare network?
- Where is this request coming from?
- Is it from a known architecture?
- Is it from a known agent?
“The idea of classifying behaviors and helping customers block a behavior, rather than just blocking automation, I think, is where security needs to move,” Tatoris said, considering the SPLX demonstration.
“Let’s say LLMs [large language models] can now get to a point where they perfectly mimic human interaction on the site. What you would still identify is, what’s the behavior they’re trying to do? And then, if that behavior comes from a bad human or a bad agent or a bad program, that you could block that bad behavior either way.”
HUMAN’s “Precheck” mechanism also uses behavioral analysis (and no CAPTCHA challenge) to detect bots. According to the company’s site, suspicious traffic (like a request that’s missing a cookie) gets flagged and further inspected with “invisible” device challenges.
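As an added example (not code from Cloudflare, HUMAN or IT Brew), the following Go program scores requests on the kind of behavioral signals the Cloudflare list above and the HUMAN Precheck description name: how often one device hits the sign-up page across the whole window, whether the source IP has a poor reputation, whether the agent is known, whether the session cookie is missing, and whether the on-page script saw any pointer movement. The record fields, weights, thresholds, IP list and sample window are all constructed for illustration and are not any vendor's schema or rules.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is one constructed edge-side record of a page hit. The fields are a
// hypothetical subset of what an on-page script plus an edge proxy could
// collect; they are not the schema of any named product.
type Request struct {
	DeviceID   string // hypothetical fingerprint shared across the whole network
	IP         string
	UserAgent  string
	Path       string
	HasCookie  bool // did the client present the session cookie?
	MouseMoves int  // pointer-movement events reported by the on-page script
}

// Verdict is the outcome of scoring one request.
type Verdict struct {
	Score   int      // 0 = looks human, higher = more bot-like
	Reasons []string // which signals fired
	Action  string   // "allow", "challenge" or "block"
}

// Constructed reputation data; in practice this is fed by threat intelligence.
var badIPs = map[string]bool{"203.0.113.9": true}

// Constructed allowlist of user-agent prefixes the site expects to see.
var knownAgents = []string{"Mozilla/5.0", "ExampleBot/1.0"}

const signupPath = "/signup"

// SignupHitsPerDevice answers "how often does this device access the sign-up
// page?" by counting over the whole window, not just one site.
func SignupHitsPerDevice(window []Request) map[string]int {
	hits := make(map[string]int)
	for _, r := range window {
		if r.Path == signupPath {
			hits[r.DeviceID]++
		}
	}
	return hits
}

func isKnownAgent(ua string) bool {
	for _, p := range knownAgents {
		if strings.HasPrefix(ua, p) {
			return true
		}
	}
	return false
}

// Score combines the signals for one request, given the per-device sign-up
// counts of the window it belongs to. Weights and thresholds are illustrative.
func Score(r Request, signupHits map[string]int) Verdict {
	v := Verdict{}
	add := func(points int, why string) {
		v.Score += points
		v.Reasons = append(v.Reasons, why)
	}
	if n := signupHits[r.DeviceID]; r.Path == signupPath && n > 3 {
		add(3, fmt.Sprintf("device hit sign-up page %d times in window", n))
	}
	if badIPs[r.IP] {
		add(3, "source IP has poor reputation")
	}
	if !isKnownAgent(r.UserAgent) {
		add(2, "unknown user agent")
	}
	if !r.HasCookie {
		add(1, "request is missing the session cookie")
	}
	if r.MouseMoves == 0 {
		add(1, "no pointer movement before the request")
	}
	switch {
	case v.Score >= 5:
		v.Action = "block"
	case v.Score >= 2:
		v.Action = "challenge"
	default:
		v.Action = "allow"
	}
	return v
}

// SampleWindow is a constructed traffic window: one human (dev-A), one
// scripted sign-up farm (dev-B, five hits) and one borderline visitor (dev-C).
func SampleWindow() []Request {
	w := []Request{{"dev-A", "198.51.100.4", "Mozilla/5.0 (X11; Linux x86_64)", signupPath, true, 12, }}
	for i := 0; i < 5; i++ {
		w = append(w, Request{"dev-B", "203.0.113.9", "python-requests/2.31", signupPath, false, 0})
	}
	return append(w, Request{"dev-C", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)", signupPath, false, 0})
}

func main() {
	window := SampleWindow()
	hits := SignupHitsPerDevice(window)
	for _, r := range window {
		v := Score(r, hits)
		fmt.Printf("%-6s %-9s score=%-2d %v\n", r.DeviceID, v.Action, v.Score, v.Reasons)
	}
}
```

The point of the design is the one Tatoris makes below: the decision is driven by what the client is doing (repeated sign-ups, no session, no interaction), so a scripted LLM agent that renders a page perfectly still trips the same counters as a plain script.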
Analytics tools will be needed, too, to regulate bot behavior as agentic AI—a kind of approved, if not automatically “good” bot—is utilized more frequently to inspect websites.
Kalantzis said the company is currently partnering with OpenAI to integrate a protocol for cryptographically verifying ChatGPT-agent interactions. The company’s new AgenticTrust feature, released in July 2025, evaluates the behavior of agent activity. (Cloudflare also in July announced the integration of message signatures to verify bots and their origins).
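The paragraph above mentions cryptographically verifying agent interactions and message signatures that prove a bot's origin. As an added illustration of that idea (not the OpenAI, HUMAN or Cloudflare protocol, whose exact header names and canonicalization the article does not give), this Go program has an agent operator sign a request with an Ed25519 key and has the site verify it against a directory of published public keys, rejecting unsigned, tampered, unknown-origin and stale requests. The request fields, the `example-agent` identity and the five-minute freshness window are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AgentRequest is a constructed minimal request; the covered fields are
// illustrative, not those of any published signing protocol.
type AgentRequest struct {
	Method, Path, Host string
	AgentID            string // names the signing operator, e.g. "example-agent"
	Created            int64  // unix seconds at signing time
	Signature          []byte
}

// signingBase canonicalizes the fields covered by the signature so that the
// verifier rebuilds exactly the bytes the signer signed.
func signingBase(r AgentRequest) []byte {
	return []byte(strings.Join([]string{
		r.Method, r.Path, r.Host, r.AgentID, strconv.FormatInt(r.Created, 10),
	}, "\n"))
}

// Sign is the operator side: attach an Ed25519 signature over the base.
func Sign(r AgentRequest, priv ed25519.PrivateKey) AgentRequest {
	r.Signature = ed25519.Sign(priv, signingBase(r))
	return r
}

// Directory maps agent identity to its public key, populated out of band
// (the operator publishes the key, the site fetches and pins it).
type Directory map[string]ed25519.PublicKey

// Verify is the site side: nil means a valid, fresh signature from a known
// agent; otherwise the error names the check that failed.
func Verify(r AgentRequest, dir Directory, now time.Time, maxAge time.Duration) error {
	if len(r.Signature) == 0 {
		return fmt.Errorf("unsigned request")
	}
	pub, ok := dir[r.AgentID]
	if !ok {
		return fmt.Errorf("unknown agent %q", r.AgentID)
	}
	age := now.Sub(time.Unix(r.Created, 0))
	if age < 0 || age > maxAge {
		return fmt.Errorf("created time outside the freshness window")
	}
	if !ed25519.Verify(pub, signingBase(r), r.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// RunScenario exercises the verifier with a fixed clock so the outcome is
// deterministic; it reports, per case, whether verification passed.
func RunScenario() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"example-agent": pub}
	now := time.Unix(1_700_000_000, 0)
	maxAge := 5 * time.Minute

	req := AgentRequest{Method: "GET", Path: "/products", Host: "shop.example",
		AgentID: "example-agent", Created: now.Unix()}
	signed := Sign(req, priv)

	tampered := signed // same signature, different path
	tampered.Path = "/admin"

	impostor := signed // claims a different origin than the key that signed
	impostor.AgentID = "unknown-agent"

	old := req // signed correctly, but ten minutes ago
	old.Created = now.Add(-10 * time.Minute).Unix()
	stale := Sign(old, priv)

	return map[string]bool{
		"valid":    Verify(signed, dir, now, maxAge) == nil,
		"tampered": Verify(tampered, dir, now, maxAge) == nil,
		"unknown":  Verify(impostor, dir, now, maxAge) == nil,
		"stale":    Verify(stale, dir, now, maxAge) == nil,
		"unsigned": Verify(req, dir, now, maxAge) == nil,
	}
}

func main() {
	for name, ok := range RunScenario() {
		fmt.Printf("%-9s accepted=%v\n", name, ok)
	}
}
```

What this buys the site owner is what Kalantzis calls provenance: a signature that verifies under a pinned key ties the request to a specific operator, and the site can then apply its own trust level to that operator rather than guessing from the user agent string.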
“That’s where the market is moving to allow agents,” Kalantzis said. “It’s really knowing the provenance and the intent of the agent and, based on how much data is being provided, a customer then can choose how the level of trust they require to interact and transact with their website.”