DataDome

DataDome Releases VM-Based Obfuscation: The Next Evolution in Client-Side Detection Security

In the ongoing arms race between fraudsters and security teams, client-side detection represents both a critical defense layer and an inherent vulnerability. DataDome’s detection logic, running directly in the browser to identify malicious automation, is, by definition, publicly accessible. Any attacker with developer tools can inspect, pause, and analyze our code. This demands continuous innovation in how we protect our detection capabilities.

Traditional obfuscation methods, which simply encode text or add “junk” code, are no longer sufficient. Sophisticated threat actors have developed automated deobfuscation tools that can unravel these protections in minutes. At DataDome, we’ve long recognized that classic obfuscation alone cannot protect advanced client-side detection logic. The code’s logic remains visible, just harder to read. 

DataDome has already employed advanced obfuscation techniques, including dynamic code regeneration and WebAssembly (WASM) compilation to stay ahead of attackers. But the sophistication of fraudsters continues to evolve, demanding even more robust protection.

Today, we’re announcing the release of Virtual Machine (VM) obfuscation for DataDome Device Check and Slider, our most significant advancement in client-side protection to date. Combined with our existing dynamic and WASM protections, this three-layer defense represents the cutting edge of client-side detection security.

Introducing VM-based obfuscation: Transforming how detection code executes

While our existing obfuscation techniques have proven highly effective, VM obfuscation makes it even more challenging for bad actors to detect our code. Rather than obscuring what code says, VM obfuscation changes how code runs. We’ve built a custom Virtual Machine that operates entirely within the browser, creating an execution environment that is architecturally different from standard JavaScript.

How our VM-based obfuscation works

A Virtual Machine is a program that simulates a computer. Just as a physical CPU reads machine code and executes instructions, our VM reads custom bytecode and executes it step by step, all within the browser environment.

At build time: A proprietary compiler translates our detection logic into bytecode. The original source code never ships to the browser. Instead, we deliver a sequence of binary instructions where each instruction is simply a number (an “opcode”) followed by its operands. From an attacker’s perspective, the browser receives only an opaque stream of bytes with no discernible structure.

At runtime: An interpreter executes the bytecode instruction by instruction. It maintains its own internal state, including:

  • A program counter that tracks which instruction to execute next
  • A stack for temporary values and computation
  • Internal memory for variables and data structures

The operations our VM understands—arithmetic, comparisons, memory access, control flow, and browser API calls—form a proprietary instruction set. This custom language is unique to DataDome with no public specification or documentation.

Why VM obfuscation is uniquely powerful

VM obfuscation creates multiple layers of complexity that make reverse engineering prohibitively difficult:

Blurred execution boundaries
In the interpreter, instruction fetching, decoding, and execution blend together in non-linear ways. Control flow becomes jumps between bytecode addresses with no recognizable structure. This makes both static analysis (reading the code) and dynamic analysis (watching it run with a debugger) exponentially harder.

No public tooling
Deobfuscation tools exist because standard obfuscation patterns are well-documented. Our custom VM has no public specification, no documentation, and no existing reverse engineering tools. Attackers cannot simply download a deobfuscator; they must build one from scratch. This requires significant time and expertise.

Instruction decomposition
Our VM uses a far more atomic instruction set than JavaScript. A single high-level operation might decompose into dozens of bytecode instructions. High-level constructs like if/else statements and loops disappear entirely, replaced by conditional jumps scattered throughout the bytecode. Attackers tracing execution see no familiar patterns, only a flat sequence of cryptic instructions.

A constantly evolving target
Like our existing codebase, the VM itself is subject to our dynamic regeneration pipeline. On a regular deployment schedule, the entire system rebuilds:

  • Opcodes are remapped: An instruction encoded as 0x1F becomes 0x7A. The mapping between numbers and operations randomizes from scratch.
  • Bytecode structure changes: The binary format and instruction layout evolve, invalidating any attacker documentation.
  • Interpreter architecture evolves: The VM’s internal implementation is restructured with reorganized data structures and execution flow.

This makes our VM a moving target. Any progress attackers make expires with the next deployment. 
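
The interpreter model (program counter, stack, memory) and the opcode remapping described above, as an added illustration that is not DataDome's code: a toy stack VM in which one program is assembled under two opcode tables. The opcode names, the one-byte operand encoding and the affine remap (standing in for randomization) are assumptions of this sketch.

```javascript
// Added illustration: a toy stack VM. Opcode names, encoding and the affine
// remap are assumptions for this sketch, not DataDome's instruction set.
const OPS = ["PUSH", "LOAD", "STORE", "ADD", "LT", "JMPF", "JMP", "HALT"];

// Per-build opcode table. A real pipeline would randomize it; an affine map
// (odd multiplier, so no collisions mod 256) keeps the example deterministic.
const opcodeMap = (seed) =>
  Object.fromEntries(OPS.map((name, i) => [name, (i * 37 + seed) & 0xff]));

// "Compiler" back end: emit each instruction as opcode byte + optional operand.
const assemble = (program, map) => Uint8Array.from(
  program.flatMap(([name, arg]) => (arg === undefined ? [map[name]] : [map[name], arg])));

// sum = 0; for (i = 0; i < 5; i++) sum += i;   mem[0] = i, mem[1] = sum.
// The loop survives only as a conditional jump (JMPF) and a back edge (JMP).
const PROGRAM = [
  ["LOAD", 0], ["PUSH", 5], ["LT"], ["JMPF", 23],   // bytes 0-6: exit if !(i < 5)
  ["LOAD", 1], ["LOAD", 0], ["ADD"], ["STORE", 1],  // bytes 7-13: sum += i
  ["LOAD", 0], ["PUSH", 1], ["ADD"], ["STORE", 0],  // bytes 14-20: i += 1
  ["JMP", 0],                                       // bytes 21-22: back to byte 0
  ["LOAD", 1], ["HALT"],                            // bytes 23-25: return sum
];

// Interpreter: program counter, stack and memory are the VM's own state.
function run(bytecode, map) {
  const decode = Object.fromEntries(Object.entries(map).map(([k, v]) => [v, k]));
  const stack = [], mem = new Array(8).fill(0);
  let pc = 0;
  for (let steps = 0; steps < 10000; steps++) {     // bound runaway programs
    const at = pc, name = decode[bytecode[pc++]];
    switch (name) {
      case "PUSH": stack.push(bytecode[pc++]); break;
      case "LOAD": stack.push(mem[bytecode[pc++]]); break;
      case "STORE": mem[bytecode[pc++]] = stack.pop(); break;
      case "ADD": stack.push(stack.pop() + stack.pop()); break;
      case "LT": { const b = stack.pop(), a = stack.pop(); stack.push(a < b ? 1 : 0); break; }
      case "JMPF": { const t = bytecode[pc++]; if (!stack.pop()) pc = t; break; }
      case "JMP": pc = bytecode[pc]; break;
      case "HALT": return stack.pop();
      default: throw new Error(`unknown opcode at byte ${at}`);
    }
  }
  throw new Error("step limit exceeded");
}

const buildA = opcodeMap(0x1f), buildB = opcodeMap(0x7a);   // two "deployments"
const codeA = assemble(PROGRAM, buildA), codeB = assemble(PROGRAM, buildB);
```

`run(codeA, buildA)` and `run(codeB, buildB)` both return 10, while `run(codeA, buildB)` throws on the first byte: bytecode from one build is meaningless under another build's table.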

DataDome’s three-layer obfuscation strategy

VM obfuscation completes DataDome’s defense-in-depth approach to client-side protection. Our three-layer strategy now combines:

1. Virtual Machine (VM) obfuscation [NEW]

Our newest and most sophisticated layer, VM obfuscation, fundamentally transforms code execution. Rather than hiding code, we change how it runs, creating a proprietary execution environment that resists both automated and manual reverse engineering.

2. Dynamic code regeneration [ENHANCED]

Our existing dynamic regeneration system continuously rebuilds and redeploys our entire protection stack, including the new VM. On a regular schedule, every aspect of our obfuscation changes: variable names, code structure, encryption keys, and now, VM opcodes and interpreter architecture. This turns protection into an economic equation: the cost and time to reverse engineer our system far exceeds its useful lifetime.

3. WebAssembly (WASM) compilation [EXISTING]

Critical portions of our detection logic are compiled into WebAssembly modules. Unlike JavaScript, WASM delivers pre-compiled binary code that executes in the browser’s low-level runtime. This provides both performance benefits and obfuscation by design, as compiled binaries resist traditional JavaScript analysis methods.

These three techniques create layered defenses. Breaking through one layer still leaves attackers facing two more, each requiring fundamentally different reverse engineering approaches.

Security without compromise: Transparent performance

Advanced protection is only valuable if it doesn’t degrade the experience for legitimate users. At DataDome, security and user experience aren’t trade-offs.

Before releasing VM obfuscation into production, we rigorously measured its performance impact across our Device Check and Slider implementations. The results show that sophisticated security doesn’t require sacrificing speed:

  • Median execution time: Improved after VM implementation, decreasing by ~15%
  • P95 execution time: No measurable increase in tail latency with the release; further optimization, deployed a few days later, eventually improved it
  • User-perceived performance: Completely transparent

The following graphs show the performance measured in production before and after VM deployment, combining both Slider and Device Check code execution time.

These measurements prove that VM-based obfuscation introduces zero perceivable overhead for end users, despite its architectural complexity. Our detection runs just as fast while being exponentially harder to reverse engineer.

This performance transparency reflects our engineering philosophy: ruthless protection with optimized UX. Every millisecond matters in e-commerce, where even small delays impact conversion rates. 

[Figures: median execution time graph; P95 execution time graph]

DataDome leads in client-side detection security

The release of VM-based obfuscation solidifies DataDome’s position at the forefront of client-side detection security. By combining VM obfuscation with our existing dynamic regeneration and WebAssembly techniques, we’ve created the most sophisticated client-side protection available in bot management.

This three-layer defense-in-depth strategy ensures:

  1. VM obfuscation transforms code execution, making reverse engineering exponentially more complex
  2. Dynamic regeneration continuously evolves all protection layers, invalidating attacker progress automatically
  3. WebAssembly provides compiled binary protection with native performance characteristics

No single technique is a silver bullet. But together, they create a protection system where the time, cost, and expertise required to breach our defenses far exceeds any attacker’s ROI—especially when that protection automatically resets with each deployment.

DataDome’s Device Check and Slider now benefit from this complete three-layer obfuscation system, offering industry-leading protection against the most sophisticated bot operators, without compromising speed, reliability, or user experience.

The future of client-side protection

Client-side detection will always face the challenge of running in a hostile environment. But with continuous innovation and the right architectural approach, that challenge becomes manageable.

The release of VM obfuscation marks a major milestone in DataDome’s ongoing commitment to staying ahead of threats. By changing how our detection code executes and combining it with our proven dynamic and WebAssembly protections, we’ve built a system that is exponentially harder to reverse engineer, adapts automatically over time, and maintains optimal performance.

For organizations facing sophisticated automation threats, classic obfuscation is no longer sufficient. The future of client-side security lies in multi-layered, continuously evolving protection. With the release of VM obfuscation, DataDome continues to lead the way.

Want to see which bots and malicious agents can access your website? DataDome’s Vulnerability Scan shows you exactly where your defenses are exposed. Get a free scan today to see what threats are getting through and how to stop them.
