What is Guillotine?

Guillotine is an advanced headless browser evasion framework designed to defeat traditional detection techniques. Unlike tools that perform browser automation, Guillotine does not automate interactions itself. Instead, it acts as a runtime patching toolkit for headless Chromium environments (e.g., Puppeteer, Playwright), modifying internal behaviors and DOM properties to evade bot-detection scripts.

It works by intercepting and rewriting the JavaScript properties and functions that detection scripts typically use to identify headless environments. For example, it modifies or removes navigator.webdriver, fixes inconsistencies in permissions.query(), patches WebGLRenderingContext outputs, and alters Function.prototype.toString() results so that patched functions still appear native.

  • Injects stealth patches at runtime into Chromium-based headless browsers
  • Fakes entropy and system-level signals to closely mimic human browser behavior
  • Neutralizes fingerprinting attempts using JavaScript traps
  • Commonly integrated with Puppeteer or Playwright in malicious scraping or fraud botnets

Because Guillotine runs silently within a Chromium-based headless session, it can be difficult to detect using traditional browser fingerprinting methods. Its effectiveness lies in how well it mimics a real user session, down to canvas, audio, and font rendering levels.

What is Guillotine used for?

Guillotine is used as a stealth enhancement layer for headless browsers. Its primary function is to evade detection systems that rely on fingerprinting or behavior analysis to identify non-human traffic. While it has legitimate use cases in research and automated testing, it is increasingly associated with adversarial automation and fraud.
Common use cases include:

  • Enhancing Puppeteer-based scraping bots to appear human
  • Bypassing browser fingerprinting defenses on websites and login flows
  • Evading anti-bot JavaScript that tests for headless artifacts like navigator.webdriver
  • Supporting credential stuffing, inventory scalping, and account enumeration bots
  • Powering click fraud and ad fraud operations by spoofing real user interactions

Because Guillotine operates at the JavaScript layer, it is highly flexible and can adapt to changes in detection techniques. Its ability to mask both static and behavioral anomalies makes it a popular choice for adversaries targeting high-value web applications and authentication systems.

How to detect Guillotine headless browser?

Detecting Guillotine requires deeper inspection of browser behavior beyond simple fingerprinting. It is best approached with multi-layered, heuristic-based detection.
Detection signals:

  • Inconsistencies in JavaScript behavior — patched values like navigator.webdriver may be undefined, but deeper inspection (e.g., iframe-based probing) can still reveal automation context
  • Anomalous Function.prototype.toString() output — patched functions may appear native but lack expected behavior under dynamic inspection
  • Canvas and audio fingerprint evasion — Guillotine may return valid entropy, but values often repeat across sessions or differ subtly from real browsers
  • Permissions API anomalies — Notification.permission and permissions.query() behaviors are often incorrectly spoofed
  • WebGL and GPU anomalies — WebGLRenderer or shader output may show signs of spoofing or low entropy
  • Timing and event trace inconsistencies — mouse, scroll, and input events may not follow real human rhythm, even with patched telemetry

Blocking strategies:

  • Implement multi-factor fingerprinting that includes time-based entropy analysis and cross-checks between unrelated signals
  • Use iframe-based rechecks that verify browser behavior from multiple execution contexts
  • Deploy behavioral detection (e.g., movement curves, typing delay variance) to profile non-human interactions
  • Test for over-patched environments — e.g., all detection flags appearing “perfect” may itself be a signal of evasion
  • Regularly rotate detection scripts and challenge-response logic to stay ahead of patchers like Guillotine
  • Integrate dynamic JavaScript traps that trigger unique responses from stealth-patched browsers
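As an added example (not code from this page, from DataDome, or from Guillotine), the block below shows how the iframe-based rechecks, the dynamic inspection of Function.prototype.toString() and the Notification.permission versus permissions.query() cross-check described above can be turned into a scored signal list. The probe names, the sample snapshots and the signal wording are assumptions made for illustration.

```javascript
// Browser-side collector (needs a window; not run here). Call it once on the
// top window and once on a freshly created same-origin iframe's contentWindow,
// because patches applied only to the top window tend to leak in child contexts.
function collectProbes(win) {
  const src = (f) => { try { return win.Function.prototype.toString.call(f); } catch (e) { return 'throws'; } };
  return {
    hasWebdriverProp: 'webdriver' in win.navigator,      // unpatched Chrome keeps the property (value false)
    webdriver: win.navigator.webdriver,
    toStringSelf: src(win.Function.prototype.toString),   // must read "[native code]"
    toStringOnObject: src({}),                            // native toString throws on a non-function
    notification: win.Notification ? win.Notification.permission : 'missing',
    queryNative: /\[native code\]/.test(src(win.navigator.permissions.query)),
  };
}

// Pure scoring step, runnable anywhere: returns the list of triggered signals.
// permState is the resolved state of permissions.query({ name: 'notifications' }).
function scoreProbes(top, frame, permState) {
  const signals = [];
  if (!top.hasWebdriverProp) signals.push('navigator.webdriver removed entirely (over-patched)');
  if (top.webdriver !== frame.webdriver) signals.push('webdriver differs between top window and iframe');
  if (!/\[native code\]/.test(top.toStringSelf)) signals.push('Function.prototype.toString is not native');
  if (top.toStringOnObject !== 'throws') signals.push('toString wrapper accepts a non-function');
  if (top.toStringSelf !== frame.toStringSelf) signals.push('toString output differs between contexts');
  const expected = { default: 'prompt', granted: 'granted', denied: 'denied' }[top.notification];
  if (expected && permState !== expected) signals.push('Notification.permission disagrees with permissions.query');
  if (!top.queryNative) signals.push('permissions.query is not native');
  return signals;
}

// Constructed snapshots (not captured from a real session): an unpatched Chrome
// page, a stealth-patched page, and the iframe the patch failed to reach.
const REAL = { hasWebdriverProp: true, webdriver: false, toStringSelf: 'function toString() { [native code] }',
  toStringOnObject: 'throws', notification: 'default', queryNative: true };
const PATCHED = { ...REAL, hasWebdriverProp: false, webdriver: undefined,
  toStringOnObject: 'function () { [native code] }' };   // wrapper never throws
const PATCHED_FRAME = { ...REAL, webdriver: true };       // automation flag still visible here

// Runs both sessions through the scorer; the caller applies its own threshold.
function demo() {
  return { real: scoreProbes(REAL, REAL, 'prompt'), patched: scoreProbes(PATCHED, PATCHED_FRAME, 'prompt') };
}

console.log(JSON.stringify(demo(), null, 2));
```

A single triggered signal is weak evidence on its own; the value comes from combining several independent signals, as the strategies above suggest, and from rotating which probes run.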