How do you handle sites with Cloudflare, DataDome, or CAPTCHAs?

I use headless browsers, residential proxies, and custom fingerprinting to bypass most anti-bot systems. If a site is genuinely locked down, I'll tell you upfront during scoping, not after you've paid.

What does 'clean data' actually mean?

Every delivery goes through automated validation: schema checks, null detection, deduplication, and format verification. You get structured rows ready to import, not raw HTML or broken encodings.

What data sources can you work with?

Any publicly accessible website or API. If you can see it in a browser without logging in, I can extract it. I also work with public APIs, government databases, and open data portals.

What happens if the source site changes its layout?

For one-time jobs, the delivery is final. For recurring pipelines, I monitor for breakage and fix scrapers within 24 hours of detection, usually before you notice.

How do recurring deliveries work?

I set up an automated pipeline that runs on your schedule (daily, weekly, monthly) and delivers fresh data to your inbox, Google Sheets, S3 bucket, database, or API endpoint. You just consume the data.

Yes. Happy to sign your NDA before we discuss any project details. I work with financial firms, legal teams, and enterprise clients regularly.

What if the delivered data isn't what I expected?

Every project includes revisions. If the output doesn't match what was scoped, I re-run and re-deliver at no extra cost. If I can't deliver what was promised, you don't pay.

The Anti-Bot Landscape in 2026: What You Need to Know Before Starting a Scraping Project

The world changed

If you tried web scraping five years ago and are coming back to it now, the landscape is different. The easy sites are still easy. Government portals, academic databases, small business directories. These work the same way they always have.

But the sites where the valuable data lives? Social media platforms, large e-commerce, financial services, travel aggregators? These have invested heavily in anti-bot systems, and the arms race is real.

This article is an honest overview of what anti-bot protection looks like in 2026. Not a how-to (that would be irresponsible), but a what-to-expect so you can scope projects accurately and budget accordingly.

The tiers of difficulty

Not all websites are equally defended. In practice, scraping targets fall into roughly four tiers:

Tier 1: No protection

Government data portals, municipal records, academic databases, small business websites. These serve their content as plain HTML with no detection, no rate limiting, and no CAPTCHAs. A basic Python script with requests and BeautifulSoup handles them fine.

These sites are easy to scrape but often hard to scale because of pagination quirks, inconsistent schemas, and the sheer number of individual sites (3,143 US counties, for example, each with its own portal).

Tier 2: Basic protection

Mid-size e-commerce sites, news outlets, real estate listing portals. These typically have basic rate limiting, sometimes CAPTCHAs on search pages, and may block datacenter IPs. Rotating residential proxies and reasonable request pacing handle most of them.

Tier 3: Serious protection

Platforms like LinkedIn, Amazon, Booking.com, Zillow. These run professional anti-bot services (Cloudflare, DataDome, PerimeterX, Akamai) that analyze request patterns, browser fingerprints, and behavioral signals. Getting through them requires specialized infrastructure and ongoing maintenance as detection models update.

Tier 4: Actively hostile

TikTok and Instagram in 2026 are at the top of this tier. Both platforms actively invest in detection and regularly change their access patterns. TikTok combines web application firewalls with device fingerprinting and behavioral analysis. Instagram rotates its internal API signatures every few weeks. These are not "set and forget" targets. Any pipeline that works today needs active maintenance to keep working next month.

What anti-bot systems actually check

Without getting into specifics that would help bad actors, here is a high-level view of what modern anti-bot systems evaluate:

Request-level signals: IP reputation (datacenter vs residential vs mobile), request rate and timing patterns, HTTP header consistency (do the headers match a real browser?), TLS fingerprint.

Browser-level signals: JavaScript execution environment (is this a real browser or a headless tool?), canvas and WebGL fingerprints, viewport and screen resolution consistency, installed fonts and plugins.

Behavioral signals: Mouse movement patterns, scroll behavior, click timing, navigation flow (did you arrive from a search page or jump directly to a deep URL?).

Session-level signals: How long the session lasts, how many pages are visited, whether the activity pattern matches a human browsing session or a bot iterating through a list.

The most sophisticated systems combine all of these into a risk score. Below a threshold, the request is served normally. Above it, the user sees a CAPTCHA, a block page, or gets silently redirected to a honeypot with fake data.

What this means for your project

The practical implications for anyone planning a scraping project in 2026:

Budget for the tier, not just the data

A Tier 1 extraction (government portal, 10,000 records) is a completely different project from a Tier 3 extraction (LinkedIn profiles, 10,000 records). The data might be structurally similar, but the infrastructure cost, development time, and maintenance burden are not in the same category. Make sure your budget and timeline reflect the actual difficulty of the source, not just the volume of data.

Maintenance is the real cost

For Tier 3 and Tier 4 targets, the initial build is maybe 30% of the total effort over a year. The remaining 70% is maintenance. Anti-bot vendors ship detection updates on a continuous cycle. A scraper that worked last Tuesday might get blocked this Thursday. For any ongoing pipeline against a defended site, maintenance is not optional.

Not everything needs to be hard

Before committing to a complex scraping project, check whether a simpler source covers the same data. Public APIs, data resellers, government bulk downloads, academic datasets. Sometimes the data you want is available through a channel that does not require fighting an anti-bot system at all. I always check for these alternatives before recommending a scraping approach.

The difficulty is the value

Here is the counterintuitive part: the harder a site is to scrape, the more valuable a managed scraping service becomes. If LinkedIn data were easy to extract, every sales team would do it themselves and the data would have no competitive value. The fact that it is hard means the people who can do it reliably have a real service to offer, and the people who need the data are better off paying for that service than spending months trying to replicate it.

A few things I have learned

After three years and 200+ projects across all four tiers, a few observations:

The easy sites break just as often as the hard ones. A county assessor website that has not been updated since 2008 can change its entire URL structure overnight when the county migrates to a new vendor. No anti-bot needed to break a scraper.

The best scrapers look like normal users. This is not a secret. It is the fundamental principle. The more your automated traffic resembles real human browsing, the less likely it is to be detected. Everything else is details.

Speed is usually the wrong priority. Clients often ask "how fast can you scrape it?" The answer is: fast enough that you get your data on time, slow enough that the pipeline does not get blocked. Reliability beats speed every time.

Most projects are not Tier 4. For every TikTok-level engagement, there are ten county-records projects that are straightforward once you handle the per-site variation. Do not assume your project is harder than it is. Let the scoping call determine the real difficulty.

The bottom line

Anti-bot protection in 2026 is real, sophisticated, and continuously evolving. It should not stop you from getting the data you need, but it should inform how you scope the project, who you hire, and what you budget for maintenance.

If the target is a simple site, try it yourself. If the target is defended, hire someone who has dealt with that specific tier before and can tell you honestly what the pipeline will cost to build and maintain over time. The scoping call is free and the answer might save you weeks of wasted effort.