The Field Guide
What anti-cheat can and cannot see
Every cheat, however it is built, sorts by one question: does it ever touch the machine the anti-cheat is watching? On the machine, detection has a real chance. Off it, detection goes blind, and a record of how you actually played is the only thing that can still show a game was clean.
“How do you catch each kind of cheat?” sounds like a list of a hundred tricks. It collapses to one line the moment you ask where the cheat runs.
On the watched machine, or off it. That single boundary explains the whole map.
Does the cheat ever touch the machine the anti-cheat is watching?
The modern frontier of cheating is a migration from left to right, off the machine. The further right it goes, the less any scanner can see, and the more a record of play is the only thing left that can show a game was clean.
The one question that sorts them all
An anti-cheat is a program on your computer. Like any program, it can only inspect what is on that computer with it: the game's memory, running code, loaded drivers, the input arriving at the machine. That is a lot, and against cheats that live there it is powerful. But it is also the whole of its reach. Anything happening outside that machine is, to the anti-cheat, weather on another planet.
So the useful way to read any cheat is not by what it does, the aimbot, the wallhack, the auto-fire, but by where it does it. A cheat that runs on the watched machine is reachable, and the fight is a signature-and-behavior race the defender can win rounds in but never end. A cheat that keeps its work off the machine, on a second device or a second computer or in the pixels alone, is not so much undefeated as unseen: there is no cheat on the host to find. Below, the families, from the ones most on the machine to the ones most off it, then the two that work a different seam: the input itself, and the ban.
The families, by where they run
Six architecturally distinct families cover the field. The feature names blur together, one family can wear many, so each card is keyed to the thing that actually decides detectability: the zone it operates in, what assumption it breaks, what can and cannot see it, and where a record of play covers the gap.
Aimbots, wallhacks (ESP), and triggerbots built as code that runs inside the game and reads or writes its memory. The classic PC cheat.
A bot that reads the rendered image the way you do, a color-keyed or object-detecting model, then moves the aim. It touches no game memory.
A second device that reads the game PC's memory directly over the internal bus, with the cheat's logic running on a separate computer.
The game's video output is captured to a second computer, an AI there finds targets, and the aim is moved back through a device that presents as an ordinary mouse.
Hardware that shapes or replays input, a recoil macro on a device or a controller-to-mouse converter, presenting to the game as an ordinary mouse or controller.
A tool that fakes the hardware identifiers a game reads, so a banned machine reads as new. It wins no round; it defeats the punishment, which is why the same sellers offer it beside the cheats.
Where catching hits its ceiling
Read the cards top to bottom and a pattern falls out. The defences split into two kinds. Some are trailing: they need to see a cheat before they can name it, so a signature scan or a device fingerprint always runs a step behind a new build. They buy time and raise cost; they never close the gap. The others are fundamental: they do not need to recognize the cheat at all.
There are only three fundamental moves, and each has a ceiling. You can withhold the data, so the client is never sent what it should not see, and a wallhack has nothing to read. You can judge the behavior instead of the binary, so even an unseen cheat is flagged by its effect on the aim. And you can raise the trust floor with hardware attestation, so evasion gets expensive. Withholding cannot hide what the game must reveal, a footstep, a peek, a teammate on the minimap. Behaviour blurs into the human distribution exactly as cheats learn to look human, and it is capped forever by the cost of punishing an innocent expert. Attestation gates hardware rather than seeing a cheat, and trades away accessibility and privacy to do it.
The moment a cheat stops touching the watched machine, the contest stops being detection and becomes a judgment call: telling cheat-shaped play from human-shaped play. That is a guess, however good, never a certainty.
What completes the picture
None of this says detection is pointless. On the machine it is strong and getting stronger, and the fundamental defences above are real engineering that make whole classes of cheat harder or impossible. The honest reading is narrower and more useful: catching is excellent where the cheat is on the box and structurally bounded where it has moved off. And the frontier is moving off.
That is not a counsel of despair; it is a map of where a second thing is needed. Detection asks can we catch what is wrong. It has a ceiling, and the ceiling is exactly the off-machine column above. The complement asks a different question, can the honest player show what was right, and it has none of those ceilings. A record of play is not a better scanner competing with the anti-cheat. It is the thing that covers the ground the scanner cannot reach: the unseen cheat, the contested clip, the expert who looks too good. Where the whole right-hand side of the spectrum goes dark, a record is still lit.
That is the through-line of the entire Field Guide, and it is why this map ends where it does. You cannot always catch the cheat. You can always keep the proof of how you played.
How this entry is written
This is a reference about how cheating and its defences are built. It follows the Field Guide's rules, with care taken around a sensitive subject.
- Category, never recipe. Each family is named at the level a security advisory uses, what class of thing it is and where it runs. We never explain how to build, buy, configure, or run one. The test for every line: does it help you understand what a defender can and cannot see, or does it help someone cheat. Only the first ships.
- The record, never a referral. We describe the shape of the cheat economy from security research and vendor documentation. We name no seller and link to no store.
- Sourced to the defenders. Every claim about how a family is detected comes from anti-cheat engineering material and peer-reviewed security research, cited below.
This map is the companion to why “undetected” is a product: that entry makes the argument, this one walks the families. For the guardians themselves, each anti-cheat has its own plate in the guide.
- Server-side data minimization against wallhacks (VALORANT Fog of War): Riot Games Technology
- The on-host vs off-host boundary, trailing vs fundamental defences, and attestation limits: A Systematic Review of Technical Defenses Against Software-Based Cheating (arXiv)
- Behavioral detection and its erosion as cheats learn to look human: GAN-Aimbots (arXiv) · VACnet, GDC 2018
- Kernel anti-cheat power and the limits of auditing it: Kernel-Level Anti-Cheat analysis, ARES 2024 (arXiv)
Vera Project. “What anti-cheat can and cannot see.” Vera Field Guide (Field Note). The Vera Project. https://www.veraproject.xyz/field-guide/what-anti-cheat-sees
