The Field Guide

What anti-cheat can and cannot see

Every cheat, however it is built, sorts by one question: does it ever touch the machine the anti-cheat is watching? On the machine, detection has a real chance. Off it, detection goes blind, and a record of how you actually played is the only thing that can still show a game was clean.

“How do you catch each kind of cheat?” sounds like a list of a hundred tricks. It collapses to one line the moment you ask where the cheat runs.

On the watched machine, or off it. That single boundary explains the whole map.

Does the cheat ever touch the machine the anti-cheat is watching?

On the machineIt runs as code, reads memory, or leaves an artifact. The anti-cheat has a real chance, in a signature race it never fully finishes.
Off the machineA device on the bus, a second PC, a bot that only reads the screen. Nothing to scan, so on-host detection goes near-blind.

The modern frontier of cheating is a migration from left to right, off the machine. The further right it goes, the less any scanner can see, and the more a record of play is the only thing left that can show a game was clean.

01

The one question that sorts them all

An anti-cheat is a program on your computer. Like any program, it can only inspect what is on that computer with it: the game's memory, running code, loaded drivers, the input arriving at the machine. That is a lot, and against cheats that live there it is powerful. But it is also the whole of its reach. Anything happening outside that machine is, to the anti-cheat, weather on another planet.

So the useful way to read any cheat is not by what it does, the aimbot, the wallhack, the auto-fire, but by where it does it. A cheat that runs on the watched machine is reachable, and the fight is a signature-and-behavior race the defender can win rounds in but never end. A cheat that keeps its work off the machine, on a second device or a second computer or in the pixels alone, is not so much undefeated as unseen: there is no cheat on the host to find. Below, the families, from the ones most on the machine to the ones most off it, then the two that work a different seam: the input itself, and the ban.

02

The families, by where they run

Six architecturally distinct families cover the field. The feature names blur together, one family can wear many, so each card is keyed to the thing that actually decides detectability: the zone it operates in, what assumption it breaks, what can and cannot see it, and where a record of play covers the gap.

Internal cheats (injection and memory)on the machine

Aimbots, wallhacks (ESP), and triggerbots built as code that runs inside the game and reads or writes its memory. The classic PC cheat.

DefeatsThe assumption that a game's own memory is private to the game.
What sees itReachable. Because it runs on the watched machine, it leaves artifacts: injected code, anomalous reads, tampering. This is exactly what a kernel anti-cheat is built to find.
DetectionTrailing. A signature has to be written after a sample is found, so a new or private build is undetected until it is caught, and then the seller ships another.
Where proof coversA record built as you play does not wait for the catch. It can show a match was clean during the very window a signature has not closed yet.
On-screen and pixel botsreads the screen

A bot that reads the rendered image the way you do, a color-keyed or object-detecting model, then moves the aim. It touches no game memory.

DefeatsThe assumption that the screen is only there for a human to look at.
What sees itPartly blind. With no memory access, memory scanning finds nothing. On the same PC, screen capture and synthetic input can still be seen, and a decoy only a bot reacts to can flag it.
DetectionBehavioral. The tell is in the motion, but as the models grow more human-like, the gap the detector relies on keeps shrinking.
Where proof coversBehaviour is contestable, and elite play looks suspicious. A record moves the question from “does your aim look too good” to “here is the game you actually played.”
DMA and hardware cardsoff the machine

A second device that reads the game PC's memory directly over the internal bus, with the cheat's logic running on a separate computer.

DefeatsThe assumption that reading a machine's memory means running software on it.
What sees itNear-blind. The PC runs no cheat software, so host scanning has almost nothing to see. The responses are hardware attestation and device fingerprinting, and a reconfigurable card is built to slip the fingerprint.
DetectionStructural blind spot. The read is passive and physically external; the only durable signal is the behavior the cheat produces, judged elsewhere.
Where proof coversYou cannot see the reader, but you never needed to. A record of how the human played does not depend on catching the device at all.
Second PC with AI visionoff the machine

The game's video output is captured to a second computer, an AI there finds targets, and the aim is moved back through a device that presents as an ordinary mouse.

DefeatsThe assumption that the machine playing the game is the only machine involved.
What sees itZero surface. Nothing cheat-related touches the game PC and no memory is read, so on-host anti-cheat has nothing to inspect. Only the behavior of the aim, judged server-side, remains.
DetectionStructural blind spot. The video out and the emulated input are the same signals a legitimate player produces; there is nothing distinctive left for a scanner to key on.
Where proof coversThe purest case. The cheat is invisible and the play is all that is left, so a record of that play is the only thing that can still show it was clean.
Converters, input devices, and macrosinput only

Hardware that shapes or replays input, a recoil macro on a device or a controller-to-mouse converter, presenting to the game as an ordinary mouse or controller.

DefeatsThe assumption that input arrives from a human hand.
What sees itMostly blind on a device. A device-level macro shows only as standard input, so there is nothing on the host to scan. Only the statistics of the input, impossibly consistent with no human jitter, give it away.
DetectionBehavioral, and evadable. The signal is the absence of human jitter, and it holds only while the input stays machine-perfect.
Where proof coversWhere behavior is the only tell and behavior can be humanized, a record of the whole session is the ground truth an input filter is only ever estimating.
Ban-evasion (identifier spoofers)defeats the ban

A tool that fakes the hardware identifiers a game reads, so a banned machine reads as new. It wins no round; it defeats the punishment, which is why the same sellers offer it beside the cheats.

DefeatsThe assumption that a ban can bind to a person or a machine.
What sees itReachable, but the target is identity. It runs on the machine, so it is detectable in principle, and identity rooted in a hardware security chip raises the cost sharply, at an accessibility and privacy price. Buying new hardware always resets it.
DetectionTrailing, plus a costly floor. Software-readable identifiers are inherently spoofable; attestation raises the price without ever binding a person for certain.
Where proof coversA record has nothing to forge, so a spoofer has nothing to defeat. The whole family exists to shed a verdict, and a record is not one.
03

Where catching hits its ceiling

Read the cards top to bottom and a pattern falls out. The defences split into two kinds. Some are trailing: they need to see a cheat before they can name it, so a signature scan or a device fingerprint always runs a step behind a new build. They buy time and raise cost; they never close the gap. The others are fundamental: they do not need to recognize the cheat at all.

There are only three fundamental moves, and each has a ceiling. You can withhold the data, so the client is never sent what it should not see, and a wallhack has nothing to read. You can judge the behavior instead of the binary, so even an unseen cheat is flagged by its effect on the aim. And you can raise the trust floor with hardware attestation, so evasion gets expensive. Withholding cannot hide what the game must reveal, a footstep, a peek, a teammate on the minimap. Behaviour blurs into the human distribution exactly as cheats learn to look human, and it is capped forever by the cost of punishing an innocent expert. Attestation gates hardware rather than seeing a cheat, and trades away accessibility and privacy to do it.

The moment a cheat stops touching the watched machine, the contest stops being detection and becomes a judgment call: telling cheat-shaped play from human-shaped play. That is a guess, however good, never a certainty.

04

What completes the picture

None of this says detection is pointless. On the machine it is strong and getting stronger, and the fundamental defences above are real engineering that make whole classes of cheat harder or impossible. The honest reading is narrower and more useful: catching is excellent where the cheat is on the box and structurally bounded where it has moved off. And the frontier is moving off.

That is not a counsel of despair; it is a map of where a second thing is needed. Detection asks can we catch what is wrong. It has a ceiling, and the ceiling is exactly the off-machine column above. The complement asks a different question, can the honest player show what was right, and it has none of those ceilings. A record of play is not a better scanner competing with the anti-cheat. It is the thing that covers the ground the scanner cannot reach: the unseen cheat, the contested clip, the expert who looks too good. Where the whole right-hand side of the spectrum goes dark, a record is still lit.

That is the through-line of the entire Field Guide, and it is why this map ends where it does. You cannot always catch the cheat. You can always keep the proof of how you played.

How this entry is written

This is a reference about how cheating and its defences are built. It follows the Field Guide's rules, with care taken around a sensitive subject.

  • Category, never recipe. Each family is named at the level a security advisory uses, what class of thing it is and where it runs. We never explain how to build, buy, configure, or run one. The test for every line: does it help you understand what a defender can and cannot see, or does it help someone cheat. Only the first ships.
  • The record, never a referral. We describe the shape of the cheat economy from security research and vendor documentation. We name no seller and link to no store.
  • Sourced to the defenders. Every claim about how a family is detected comes from anti-cheat engineering material and peer-reviewed security research, cited below.
The practical thing
If you play
When someone insists a game is “unhackable” because the anti-cheat is aggressive, you now know the boundary: it is strong against cheats on the machine and near-blind to the ones that stay off it. That is not a reason to worry more. It is a reason to value what you can actually see and check.
If you compete
The cheats hardest to catch are exactly the ones that make an honest expert look guilty, because both are judged by behavior alone. The way out of that trap is not a better accusation. It is a record of how you played that does not depend on anyone catching anything.
If you build
Detection and provenance are not rivals; they cover different halves of the board. Keep investing in on-host detection and the fundamental defences, and pair them with a verifiable record for the off-machine cases no scanner reaches. Catching and proving, together.

This map is the companion to why “undetected” is a product: that entry makes the argument, this one walks the families. For the guardians themselves, each anti-cheat has its own plate in the guide.

Sources
Cite this entry

Vera Project. “What anti-cheat can and cannot see.” Vera Field Guide (Field Note). The Vera Project. https://www.veraproject.xyz/field-guide/what-anti-cheat-sees