Reverse once, run forever: designing client-side defenses that assume the attacker has already read every line

There's a sentence every engineer in this field eventually says out loud, usually with a sigh:

"But the code is right there in their browser."

It is. That's the whole problem, and pretending otherwise is how most bot defenses quietly fail. Anything we ship to detect automation runs inside an environment the attacker owns completely: their CPU, their debugger, their clock, their unlimited patience. They can set a breakpoint anywhere. They can run our logic ten thousand times and diff the outputs. They can rip a function out and study it in a lab.

So we made peace with an uncomfortable starting assumption: the attacker has read every line of our client code. Not "might." Has. Once you actually believe that, most of the industry's playbook reveals itself as theater, and a much more interesting design space opens up.

The asymmetry nobody escapes