Engineering Q&A

Tech.

Real questions from real developers. Honest answers — no marketing, no overselling. What's actually in place, what's tier-gated, what we don't do.

9 questions · Last updated May 2026

Q.01

How do you persist browser fingerprints?

All tiers: The lower layers persist automatically. Same VM = same OS UUID, MAC, hostname, static IP. Nothing rotates without your request.

Operator+: Browser layer. Multilogin or Dolphin Anti license bundled. Each profile gets its own user-data-dir plus a sidecar JSON (canvas seed, WebGL renderer string, audio noise function; all deterministic per profile). Chrome version pinned (auto-update disabled). BYO works too: bring your Multilogin license and we mount your config.

Q.02

How is WebRTC leak prevented?

Three layers:

  • Chrome Enterprise Policy · WebRtcIPHandlingPolicy = disable_non_proxied_udp (policy file pre-deployed on Windows seats)
  • Firefox · media.peerconnection.ice.default_address_only = true
  • Network level · egress always exits via the seat's static IP, so STUN responses reveal only the externally visible IP, which equals the static IP

Result: WebRTC stays functional, no leak. Want it fully disabled? Hardened image provided on request.
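
One way to check the "no leak" result on a seat, as an added example rather than the vendor's code: collect the ICE candidate lines the browser gathers (from an onicecandidate handler or chrome://webrtc-internals) and audit them against the seat's static IP. The function names are hypothetical and every address is constructed from RFC 5737 documentation ranges.

```javascript
// Added example: audit gathered ICE candidates against the expected egress IP.
// Candidate grammar (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port>
//             typ <type> [raddr <addr> rport <port>]
const IPV4 = /^(\d{1,3})(\.\d{1,3}){3}$/;
const isIpLiteral = (a) => IPV4.test(a) || a.includes(':');

function parseCandidate(line) {
  const parts = line.trim().replace(/^a=/, '').replace(/^candidate:/, '').split(/\s+/);
  if (parts.length < 8 || parts[6] !== 'typ') return null;
  const raddrAt = parts.indexOf('raddr');
  return {
    transport: parts[2].toLowerCase(),
    address: parts[4],
    type: parts[7], // host | srflx | prflx | relay
    raddr: raddrAt !== -1 ? parts[raddrAt + 1] : null,
  };
}

function isLeak(addr, expectedIp) {
  if (!addr) return false;
  if (addr.endsWith('.local')) return false;             // mDNS-obfuscated host candidate
  if (addr === '0.0.0.0' || addr === '::') return false; // placeholder related address
  return isIpLiteral(addr) && addr !== expectedIp;
}

function auditCandidates(lines, expectedIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { findings.push({ line, reason: 'unparseable' }); continue; }
    for (const field of ['address', 'raddr']) {
      if (isLeak(c[field], expectedIp)) {
        findings.push({ line, reason: `${c.type} ${field} exposes ${c[field]}` });
      }
    }
  }
  return findings;
}

// Constructed sample: the first two lines are what a correctly configured seat
// should produce; the last two show a private host address and a foreign egress IP.
const SEAT_IP = '203.0.113.10';
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2113937151 a1b2c3d4-0000-4000-8000-000000000001.local 54321 typ host',
  'candidate:2 1 udp 1677729535 203.0.113.10 54321 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:3 1 udp 2113937151 192.168.1.23 50000 typ host',
  'candidate:4 1 udp 1677729535 198.51.100.7 50000 typ srflx raddr 192.168.1.23 rport 50000',
];
console.log(auditCandidates(SAMPLE_CANDIDATES, SEAT_IP));
```

An empty result means every address the browser offered was either obfuscated or the expected static IP.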

Q.03

How do you handle hypervisor detection?

Most clouds (Vultr, DigitalOcean, AWS) run KVM with the CPUID hypervisor bit (leaf 1, ECX bit 31) exposed. Suppressing it requires a kernel patch and rebuild.

Default tiers: CPUID hypervisor bit exposed. Most anti-bots don't ban on this alone — residential VPN users and corporate VMs show the same signal.

Vault / Survival Kit

  • DMI strings masked to generic (BIOS vendor "American Megatrends")
  • VirtIO / Hyper-V synthetic device names renamed
  • Windows seats: vmtools / vboxservice registry entries cleaned
  • MAC OUIs use cloud provider defaults (Vultr/DO ranges, neutral)
  • Bare-metal options: Vultr Bare Metal or OVH dedicated. +$80–150/mo per seat. No hypervisor bit at all.

Honest: behavioral signals (mouse, timing, session patterns) get caught more than hypervisor signals. Cover both — that's the right answer.

Q.04

Do you use GPU passthrough?

Three-tier setup:

  • Sprint / Persistent · SwiftShader (software rendering). WebGL UNMASKED_RENDERER = "Google SwiftShader". Detectable.
  • Operator · QEMU virgl + spoofed GL_RENDERER string ("Intel Iris OpenGL"). Mid-grade — passes targets that don't heuristic-check.
  • Survival Kit / GPU add-on · AWS g4dn (NVIDIA T4) or Vultr A40 bare metal. SR-IOV passthrough. Real GeForce/Quadro strings. +$50–120/mo per seat.

Honest: SwiftShader alone is rarely a ban reason. Combined with clean IP, persistent FP, and natural session flow, it passes most cases.

Q.05

What anti-bot cases have you handled?

Field experience by vendor:

  • Cloudflare Turnstile / Managed Challenge · High pass rate. Custom Chrome build with patched JA3/JA4 (natural SNI ordering) + persistent FP + clean IP.
  • DataDome · Behavioral-signal heavy. Infrastructure is 30%, your automation code is 70%. Infra passes; mouse/timing automation is your side.
  • Akamai Bot Manager · Similar split. TLS + FP from us, behavior from you.
  • PerimeterX / HUMAN · Canvas/WebGL sensitive. Multilogin profiles pass cleanly.
  • Imperva / Incapsula · Frequent false positives on Korean residential. SG/JP Vultr IPs resolve this.

What we don't do: solve CAPTCHAs. Customer integrates 2Captcha / CapMonster on their end with their own API key.

Q.06

What's your residential / proxy strategy?

Default: datacenter IPs from the chosen cloud.

  • Vultr Tokyo / Seoul · KR-friendly ASN, low blacklist density
  • DigitalOcean SG / NYC · clean datacenter pools
  • Hetzner FSN / HEL · EU jurisdiction, less abused than OVH

Need residential?

  • Bring your own Bright Data / IPRoyal / Smartproxy subscription — we wire SOCKS5 proxy chain inside the seat (Chrome-level or OS-wide route)
  • We do not operate a residential network ourselves — liability area, not our scope

Mobile / 4G: same policy. Your subscription (e.g. Soax mobile pool), we integrate into the seat.

Q.07

How is session isolation done?

Inter-customer (between seats):

  • Each seat = dedicated VM (KVM)
  • Disk, RAM, network namespace fully isolated
  • Dedicated IPv4. Never shared with other customers, ever
  • VM escape risk · depends on the hypervisor, which is the cloud provider's responsibility

Intra-seat (within one seat, Operator+ only):

  • Multilogin / Dolphin profile = own user-data-dir
  • Cookie / localStorage / IndexedDB / Service Worker — all isolated per profile
  • Separate FP config file per profile
  • Per-profile proxy (each profile can exit via a different residential IP)

Q.08

How do you reduce RDP artifacts?

Default mstsc exposes:

  • ClientName, ClientAddress, ClientHostname header
  • Device redirection (printer / drive / smart card / COM ports)
  • RDP protocol fingerprint (mstsc vs xrdp vs FreeRDP all distinguishable)

Our defaults:

  • All device redirections OFF by default
  • Clipboard sync OFF (enable on request)
  • Generic ClientName via mstsc parameter
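
One way to confirm the redirection defaults listed above on a saved .rdp connection file, as an added example (not the vendor's tooling). The mapping in REQUIRED_OFF, the function names and the sample file are assumptions constructed for this example.

```javascript
// Added example: audit a .rdp file for device and clipboard redirection.
// .rdp files are lines of the form  name:type:value  (type i = integer, s = string).

// Assumed policy: the page's "all device redirections OFF, clipboard OFF"
// expressed as .rdp settings. An empty drivestoredirect means no drives.
const REQUIRED_OFF = {
  redirectprinters: '0',
  redirectcomports: '0',
  redirectsmartcards: '0',
  redirectclipboard: '0',
  drivestoredirect: '',
};

function parseRdp(text) {
  const settings = new Map();
  for (const raw of text.split(/\r?\n/)) {
    // Split on the first two colons only; values may contain colons themselves.
    const m = raw.trim().match(/^([^:]+):([a-z]):(.*)$/i);
    if (m) settings.set(m[1].trim().toLowerCase(), m[3].trim());
  }
  return settings;
}

function auditRdp(text) {
  const settings = parseRdp(text);
  const findings = [];
  for (const [key, want] of Object.entries(REQUIRED_OFF)) {
    if (!settings.has(key)) {
      // An absent key is not "off": the client falls back to its own default.
      findings.push(`${key}: not set, client default applies`);
    } else if (settings.get(key) !== want) {
      findings.push(`${key}: "${settings.get(key)}" leaves redirection on`);
    }
  }
  return findings;
}

// Constructed sample file (address from the RFC 5737 documentation range).
const SAMPLE_RDP = [
  'full address:s:203.0.113.10:3389',
  'redirectprinters:i:0',
  'redirectcomports:i:0',
  'redirectclipboard:i:1',
  'drivestoredirect:s:*',
].join('\r\n');
console.log(auditRdp(SAMPLE_RDP));
```

Settings that are missing are reported separately from settings that are enabled, so the file can pin every value explicitly instead of relying on client defaults.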

Recommendation: Use Guacamole (HTML5 over HTTPS) instead of RDP. External observers see only HTTPS traffic. Place behind Cloudflare Tunnel → server IP also hidden. Native RDP fingerprint completely bypassed.

Stronger setup: WireGuard tunnel + Guacamole on the internal IP. External view = nothing but HTTPS to Cloudflare.

Q.09

Did you customize Playwright stealth?

We don't sell automation as a service, but the Chrome build on Operator+ seats is automation-friendly:

  • Pinned Playwright / Puppeteer versions (no auto-update)
  • Low-level Chromium patches:
    • navigator.webdriver = false (at compile-time, not JS injection)
    • chrome.runtime, chrome.app respond naturally
    • Permissions API: notification/camera defaults realistic
  • CDP websocket fingerprint slightly cleaned up (automation signatures)
  • playwright-stealth + puppeteer-extra-plugin-stealth pre-installed
  • Battery API spoofed
  • DeviceMotion / DeviceOrientation: realistic device-like noise

Bring your Selenium / Puppeteer / Playwright code and run it — same image, same Chrome build, all benefits inherited.

Have a specific target stack in mind?

Email the use case and target — we'll walk through which signals matter for your specific stack and which tier configuration passes.