We run an independent observatory that measures how bots and AI agents behave on the open web. Last week we caught something that's worth writing about. The pattern It started with a TLS fingerprint that kept showing up across different IP addresses. Same handshake, same parameters, same JA4 hash: t13d311100_e8f1e7e78f70_d41ae481755e . That fingerprint is interesting on its own. It tells you the client uses TLS 1.3, with 31 cipher suites and 11 extensions. But the part that matters is the ALPN field. It's empty. Real browsers always advertise ALPN. Chrome sends h2 . Firefox sends h2 . Safari sends h2 . They negotiate HTTP/2 because every modern browser uses HTTP/2. A client that connects with TLS 1.3 in 2026 and announces no ALPN is not a browser. It's an HTTP library — Go's net/http, Python's requests with custom TLS, something in that family. So we already knew: not a browser. Whatever was visiting us was pretending to be one. What it was pretending The user agents told the rest of the story.…