FAQ

What is Incogsurf for?

Authorised security testing of systems you own or have explicit written permission to test. Red-team your own signup flow against your own anti-fraud stack. Probe your own delivery-app one-promo-code-per-account rule. Test the Web Application Firewall in front of your staging env. That's the design centre.

How is it different from Playwright / Puppeteer?

Playwright drives a browser by API. Incogsurf is a browser you drive by hand. The point isn't to automate browsing — it's to make a single browsing session look plausibly humanlike from a detection system's perspective, with a coherent fingerprint, sticky residential proxy, warmed cookie history, and aged calendar-time on the identity.

Stealth-Playwright and similar try to make headless automation undetectable. They fight the framework's automation tells. We don't have those tells because we use a real Chrome binary you operate with your mouse.

Can I script Incogsurf with Playwright?

No, and the AUP forbids it. The product is manual by design — automating signups across hundreds of profiles is exactly the abuse pattern we don't want to enable.

Does Incogsurf bypass captcha?

Not directly. We pass the navigator.webdriver / hardwareConcurrency / WebGL fingerprint checks that captcha vendors use as part of their bot-score. If you're solving captchas on a target system, you solve them the same way a human does — by reading them. Incogsurf does not integrate with captcha-solving services.

What jurisdictions can I test in?

Wherever you have authorisation. Unauthorised probing is criminal in most jurisdictions (Computer Misuse Act in the UK, Computer Fraud and Abuse Act in the US, NL Wetboek van Strafrecht art. 138ab, equivalent statutes elsewhere). The AUP makes this explicit; the operator who clicks through accepts the responsibility for staying inside their scope.

Is the binary signed?

Yes. The installer is signed with the company's Authenticode certificate; Windows shows the signer as Serointech VOF. The Chrome for Testing download is a Google-signed binary, unmodified by us.
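
One way to check the signer before running the installer, as an added example that is not Incogsurf's own code. The function name, the installer path and the assumption that the certificate's simple name equals the signer name Windows displays are all hypothetical.

```powershell
# Added example: hypothetical helper, not shipped with the product.
function Test-InstallerSignature {
    param(
        # Path to the downloaded installer (placeholder; the FAQ does not give a file name).
        [Parameter(Mandatory)] [string] $Path,
        # Signer name as stated in this FAQ; assumed to match the certificate's simple name.
        [string] $ExpectedSigner = 'Serointech VOF'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the chain builds to a trusted root.
    # NotSigned, HashMismatch, NotTrusted and similar states all fail here.
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # Compare the certificate's simple name exactly (case-sensitive), rather than
    # substring-matching the full subject, so a lookalike subject does not pass.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -cne $ExpectedSigner) {
        throw "Unexpected signer '$signer' (expected '$ExpectedSigner')"
    }

    # Return the details worth recording in a change ticket or software inventory.
    [pscustomobject]@{
        Path        = (Resolve-Path -Path $Path).Path
        Signer      = $signer
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Usage (path is a placeholder):
#   Test-InstallerSignature -Path .\installer.exe
```

Recording the thumbprint on first install lets a later download be compared against the same certificate, not just the same display name.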

How fresh are the fingerprint bundles?

We stage 50 unused bundles at any time. The bundle generator pulls from real Windows-Chrome canonical constants and randomises only the surface that's actually per-machine (canvas hash, audio hash, GPU string per a small whitelist). Bundles are versioned with the Chrome milestone they target; stale bundles get pruned automatically.

Why Windows only?

Because that's what 91% of Chrome-on-the-internet uses, and a non-Windows Chrome fingerprint sticks out. macOS support is a backlog item for once we have enough mac-on-target operators to justify the maintenance burden.

What about mobile?

Out of scope. Mobile-attestation tokens (Play Integrity, Apple DeviceCheck) are bound to real device hardware and can't be spoofed at the browser layer. Mobile-emulation anti-detect is a different product category.

What data do you collect about my testing?

Only what's necessary to run the service: tenant + user identifiers, identity tuples (encrypted at rest), billing data via Stripe, audit events for privileged actions, bandwidth metering. We don't see the URLs you visit, the traffic on the proxy, or the contents of your sessions. Full breakdown: Privacy Policy.

How do I cancel?

Account → Billing → Manage subscription (opens the Stripe Customer Portal). Cancellation takes effect at the end of the current billing period.

To delete the account entirely (not just cancel): Account → Profile → Danger zone → Delete my account. Permanent deletion is scheduled 30 days out; signing back in within that window cancels the deletion and restores everything.

How do I export my data?

Account → Profile → Danger zone → Download my data. You get a single JSON archive of every row we hold scoped to your account (identities encrypted with the per-tenant key; nothing else redacted). GDPR Article 15.