reese84 + UTMVC

Bypass Incapsula Protection with a single API call

Generate valid reese84 sensors and ___utmvc payloads for Imperva, no browsers, just fast, reliable API responses.

Create account Read the docs
solve_incapsula.py
from hyper_sdk import Session, IncapsulaReese84Input

session = Session(api_key="your-api-key")

# Generate reese84 sensor data, no browser
result = session.generate_reese84_sensor(
    IncapsulaReese84Input(
        page_url=page_url,
        script=reese_script,
        script_url=reese_script_url,
        user_agent=ua,
        ip=proxy_ip,
        accept_language="en-US,en;q=0.9",
    )
)

# POST sensor to the script, set the reese84 cookie
token = client.post(
    reese_script_url,
    data=result.payload,
).text
# reese84 cookie valid, requests pass
200 OK · reese84 validgenerated in 9ms
<10ms
Reese84 generation
1B+
Requests served / month
Auto
Updated on every Incapsula change
<12h
Engineer support response
Understanding the challenge

What is Incapsula protection?

Incapsula, now Imperva, guards login, checkout and API endpoints across enterprise sites. It fingerprints the runtime with reese84, gates access behind the ___utmvc cookie, and escalates to captcha when trust drops.

Why it's hard to bypass

Incapsula layers a heavily obfuscated reese84 sensor over a rotating UTMVC challenge, then scores network-level signals too. Re-implementing the sensor by hand breaks on every Imperva update, and running the real script needs a full browser.

Our API reproduces the reese84 and ___utmvc payloads from a single HTTP call. If Incapsula escalates to hCaptcha or GeeTest, clear that with a third-party solver, then resume the standard flow.

Protection mechanisms

Reese84 sensor fingerprinting

A hidden JavaScript sensor collects device, canvas and timing entropy, then expects a signed reese84 payload posted back.

UTMVC dynamic challenge

The ___utmvc cookie is only issued after a rotating, obfuscated challenge script is executed correctly.

Fingerprint & header-order analysis

TLS handshake and header ordering are checked alongside the JavaScript signals. HTTP libraries betray automation here.

JS environment checks

The challenge probes navigator, screen and event entropy to confirm a real browser ran it.

The traditional approach

Headless browsers & Puppeteer

Run the reese84 sensor in a real browser per session
Re-execute the UTMVC challenge script on every block
Constantly patched as Imperva detects automation
Slow, memory-hungry and hard to scale
VS
The Hyper Solutions approach

One unified API call

Sub-10ms reese84 sensor generation
___utmvc payload generation from script content
Works with your own HTTP client, no browser
Auto-updated by our team when Incapsula changes
Full coverage

Every Incapsula challenge, one API

Select a challenge type to see what it is, when it fires, and exactly how we resolve it.

Reese84 Sensor

Core
POST /reese84
sensor required reese84 valid
What it is

The core Incapsula check. A hidden sensor script collects device and timing entropy and expects a signed reese84 sensor payload before it issues a valid reese84 token.

When it is triggered

On virtually every Incapsula-protected endpoint, your first request is challenged until valid reese84 data is posted.

How our API solves it

Send the page URL, script content, script URL, user-agent, IP, accept-language and optional PoW context to the API. We return the reese84 sensor payload in under 10ms. POST it to the sensor script and set the returned value as your reese84 cookie.

reese84.py
result = session.generate_reese84_sensor(
    IncapsulaReese84Input(
        page_url=page_url,
        script=reese_script,
        script_url=reese_script_url,
        user_agent=ua,
        ip=proxy_ip,
        accept_language="en-US,en;q=0.9",
    )
)
token = post(reese_script_url, result.payload).text
# set token as the reese84 cookie
Returns
payload
The workflow

How the bypass works

Pick Reese84 or UTMVC and follow the same flow. Find the script, generate the payload, submit it, and store the cookie. Most developers integrate in under 30 minutes.

01

Find the script path

Load the page and parse it for the reese84 sensor-script path Incapsula injected.

session.parse_reese84_script_path(page.text)
02

Generate sensor via our API

Send the script, script URL, page URL, user-agent, IP, accept-language and optional PoW context to the API. It returns the reese84 sensor payload, ready to submit.

session.generate_reese84_sensor(...)
03

Submit to the script

POST the sensor to the script with the target parameters. The response carries your token.

POST payload -> token
04

Set the cookie

Take the token from the response and set it as the reese84 cookie. Protected routes now pass.

client.cookies["reese84"] = token
request timeline · incapsula reese84 validation
you->GET https://www.target.com/
site<-200 page · reese84 script reference · no trusted cookie
you->parse reese84 script URL + current session context
you->POST Hyper API · /reese84 script + scriptUrl + userAgent + pageUrl
hyper<-200 · reese84 payload · 9ms
1 · new API round trip · <10ms
you->POST payload to reese84 script endpoint
site<-200 · reese84 token returned
you->GET protected route with reese84 cookie
site<-200 OK request allowed
Full walkthrough with code in every SDK -> examples repo
The case for an API

API vs browser automation

Headless browsers can technically run the reese84 sensor until the next Imperva update, or until the per-session overhead crushes throughput. Here's how a managed API compares on the metrics teams actually feel.

Metric
Hyper Solutions
Puppeteer / Playwright
Reese84 generation
<10ms
3-9 seconds
UTMVC generation
<50ms
1-3 seconds
Memory usage
<1 MB per call
200-500 MB per session
Maintenance
Zero, auto-updated by our team
Script updates break it
Detection rate
Low, native sensor generation
High, framework fingerprinted
Scalability
Millions of solves, horizontally
Hundreds of concurrent solves
* Performance comparison based on real-world testing of airline award availability scraping. Browser automation metrics include full page loads with all resources. Results may vary based on target website, network conditions, and implementation.
Pricing

Pay for requests, not browsers

One account covers Akamai, Kasada, DataDome and Incapsula. Start self-serve, then move to a monthly bundle for a lower per-request rate. Reese84 and UTMVC are included on every plan.

Pay as you go

Self-serve. Top up a balance and pay only for the requests you generate.

€3/ 1k requests
flat rate · every Incapsula challengeStart free trial
All four Hyper products
Reese84 and UTMVC included
Auto-updated against every Incapsula change
Sub-10ms reese84 generation
Community Discord support
Integration support not included
Most popular
Subscription

A monthly request bundle with the best per-request rate. Pick the volume that fits.

350/ month · 250K requests
about €0.0014 per requestCreate account
Everything in pay as you go, plus
250K requests / month included
Lower per-request rate at higher volume
Direct support from the engineers
Migration help from your old stack
Enterprise

Committed-use volume pricing with a direct line to the founding team.

Custom
Let's talk volumeTalk to the team
Volume and committed-use pricing
Contractual SLAs, open to your terms
Mutual NDA (MNDA) standard
Dedicated Slack channel with our team
Auto-updated against every Incapsula change
Integration support is included with every Subscription and Enterprise plan, and pay-as-you-go is self-serve. Need more than 1M requests a month? Talk to sales.
Deep dive

Outputs & example payloads

What the API returns, what Incapsula sets, and exactly what a reese84 or UTMVC request and response look like on the wire.

Fields and where they come from
userAgentyou provide

The exact browser user-agent used on the page request and payload submission.

pageUrlyou provide

The target page URL where Incapsula injected the challenge.

scriptyou provide

The Reese84 or UTMVC script content fetched from the target.

scriptUrlparsed

The script URL parsed from the target page. POST the generated payload back to this flow.

ipyou provide

The egress IP the payload is generated for. It must match the IP your target request exits from.

acceptLanguageyou provide

The Accept-Language header from the same session, kept consistent across the flow.

powoptional

Optional proof-of-work context when the target challenge includes it.

POST https://incapsula.hypersolutions.co/reese84

{
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
  "pageUrl": "https://www.target.com/login",
  "script": "/* reese84 challenge script */",
  "scriptUrl": "https://www.target.com/_Incapsula_Resource?...",
  "ip": "203.0.113.10",
  "acceptLanguage": "en-US,en;q=0.9",
  "pow": "optional-pow-context"
}
SDKs

In your language.

MIT-licensed, on npm / PyPI / GitHub. Reese84 parsing, UTMVC payload generation, captcha escalation detection, and cookie validation in every SDK, or skip them and hit the HTTP API directly.

Nodenpm i hyper-sdk-js
Pythonpip install hyper-sdk
Gogo get github.com/Hyper-Solutions/hyper-sdk-go/v2
Read the docs
FAQ

Incapsula bypass questions

Anything not covered here, including whether your exact target is supported, gets a faster answer in Discord than anywhere else.

Ask in Discord
After you POST the generated sensor to the script and set the returned token as your reese84 cookie, your next request to a protected route returns 200 instead of a challenge.
Reese84 is the core sensor, a signed JavaScript fingerprint payload. UTMVC is a separate challenge layer that issues the ___utmvc cookie after a rotating script runs. Some sites use one, some use both.
Yes, when Incapsula escalates to hCaptcha or GeeTest. Use a third-party captcha solver for that provider, submit its token to the target, then resume the standard reese84 or UTMVC flow.
Yes. The API targets Incapsula and Imperva itself rather than any single site, so it works across enterprise retail, finance, travel and SaaS targets.
You manage your own HTTP client cookie jar as usual. The API returns a payload; you POST it through the target flow and store the resulting cookie.
Usual culprits are an IP mismatch, a rotated user-agent, or an unhandled UTMVC or captcha layer. Match IP and UA, handle those layers, and the blocks clear.

Ready to bypass Incapsula protection?

Drop in an official SDK and clear your first challenge in minutes. Pay-as-you-go to start, with subscription bundles when you scale.

Create account Read the docs
self-serve · pay per call · no minimums