How should I respond to exploiters?

When my current system detects exploits, it sorts them into one of a few categories:

  • Clear, unlikely to be exploiting
  • Severity 1, may be exploiting; no penalty (mod called if still on sev 1 after 15 mins)
  • Severity 2, likely exploiting; kick (if still on sev 2 after 15 mins)
  • Severity 3, definitely exploiting; ban (immediately when reaching sev 3)

The severity is based on the user’s history with the anti cheat and how detectable the exploit is, e.g. if you’re being detected as tampering with data your severity is going to rise much faster compared to something harder to pick up, like speedhacking.

3 Likes
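A sketch of the scoring scheme described in the post above, as an added example that is not the poster's code: detections carry a weight by how reliably they can be detected, prior history multiplies it, the score decays over quiet time, and severity 1 and 2 only act after 15 minutes at that level. The weights, thresholds, decay rate and all names are assumptions; time is passed in as seconds so the logic can be run in plain Lua.

```lua
-- Added example, not the poster's code. All numbers below are assumed values.
local WEIGHTS = { data_tamper = 40, teleport = 15, speed = 5 } -- reliable detections rise faster
local THRESHOLDS = { 25, 60, 100 } -- score needed for severity 1, 2, 3
local DECAY_PER_MIN = 1            -- score lost per quiet minute
local DWELL = 15 * 60              -- seconds at severity 1 or 2 before acting

local Tracker = {}
Tracker.__index = Tracker

function Tracker.new(priorOffences)
    local state = { score = 0, level = 0, since = 0, last = 0, prior = priorOffences or 0 }
    return setmetatable(state, Tracker)
end

local function levelFor(score)
    local level = 0
    for i, threshold in ipairs(THRESHOLDS) do
        if score >= threshold then level = i end
    end
    return level
end

-- Apply decay up to `now`; restart the dwell timer whenever the level changes.
function Tracker:update(now)
    self.score = math.max(0, self.score - DECAY_PER_MIN * (now - self.last) / 60)
    self.last = now
    local level = levelFor(self.score)
    if level ~= self.level then
        self.level, self.since = level, now
    end
end

-- Record one detection; players with prior offences climb faster.
function Tracker:report(kind, now)
    self:update(now)
    self.score = self.score + (WEIGHTS[kind] or 0) * (1 + 0.5 * self.prior)
    return self:action(now)
end

function Tracker:action(now)
    self:update(now)
    if self.level == 3 then return "ban" end
    if self.level >= 1 and now - self.since >= DWELL then
        return self.level == 2 and "kick" or "call_mod"
    end
    return "none"
end

-- Constructed run: two tamper detections 30 s apart, then a check 15 minutes later.
local t = Tracker.new(0)
print(t:report("data_tamper", 0), t:report("data_tamper", 30), t:action(30 + DWELL))
```

Because the score decays inside `update`, a player who stops triggering detections drops back down without any separate code path having to remember to lower the severity.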

Ideally, banning in the first place is not what you want to do (unpopular opinion), and instead the game should prevent exploits as much as possible in the first place. If it’s severity 3 and you know it’s exploitable, why not fix the underlying problem? Though it may not be easy, it’s a good approach.

I wouldn’t rely on detection too much anyway, you should also have a game mod team to handle bans. Perhaps a detection system like what you have, integrated with game moderation to find people with history and determine what action to take.

3 Likes

It prevents most exploits, some Severity 1 exploits are ignored as they can often be false positives, however, the game does not allow users to clearly exploit.

Usually this is what happens, reports from users are sent before the user’s exploits to trigger the server enough times to trigger punishment; not to mention moderators are often alerted automatically.

Thank you for your response, it has given me insight.

I’m going to mark the post as resolved later on so that way the post isn’t ignored.

Personally I feel as if this approach is considered old-fashioned without the ability to restrict IPs (not including the hacky workarounds to achieve it).

Most exploiters use throwaway accounts to do damage, therefore banning them is just simply going to provoke them. As ridiculous as this might seem, you should get on the perpetrator’s good side by any means possible. Roblox themselves have resorted to this practice in the past as seen here.

Alright here is how I would go about your system:

  • Clear, unlikely to be exploiting
  • Severity 1, may be exploiting; no penalty (mod called if still on sev 1 after 15 mins)
  • Severity 2, likely exploiting; give a warning (if you receive three warnings you are kicked, then every warning after is a kick)
  • Severity 3, definitely exploiting; ban (kick from the server, if happens three times ban)

So if you get three warnings you get kicked and if you get three kicks you are banned.

In all honesty though, the better way of going about exploiters is to stop them from being able to in the first place. Only trust the client if it doesn’t matter if they edit that script; if not, do it via the server.

1 Like

As Semaphorism said, banning is not ideal, it’s a really bad player experience if it hits innocent players and you will get a lot of complaints. Imagine 1 little bug (forgetting to lower the severity etc.) could result in this. If anything, the best “punishment” in my opinion would be teleporting the suspected player and making them rejoin your game, that would make them have to inject the exploit to the Roblox player again, and if you’re doing this excessively it would result in them getting banned from Roblox for exploiting.

The best solution against this would be to prevent the exploits from happening, but how this works totally depends on your game. For instance, if you have a running game, you would like to set the most acceptable velocity rate to the max speed of the user, and if the player exceeds this for a little period of time, then you would need to do something, but not kicking them or banning them from your game. What you could do would be to lower the player’s max speed and if they’re still exceeding it despite reducing the max speed then you could certainly know they are cheating, just reset them.

But never make the player feel like they’re being “watched”, it just makes them uncomfortable. Sometimes, messages like “Hello, we think you are exploiting and will kindly ask you to stop, proceeding will result in various punishments. Do not attempt to bypass our Anti Cheat 2000” could result in more exploiting. It could make them feel like “Now I must exploit their game to prove them wrong, nobody will know I’m exploiting”.

You can also think of Jailbreak, it was prone to exploiting, they had no checks if players went too fast or teleported. They could rob anything at any time, as soon as the places were available to rob. I’m not sure how the network structure was when I last played and met the exploiter but it really did seem like they had bad input validation and checks on the server, as an exploiter could rob the bank in 0.1 seconds, which must mean that the server was basically just waiting for the client to send a request to give them their money. This is the kind of stuff you want to avoid, have proper checks on your server and on the client.

Having moderators (in the long run) is bad practice, I mean, sure, but you would need many moderators that you can rely on and trust, you would also need to have a good system in place for not making false reports to the mod team. The choice is entirely yours, though.

7 Likes
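The server-side checks this post and the earlier "do it via the server" reply call for, as an added example that is not part of the thread: the server records when a robbery starts, decides the payout itself, and rejects a completion request that arrives too early or from too far away. `ROB_SECONDS`, `MAX_DISTANCE`, `PAYOUT` and the `Robbery` module are hypothetical; positions are plain `{x, y, z}` tables so the logic runs in plain Lua, and in a Roblox server script they would come from the character position the server holds, with `now` taken from `os.clock()`.

```lua
-- Added example; ROB_SECONDS, MAX_DISTANCE and PAYOUT are assumed values.
local ROB_SECONDS = 20   -- minimum time a robbery must take
local MAX_DISTANCE = 30  -- how far from the vault the player may be
local PAYOUT = 500       -- chosen by the server, never read from the client

local active = {}        -- [userId] = server time at which the robbery started

local function distance(a, b)
    local dx, dy, dz = a.x - b.x, a.y - b.y, a.z - b.z
    return math.sqrt(dx * dx + dy * dy + dz * dz)
end

local Robbery = {}

-- serverPos is the position the SERVER holds for the character,
-- not a value sent in the client's request.
function Robbery.start(userId, serverPos, vaultPos, now)
    if active[userId] then return false, "already_robbing" end
    if distance(serverPos, vaultPos) > MAX_DISTANCE then return false, "too_far" end
    active[userId] = now
    return true, "ok"
end

function Robbery.finish(userId, serverPos, vaultPos, now)
    local startedAt = active[userId]
    if not startedAt then return 0, "not_started" end
    active[userId] = nil -- one attempt per start, whatever the outcome
    if now - startedAt < ROB_SECONDS then return 0, "too_fast" end
    if distance(serverPos, vaultPos) > MAX_DISTANCE then return 0, "too_far" end
    return PAYOUT, "ok"
end

-- Clear state when a player leaves so entries do not accumulate.
function Robbery.playerLeft(userId)
    active[userId] = nil
end

-- Constructed run: a request 0.1 s after starting is refused, a normal one pays out.
local vault, nearby = { x = 0, y = 0, z = 0 }, { x = 5, y = 0, z = 5 }
Robbery.start(1, nearby, vault, 100)
print(Robbery.finish(1, nearby, vault, 100.1))
Robbery.start(1, nearby, vault, 200)
print(Robbery.finish(1, nearby, vault, 225))

return Robbery
```

The rejection reasons returned by `finish` are a signal the server can log or count, without the client ever being told which check it failed.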