Knightmare Server-side Anti-Cheat Service [updated 3/19/2025]

I’ve noticed in my time playing lots of various Roblox games here that hacker cheating is pretty rampant among the top games. I have read about various client based anti-cheat resources here and I’m not going to wade into any political debate about client anti-cheat vs. server anti-cheat detection. What I am offering to the community is a server based anti-cheat system that covers most of the basic types of cheating with lots of tune-able settings and detailed explanations for how to use them. I understand that developers want to devote their time to “developing” and not so much to combating cheaters. With this resource, anyone can get some good, basic, anti-cheat service going for any game to spend more time doing what you love to do. I’ll post up some video examples, but this first post is just getting the code out and how to install it in your game.

This anti-cheat service detects (4) types of client based cheating and performs a “soft punishment” when detected. The first being Speed cheating. If a player is moving faster than they should, it will stop them in place until they stop. The second detection is Flying detection. If the player is up in the air longer than makes sense for your game, it will “ground” them; over and over until they stop. The third detection is Teleport cheating. Teleport through walls, extreme long distances, etc. will be punished by being force-teleport back to where they started; over and over until they stop. The final detection is Jump cheating. Players that are jumping higher than what you set will have their velocity sapped so they fall back down when detected.

Everything is now run in the Plugin
No more endless scrolling text of the config files. I’ve setup a modular “Free” plugin that allows anyone to setup and configure all (4) of the basic cheat detection modules directly in Roblox Studio. Easy installation, setup, upgrades, etc. If you want more from the plugin, like the client cheating test tool, revocable player trust settings, etc. Then you can still buy those modules via gamepass or get the full version the same way.

If you would rather go right to the Fully Featured plugin version via a USD purchase, you’ll find that here:

To see this Plugin in action, this is a test world you can play in. The Knightmare Anti-Cheat Testing World is setup under default settings and the plugin Client Cheat Testing Tool enabled for more fun.

I’ve written a developers guide for nearly all of the configuration settings to this service in the tutorial section of the forum here:

Finally:
Fear not, this doesn’t mean this is moving to a paid only service, only that the “old school” way of manually doing the configuration and setup is migrating away from downloading models. The model will remain free like it always has. The plugin is a great way to allow everyone access to this anti-cheat service or allow developers to offer some type of financial support to keep the anti-cheat community going strong!

Example Videos of Anti-Cheat Service vs. Client Exploits:
Running Speed Cheat:

Flying Cheat:

Teleport Cheat:

Jump Cheat: (Default Jump Power 13, then switched to 100, then 1000)

Finally, how much server CPU does this use? This screen-shot below is from a public server running all cheat detections with 10 active players. Basically, it depends on how active the players are, but when watching it myself, it would fluctuate between 0.5% and 0.3% CPU. That’s half a percent or less depending how on much movement the players were doing. So, you can take a linear guess at what load to expect in your game if you want to support 20 players, 50 players, 100 players, etc. I made a simple linear calculation below:
10 players – 0.5% CPU
20 Players – 1% CPU
50 Players – 2.5% CPU
100 Players – 5% CPU
200 Players – 10% CPU
400 Players – 20% CPU
700 Players – 35% CPU

RobloxScreenShot20240102_1348240701462×624 138 KB

This seems pretty good, gotta say it tho, when the running anti-cheat is running it just seems like the Player has bad Internet

I have a tip, move all of the configuration to a ModuleScript so the script is cleaner

I was going to have it in parts for each type of detection because I wanted to be able to have people update without having to re-do the configuration every update but decided to put it all in one big script for ease of installing with one copy/paste action. Unless I find a really major bug in the logic or a bug that causes way too many false detection events despite tuning, the configuration for most will probably be one and done. These detection events are based on what I see most in-game when players are cheating. It can’t be the end all to cheating, but it’s a good start for anyone wanting to stop the most blatant cheaters.

Yes I know, but if you move the Configuration to a ModuleScriot and put it there you will not have to scroll down for 5 minutes to get to the actual code, but if you want to keep it like this then you’re good

If it gets positive attention, I could go that route just for the sake of update ease. I don’t plan on doing lots of changes to it unless Roblox has some features in the future that mimic what this does that is helpful or if I find a better way to detect checking that doesn’t require a very complex system that just eats server CPU. Right now, it’s a big pile of code that someone can look through and decide what they want to use or maybe build off of it as it might need to be tailored more to how their game works, etc.
I just hate to see so many games ruined by blatant client hacking, so I figured I would do my part to at least help.

Yeah I agree, hopefully this gets a lot of attention and you will be able to make less Games be cheated

I didn’t seem to see any setting about changing the HumanoidRig, does this mean this anti-cheat only works with R15?

It works with both by checking for R6 parts and R15 parts in case a sever had a mix of players.

Nice rubberbanding, but why not reset their walkspeed by changing it server-side also? Noobie exploiters will be very confused why their walkspeed is not working because the server is replicating the original walkspeed back to the client.

The client exploiter I was testing with doesn’t work that way. It basically locks in the client speed, so setting this on the server had no effect in my testing. I’m not sure why Roblox designed the client/server this way, but it seems to work like this:
Normal Way:
Server → Client “Hey, use walkspeed 16”
Client → Server “Ok”

Client Hack
Server → Client “Hey, use walkspeed 16”
Client → Server "Ok, still using walkspeed 900 "

The server has no sanity checks for the client on movement for some reason.
You don’t even need a client hack to test this, just clicking the title bar on the Roblox program (which freezes the program while you move it around the desktop) will freeze your player in mid-air until you let go of the window. The server is 100% trusting what the client sends it, for a lot of things, not everything.

Hm, from my testing, resetting WalkSpeed works and replicates, I know more experienced exploiters can ignore RakNet changes; In which you’d use the rubberbanding method.

At least we have FE now (Because someone thought having the server allow Client to Server replications without any restrictions would be a good idea)

That’s the main reason why I didn’t do any walkspeed changes because the server has no way to tell what kind of exploit the client is using. A normal user should never see the rubber-band effect, even with lag as the walkspeed should have the same drift regardless of lag. If the character is walking at speed 16, even with lag, that will cover the same distance in 0.25 seconds for both the server and client. Of course, no two devices run at exactly the same speed, that’s why I put that fudge factor into it just to balance that part out. That means one could exploit the speed to perhaps 16.5 instead of 16 and maybe still skate by the server detection, but the flat out double, triple, insane speeds that most try to use will be easy to catch. It will never be perfect as one could simply “speed” for a short moment and then wait for the cool-down and then speed again, but the averaging of doing that just makes it harder for the exploiter to play a normal game.

I made some really horrible code to “estimate” the walkspeed based on magnitude and current server-sided walkspeed:

repeat
		local rootcframe = humanoidroot.CFrame
		local resolvedvector = rootcframe.LookVector:Dot(humanoidroot.Velocity) / rootcframe.LookVector.Magnitude
		local result = math.round(math.abs(resolvedvector))
		
		if result > (humanoid.WalkSpeed + 5) and humanoid.Health ~= 0 and ply:IsDescendantOf(game) and humanoid.Sit ~= true then
			warn(ply.Name .." might be changing their WalkSpeed")
			local serverView = humanoid.WalkSpeed
			humanoid.WalkSpeed = 0
			task.wait(0.1)
			print(ply.Name .."'s WalkSpeed was reset to ".. serverView)
			humanoid.WalkSpeed = serverView
		end

		task.wait(3.5)
	until halt == true

It has a few redundant checks, it’s old code, nothing much to write home about but I’d thought I would share
result > (humanoid.WalkSpeed + 5) is used as a buffer

Why don’ t you just use math.floor and a Part’ s Magnitude, if it’ s normal it should return the actual player’ s WalkSpeed! Also the setting humanoid WalkSpeed to 0… I don’ t know about that since well they can just change their velocity to their MoveDirection * HackyNumber, so why don’ t you neutralize their velocity if that happens?
Edit: The waits are really unnecessary

In my testing, if you try to extrapolate the speed from the magnitude of the velocity, then you rely on the “client” to be sending truthful information about the velocity which can be hacked to report false numbers. The only “hack-proof” way I’ve discovered to measure the speed is the player position. The player position can also be “hacked” because the client can send any position also (that’s how the teleport hacks work) but doing a rolling position compare is not hack-able because it depends on the logic checking it. The moment the player enters the server, it’s location is recorded and compared to the previous after a short delay. This rolling path of movement can be checked logically by the server for speed cheating (among other things). Anything that depends on the client being “truthful” such as walkspeeds, etc. won’t work when the client has full control over this.
As far as the task.waits, I’m not sure of what other way a server can “track” time? Using server frames isn’t reliable because those go down as the server gets busy, but the way I’m using the task.waits also has a drift calculator that keeps the speed calculations in-line with the actual player speed.

If there is a more efficient way to calculate player speed that doesn’t depend on the client sending “true” information, I’m all for it.

Sprint systems are most likely on the client.

It would be smart to treat all exploiters like the smartest exploiters. I wouldn’t rely on hope that the exploiter is dumb!

There is a problem because when falling it triggers speed cheat, not fall cheat

Yeah, that part can be tricky. In the configuration section this part below (in code section). The default freefall time is 2.0 seconds. This has to be tweaked against the “highest” possible fall in your game. An easy way to check what is working, enable the debug output for speed cheating and watch the values as you test jump off your highest possible points in your game. If your game has points to jump off that are so high that the player is spending a long time in freefall (accelerating the entire way) the freefall default might have to be so high that it makes it difficult to detect the difference between falling fast and just moving too fast. If those really high “falling” events are rare, then using a very high freefall time might not be an issue. It will vary from game to game.

--[[
How long to ignore Free Fall in seconds when ignoreFreeFalling is set to false above.
Once the timer expires, the speed will be tracked again to check for speed cheat
detections even when falling.
Default = 2.0 seconds
--]]
local debugSpeedCheatDetection = false

local maxFreeFallTime = 2.0