Artificial Intelligence
Authors: Sudipto Chandra
Between 2022 and 2026, commodity bot mitigation shifted from binary, single-signal blocklisting toward composite trust scoring: a request is admitted only if it satisfies a conjunction of independently evaluated detection layers. Cloudflare, which fronts a large share of all sites that deploy bot-mitigation tooling, exemplifies this architecture with a stack we decompose into fifteen layers grouped into five domains — network and transport, client environment, behavioral, interactive challenge, and programmable-cryptographic controls. This paper offers a defender-oriented taxonomy of that stack. For each layer we characterize the signal it reads, the structural reason it is or is not evadable, and the residual hardness that remains after best-effort evasion. Our central observation is that evadability is not uniform: layers that read artifacts a client emits (TLS handshakes, HTTP/2 frame ordering, header order) are structurally weak because the artifact can be reproduced exactly, whereas layers that read properties a client must continuously possess (genuine per-zone behavioral history, a privately held cryptographic credential) resist forgery by construction. We argue that the long-run defensive trajectory follows from this asymmetry, and that newer mechanisms such as cryptographic agent attestation are a different kind of control altogether: forgery-resistant by construction. Their present weakness is not cryptographic but a matter of deployment, since current configurations fail open when no signature is presented.
Comments: 7 Pages. Creative Commons Attribution-NonCommercial 4.0 International
[v1] 2026-06-09 20:23:35
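The abstract's closing point, that an attestation layer which fails open adds no hardness against a client that presents no signature, shown as an added example (not code from the paper or from Cloudflare). Assumptions: the request fields, `AGENT_KEYS`, `attestation_state` and `admit` are hypothetical names, the sample requests are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real scheme would verify.

```python
import hashlib
import hmac

# Constructed demo registry (key id -> key). HMAC-SHA256 is a stdlib stand-in
# for the asymmetric signature a real attestation scheme would verify.
AGENT_KEYS = {"agent-demo-1": b"constructed-demo-key"}


def _tag(key, method, path):
    return hmac.new(key, f"{method} {path}".encode(), hashlib.sha256).hexdigest()


def attestation_state(req):
    """Classify the request's attestation as 'valid', 'invalid' or 'absent'."""
    key_id, sig = req.get("key_id"), req.get("signature")
    if key_id is None and sig is None:
        return "absent"
    key = AGENT_KEYS.get(key_id)
    if key is None or sig is None:
        return "invalid"
    expected = _tag(key, req["method"], req["path"])
    return "valid" if hmac.compare_digest(expected, sig) else "invalid"


def admit(req, other_layers_pass, fail_open):
    """Admit only if every layer passes (conjunction of layers).

    fail_open=True: an absent signature counts as a pass, so the layer only
    rejects bad signatures. fail_open=False: absence is a failure.
    """
    state = attestation_state(req)
    attested = state == "valid" or (state == "absent" and fail_open)
    return other_layers_pass and attested


# Constructed sample requests for the demonstration.
SIGNED = {"method": "GET", "path": "/api", "key_id": "agent-demo-1",
          "signature": _tag(AGENT_KEYS["agent-demo-1"], "GET", "/api")}
UNSIGNED = {"method": "GET", "path": "/api"}
FORGED = dict(SIGNED, signature="0" * 64)

if __name__ == "__main__":
    for name, req in (("signed", SIGNED), ("unsigned", UNSIGNED), ("forged", FORGED)):
        print(name, attestation_state(req),
              "fail-open:", admit(req, True, True),
              "fail-closed:", admit(req, True, False))
```

Under the fail-open policy the unsigned request is admitted on the strength of the other layers alone; only the fail-closed policy makes the credential a required conjunct.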
ai.Vixra.org is an AI-assisted e-print repository rather than a journal. Articles hosted may not yet have been verified by peer review and should be treated as preliminary.