Almost every paid FiveM anticheat lists "heartbeat protection" or "anti-tamper" on the feature page. Almost none of them explain it. Here is the actual mechanism, the failure modes that kill cheap implementations, and what to look for when you evaluate a product.
What a heartbeat does
The problem the heartbeat solves: if your anticheat is a Lua resource on the client, a sufficiently determined cheat can stop it from running. The cheat finds the resource in the loaded list, terminates it, swallows the error, and continues. The player then looks like a clean session because the AC stopped reporting.
A heartbeat counters this. The client-side AC sends a small, signed message to the server on a fixed interval (typically every 1 to 5 seconds). The server tracks the interval and reacts when the messages stop arriving - kicking, flagging, or banning depending on configuration. If a cheat kills the client-side AC, the server stops getting heartbeats and acts on the silence.
What makes a heartbeat actually work
A heartbeat is only useful if the cheat cannot fake it. Cheap implementations fail at three specific points:
- Forgeable signing. If the heartbeat payload is just a constant string ("ALIVE"), a cheat can keep sending that same string after killing the AC, and the server cannot tell the difference. Real heartbeats are signed with a per-session key the server issues at connect time.
- Static intervals. If the heartbeat fires every 5.000 seconds on the dot, a cheat can replay the last legitimate heartbeat on schedule. Real heartbeats include a server-issued nonce or a rolling counter so each message is unique and ordered.
- Single-source verification. If the server only checks "did I get a message in the last N seconds," a cheat can cooperate by sending fake messages. Real implementations cross-reference the heartbeat with other signals (event timing, trust score, session metadata) so a forged heartbeat alone is not enough to look clean.
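The first two points above, sketched as an added example (not code from any anticheat product): a server-side verifier in JavaScript, using Node's built-in `crypto`, that issues a per-session key, checks an HMAC over a rolling counter, and rejects replayed or unsigned beats. The function names, the `playerId|counter` message layout and the in-memory session map are assumptions made for illustration.

```javascript
// Added example: server-side heartbeat verification (all names hypothetical).
const crypto = require('crypto');

const sessions = new Map(); // playerId -> { key, lastCounter, lastSeen }

// Connect time: the server issues a random per-session key.
function openSession(playerId, now) {
  const key = crypto.randomBytes(32);
  sessions.set(playerId, { key, lastCounter: 0, lastSeen: now });
  return key; // delivered to the client-side AC for this session only
}

// The MAC covers player id and counter, so a beat cannot be reused for
// another player or for another position in the sequence.
function signBeat(key, playerId, counter) {
  return crypto.createHmac('sha256', key)
    .update(`${playerId}|${counter}`)
    .digest();
}

// Returns 'ok', or the reason the beat was rejected.
function verifyBeat(playerId, counter, mac, now) {
  const s = sessions.get(playerId);
  if (!s) return 'no-session';
  // The rolling counter must strictly increase: a replayed beat fails here.
  if (!Number.isSafeInteger(counter) || counter <= s.lastCounter) return 'replay';
  const expected = signBeat(s.key, playerId, counter);
  if (!Buffer.isBuffer(mac) || mac.length !== expected.length ||
      !crypto.timingSafeEqual(mac, expected)) return 'bad-mac';
  s.lastCounter = counter; // state advances only on a valid beat
  s.lastSeen = now;
  return 'ok';
}

// Silence check: whole intervals elapsed since the last valid beat.
function missedBeats(playerId, now, intervalMs) {
  const s = sessions.get(playerId);
  return s ? Math.floor((now - s.lastSeen) / intervalMs) : Infinity;
}
```

Because the session key has to live in client memory, a valid MAC shows that the session is continuous, not that the client is intact, which is why the cross-referencing in the third point still applies.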
Where it sits in the detection stack
A heartbeat is a complement to other detection layers, not a replacement. Here is what each layer detects:
- Signature scan: catches known cheats running normally.
- Behavioral scoring: catches unknown cheats producing abnormal telemetry.
- Heartbeat: catches cheats that try to disable detection itself.
- Server-side event validation: catches cheats that attack handlers regardless of the client state.
A cheater who kills the client-side AC cannot evade the heartbeat. A cheater who tries to forge the heartbeat cannot evade the signing or the nonce. A cheater who does both still cannot evade server-side event validation. Each layer covers a class of attacks the others miss.
Failure modes worth knowing
Heartbeat systems have a real-world cost: they generate noise on player disconnects, especially on lower-bandwidth connections.
- Network drops. A player on a flaky home internet connection may legitimately drop heartbeats during a 30-second outage. A naive implementation would kick them; a tuned one waits for several missed beats and confirms with another signal before acting.
- Client crashes. If the FiveM client crashes, the heartbeat stops. If the server kicks immediately, the player gets a confusing "you were kicked" message instead of a clean disconnect. Most products treat the first 10 to 30 seconds of silence as a possible crash before escalating.
- High-latency regions. Players in geographically distant regions may have heartbeat timing variance that a strict interval rule would flag. Tunable intervals per server help here.
These are tuning problems, not architectural ones. The interesting question for evaluating a product is whether the vendor exposes the tuning knobs (timeout, escalation policy, jitter tolerance) or hides them behind a single "enable heartbeat" toggle. The latter forces you to take the vendor's defaults regardless of whether they fit your player base.
Practical takeaway
When evaluating an anticheat for heartbeat protection specifically, the questions to ask:
- Is the heartbeat signed with a per-session key issued by the server?
- Does the protocol include a server-issued nonce or rolling counter?
- What is the default timeout, and is it tunable?
- What action is taken on a missed heartbeat - kick, soft-ban, flag for admin review?
- Does the system cross-reference heartbeat health with other signals before acting?
Vendors that can answer all five clearly are running real anti-tamper. Vendors that wave at heartbeat as a marketing bullet are usually shipping the cheap version that loses to a moderately competent cheat in under a week.