Dual-layer architecture: how Raven Anticheat runs client + server detection together
Raven runs client-side and server-side detection in parallel by default. Bypassing either layer leaves the other one watching - which is what stops most modern Fivem cheats from going undetected.
Why a single layer is not enough
Most Fivem anticheats lean on one layer of detection: either a hardened client-side stack that watches for injected DLLs, hooked APIs, and known menu signatures, or a server-side stack that validates events and rejects impossible game-state transitions. Each layer has a known failure mode. A client-side-only AC fails the moment a cheat manages to hide its loader from signature checks. A server-side-only AC fails the moment a cheat respects the legal event surface but uses client-side hacks (silent aim, ESP, wallhacks) that never trigger a server event. Dual-layer detection means the layer that does see the cheat catches it, and the layer that does not still produces a behavioral signal that admins can review.
What the client layer watches
On the client side, Raven monitors injected modules, hooked engine functions, NUI DevTools state, the integrity of its own resource files, and the runtime presence of known cheat loaders. Signatures for the most active mod-menu families - Eulen, Redengine, HamMafia, Lynx, Impulse, Nexus - are kept current on a 1-7 day shipping cadence (see /changelog). When a known signature fires, evidence is captured (screenshot + detection trace) and uploaded to the cloud panel. When the signature does not fire but anomalies do, the trust score on that player drops, surfacing them on the live map for admin review.
What the server layer watches
On the server side, Raven runs an event-validation pass on every server event the player triggers. Event names that should never come from a client are blocked outright; event payloads that exceed plausible bounds (item quantities, money deltas, vehicle spawns per minute) are rejected and logged; event sequences that match known exploit patterns - the chained event sequence used by Redengine variants, for example - are blocked at the pattern level. Server-side detection runs even if every client check is bypassed, which is why server-side coverage is non-negotiable.
How the two layers cooperate
A heartbeat loop ties the layers together. The client periodically reports a signed hash of its critical runtime state to the server. If the heartbeat stops, the server treats the client as tampered and applies the configured response - warn, kick, or auto-ban. If the heartbeat keeps coming but its payload no longer matches expected values, the server logs the divergence and feeds it into the trust-score model. Either way, the server has a continuous read on whether the client layer is still functioning, so a cheat that disables the client layer immediately becomes visible from the server side.
Why this matters for "bypass-resistant"
No anticheat is bypass-proof. The honest framing is that bypassing a single-layer AC requires defeating one stack; bypassing dual-layer Raven requires defeating two stacks at the same time, plus the heartbeat, plus the trust-score model that surfaces behavioral anomalies. The cost of a successful undetected bypass is meaningfully higher, and the time it takes to ship a patch is shorter, because the layer that did notice the cheat hands its capture data to the team that ships the next signature update.