
Why Vanguard can't catch 2PC aimbots


Vanguard is a kernel-mode driver. Technically, it's an x64 signed driver that Windows loads into ring 0 at boot, before any user-mode process starts. Once loaded, it has access to everything: process memory, kernel callbacks, driver signatures, loaded DLLs, page fault handlers, every low-level hook point an anti-cheat might care about.

That's the problem internal cheats are trying to solve, and it's why most of them fail eventually.

How Vanguard finds internal cheats

Internal cheats, the kind that inject DLLs into the Valorant process or read its memory via a driver, have to live somewhere on your machine. Vanguard monitors:

  • Process memory of every running executable, flagging suspicious API calls or known cheat signatures
  • Loaded drivers against a growing blocklist of vulnerable or known-bad drivers (BYOVD attacks, abusable signed drivers, etc.)
  • Hook points at common injection spots (kernel callbacks, syscall table modifications)
  • Integrity of the Valorant process itself, checksumming code pages, watching for unexpected threads

When a new cheat releases, it has maybe a few weeks of runway before Vanguard's heuristics pick up either the cheat's own driver or the technique it uses. When a ban wave hits, the pattern is visible: big drops in a specific cheat provider's user count, shuttered Discord servers, chargeback spikes.

What 2PC setups change

The technique is old, almost stupid in its simplicity: run the cheat on a different computer.

That computer does three things: read the Valorant video feed via a capture card, detect enemies using AI computer vision, and send aim adjustments as real mouse input through a hardware aim device.

Now consider what Vanguard can see on the gaming PC:

  • Valorant (unchanged, running normally)
  • Windows (unchanged, running normally)
  • A capture card driver (commodity hardware, HDCP-compliant, doesn't capture DRM content, nothing suspicious)
  • A mouse connected via USB (Ferrum, presenting as a standard HID device)

That's it. The cheat itself is on a completely different physical computer, running a completely different OS image, connected only by HDMI (carrying the game video out to the capture card) and USB (carrying mouse input from the aim device in).

Neither of those is anti-cheat territory. Vanguard doesn't scan your monitor. Vanguard can't see across an HDMI cable. Vanguard doesn't scan every mouse you plug in.

But couldn't Vanguard just detect the capture card?

It could try, but:

  • Millions of streamers, content creators, and competitive players use capture cards legitimately. Blocking them would break streaming integrations that Riot actively supports.
  • Hardware capture isn't unique to cheating. It's used for CX testing, accessibility setups, hardware-in-the-loop debugging.
  • Even if Vanguard blocks capture cards, the signal is "capture card present", not "aimbot present". False positive rate would be catastrophic.

Couldn't Vanguard detect the aim device?

An aim device like Ferrum presents to Windows as a standard HID mouse. It's indistinguishable from a Logitech G Pro Wireless at the USB protocol level. Blocking it means blocking mice generally, which Vanguard cannot do.

Some anti-cheats (ESEA's historically) have experimented with mouse movement analysis, looking for statistical patterns that differ from human input. This is where future detection might come from, but:

  • It requires very large training datasets of known-cheater vs known-honest movement
  • False positive rate has to be near-zero, or legitimate players get banned for their real aim
  • Modern AI aimbots (including ours) output movement that mimics human microjitter specifically because the AI is trained on real play footage

This is an arms race, but it's an arms race at the motion-statistics level, not at the detect-the-cheat level. Current state: 2PC aimbots with well-designed motion profiles are effectively statistically invisible.

Why not everyone does this

If 2PC is this safe, why do most cheaters still use internal cheats?

  • Cost: a Ferrum plus capture card plus second PC is €500 to €1000 up front. Internal cheats cost €30 a month.
  • Effort: 2PC takes a weekend to set up right. Internal cheats install like any app.
  • Portability: you can't 2PC on a LAN tournament PC. Internal cheats (in theory) work anywhere until they get detected.

It's a deliberate trade: more up-front cost and effort, for near-permanent undetectability.

What this means for you

If you've been banned before, internal cheats are a treadmill. Every few weeks, another wave, another new account, another round of paying.

2PC is different. Our zero-detection record since launch isn't marketing. It's the natural consequence of running on separate hardware. Vanguard is very good at what it does. We just don't give it anything to do.