CoreShun Anti-Exploit Suite
Production-grade exploit defense for Roblox games
Overview
A modular, server-authoritative anti-exploit system that protects your game against the most common exploits — speed hacks, teleport, fly, jump cheats, humanoid tampering, remote spam, and more. Comes with a polished in-game admin dashboard, persistent ban storage, optional Discord webhook alerts, and a configurable strike system that auto-kicks and auto-bans repeat offenders.
Built on the same architecture as the CoreShun Admin Dashboard. Open source, fully readable Luau, no obfuscation.
Features
9 Detection Modules
- Walkspeed — flags abnormal movement velocity (default >34 studs/s)
- JumpPower — catches super-jump exploits via jump-height tracking
- Teleport — detects sudden position deltas in a single tick
- Fly — flags airborne players who don't fall
- Noclip — experimental wall-clip detector (off by default)
- RemoteSpam — per-player rate limiter for RemoteEvents
- HumanoidTampering — server-watches WalkSpeed/JumpPower/HipHeight property changes
- InvalidAnimation — optional animation ID whitelist enforcement
- AltAccountFlag — flags suspicious new accounts
Strike System
- Configurable strikes per detection (1-10) and per-detection severity (1-3)
- Auto-kick threshold (default 5 strikes), auto-ban threshold (default 12)
- Strikes auto-decay (default: 1 strike removed every 60 idle seconds)
- Admins can clear strikes from the dashboard
Live Admin Dashboard (in-game)
- Live Feed — real-time stream of detections, color-coded by severity
- Players — active roster with strike counts, whitelist toggle, history lookup
- Stats — total counts grouped by detection type and action taken
- Bans — active ban list with one-click unban
- Settings — runtime ON/OFF for each detection (no restart needed)
- Open with Right-Ctrl, F4, or chat command /aex
Server-Authoritative Architecture
- All enforcement happens server-side — the client cannot lie or bypass
- Heartbeat-driven detection loop with per-check sample rates
- Whitelist support for testers, devs, and content creators (UserId, group rank, game owner)
- Spawn grace period prevents false positives during respawn
5 Action Types Per Detection
- Log — silent record only
- Warn — notify the player
- Rollback — reset position/velocity to last legal state
- Kick — remove from server with custom message
- Ban — persistent DataStore ban with rejoin block
Persistent Storage
- Per-player rolling incident history (last 100, configurable)
- Persistent ban records survive server restarts
- Global aggregate stats DataStore
- Auto-flushed every 30 seconds and on server shutdown
- Browse anytime with the DataStore Editor plugin
Optional Discord Webhook
- Real-time alerts to your Discord channel for high-severity detections
- Severity-filtered (only fires for severity ≥ configured threshold)
- One-line setup: paste webhook URL into config
Easy Installation
- Drop the .rbxmx into Studio — auto-places into ServerScriptService and StarterPlayerScripts
- Add your UserId to Config.Admins to access the dashboard
- Tune detection thresholds for your game's pace
- Press Right-Ctrl in-game and start watching detections fire
What's Included
- AntiExploitConfig.lua — single source of truth for all thresholds and admin/whitelist
- AntiExploitServer.lua — main detection engine with all 9 modules
- AntiExploitClient.lua — lightweight client (auto-mounts dashboard for admins)
- AntiExploitDashboard.lua — full 5-tab admin UI
- TestExploits.lua — developer test panel to simulate exploits on yourself
- README.txt — full installation and usage docs
Installation
Option A: Model File (.rbxmx)
- File > Insert from File > select CoreShunAntiExploit.rbxmx
- Scripts auto-place into ServerScriptService and StarterPlayerScripts
- Open AntiExploitConfig.lua and add your UserId to Config.Admins
- Press Right-Ctrl in-game to open the dashboard
Option B: Manual
- AntiExploitConfig.lua → ServerScriptService (ModuleScript)
- AntiExploitServer.lua → ServerScriptService (Script, sibling of config)
- AntiExploitClient.lua → StarterPlayer.StarterPlayerScripts (LocalScript)
- AntiExploitDashboard.lua → StarterPlayer.StarterPlayerScripts (ModuleScript, sibling of client)
Frequently Asked
Will this false-positive my fast-paced game?
All thresholds are configurable per detection. Adjust MaxWalkSpeed/Tolerance for your game, or disable individual detections that don't fit your gameplay.
Does this catch every exploit?
No anti-exploit catches everything. This focuses on the highest-impact server-side checks. Combine with FilteringEnabled, server-authoritative gameplay, and good RemoteEvent validation.
Can I add my own custom detections?
Yes. The codebase is open and extensible. Each detection follows the same pattern: a check function that calls applyAction(player, name, detail, action, severity).
Does it integrate with my existing admin tools?
The system is standalone but uses the same DataStore patterns as my Admin Dashboard. You can read incident logs from your own UI by querying CoreShunAntiExploitIncidents.
Support
Discord: discord.gg/hdB5tadkk8
Open source. Fully readable Luau. No obfuscation. Modify freely.
