How Does Activision Ricochet Work?

Ricochet is Activision's kernel-mode anti-cheat for Call of Duty (Modern Warfare, Warzone, Vanguard, Modern Warfare II, MWIII, Black Ops 6, Black Ops 7). It loads a signed kernel driver, performs signature scanning, hooks the standard kernel callbacks for process and image events, runs server-side replay analysis ("Spectator" and damage-shield systems that cloak or de-armor suspected cheaters), and in Black Ops 7 (2025) added Microsoft Remote Attestation as a gating layer. Massive ban waves are typical.

RawCheats Anti-Cheat Research Team. Updated May 12, 2026

Ricochet launched in late 2021 as Activision's answer to escalating cheat-driven attrition in Warzone. It has gone through five years of expansion and now spans every modern Call of Duty title. The architecture pairs a kernel-mode client-side component with a deeply integrated server-side decoupling layer that responds to suspected cheaters in real time.

Kernel driver basics

Ricochet ships a signed kernel driver loaded at COD launch. It registers process creation, thread creation, and image-load callbacks via the standard PsSetCreateProcessNotifyRoutineEx / PsSetLoadImageNotifyRoutine / PsSetCreateThreadNotifyRoutine interfaces, strips handle access rights to the COD process, scans memory for cheat signatures, walks loaded module lists for traces of recently-loaded drivers, and exports telemetry. So far this is conventional kernel AC.

What makes Ricochet distinctive — server-side mitigations

Ricochet pioneered server-side cheat mitigation rather than pure ban response. When the AC suspects a player of cheating but hasn't yet earned a confirmation-grade signal, the server can: (1) "Cloak" — make the suspected cheater invisible to the suspected wallhack's perspective; (2) "Damage Shield" — render the suspected cheater immune to bullets from the suspected aimbot user; (3) "Hallucinations" — inject fake player models into the cheater's view. The point is to let the suspected cheater "burn" — to keep playing detectably-broken sessions long enough to collect evidence — rather than tip them off with an instant ban.

Black Ops 7 and Remote Attestation

Call of Duty Black Ops 7 (Nov 2025) added Microsoft Remote Attestation as part of Ricochet's startup flow. The implementation rejects sessions where the TPM-signed attestation quote indicates an untrusted boot state — test-signing enabled, unsigned drivers loaded, Secure Boot disabled. This is the first AAA shooter to publicly gate matchmaking on platform attestation. The implication: BO7 raised the floor of "what hardware-software state is required to play" higher than any prior COD release. See What is Microsoft Remote Attestation.

Ban wave cadence

Ricochet runs aggressive ban waves — typical announcement patterns are quarterly with single-wave totals in the tens of thousands to low hundreds of thousands. Activision publishes Ricochet progress reports periodically with ban totals. The pattern: bans land in waves rather than instantly, accumulated evidence is processed in batches, and many bans pull from telemetry weeks old.

What Ricochet reads — and what it doesn't

Like every kernel AC, Ricochet sees: process memory in the COD process, loaded drivers on the system, kernel callbacks for new processes, SMBIOS and hardware fingerprint, TPM identifiers and (for BO7+) attestation quotes. It does not see: contents of a separate machine, properly hidden DMA reads with bypassed IOMMU + AER-clean firmware, or perfectly externalized cheating that never touches the COD process address space. The arms race converges where it always does — hardware roots of trust and behavioral ML.

Practical impact and RawCheats

COD is one of the cheat industry's biggest markets and one of the most ban-heavy. Operating safely requires aggressive HWID hygiene (always run a spoofer before cheating sessions — see Raw Spoofer), behavioral tuning (no obvious aimbot, no clear no-recoil, tournament-tier settings — see our COD Warzone Guide), and account isolation (cheating account ≠ main, ever). The Ricochet architecture punishes carelessness brutally and disproportionately at wave-ban time.

Forward look

BO7's attestation move suggests Ricochet is the AAA AC most aggressively committing to the hardware-attestation roadmap. Expect TPM-bound HWID enforcement, possible Pluton-gated matchmaking, and continued investment in server-side ML cloaking. The "buy the cheap public cheat and play Warzone" era is over; what remains is a smaller, more careful, more expensive cheating market.

How Ricochet compares to EAC, BattlEye, and Vanguard

Ricochet sits in the upper-middle of the kernel-AC stack. It's less invasive at the platform-attestation level than Vanguard (which requires TPM 2.0 + ELAM-loaded driver + Secure Boot at full enforcement), and roughly on par with BattlEye and EAC for client-side kernel surveillance. Where Ricochet distinguishes itself is the server-side mitigation layer — the Cloak/Damage Shield/Hallucinations system has no direct analog in other consumer ACs. Most ACs flag-and-ban or flag-and-review; Ricochet flags, degrades the cheater's experience, then bans. This produces longer evidence-collection windows and harder-to-anticipate ban timing.

What Ricochet has been adding through 2024-2026

The trajectory: deeper Unreal Engine integration (COD shares engine lineage with Unreal-derived branches), expanded behavioral ML on demo replays, the Black Ops 7 Microsoft Remote Attestation flow, and tighter HWID-correlation through Activision's account infrastructure. Black Ops 7's Nov 2025 launch was the most significant Ricochet upgrade in years — the attestation gate moved COD's AC floor up materially. For cheaters, the practical impact is that COD has shifted from "moderate" to "harder" on the difficulty scale within 18 months. The "buy a public cheat for $15/month and grind Warzone" era is structurally over for serious cheaters. See COD Warzone Cheats Guide.

Sources

  1. Ricochet Anti-Cheat (Activision)
  2. Ricochet Progress Update (Activision)
  3. BO7 Anti-Cheat Update (Activision)

Related Questions

How Do Server-Side Detections Like Spray Analyzers Work?

Spray analyzers are server-side anti-cheat detectors that compare a player's recoil compensation pattern against the weapon's actual recoil curve across many shots. A human player produces variance shot-to-shot; a no-recoil cheat produces statistically perfect compensation. Server-side ML analyzes the inverse correlation between weapon recoil vector and player view-angle deltas, flags sessions where the correlation is improbably close to -1.0, and queues bans. PUBG's Zakynthos used this to ban 45K accounts Feb 23 - Mar 1, 2026.
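The correlation check described above, as an added example that is not code from this page, Activision, or any anti-cheat vendor. It assumes a single vertical recoil axis, and the -0.995 threshold, the 30-shot minimum and the sample sessions are constructed for illustration.

```python
import math
import random

def pearson(xs, ys):
    """Pearson correlation; returns 0.0 when either series has no variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def flag_session(recoil, view_delta, threshold=-0.995, min_shots=30):
    """Flag a session whose compensation tracks recoil almost perfectly.

    recoil[i] is the weapon's vertical kick on shot i and view_delta[i] is
    the player's view-angle change over the same shot. threshold and
    min_shots are assumed values, not figures from any real detector.
    """
    if len(recoil) != len(view_delta):
        raise ValueError("series must cover the same shots")
    if len(recoil) < min_shots:
        return False  # short bursts correlate strongly by chance
    return pearson(recoil, view_delta) <= threshold

def sample_sessions(shots=60, seed=1):
    """Constructed data: one noisy human-like series, one near-perfect one."""
    rng = random.Random(seed)
    recoil = [rng.uniform(0.5, 1.5) for _ in range(shots)]
    human = [-0.8 * r + rng.uniform(-0.4, 0.4) for r in recoil]
    near_perfect = [-r + rng.uniform(-0.005, 0.005) for r in recoil]
    return recoil, human, near_perfect

if __name__ == "__main__":
    recoil, human, near_perfect = sample_sessions()
    for label, series in (("human", human), ("near-perfect", near_perfect)):
        r = pearson(recoil, series)
        print(f"{label}: r={r:.4f} flagged={flag_session(recoil, series)}")
```

The minimum-shot guard matters in practice: a correlation computed over a handful of shots is too unstable to act on, so evidence has to accumulate across a session before a flag means anything.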

What Is a Kernel-Level Anti-Cheat?

A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.

What Is Microsoft Remote Attestation?

Microsoft Remote Attestation is a Windows platform feature that lets a remote server cryptographically verify a client device's identity, boot state, and configuration using the TPM 2.0 endorsement key (EK) certificate plus signed boot-log measurements. The TPM signs an attestation quote with a hardware-protected key, the server validates it against the TPM vendor's CA, and the result is a non-spoofable answer to "is this machine in a trusted state?" Adopted by Call of Duty Black Ops 7 and increasingly by AAA anti-cheats in 2026.
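The server-side check this answer and the Black Ops 7 section describe, as an added sketch that is not Microsoft's or Activision's implementation. It assumes the quote's signature and certificate chain were already validated, and the event-log layout, PCR indices and driver names are constructed, simplified stand-ins for the binary TCG log.

```python
import hashlib
import hmac

ZERO = b"\x00" * 32  # PCRs start at all zeroes

def replay(log):
    """Recompute PCR values by extending each event's SHA-256 in log order."""
    pcrs = {}
    for pcr, kind, value in log:
        event = hashlib.sha256(f"{kind}={value}".encode()).digest()
        pcrs[pcr] = hashlib.sha256(pcrs.get(pcr, ZERO) + event).digest()
    return pcrs

def pcr_digest(log):
    """Digest over the replayed PCRs, the value a quote commits to."""
    pcrs = replay(log)
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

def evaluate(log, quoted_digest):
    """Return the reasons to reject a session; an empty list means admit."""
    # The log is client-supplied, so it counts only if it reproduces the quote.
    if not hmac.compare_digest(pcr_digest(log), quoted_digest):
        return ["event log does not match quoted PCR digest"]
    state = {kind: value for _, kind, value in log if kind != "Driver"}
    reasons = []
    if state.get("SecureBoot") != "on":  # a missing event fails closed
        reasons.append("Secure Boot disabled")
    if state.get("TestSigning") != "off":
        reasons.append("test-signing enabled")
    for _, kind, value in log:
        name, _, status = value.partition(":")
        if kind == "Driver" and status != "signed":
            reasons.append(f"unsigned driver loaded: {name}")
    return reasons

# Constructed sample logs: (pcr_index, event_kind, value). Indices are illustrative.
CLEAN = [(7, "SecureBoot", "on"), (12, "TestSigning", "off"),
         (13, "Driver", "storage.sys:signed")]
UNTRUSTED = [(7, "SecureBoot", "on"), (12, "TestSigning", "on"),
             (13, "Driver", "unknown.sys:unsigned")]

if __name__ == "__main__":
    # pcr_digest(...) stands in for the TPM-signed quote of what actually booted.
    print(evaluate(CLEAN, pcr_digest(CLEAN)))
    print(evaluate(UNTRUSTED, pcr_digest(UNTRUSTED)))
    print(evaluate(CLEAN, pcr_digest(UNTRUSTED)))
```

The third call is the case that makes the answer non-spoofable: a log that reads clean is rejected because replaying it does not reproduce the PCR values the TPM quoted.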

What Is the Best COD Warzone Cheat in 2026?

The best COD Warzone cheat in 2026 is extremely hard to find because Black Ops 7 introduced Microsoft Remote Attestation — cryptographic boot-chain validation to Microsoft's cloud. Activision Ricochet runs alongside Remote Attestation, producing one of the hardest AC stacks in 2026. Sustained Warzone bypass requires hypervisor-level engineering that doesn't match consumer-tier cheat pricing. RawCheats does not ship a Warzone product. The Warzone cheat market is heavily concentrated with brittle resellers and infostealer traps.
