Ricochet is Activision's in-house anti-cheat, built specifically for Call of Duty after years of cheating problems in Warzone.
Two halves: kernel driver and server analytics
Ricochet has two parts. On PC it installs a kernel-level driver that loads with the game and monitors for cheats from a privileged position. Separately, server-side analytics watch gameplay for statistically impossible behaviour. The two work together — the driver sees the system, the server sees the patterns.
Mitigations, not just bans
Ricochet is known for in-game mitigations applied to suspected cheaters before a ban: measures that reduce a cheater's effectiveness — limiting their damage, hiding legitimate players from them, or disabling their gear. These buy time while a case is confirmed.
How bans escalate
Confirmed cheating leads to bans, and for repeat or severe cases Activision applies hardware bans. A hardware ban records identifiers from the physical machine, so a new account on the same PC can be caught. The kernel driver gives Ricochet a clear view of those identifiers — disk, network, registry and firmware values alike.
Why the firmware layer matters
As with every kernel anti-cheat, the identifiers Ricochet reads split into two groups: software and registry values that can be changed, and firmware-resident values — the SMBIOS UUID, the BIOS serial — that ordinary software cannot rewrite. A hardware ban that leans on the firmware group is the most durable kind.
The takeaway
Ricochet is purpose-built and aggressive: a kernel driver, server analytics and live mitigations. For anyone researching how modern anti-cheat behaves, it is one of the clearest examples of enforcement that reaches past the account to the hardware itself.