Bot Protection

Ten detection layers, AI crawlers named and catalogued, and numbers that only ever count people.

Everything the filters caught, on one board

The Bot Center shows what never reached your numbers: blocked requests per day, the top offenders by name, which detection method caught them, and the state of the blocklists. Not a black box: a report on the noise, kept separate from the signal.

Your bots get their own dashboard, not your dashboard.

  • Blocked volume per day, with the worst bots named.
  • Every catch attributed to the method that made it.
  • Blocklists auto-refresh; the footer keeps the daily count.

You see exactly what you are not counting.

Bot Center docs
Bot Protection Active
Last 30 days
Blocked / day · +12%
48,210
18.4% of traffic · +22 flagged
Top blocked
ChatGPT-User2,980
GPTBot2,140
python-requests1,860
PerplexityBot1,310
Bytespider1,090
AI crawler intent · 12,840
LiveLive Retrieval5,120
IndexSearch Indexing4,300
TrainModel Training3,420
By detection method
Bot User Agents21,460
Datacenter IPs14,890
Spam Referrers4,230
Headless Browsers3,510
Velocity Limits2,440
Zero-engagement
22%
9,840 of 44,700 sessions
Desktop14% (3,210 of 22,930)
Mobile31% (5,120 of 16,510)
Tablet29% (1,510 of 5,260)
Blocklists
Datacenter IPs3,430
Spam domains2,322
Bot UA patterns79
VPN whitelisted5,430
refreshed today

Ten checks before anything counts

Four checks run in the browser before a single event is sent: WebDriver flags, software GPU rendering, empty language lists, impossible execution timing. Six more run server-side: 79+ bot user-agent signatures, 3,430 datacenter IP ranges, spam referrers, velocity limits, interaction analysis, behavioral scoring.

Client-side and server-side, in series.

  • Headless browsers fail before they send anything.
  • Datacenter traffic is matched against curated CIDR ranges.
  • One flagged layer is enough: blocked or tagged, never counted.

Ten locks on the front door.

How bot detection works
Detection Pipeline
1 WebDriver detection navigator.webdriver
2 Software GPU check SwiftShader / llvmpipe
3 Browser language count languages = 0
4 Execution timing 0ms = automation
5 User agent patterns 79+ signatures
6 Datacenter IP ranges 3,430 CIDR ranges
7 Spam referrer filter 2,322 domains
8 Fingerprint velocity 100+/10min = blocked
9 Interaction analysis scroll + no interaction
10 Behavioral scoring mouse, scroll, input
Client-side (browser) Server-side (API)

Know which AI bots read your site

57 AI bots are catalogued by intent: live retrieval (ChatGPT or Perplexity fetching your page for an answer, right now), search indexing, and model training. Each crawler is listed with its request volume and last visit, separate from your visitor numbers.

Visibility without contamination.

  • GPTBot, ClaudeBot, PerplexityBot, and friends, by name.
  • Live retrieval vs indexing vs training, told apart.
  • Crawlers that ignore robots.txt are still visible here.

The AI reads your site. Now you can watch it read.

AI crawler tracking
AI CrawlersLast 30 days · 12,840 requests
LiveLive retrieval 5,120IndexSearch indexing 4,300TrainModel training 3,420
BotIntentRequests ↓Last crawl
ChatGPT-UserLive2,98012m ago
GPTBotTrain2,1402h ago
PerplexityBotLive1,31038m ago
OAI-SearchBotIndex1,2401h ago
BytespiderTrain1,0903h ago
ClaudeBotTrain8605h ago
Google-ExtendedTrain6409h ago
CCBotTrain4101d ago
57 AI bots catalogued across live retrieval, search indexing, and model training

One score that says if your traffic is real

Zero-engagement measures the share of sessions with no scroll, no clicks, and minimal time. Healthy sites sit under 25%. When the score spikes, the breakdown points at the culprit: bots that spoof mobile devices cluster on specific screen sizes, and an 89% zero-engagement bucket is not a coincidence.

A smoke detector for fake traffic.

  • Zero-engagement share, overall and per device.
  • Screen-size drill-down exposes spoofed-device clusters.
  • Under 25% healthy, over 40% worth investigating.

When something is off, this number says so first.

Engagement Tracking
Traffic qualityZero-engagement sessions · Last 30 days
42.3%
3,847 of 9,103 sessions showed no scroll, no clicks, and almost no time.
Under 25%: healthy traffic25-40%: worth investigatingOver 40%: significant bot activity
Desktop
11.2%412 of 3,680
Mobile
67.4%3,289 of 4,881
XS (<576px)
89.1%2,904 of 3,260
SM (576-767px)
17.8%289 of 1,621
Tablet
8.4%12 of 142
One screen size at 89% zero-engagement is not an audience, it is a device-spoofing botnet. Filter those sessions and flag them, and the score walks back under 25%.

The last word is yours

Automation catches the crowd; you catch the stragglers. Open any session, judge the journey, and flag it as a bot in two clicks: it disappears from every metric, retroactively. Or delete it outright and it is gone from the database.

Flag, delete, done. Retroactive everywhere.

  • Flag as Bot removes a session from all numbers, past included.
  • Delete removes it entirely, events and all.
  • Flagged bots stay visible in the Bot Center, so nothing hides.

Your data, curated by the person who knows the site best.

Session Tracking
Sessions
3.6. 11:24 - 11:28Google · Germany · Desktop · macOS · Chrome
/pricing1:3478%
/signup1:0891%
Flag as BotDelete
3.6. 11:21 - 11:21Direct · Netherlands · Desktop · Linux · Chrome
/0:010%
3.6. 11:17 - 11:17Direct · Singapore · Desktop · Windows · Chromebot
/wp-login.php0:000%
3.6. 11:12 - 11:16LinkedIn · United Kingdom · Desktop · Windows · Edge
/features1:0270%
/docs/installation2:2288%
Flagged sessions leave every metric, retroactively. Deleted sessions leave the database.

Frequently asked questions

Having another question?

Reach out! We will be happy to help with any pre-sales questions.

Does bot filtering slow my site down?

No. The four client-side checks are simple property reads that take microseconds, and the six server-side layers run after the request leaves the browser. Visitors never wait on any of it.

How fresh are the blocklists?

Curated and auto-refreshed: 3,430 datacenter IP ranges, 2,322 spam referrer domains, and 79+ bot user-agent signatures, with 5,430 VPN ranges deliberately whitelisted so privacy-conscious real visitors are not punished.

Do bots show up in my reports at all?

Not in your visitor numbers. Blocked and flagged traffic is kept out of every KPI, panel, and realtime view, and appears only in the Bot Center, where you can audit what was caught and why.

Can I see AI bots I blocked in robots.txt?

Yes, when they come anyway. robots.txt is a request, not a wall: crawlers that ignore it still hit your server, and the AI Crawlers view lists them by name with volume and last visit. The polite ones that honor your robots.txt simply stop appearing.

What if the filters miss one, or catch a real visitor?

You have the last word both ways. Flag any session as a bot and it leaves every metric retroactively; sessions you flagged by mistake can be judged from their full journey before you commit. Deletion is permanent and complete.