Invalid traffic splits into two classes, and the split decides how you catch it. General invalid traffic (GIVT) is identifiable from lists and known signatures: declared bots, data-centre IP ranges, search crawlers. Sophisticated invalid traffic (SIVT) imitates a real person and gets past lists, so it can only be caught by checking whether a session’s behaviour and fingerprint agree with each other.
Invalid traffic is the IAB/MRC umbrella term for ad traffic that should not be billed. The IAB Tech Lab and the Media Rating Council defined the GIVT/SIVT distinction so the industry could agree on what counts as filterable and what needs deeper inspection. The two halves are not degrees of badness. They are categories defined by how detectable they are.
GIVT: caught by a list
GIVT is the traffic that announces itself, or that lives somewhere no real shopper would. A few concrete cases:
- Declared bots and crawlers that identify themselves in the user agent, including search-engine and SEO crawlers.
- Traffic originating from data-centre and hosting IP ranges, where no human is sitting at a browser.
Both are caught the same way: by matching against a published list of signatures, user-agent strings, and ASN ranges. The IAB maintains a spiders-and-bots list precisely for this. Because the identifiers are stable and shared, GIVT filtering is cheap and reliable. A data-centre ASN is a data-centre ASN whether or not the operator wants to hide.
This is the easy half. Most ad platforms, including Google, filter a large share of GIVT before they bill you, and they are good at it.
SIVT: caught by contradiction
SIVT is the traffic that does not show up on any list, because it is built to look human. Hijacked consumer devices recruited into a botnet. Bots routed through residential proxies so their IP looks like a home connection. Automation frameworks driving a real browser to produce human-like mouse paths. None of these carry a signature you can blocklist, because the whole point of the technique is to borrow a legitimate-looking surface.
You cannot filter SIVT by IP, because the IP is a real home. You cannot filter it by user agent, because the user agent is a real browser’s. What you can do is check whether the session is internally consistent. A session built by automation tends to contradict itself somewhere: a navigator surface that disagrees with the TLS fingerprint, an Accept-Language header that does not match the JavaScript language, a cursor moving with super-human regularity, a canvas hash that does not cohere with the claimed browser.
That contradiction is the tell. A real browser driven by a real person is consistent across dozens of independent signals because one device produced all of them. A faked session has to forge each surface separately, and the forgeries rarely line up.
It also helps that the browser under test does not get the benefit of the doubt. A scorer that only subtracts on detection can be beaten by sending an empty or forged signal, which would otherwise look clean. ClickLens checks the beacon against server-attested evidence — a signed payload, the trusted HTTP user agent, the TLS class — so a session missing its corroboration is capped to suspect rather than allowed to score human on its own say-so.
Why the split changes the tooling
If your defence is a blocklist, you catch GIVT and miss SIVT entirely, and SIVT is where the spend goes once an operator is serious. List filtering has no way to flag a residential-proxy bot, because nothing on the list matches. You need the second method: score the session on how well its signals agree, weight automation and behaviour and fingerprint and network reputation, and cap the verdict when the evidence is forged or missing.
ClickLens runs both. GIVT-style checks knock out the obvious data-centre and declared-bot traffic. The harder work is the consistency scoring that catches SIVT, and the engine is tested against datasets built to beat it, including residential-proxy and fingerprint-rotation suites, with the bar set two ways: bots must be caught and real humans in the same dataset must survive.
Where to read further
The detection methodology sets out the five scoring categories and how each deduction is named and inspectable. The glossary entries for GIVT and SIVT give the short definitions if you only need to cite the distinction. If you want to see which class your own traffic falls into, the audit scores a sample and shows the reasons behind each verdict.