Detection you can audit
Every ClickLens verdict is the weighted sum of named signals across five categories, and it is exactly recomputable from the data we store. No opaque model decides whether your visitor was a person. This page is how the score is built, how we keep it honest when the browser lies, and how we know it works.
Five categories, one transparent score
A session scores from 0 to 100. Above 70 it is human, 40 to 70 is suspect, below 40 is a bot. The number is a weighted sum of five categories, and each one lists the specific checks that moved it. The weights are fixed and published below, not tuned per customer.
Automation detection
Headless and webdriver markers, automation-framework artifacts left by Puppeteer, Playwright and Selenium, and a navigator surface that contradicts itself. The signals a real browser does not carry.
Behavioural signals
Pointer-path geometry, timing between events, scroll and interaction shape. A cursor that travels in perfectly straight lines, or with super-human consistency, loses points here.
Fingerprint consistency
Canvas and WebGL coherence, the JA4 TLS class against the claimed browser, Accept-Language against the JS language. A fingerprint that does not agree with itself is the tell.
Network reputation
Datacentre and hosting ASNs, residential-proxy indicators, and IP threat-intelligence. Where the request actually originates, not where it claims to.
Contextual signals
Referrer and UTM coherence, and the session context around the visit. Traffic that arrives without a plausible path costs points here.
Every category begins at full marks and subtracts only when a check fires. A clean session keeps its score, which is the honest default, but it leaves an obvious hole: a beacon with nothing to detect also starts at full marks. The next section is how we close it.
The browser is the thing under test, so we don't take its word
A scorer that subtracts only on detection can be gamed by sending nothing, or by sending a clean, fabricated beacon. The signal an attacker controls is exactly the signal you cannot trust. So a human verdict has to be corroborated by evidence the client cannot forge.
Signed beacons
Each beacon is signed with HMAC-SHA256 and carries a nonce and timestamp. A replayed beacon, an unsigned one, or a forged signature fails verification, so a captured payload cannot be replayed to mint a fake human.
Cross-layer consistency
The User-Agent in the beacon body is checked against the trusted HTTP header UA, the JA4 TLS class, and the Accept-Language header. A residential proxy that sends a clean browser UA still has to make the wire layers agree, and they rarely do.
Client-hint agreement
Sec-CH-UA request headers are scored against the browser family parsed from the trusted UA. Because client hints are a Chromium feature, their absence is never held against Safari or Firefox, near a fifth of real traffic; only their unexpected presence counts.
Server-timing checks
Timing the client reports is corroborated against what the server independently observed. Numbers that could only come from a fabricated timeline are flagged rather than trusted.
A human verdict must be backed by a real fingerprint surface and server-attested evidence, and must not be contradicted by a UA mismatch, a failed signature or a replayed nonce. When that corroboration is missing, the verdict is capped to suspect. A forged or empty beacon can no longer score human.
We attack our own detector
A bot detector that is only ever tested on bots it already catches proves nothing. We run the scorer against datasets built to beat it, and the bar is two-sided: the bots must be caught and the real humans in the same dataset must survive. A detector that catches every bot by flagging a fifth of your customers is worse than useless.
DELBOT
An MIT-licensed dataset of real and bot mouse trajectories. We replay it through the behavioural scorer and require the real trajectories to survive and the bot ones to be caught.
Neural-network trajectories
Mouse paths generated by trained models to mimic human motion. These are the modern evasion, smooth enough to defeat a naive straightness check, so the behavioural rules need corroboration before they condemn.
Residential-proxy and rotation suites
Sessions that route through residential IPs and rotate their fingerprint between requests. The cross-layer and consistency checks exist to catch exactly this, so the suites prove they do.
The detection engine is covered by more than 1,400 automated tests, and the behavioural rules that catch generated trajectories are written to need corroboration before they condemn a session. A smooth, human-looking mouse path is suspicious, never proof on its own.
Accuracy measured against ground truth, daily
Detection is a claim, and a claim needs a number. Precision, recall and F1 are computed every day against verified outcomes: leads your CRM confirms or rejects, disputes you file, honeypot catches and sessions verified by hand. That is the difference between asserting accuracy and measuring it.
Ground truth has precedence
A converting session can never overturn a stronger label. A honeypot catch or a manual verdict outranks any score, so a bot that converts cannot whitewash itself into your ground-truth set.
Regression before release
Every scoring change is replayed against the bank of verified sessions first. A tweak that would reclassify a known human as a bot is caught and rejected before it ships, not discovered in your account.
A new detector ships in shadow mode first
When a new gate goes live, it runs on real traffic and emits its flags, all visible on your dashboard, but it does not move a single verdict or touch a single platform conversion. Only once its false-positive rate has been measured on live traffic does enforcement turn on.
The same measured rollout governs conversion write-back, the restate or retract that ClickLens applies to Google and Microsoft Ads, so those adjustments show on your dashboard before they ever change your platform data. We would rather show you a verdict we are not yet acting on than act on one we have not yet proven.
Every verdict lists its reasons
Because the score is a sum of named deductions, each session on your dashboard shows the flags that produced its verdict. You can read why a click was judged a bot, dispute it if we got it wrong, and watch that dispute become a label that sharpens the next day's measurement. Detection you cannot inspect is detection you have to take on faith. This is the opposite.
Detection methodology FAQ
How is a session scored?
A session scores from 0 to 100 as the weighted sum of five categories: automation detection (25%), behavioural signals (25%), fingerprint consistency (20%), network reputation (15%) and contextual signals (15%). Above 70 the verdict is human, 40 to 70 is suspect, below 40 is a bot. Each category starts at full marks and loses points only when a specific check detects automation, so every deduction has a named reason on your dashboard.
Do you use a machine-learning model to decide the verdict?
No. The verdict is a deduction model: every category begins at its maximum and subtracts points for named, inspectable signals. That means a verdict is exactly recomputable from the stored signals and you can read back the reasons for it. We use a neural-network-generated trajectory dataset to test the detector, but no opaque model decides whether your visitor was a person.
Can a bot score human just by sending a clean User-Agent?
No, and this was a real hole. The base scorer starts every session at full marks, so an empty or forged beacon would have scored as human. A trust gate now requires a human verdict to be corroborated by a genuine browser fingerprint surface and server-attested evidence, and not contradicted by a UA mismatch, a failed signature or a replayed nonce. When corroboration is missing, the verdict is capped to suspect. A forged or empty beacon can no longer score human.
How do you know the detection actually works?
Precision, recall and F1 are computed every day against verified ground truth: CRM-confirmed outcomes, disputes you file, honeypot catches and manually verified sessions. A regression harness re-scores those verified sessions before any scoring change ships, so a tweak that would misclassify a known human is caught before release. The detector is covered by more than 1,400 automated tests.
See the score on your own traffic
Install the tag and every session arrives with a verdict you can open and read back. Start free with 1,000 sessions a month, no credit card required.