Install & docs

Install in two minutes.

One async tag protects every ad on the page. No plugin, no SDK, no WordPress integration — PubSentry is the AI Security Engineer for ad publishers. It is ad-network-agnostic, and it starts scoring traffic the moment the script loads.

Create a site

Sign in to the dashboard and add your domain. You’ll get a site key that looks like st_xxxx — it scopes the tag to your account, and every /v1 endpoint is locked to the sites you own.

Paste one script tag

Drop the snippet below into your site’s <head> (or anywhere before your ads), swapping in your own site key. It’s a single line — no build step, no bundler.

Publish & verify

Deploy. The first beacon lights up the Install screen in your dashboard within seconds — then real verdicts start flowing in the Live Feed.

the one tag · <15 KB gzipped · ad-network-agnostic
<!-- paste before your ads; swap in your own site key -->
<script async src="https://pubsentry.com/t.js" data-site="st_xxxx"></script>
The tag is under 15 KB gzipped, loads async, and fails open: if anything ever goes wrong, the ad serves normally. PubSentry can never delay, block, or break an ad on your page by mistake.
How it works

The verdict happens before the ad fires.

Most tools report fraud after the impression is counted. PubSentry runs a local gate first — the only honest place to stop invalid traffic. Score in the browser, suppress the ad, then beacon the evidence to the server to enrich, re-score and persist.

  • A local gate scores every visitor in under 5 ms — no network round-trip in the critical path
  • Block-before-serve: an invalid verdict suppresses the slot before it paints — no captcha, no reader friction
  • The beacon ships only client-knowable fields; the server enriches, scores again, and persists the evidence
Figure: Block before serve — the under-5-millisecond pipeline. A left-to-right flow: a visitor reaches a local gate that scores 28 signals across 5 families (automation, environment, behavior, timing, honeypot; fail-open collectors) in under 5 milliseconds, then forks. Allow lets the ad fire and the impression is served. Block suppresses the ad slot, so there is no impression, and sends a beacon off the hot path to enrich (IP / ASN / geo reputation) and persist (ClickHouse); raw IP / UA are hashed and dropped. Fail-open everywhere: a real reader is never blocked (FPR = 0).

Score locally in <5 ms

The tag evaluates ~28 signals across five families — automation, environment, behavioral, temporal and honeypot — all fail-open via a safe wrapper. The same engine runs in the tag, at the edge, and on the server, guarded by a parity test.

Block before serve

An invalid verdict suppresses ads across GPT, AdSense, Amazon apstag and Prebid — plus a universal MutationObserver fallback — before the ad ever loads. A blocked impression was never served; a blocked click was never billed.

Beacon → enrich → persist

A lightweight beacon ships only client-knowable fields. The server enriches datacenter / ASN / geo from the request IP (offline iptoasn feed), updates reputation, and persists the event. Raw IP and User-Agent are HMAC-hashed and dropped — never stored.

Edge verdict, cached

An edge worker can return a sub-50 ms cached-reputation verdict for known entities — and an entity flagged on any PubSentry site is pre-flagged across the network. (The reputation network is provisional until it reaches scale.)

Fail-open is the law. The tag must never throw into your page or delay an ad. Any error — a slow store, a missing signal, a network blip — resolves to “serve the ad.” Detection never comes at the cost of your reader’s experience or your revenue. The one number we hold to is FPR = 0 on the human test corpus.
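An added sketch of the fail-open gate described above, not PubSentry's code: each collector runs inside a safe wrapper, and a thrown error, a broken environment or an exceeded time budget all resolve to "allow". The collector logic, weights, threshold and `env` fields are assumptions made for illustration.

```javascript
// Added illustration, not PubSentry's code. Collector logic, weights,
// threshold and the env fields are hypothetical.
const ALLOW = 'allow';
const BLOCK = 'block';

// Safe wrapper: a collector that throws or returns a non-number adds 0.
function safe(collector, env) {
  try {
    const value = collector(env);
    return Number.isFinite(value) ? value : 0;
  } catch (_) {
    return 0;
  }
}

// One hypothetical collector per signal family named on the page.
const collectors = {
  automation: (env) => (env.navigator.webdriver === true ? 0.6 : 0),
  environment: (env) => (env.navigator.languages.length === 0 ? 0.2 : 0),
  behavior: (env) => (env.pointerEvents === 0 && env.msOnPage > 3000 ? 0.2 : 0),
  timing: (env) => (env.msToFirstClick < 50 ? 0.3 : 0),
  honeypot: (env) => (env.honeypotTouched ? 0.8 : 0),
};

// Returns a verdict; every failure path resolves to ALLOW (serve the ad).
function gate(env, opts = {}) {
  const { threshold = 0.7, budgetMs = 5, now = () => performance.now() } = opts;
  try {
    const start = now();
    const fired = [];
    let score = 0;
    for (const [family, collector] of Object.entries(collectors)) {
      // Out of time: stop scoring and let the ad serve.
      if (now() - start > budgetMs) return { verdict: ALLOW, reason: 'budget', fired };
      const s = safe(collector, env);
      if (s > 0) fired.push(family);
      score += s;
    }
    return { verdict: score >= threshold ? BLOCK : ALLOW, reason: 'scored', fired };
  } catch (_) {
    return { verdict: ALLOW, reason: 'error', fired: [] };
  }
}
```

With these constructed weights a single weak signal stays below the threshold, which is the conservative default the page argues for.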
Verify it’s live

Watch the first beacon land.

The Install screen in your dashboard waits for your site’s first real beacon and confirms the connection the moment it arrives. No log-grepping, no guessing — you see “connected” and the verdict feed starts moving.

  • First-beacon verification, live in the dashboard
  • Verdicts appear in the Live Feed as your real traffic is scored
  • “Awaiting traffic” until there’s real data — never a fabricated score
The PubSentry dashboard confirming a live tag with the verdict feed flowing
Supported ad networks

One tag suppresses across every major ad stack.

Block-before-serve is wired into the ad libraries publishers actually run — plus a universal fallback that catches the rest.

Google AdSense

Auto-ads and unit slots are suppressed before they render on an invalid verdict — so the spike never reaches your account.

Google Ad Manager / GPT

Google Publisher Tag slots are gated at define / display time across the page, before the ad call goes out.

Amazon apstag

Amazon Publisher Services bid requests are intercepted before they fire, so no invalid request enters the auction.

Prebid

Header-bidding auctions are held back so no invalid impression enters the wrapper or reaches a bidder.

Universal fallback. A MutationObserver watches for any ad element that slips past the known integrations and suppresses it too — so a new, custom, or unrecognized ad setup is still covered out of the box.
FAQ

The questions publishers actually ask.

Will it slow down my site?

No. The tag loads async, is under 15 KB gzipped, and the verdict is decided locally in under 5 ms before the ad loads — no network round-trip in the critical path. It fails open, so even a total failure of PubSentry can’t delay or block an ad. The worst case is that a visitor simply isn’t scored.

Will it block real readers?

Blocking a real human is the worst failure we can make, so it’s the failure we engineer hardest against. Defaults are conservative, a calibration gate asserts zero false positives on the human test corpus, and every rule shows its retroactive blast radius before it goes live. We catch close to all of the obvious bots (GIVT) at 0% false positives; sophisticated residential-IP mimicry (SIVT) is caught at roughly 3% today by design, and that gap closes as the reputation network and ML moat scale. We never claim 100%.

I’m on WordPress. Do I need a plugin?

No plugin and no SDK — just paste. Drop the same one-line script tag into your theme’s header (or any header-script field, plugin, or tag manager) and you’re live. PubSentry is ad-network-agnostic — it works the same whether you serve AdSense, GPT, Amazon, Prebid, or a mix.

Which ad networks are supported?

Block-before-serve is wired into Google AdSense, Google Ad Manager / GPT, Amazon apstag and Prebid — the libraries publishers actually run. A universal MutationObserver fallback catches any ad element that slips past the known integrations, so a new or custom setup is covered out of the box.

What about my visitors’ data and privacy?

Raw IP and User-Agent are hashed with HMAC-SHA256 server-side and then dropped — they are never stored raw. Device fingerprints use a non-PII fnv1a hash. The beacon ships only client-knowable fields; the server enriches geo / net from the request and drops the rest. Dashboard sessions are same-origin scrypt cookies, and every endpoint is scoped to your account’s own sites.
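An added Node.js sketch of the hash-and-drop step described here and under "Beacon → enrich → persist", not PubSentry's code: the request IP and User-Agent are replaced by HMAC-SHA256 tokens before anything is persisted, and the fingerprint is reduced with FNV-1a. The field names, the 32-bit FNV-1a variant and the sample values are assumptions.

```javascript
// Added illustration, not PubSentry's code. Field names and the 32-bit
// FNV-1a variant are assumptions; sample values in the test are constructed.
const { createHmac } = require('node:crypto');

// Keyed hash: the same input always maps to the same token, so reputation
// can be tracked, but the token cannot be checked against a guessed IP or
// User-Agent without the server-side key.
function hmacToken(key, value) {
  return createHmac('sha256', key).update(String(value), 'utf8').digest('hex');
}

// 32-bit FNV-1a over UTF-8 bytes: an unkeyed, non-cryptographic bucket hash.
function fnv1a32(text) {
  let h = 0x811c9dc5; // FNV offset basis
  for (const byte of Buffer.from(String(text), 'utf8')) {
    h ^= byte;
    h = Math.imul(h, 0x01000193) >>> 0; // multiply by the FNV prime, keep 32 bits
  }
  return h.toString(16).padStart(8, '0');
}

// Build the record to persist. Raw ip and userAgent are read once and are
// deliberately absent from the returned object.
function toStoredEvent(key, request, beacon) {
  return {
    site: beacon.site,
    verdict: beacon.verdict,
    ipToken: hmacToken(key, request.ip),
    uaToken: hmacToken(key, request.userAgent),
    deviceHash: fnv1a32(beacon.fingerprint),
  };
}
```

The key has to stay server-side and out of the event store: the IPv4 space is small enough that an unkeyed hash of an IP can be reversed by enumeration.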

How do I remove it?

Delete the one script tag — that’s the whole footprint. There’s no plugin to uninstall, no SDK to unwind, and nothing left behind on the page. Because the tag fails open, even leaving a stale tag in place can never break an ad.

Start in minutes

Paste the tag. Protect your account.

One async script, live verdicts in minutes, and an AI Security Engineer watching your traffic. Free to start — you only see the value once your real traffic is scored.

0 humans wrongly blocked — that’s the promise