The product · a security tour

A security engineer that lives inside your ad stack.

PubSentry is the AI Security Engineer for ad publishers. It scores every visitor in under 5 ms, blocks invalid traffic before the ad fires, explains every verdict like a stack trace, and proves the revenue it protected — without ever wrongly flagging a real reader. Here’s exactly how each part works.

Block before serve

The only honest place to stop fraud is before the ad fires.

Reporting tools tell you about invalid traffic after the impression is counted and the click is billed. PubSentry decides before the ad loads — in a local gate on the page, in single-digit milliseconds, with no captcha and no reader friction. A blocked impression was never served; a blocked click was never billed.

  • One async <15 KB tag boots across GPT, AdSense, Amazon apstag and Prebid — with a universal MutationObserver fallback
  • The local gate scores ~28 signals across 5 families in under 5 ms — no network round-trip in the critical path
  • Fails open by design — any error serves the ad, so the page is never harmed

Diagram: Block before serve, the under-5-millisecond pipeline. A left-to-right flow: a visitor reaches a local gate that scores 28 signals across 5 families in under 5 milliseconds, then forks. Allow lets the ad fire. Block suppresses the ad slot and sends a beacon, off the hot path, to enrich and persist.

One tag loads, async and out of the way

A single <15 KB script (/t.js) boots ad-network-agnostically — AdSense, Google GPT, Amazon apstag and Prebid — with a universal MutationObserver fallback for everything else. It is engineered to fail open: any error serves the ad. It never throws into your page or delays a render.

The local gate scores the visitor in <5 ms

Before an ad slot fills, the gate evaluates ~28 signals across automation, environment, behavior, timing and honeypots — five detection families. Each collector is wrapped to fail safe, so a missing signal is treated as absent, never as a crash. The decision is local, so there’s no network round-trip in the critical path.

Invalid → ads suppressed across every stack

On a block verdict the gate suppresses the ad call across GPT, AdSense, apstag and Prebid — and catches the long tail with the MutationObserver fallback. The reader still sees your content; the network never serves the impression; the invalid click never reaches billing.

Server enriches, persists, and learns

A privacy-safe beacon reaches ingest, which enriches datacenter / ASN / geo from the request IP, re-scores server-side, applies your rules, updates the reputation network, and persists the event. The raw IP and User-Agent are HMAC-hashed and dropped — never stored raw.

The same verdict can also be served from the edge in under 50 ms from a cached reputation lookup — and a cache miss allows, by design. Allowing a real reader always beats blocking one.
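
The fail-open gate from the steps above, as an added example that is not PubSentry's code: each collector is wrapped so an exception counts as an absent signal, and an error in the gate itself returns allow. The collector ids, weights, threshold and the `skipped` list are assumptions made for the illustration.

```javascript
// Added illustration. Collector ids, weights and the threshold are hypothetical,
// not PubSentry's real signals or tuning.
const BLOCK_THRESHOLD = 80;
const COLLECTORS = [
  { id: "webdriver_flag", family: "automation", weight: 60,
    read: (env) => env.navigator.webdriver === true },
  { id: "zero_viewport", family: "environment", weight: 30,
    read: (env) => env.viewport.width === 0 || env.viewport.height === 0 },
  { id: "no_pointer_movement", family: "behavior", weight: 20,
    read: (env) => env.pointerMoves === 0 },
  { id: "instant_click", family: "timing", weight: 30,
    read: (env) => typeof env.msToFirstClick === "number" && env.msToFirstClick < 50 },
  { id: "trap_field_filled", family: "honeypot", weight: 70,
    read: (env) => env.trapField.value.length > 0 },
];

// A collector that throws (API missing, blocked, undefined field) counts as
// "signal absent". It is recorded in `skipped` so silent breakage stays visible.
function runCollector(collector, env, skipped) {
  try {
    return collector.read(env) === true;
  } catch (_err) {
    skipped.push(collector.id);
    return false;
  }
}

function gate(env, collectors = COLLECTORS) {
  try {
    const skipped = [];
    const fired = collectors.filter((c) => runCollector(c, env, skipped));
    const score = fired.reduce((sum, c) => sum + c.weight, 0);
    return {
      verdict: score >= BLOCK_THRESHOLD ? "block" : "allow",
      score, skipped,
      trace: fired.map(({ id, family, weight }) => ({ id, family, weight })),
    };
  } catch (_err) {
    // Anything unexpected in the gate itself: fail open, the ad is served.
    return { verdict: "allow", score: 0, trace: [], skipped: [], failedOpen: true };
  }
}

// Constructed sample visitors.
const READER = { navigator: { webdriver: false }, viewport: { width: 1280, height: 720 },
  pointerMoves: 42, msToFirstClick: 3100, trapField: { value: "" } };
const SCRIPTED = { navigator: { webdriver: true }, viewport: { width: 800, height: 600 },
  pointerMoves: 0, msToFirstClick: 12, trapField: { value: "x" } };
const LOCKED_DOWN = { pointerMoves: 3 }; // hardened browser: most APIs unavailable
```

Because every failure defaults to allow, the `skipped` list is the only place a broken collector shows up, so it is worth counting in telemetry.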

One engine, everywhere

The same brain in the tag, the edge, and the server.

Most tools score in one place and hope the others agree. PubSentry ships a single scoring engine to all three surfaces, and a parity test fails the build if they ever diverge — so a verdict means the same thing everywhere. Rules decide on the hot path; the ML model only narrates, and never blocks a request.

  • One @pubsentry/scoring engine in tag, edge and server — parity-tested in CI
  • Deterministic rules + reputation produce the verdict; the LLM never invents a number
  • Per-mode thresholds, a calibration gate and a red-team harness keep it tuned

Diagram: One engine, everywhere. A single scoring engine core runs identically inside the TAG (browser), the EDGE (worker), and the SERVER. Three labeled surfaces link to the central engine; a parity test fails the build if any of them diverge, keeping all three in sync.

Automation & environment

Headless and instrumented-browser tells, spoofed environments, impossible device profiles. The obvious bot population (GIVT) is caught at near-100% recall.

Behavioral & temporal

Interaction cadence, pointer and scroll dynamics, and timing patterns that separate a reader from a script — including click-abuse classes that flag AdSense accounts.

Honeypots & network

Invisible traps no human triggers, plus server-side datacenter / ASN / geo from an offline IP feed. Residential-proxy, VPN and Tor detection are a planned paid upgrade behind the same interface.

Ad-policy & click abuse

The tag scans for the layout and content patterns that flag AdSense accounts, and click-bombing is intercepted server-side — before the network ever sees the spike.

Calibrated, not guessed

Per-mode thresholds, a calibration gate, and a red-team harness keep the engine tuned. Measure mode scores silently; Block mode acts — you choose, per site.

Honest about its limits

~100% recall on obvious bots at 0 false-positives on our human test corpus. Sophisticated residential-IP mimicry (SIVT) is ~3% today, by design — and closes as the reputation network and ML scale. We never claim 100%.

  • ~28 signals across 5 detection families
  • 1 engine: tag, edge & server, parity-tested
  • 0 false-positives on the human test corpus
  • <5 ms local gate decision, before the ad

The AI Security Engineer

It reads you the situation, then shows the data.

Open PubSentry and you get a written brief, not a wall of tables. Your AI Security Engineer summarizes what it scored overnight, what it blocked, how much revenue it protected, and the one thing that needs your attention — then recommends counter-rules you approve with a click. The LLM only narrates; it never runs in the gate and never invents a number.

  • A narrated daily “Today” brief, signed by the Engineer
  • Recommend-then-apply — it proposes a rule, you approve it, and it becomes a real rule
  • Attack clusters told as plain-English stories, not raw rows — grounded in real events

The Today screen — a narrated daily security brief from the AI Security Engineer

Verdict-as-spine

Every block is auditable like a stack trace.

Open any request in the Inspector and read its full decision trace: the signal vector that fired, the weight each one carried, the reputation context, and the rule that produced the verdict. No black box — if PubSentry blocked something, you can see exactly why.

  • The verdict is the spine of the whole UI — every metric links back to the one request that produced it
  • Signal-by-signal explainability for any visitor — which collector fired, and what weight it carried
  • Reputation and cross-site network context shown inline with the local score
  • An “awaiting traffic” state when there’s no data — never a fabricated score

The Overview control room — account-safety gauge, money-protected, and the live verdict feed with the Request Inspector

A verdict carries its evidence: block · automation+honeypot · rep:flagged · 4.2ms. The same decision trace renders in the tag, the edge and the dashboard, because all three run the same engine.

Collective defense

Flagged once, blocked everywhere.

When a fingerprint or IP turns invalid on any PubSentry site, it’s pre-flagged on yours before it costs you a thing. That shared reputation is a structural advantage a single-tenant tool can’t copy — and it gets stronger with every site that joins. The network is PROVISIONAL until it reaches scale, and we label it that way.

  • Flag a bad actor once — new attacks on your peers harden your defenses before they reach you
  • Cross-site velocity and anomaly signals that a single-tenant plugin structurally can’t build
  • Marked PROVISIONAL until scale — no inflated coverage claims

Diagram: The reputation network, flagged once, blocked everywhere. A graph of publisher-site nodes connected by hairline edges. One site detects a flagged entity, a malicious fingerprint or IP, which turns red. A highlighted pulse then propagates outward along the edges, so the neighboring sites are pre-flagged and will block that entity on its first request, a collective cross-site defense a single-tenant tool cannot replicate.

The moat

Built like a security product, not a counter.

Sentry counts errors; PubSentry counts dollars. Six things a single-tenant reporting tool structurally can’t copy.

Block-before-serve

The verdict happens before the ad loads — the only honest place to stop fraud. Suppression across every major ad stack, with a universal fallback.

One detection engine

The same scoring engine runs in the tag, the edge and the server — a parity test fails the build if they diverge. Rules decide; ML only narrates.

Verdict-as-spine

Open any request and read its decision trace: the signal vector, each weight, the reputation context. Auditable like a stack trace.

FPR = 0, by covenant

Blocking a real reader is the worst failure. Conservative defaults, a calibration gate in CI, and a blast-radius preview before any rule goes live.

Private by construction

Raw IP and User-Agent are HMAC-SHA256 hashed server-side then dropped — never stored raw. Device fingerprints use non-PII fnv1a; sessions are scrypt, same-origin.
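
Added example, not PubSentry's code, of the hash-then-drop step described here and in the ingest step earlier: raw IP and User-Agent are replaced by HMAC-SHA256 tokens, and a check shows why the key matters, since an unkeyed SHA-256 of an IPv4 address can be matched by hashing candidates. The key, field names and sample beacon are constructed for the illustration.

```javascript
const { createHmac, createHash } = require("node:crypto");

// Constructed key for the example; a real key would come from a secret store.
const DEMO_KEY = Buffer.from("constructed-demo-key-not-a-real-secret");

const keyedToken = (key, value) =>
  createHmac("sha256", key).update(value).digest("hex");
const unkeyedHash = (value) =>
  createHash("sha256").update(value).digest("hex");

// Replace raw IP / User-Agent with keyed tokens; the raw fields are not copied
// into the stored record. Field names are hypothetical.
function pseudonymize(event, key) {
  const { ip, userAgent, ...rest } = event;
  return {
    ...rest,
    ipToken: keyedToken(key, ip),
    uaToken: keyedToken(key, userAgent),
  };
}

// Privacy review check: can a stored digest be matched back to an address by
// hashing candidates? The candidate set here is a single /24.
function reidentifyFromCandidates(target, hashFn, prefix) {
  for (let host = 0; host < 256; host++) {
    const candidate = `${prefix}.${host}`;
    if (hashFn(candidate) === target) return candidate;
  }
  return null;
}

// Constructed beacon; the address is from the RFC 5737 documentation range.
const RAW_EVENT = {
  site: "example-site",
  verdict: "block",
  ip: "203.0.113.77",
  userAgent: "ExampleBrowser/1.0",
};
```

The same address under the same key always yields the same token, which is what lets a reputation lookup join events without the raw IP; rotating the key breaks that linkage.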

Radical honesty

No fake scores, no “100%”, an “awaiting traffic” state when there’s no data. We publish exactly what we can and can’t catch.

Before you ever publish a rule, PubSentry replays it against your real history and shows the exact blast radius — how many visitors it would have blocked, and whether any of them looked human. You ship with eyes open.
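
The replay described above, as an added example that is not PubSentry's code: a candidate rule is run over past events and the report lists how many it would have blocked and which of those looked human. The event fields, the `looksHuman` heuristic and the sample history are assumptions made for the illustration.

```javascript
// Constructed history. Field names are hypothetical; the ASNs are from the
// documentation range (RFC 5398).
const HISTORY = [
  { id: "e1", asn: 64500, families: ["automation", "honeypot"], engagedMs: 0 },
  { id: "e2", asn: 64500, families: ["timing"], engagedMs: 200 },
  { id: "e3", asn: 64500, families: [], engagedMs: 48000 },
  { id: "e4", asn: 64501, families: [], engagedMs: 31000 },
  { id: "e5", asn: 64501, families: ["automation"], engagedMs: 0 },
  { id: "e6", asn: 64500, families: ["honeypot"], engagedMs: 90 },
];

// Hypothetical stand-in for "looked human": no signal fired and the visitor
// stayed engaged for at least ten seconds.
const looksHuman = (ev) => ev.families.length === 0 && ev.engagedMs >= 10000;

// Replay a candidate rule over history without enforcing anything.
function blastRadius(rule, history) {
  const hits = history.filter((ev) => {
    try {
      return rule.match(ev) === true;
    } catch {
      return false; // a rule that errors on an event does not block it
    }
  });
  const humanLooking = hits.filter(looksHuman).map((ev) => ev.id);
  return {
    rule: rule.name,
    evaluated: history.length,
    wouldBlock: hits.length,
    humanLooking,
    publishable: humanLooking.length === 0,
  };
}

// Two candidate rules: a whole-ASN block and a narrower variant.
const BROAD_RULE = { name: "block-asn-64500", match: (ev) => ev.asn === 64500 };
const NARROW_RULE = {
  name: "asn-64500-with-honeypot",
  match: (ev) => ev.asn === 64500 && ev.families.includes("honeypot"),
};
```

The whole-ASN rule catches one long, signal-free session, which is exactly the case the preview exists to surface before the rule goes live.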

Proof, not promises

A renewal report that counts dollars, not errors.

Sentry counts errors; PubSentry counts the money it protected. Every metric carries its dollar twin — estimated at your real RPM — and the Reports screen turns a month of protection into a board-ready proof of value: revenue protected, account kept clean, zero readers challenged.

  • Money-protected framing on every metric, estimated at the buyer’s real RPM
  • A composite “how close am I to a ban?” Account-Safety score
  • The FPR = 0 covenant — 0 readers challenged, front and center

0 humans wrongly blocked — that’s the covenant

The Reports & ROI screen — a renewal report showing revenue protected at the buyer's RPM

Start in minutes

Put a security engineer on your ad stack.

One tag, live verdicts in minutes, and a brief waiting for you each morning. Free to start — you only see the value once your real traffic is scored.

0 humans wrongly blocked — that’s the promise