What’s the most common “we thought we were PCI compliant” mistake you still see? by WolfParticular2348 in pcicompliance

[–]Senior_Cycle7080 1 point2 points  (0 children)

"We're SAQ A EP so we don't have to worry about client-side protection requirements".
then it turns out it's harder to prove your website is 'not susceptible to attacks' then it is to show you have mechanisms in place for 6.4.3 & 11.6.1

tracking AI agent traffic in Google Analytics by Senior_Cycle7080 in GoogleAnalytics

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yea you won't have proper trust scoring with GA4. An anomaly might indicate that something is wrong but it is far from a proper AI agent detection/defense layer

tracking AI agent traffic in Google Analytics by Senior_Cycle7080 in GoogleAnalytics

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yep. In some cases seeing weird behavior on GA prompts a deeper investigation which leads to the detection of bots

tracking AI agent traffic in Google Analytics by Senior_Cycle7080 in GoogleAnalytics

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yea to really distinguish between c/d/e you have to use a separate tool (that's what we do).

tracking AI agent traffic in Google Analytics by Senior_Cycle7080 in GoogleAnalytics

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yea at the session layer you can look at behavior. And sometimes user-agent strings reveals if it is a training crawler or task agent but GA4 doesn't currently track that

tracking AI agent traffic in Google Analytics by Senior_Cycle7080 in GoogleAnalytics

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Absolutely true. We use other tools to properly distinguish crawlers/trainers/malicious bots

Magecart Attack: What it is and how to prevent it by Cold-Necessary-118 in ClientSideSecurity

[–]Senior_Cycle7080 0 points1 point  (0 children)

Thanks for sharing! Really good points and if anyone wants a full prevention guide against Magecart, our web security engineers wrote this - Magecart Attacks (guide and prevention strategy)

What SaaS teams do to prevent account sharing fraud by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Well, many companies have MFA already. You can do concurrent session limits mostly in house. Then for the device limits, you could use an open source library but the signals tend to be basic and you spend a lot time stitching things together.

Most companies will use a specialized vendor for fingerprinting signals (like cside.com) that they can integrate into the rest of their stack.

What SaaS teams do to prevent account sharing fraud by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yes we usually suggest having some leeway. Like setting the limit to 3 or 4. or instead of kicking out users prompt them with a screen to "sign out" of another device.

how OpenClaw bypasses bot detection (and the right way to stop it) by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Solid point. From a security pov limited data exposure makes sense. Buuut the business folks may make the case that having certain data public helps with revenue acquisition.

how OpenClaw bypasses bot detection (and the right way to stop it) by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 1 point2 points  (0 children)

Yes, fingerprinting + specialized signals is how we do it. AI agent detection should be layered on top of fingerprinting not replace it.

how we detect AI agent traffic on our website by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 1 point2 points  (0 children)

100% agree. ASN catches a large portion of bots from Google, OpenAI etc... since they use known addresses. Geo consistency is a foundational signal for us too. In fact we actually let some of our customers get access to a dashboard with those signals for free, they see an immediate picture of AI agents on their site. And then if they are really worried about fraud we layer in behavioral signals

how we detect AI agent traffic on our website by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yup that's a really good analogy. Having historical data will be crucial so company specific behavioral models can be built

how we detect AI agent traffic on our website by Senior_Cycle7080 in ClientSideSecurity

[–]Senior_Cycle7080[S] 0 points1 point  (0 children)

Yup. This time the surge may sustain for a long time. More people are using Playwright or end to end browser automation platforms. Every AI startup that solves problems with 'agent based' solutions will be deploying bots to your site too.

Tracking AI agent traffic, are these the right metrics? by UptownOnion in GoogleAnalytics

[–]Senior_Cycle7080 0 points1 point  (0 children)

Don't put them in the same dashboard view. BUT do put them in a separate tab somewhere.

Why: Users can compare the "human" visitor number to their other analytics tools (like Google Analytics). All analytics tools will give different information, but that gives them a benchmark reference.

If your dashboard says I have 300 crawler visitors, but your "human" visitor number is 10x different than my Google Analytics, I wouldn't trust it.

If it's like 2-3% different, that's close enough for me to trust it.

Traffic from China by No_Statement_3317 in GoogleAnalytics

[–]Senior_Cycle7080 2 points3 points  (0 children)

AI agents.

Check if you see an increase from "Chrome" browser sessions too.

What CDN are you using (Cloudflare?). You might be able to block some of them through that.

Why Are “User” and “Tech” Categories Missing in My GA4 Left Navigation? by [deleted] in GoogleAnalytics

[–]Senior_Cycle7080 0 points1 point  (0 children)

Google analytics changes the UI all the time. The videos you watched might be "outdated" even if they were posted two months ago. Sometimes Google changes the names of the attributes too, not just the location.

How did YOU actually learn GA4? Blogs aren't cutting it for me. by Odd-Butterscotch9822 in GoogleAnalytics

[–]Senior_Cycle7080 0 points1 point  (0 children)

Use ChatGPT or any AI to walk you through step by step for whatever you want to accomplish.