GuideJuly 20, 202610 min read

Bot Detection for Media Buyers: A Technical Primer

How bot shields work — IP reputation, browser fingerprinting, behavioural analysis. And why you're probably overpaying for fake traffic.

Table of Contents

The scale of the problem Types of bot traffic How bot detection works Xpnsr Bot Shield v2 What you can do

The Scale of the Problem

Industry estimates suggest that 25–40% of all programmatic ad traffic is non-human. For push and native traffic, the number can be even higher — some sources report bot rates exceeding 60% on certain campaigns.

If you're spending $10,000/month on traffic and 30% is bots, that's $3,000/month — $36,000/year — going to fake clicks. And that's before you account for the opportunity cost of optimizing campaigns based on polluted data.

Types of Bot Traffic

Simple scrapers: Basic HTTP clients that fetch pages without executing JavaScript. Easy to detect by checking for JS execution, WebGL support, and canvas fingerprinting.
Headless browsers: Puppeteer, Playwright, Selenium — full browser engines without a visible UI. They execute JS but leave detectable fingerprints (missing navigator.webdriver flag, inconsistent screen resolution).
Residential proxy bots: Bots running on real residential IPs, making them harder to block via IP reputation alone. These require behavioural analysis.
Click farms: Real humans paid to click. Hardest to detect because the traffic is technically "real." Requires pattern analysis (time-of-day clustering, repeat click intervals).

How Bot Detection Works

Layer 1: IP Reputation

The first line of defense. IPs are checked against known datacenter ranges, VPN/proxy lists, and historical abuse databases. Xpnsr Tracker maintains a real-time reputation database updated every 15 minutes.

Layer 2: Browser Fingerprinting

When a click lands, the tracker collects 50+ browser signals: user agent, screen resolution, color depth, installed fonts, WebGL renderer, canvas fingerprint, audio context, timezone, language, and more. Bots almost always fail one or more of these checks.

Layer 3: Behavioural Analysis

This is where Xpnsr's Bot Shield v2 excels. The system analyzes click patterns in real time:

Time between clicks from the same IP
Distribution of click times across the day
Ratio of clicks to conversions
Geographic clustering
Device type consistency

    Bot Shield v2 improvement: 40% fewer false positives compared to v1. The system now uses a probabilistic scoring model instead of hard thresholds, reducing the chance of blocking legitimate traffic.
  

Xpnsr Bot Shield v2

Bot Shield v2 combines all three detection layers into a single scoring engine. Each click receives a bot probability score from 0 (human) to 100 (definitely bot). You can set your own threshold — conservative (block >90) or aggressive (block >50).

The system also provides detailed reports on why each click was flagged, so you can fine-tune your settings without blocking real traffic.

What You Can Do

Audit your traffic: Run a 7-day analysis with Xpnsr Tracker to establish your baseline bot rate.
Set up bot filtering: Enable Bot Shield v2 and start with the recommended threshold (75).
Monitor false positives: Check the "Flagged Traffic" report daily for the first week and adjust as needed.
Optimize based on clean data: Once bot filtering is active, re-analyze your campaign performance. You'll likely find that some "best performing" sources were actually bot-heavy.

Stop paying for fake clicks.

Xpnsr Tracker's Bot Shield v2 filters out bot traffic automatically. See your real campaign performance.

Book a Demo