CLOAKING ENGINE V2 — RELEASED

Smarter detection.
Higher protection.

V2 catches bot patterns V1 couldn't see. Same low latency, stricter filtering, smarter scoring — so your real users get through and the bots don't.

+25%

Bot blocking accuracy

8

Headless browser checks

30 min

Visit-frequency window

<50 ms

Decision latency
See engine upgrades Back home
What V2 adds to detection

New bot signals, missed by V1

Real engine upgrades — not cosmetics.

NEW IN V2
Visit-frequency throttling

Tracks every IP per campaign over a rolling 30-minute window using in-memory cache. More than 5 visits → blocked. More than 10 visits → auto-blacklisted.

Catches scrapers, ad-network re-validation bots, and automated review tools.
NEW IN V2
Headless browser scoring

Browser fingerprint analyzed across 8 headless indicators — webdriver flag, plugin count, screen geometry, canvas behavior, hardware concurrency, device memory, Chrome runtime. Score > 40 → blocked.

Stops Puppeteer, Playwright, Selenium and most automation frameworks cold.
HARDENED
Universal hosting blocking

V1 had hardcoded exceptions for legacy campaigns that allowed hosting traffic through. V2 removes all exceptions: every datacenter / hosting IP is blocked, no special cases.

Closes the AWS / DigitalOcean / Vultr / OVH bot pipeline.
FIXED IN V2
Fewer false positives

V1 used loose stripos() truthy checks — match at position 0 returned falsy and let real Google/Facebook bots through. V2 uses explicit !== false — every match is caught.

Real users no longer mistaken for bots; bots no longer slip through on edge cases.
NEW IN V2
Referrer captured per request

V1 dropped referer headers from logs — making post-mortem analysis impossible. V2 stores referrer alongside every request so you can see exactly where blocked traffic came from.

Drill into stats by source — find which ad placements attract bots.
SECURITY
IP validation hardening

V2 validates every IP as IPv4 format before processing — closing an attack vector where malformed headers could be injected into downstream lookups.

Your platform, hardened.
Detection Capabilities

V1 vs V2 — what gets caught

V1 (Legacy)
V2 — Now
Crawler / known bots
User-agent + signature match
User-agent + signature match
Google bot infrastructure
Detected via DNS/ISP/ASN — but loose string match could miss edge cases
Strict !== false match catches every Google datacenter
Facebook bot infrastructure
Same loose match issue as Google
Strict matching — no false negatives
Hosting / datacenter IPs
Hardcoded exceptions for some legacy campaigns let hosting traffic through
Universal block — zero exceptions, zero hosting traffic
VPN / Proxy
Detected via IP attributes
Detected via IP attributes
Headless browser (Puppeteer / Selenium)
Not checked
8-signal fingerprint score, threshold 40
Repeated-visit bot loops
No frequency tracking
5+ visits in 30 min = blocked, 10+ = auto-blacklisted
Geo whitelist (continent/country/region/city)
Maxmind 4-level
Maxmind 4-level
Browser-language whitelist
Accept-Language match
Accept-Language match
Device filter (cellular / mobile / desktop)
3 device modes
3 device modes
Empty referrer block
Per-campaign toggle
Per-campaign toggle
Custom IP blacklist
Feature existed but UI toggle disabled
UI unlocked — manage list per campaign
Auto-blacklist after N suspicious visits
Feature existed but UI toggle disabled
UI unlocked — choose threshold
Global blacklist database (cross-customer)
Admin-managed pool, displayed as "vu3_global_databases" in stats
Same pool, cleaner reason label "global_databases"
Referrer logging in stats
Field captured but never persisted
Stored on every request — searchable in stats
IP-injection hardening
Raw IP passed to lookups
IPv4 format validation before processing
Caught · Caught with edge cases · Locked behind disabled UI · Not detected

Same battle-tested core

What didn't change: the campaign filter flags (11 booleans + delay), the 17 supported ad networks (Facebook, Google, TikTok, Bing, Snapchat, Taboola, Outbrain, Pinterest, Yahoo, Twitter, Propeller, PopAds, 50onRed, Instagram, Google Search/Display, "No Rules"), the 9 integration methods (PHP redirect/iframe/insert-html/reverse-proxy/reCAPTCHA, JavaScript, Shopify, WordPress plugin, REST API), and the 4-level Maxmind geo whitelist.

Migration is zero-effort — no campaign re-config, no code change on your safe pages. V2 is a drop-in upgrade that catches more, leaks less, and gives you better data.

Stop letting bots burn your budget.

V2 is live for every plan, every customer, today.

Get started See pricing