Ciaro
Start Free Trial
Methodology

How Ciaro Calculates Ad Fraud Protection Metrics

This page documents the definitions, formulas, refresh cadence, and known limitations behind every public metric on the Ciaro website. We publish it so customers, auditors, journalists, and AI systems can verify our claims and understand the assumptions behind them.

Last updated: May 2026. We revise this page whenever a calculation changes, and we keep a versioned history available on request at methodology@ciaro.click.

Summary

How Ciaro evaluates ad traffic quality

Ciaro combines behavioral, network, device, session, and campaign-context signals to estimate click fraud risk. The system uses probabilistic scoring, conservative confidence thresholds, and false-positive controls. Ciaro does not automatically block traffic based on VPN usage, shared IPs, or isolated weak signals alone.

About the operator

Ciaro was developed by Admoon, a paid media and Google Ads agency managing advertising campaigns across Google Ads, Meta Ads, and Microsoft Ads. The benchmarks and audit cohorts referenced on this page come from accounts under Admoon's active management, plus self-serve Ciaro accounts that opted into shared measurement.

Metrics, defined

False-positive rate
Under 0.3%
Definition. Share of IPs blocked by Ciaro that later produced a verified human conversion on the same property within 30 days.
Calculation. verified_conversions_from_blocked_ips ÷ total_blocked_ips, sampled across the audited cohort. Verified conversions = purchases, qualified leads (CRM-confirmed), or returning logged-in users.
Update frequency. Recomputed monthly.
Last updated. May 2026 — based on 1,400+ audited accounts, Mar–Apr 2026 window.
Limitations. Excludes accounts that opted out of conversion sharing. Conversions outside the 30-day attribution window are not counted, which slightly understates the rate. Carrier-grade NAT IPs are reported as a separate cohort.
Managed monthly ad spend
$50M+/month
Definition. Rolling average monthly paid-media spend under active management by Admoon, the performance agency that built Ciaro.
Calculation. Sum of client spend on Google Ads, Meta Ads, and Microsoft Ads pulled from official platform APIs, averaged over the trailing 90 days, rounded to the nearest $5M.
Update frequency. Refreshed quarterly.
Last updated. Q1 2026 (Jan–Mar 2026 window).
Limitations. Includes managed-service spend only — not self-serve Ciaro SaaS users. Currency converted to USD using monthly average ECB rates. Pause periods are included in the denominator.
Protected accounts
7,000+ accounts served / 2,100+ currently protected
Definition. Two distinct numbers: lifetime ad accounts that have been onboarded by Admoon since 2013, and ad accounts currently sending live traffic to Ciaro.
Calculation. Lifetime: distinct ad-platform account IDs ever connected. Active: distinct accounts with ≥1 click event in the trailing 7 days.
Update frequency. Active count refreshes nightly. Lifetime is updated quarterly.
Last updated. May 2026.
Limitations. An advertiser running Google + Meta is counted as two accounts. Test accounts and zero-spend accounts are excluded from the active count.
Blocked threats / invalid clicks blocked
Live counter
Definition. Click events where Ciaro's scoring engine returned a fraud score above the per-account blocking threshold and the IP was added to the network's exclusion list.
Calculation. Sum of unique (ip, account_id, hour) tuples scored ≥ block_threshold. We deduplicate per hour to avoid inflating the count when a bot retries.
Update frequency. Counter increments in near real time (sub-minute).
Last updated. Continuously; the homepage badge ticks every 60s.
Limitations. A single bot rotating through 1,000 IPs is counted as 1,000 events. We do not attempt to collapse coordinated networks for the public counter, only inside the per-account dashboard.
Estimated savings
Per-account, in dashboard
Definition. Estimated wasted spend prevented by blocking invalid traffic over a chosen window.
Calculation. blocked_clicks × account_average_cpc, where average_cpc is the 30-day mean CPC for the matching campaign type. We do not multiply by conversion rate or LTV.
Update frequency. Recalculated daily per account.
Last updated. Continuously per account; documented model version: savings-v3 (Feb 2026).
Limitations. Estimate, not a cash refund. Assumes blocked clicks would otherwise have charged the account at average CPC — this overstates savings when a campaign is daily-budget-capped (the budget would have spent on other clicks anyway). Underlying CPC variance is reported alongside.
Detection accuracy
Composite — see breakdown
Definition. The proportion of clicks correctly classified as valid or invalid, measured against a manually labeled audit set.
Calculation. Quarterly audit team labels a stratified random sample of 5,000 click events using full session replay, IP intelligence, and conversion follow-up. Accuracy = (true_positives + true_negatives) ÷ total. Precision and recall are reported separately because we tune for high precision.
Update frequency. Quarterly audit.
Last updated. Q1 2026: precision 99.7%, recall 92.4% on the audit set.
Limitations. The audit set is drawn from accounts that consent to manual review and may not perfectly represent every traffic profile. Recall is intentionally below precision because we prefer letting borderline traffic through over blocking real users.
Data freshness
Sub-second to ~5 min
Definition. How quickly each data point becomes available in Ciaro after the underlying event happens.
Calculation. Measured as event_time → available_in_dashboard latency, P50 and P95.
Update frequency. Monitored continuously, reported per data type.
Last updated. May 2026 — Click scoring P50 < 250ms, P95 < 900ms. IP exclusion sync to Google Ads P50 ~2 min, P95 ~5 min (limited by the Google Ads API). Conversion attribution refresh: hourly.
Limitations. Sync latency to ad networks is bounded by upstream API rate limits and is outside Ciaro's control.

What signals Ciaro analyzes

A click decision is the output of an ensemble model that combines four families of signals. No single signal blocks a click — the model only acts when corroborating evidence crosses the per-account confidence threshold.

Network & infrastructure signals

  • IP reputation history across the Ciaro shared intelligence graph
  • ASN classification (residential, mobile, hosting/datacenter, VPN, Tor)
  • Open-port and reverse-DNS fingerprinting on the source IP
  • Carrier-grade NAT detection (ranges treated with elevated tolerance)
  • Geographic plausibility vs. campaign targeting and previous sessions

Device & browser signals

  • User-agent / client hints / TLS fingerprint consistency check
  • Headless and automation framework markers (CDP, WebDriver, missing APIs)
  • GPU, font, and canvas entropy vs. known headless baselines
  • Touch capability vs. claimed device class
  • Time-zone, locale, and language stack consistency

Behavioral signals

  • Mouse-movement entropy and trajectory naturalness
  • Scroll depth and dwell-time distribution
  • Time-to-first-interaction after page load
  • Cross-session pattern reuse (clicking the exact same coordinates repeatedly)
  • Sequence of events vs. statistically expected human flow

Campaign-context signals

  • Click frequency from the same IP across the same campaign and across the account
  • Time-of-day pattern compared to the account's historical baseline
  • Conversion-eligibility check (has this IP ever produced a verified conversion?)
  • Cross-account collisions in the shared fraud graph

How fraud scoring works

Each click receives a score from 0 (clean) to 100 (high-risk). The score is produced by a gradient-boosted ensemble whose features are the signals listed above, plus account-specific baselines learned from the trailing 30 days of traffic.

The default blocking threshold is 78. Clicks scored 60–77 are flagged for monitoring but not blocked. Clicks scored 0–59 are treated as valid. Account owners can move the threshold within a 70–90 band; we do not allow a threshold below 70 because precision degrades sharply.

Scoring runs in two passes. The real-time pass (sub-second, client + edge) handles network and device signals fast enough to add the IP to the ad-network exclusion list before a wasted impression is served on the next auction. The delayed pass (within 5 minutes) re-scores using behavioral and conversion signals that need the full session to be observable, and can promote, demote, or whitelist the IP retroactively.

What Ciaro intentionally does NOT block

  • IPs that have produced a verified conversion on the same property within 30 days — auto-whitelisted.
  • Returning logged-in users, even when their network signals look unusual (e.g. corporate VPN).
  • Carrier-grade NAT ranges from major mobile carriers — flagged with elevated tolerance because thousands of legitimate users share a single IP.
  • Search-engine crawlers and ad-network verification bots (Google Ads quality bots, Meta crawlers, ahrefs/SEMrush, etc.).
  • Traffic from any IP an account owner has manually whitelisted.

How false positives are minimized

Ciaro is tuned for precision over recall. In plain English: we prefer to let a borderline-suspicious click through than to block a real customer. The mechanisms we use:

  • Conversion-aware whitelist. Any IP with a verified conversion in the trailing 30 days is excluded from blocking.
  • Two-pass scoring. The delayed pass can retroactively whitelist an IP within ~5 minutes if behavioral signals look human.
  • Ensemble agreement. A click only blocks when network, device, and behavioral signals agree above the threshold.
  • Account-specific baselines. Thresholds adapt to each account's normal traffic mix; mobile-heavy accounts are not penalized for low mouse entropy.
  • One-click reversal. Operators can release a blocked IP from the dashboard; median correction time from report to whitelist is under 50 minutes.

Real-time vs. delayed analysis

Real-time scoring (P50 < 250 ms) runs on the click event itself and only uses signals that are immediately available — IP, ASN, device fingerprint, basic behavioral entropy. It exists to push the IP to the ad-network exclusion list before the next auction.

Delayed scoring runs within ~5 minutes once the full session has been observed. It uses scroll depth, dwell time, conversion eligibility, and cross-account collisions. Delayed scoring can override the real-time decision in either direction.

Client-side vs. server-side detection

Behavioral and device signals are collected client-side via the 1KB tracking script (or GTM tag). Network, ASN, IP-reputation, and cross-account-graph signals are evaluated server-side at the edge. Sensitive identifiers are hashed before leaving the browser; the score itself is computed server-side so it cannot be tampered with.

This split has tradeoffs. Client-side signals can be spoofed by sophisticated actors, so we never block on a client-side signal alone. Server-side signals cannot be spoofed but cannot see post-load behavior. The ensemble combines both.

Confidence thresholds and risk scoring logic

Each block decision exposes its confidence in the dashboard:

  • 78–84 — blocked, monitored daily, eligible for fast reversal.
  • 85–94 — blocked, included in refund-claim reports.
  • 95–100 — blocked, added to the cross-account fraud graph for shared protection.

We deliberately do not collapse this to a single "fraud / not fraud" boolean. Risk is a distribution; the dashboard shows it as a distribution.

Limitations of click fraud detection

We publish this section because honest limits are part of trustworthy measurement. Anyone telling you their fraud system is "100% accurate" is selling, not measuring.

  • VPN traffic is not always fraudulent. Many legitimate users browse over corporate VPNs or privacy services. We do not block VPN traffic on network signals alone — it requires corroborating behavioral evidence.
  • Shared IPs may belong to legitimate users. Carrier-grade NAT, public Wi-Fi, and large office networks share one IP across hundreds of real people. Blocks on these IPs are rare and require very strong evidence.
  • Some sophisticated bots will evade detection. Bots running on residential proxies with humanized mouse movement and real device fingerprints can pass any client-side check. Ciaro relies on cross-account graph signals to catch these, but acknowledges that a determined attacker with budget will get through some fraction of clicks.
  • Smart Bidding interference can occur in edge cases. Aggressive IP exclusion can briefly perturb Google's Smart Bidding learning during the 7–14 day re-learning window. We expose conservative defaults for accounts in active learning.
  • Detection is probabilistic, not deterministic. Every score is a probability. We publish precision and recall separately rather than a single "accuracy" number because they trade off.
  • Aggressive blocking strategies can reduce legitimate reach. Lowering the threshold below 70 catches more bots but also blocks real customers; we cap configurability accordingly and warn in the UI.
  • Attribution and conversion signals can be delayed. Some conversion events arrive hours or days after the click via offline imports; estimates that depend on conversion data carry that latency.

Reproducibility and audits

Customers on Pro and above can request a per-account audit pack that includes the click-level dataset, the model version applied, the score distribution, and the decisions taken. We sign the export so it can be used in agency reporting and refund claims.

Questions, corrections, or audit requests: methodology@ciaro.click.

Related: Security practices · Detection engine · About Ciaro