WW WhoWatches By BotConduct
№ 01 · BotConduct Observatory
A BotConduct Observatory desk · Limited cohort

Agents are reading
your API.
Now you can see who.

Your docs train someone else's model. Your /pricing page feeds a competitor's comparison agent. Your /api reference sits inside RAG indexes you've never heard of. WhoWatches is the access point to the BotConduct Observatory — receiver-side intelligence on who is reading you, what they are after, and whether their declared identity matches their behavior.

Cancel any cycle · Limited cohort
№ 02 · What we see

Four signals your logs
treat as noise.

If you run an AI-native product, you've seen at least three of these already. The BotConduct Observatory names them, characterizes them, and correlates them across the cohort.

01 / Training-data extraction

Declared crawlers, undeclared cadence.

Bots that obey User-Agent norms but ignore robots.txt at scale, sweeping documentation and content surfaces for fine-tune corpora.

Operators · ClaudeBot · GPTBot · Bytespider · PerplexityBot
02 / RAG ingestion

Embedding pipelines reading on a cycle.

Periodic, surface-scoped retrieval consistent with vector-store refresh cycles. Same paths each week. Different identities each week.

Operators · Anonymous · cohort-correlated
03 / Agent traffic

Autonomous agents acting on a user's behalf.

Browser-like fingerprint, agentic request pattern: form discovery, link traversal, structured-data extraction. Not bot — not human.

Operators · Browser agents · MCP clients · operators
04 / Competitive recon

Pricing & model-card harvesting.

Headless, rotating IPs, narrow path scope: /pricing, /models, /api. Coincident with public announcements.

Operators · Residential proxy · RDP-as-a-service
№ 03 · Integration

One script. One webhook.
The rest is yours.

No agent. No DNS change. No proxy in front of your traffic. Receiver-side instrumentation drops in downstream of your WAF and feeds either the Observatory or your own stack.

How it fits your stack

Pick the integration that matches your shape. Observatory membership includes webhook delivery — pipe attribution events straight into your warehouse, your SIEM, or a Slack channel.

  • EdgeDrop-in for Cloudflare Workers, Fastly Compute, Vercel Edge.
  • ServerMiddleware for Node, Python, Go, Ruby, PHP, Elixir.
  • WebhookReceive every attribution event as a signed POST.
  • SinkNative sinks for Snowflake, BigQuery, S3, Datadog, Slack.
  • Cohort APIPull cross-property correlation by domain or operator.

// POST https://yours.io/whowatches/event
// X-Whowatches-Signature: sha256=…
{
  "event": "actor.observed",
  "property": "yourcompany.com",
  "actor": {
    "id":        "anthropic.claudebot",
    "declared":  "ClaudeBot/1.0",
    "category":  "declared_ai_crawler",
    "confidence": 0.94
  },
  "observed": {
    "window":    "7d",
    "requests":  47,
    "sessions":  12,
    "surfaces":  ["/pricing", "/docs", "/api"]
  },
  "classification": "extraction",
  "behavior_consistent": true,
  "cohort_correlated":   false,
  "first_seen": "2026-05-10T08:14:22Z",
  "last_seen":  "2026-05-17T13:51:09Z"
}
№ 04 · Why receiver-side

WAFs see attacks.
We see observation.

Cloudflare, your CDN, your bot manager — they answer "should I block this?". The Observatory answers "who is showing up, on purpose, day after day?". We sit downstream and capture signals those systems do not collect and cannot correlate.

What they say · self-attributed
ClaudeBot
  • User-Agent string
  • Published IP ranges
  • Robots.txt compliance
  • Public crawl schedule
What they do · receiver-side
Extraction pattern
  • Persistent across sessions
  • Targets /pricing first
  • Non-interactive
  • Coincident with cohort
№ 05 · Access

Subscribe to the Observatory.
One desk. One cohort.

The Observatory accepts a limited cohort each quarter so that observations remain interpretive, not industrial. Bulletins are written, not generated. Membership is reviewable; the Desk reserves the right to decline continuation at any cycle.

BotConduct Observatory · Subscription

WhoWatches

Receiver-side intelligence on automated activity directed at your public assets. Weekly bulletins surface new actors and behavioral changes. Monthly deep dives interpret what the cycle means, strategically — written by analysts.

By inquiry
Subscribe directly · Cancel any cycle
  • Weekly bulletin · BotConduct Observatory Desk
  • Monthly strategic interpretation · written by an analyst
  • Analyst on call · 4 consultations/month · by email
  • Cancel any cycle · circulation controlled
Powered by Paddle · Invoiced in USD · Enterprise & counsel — see BotConduct →
№ 06 · Answers

The questions teams ask
before subscribing.

Q · 01 "How is this different from Cloudflare AI Audit / bot-management dashboards?" +

Those answer "should I block this request?". The Observatory answers "who is showing up, on purpose, day after day?". You keep your WAF; we live downstream. Cloudflare tells you bots hit you; we tell you which ones, with what intent, and how their behavior compares across the cohort.

Q · 02 "Can I block crawlers from your data?" +

We don't enforce. We attribute. You take the attribution event and decide — block, rate-limit, serve a watermarked variant, or just log it. Most teams start by logging, run a cycle, and then act with intent instead of reflex.

Q · 03 "What about agent traffic — Claude, Operator, browser-using agents?" +

That's the part conventional bot tools miss entirely. Agents fingerprint as browsers but behave nothing like users — no scroll, no idle, deterministic path traversal, form discovery without form submission. We classify these as agentic and tag them with their declared identity when present (e.g. anthropic.computer-use).

Q · 04 "Do you cover MCP / API extraction patterns?" +

Yes. MCP clients have a distinct request shape we can characterize even without declared identity. API extraction at training-corpus volume produces a behavioral signature that is hard to spoof at scale.

Q · 05 "Why subscribe instead of just running it ourselves?" +

Because the value of receiver-side observation depends on cohort-wide correlation — the same operator hitting your property and ours is a signal that no isolated stack can read. The cohort is what produces interpretation; the subscription is what gets you inside it. The Desk reserves the right to decline continuation at any cycle if cohort fit lapses.

Q · 06 "What does the methodology look like?" +

The Observatory operates as a closed oracle. We disclose findings, not method. This protects the integrity of observations and the long-term value of the cohort. Approved members receive interpretation; they do not receive the playbook.

Q · 07 "Who is BotConduct?" +

BotConduct is a receiver-side investigation outfit. WhoWatches is the public access point to its observatory. The same desk that signs the bulletins runs the cohort. botconduct.org →

Someone is already reading you.
The question is who.

Read the public Observatory bulletin or apply for receiver-side intelligence on your own property.