The Exposure No One Deployed, and No One Can Delegate.
Third-party AI agents are acting inside your business logic. The risk isn’t that they exist—it’s that nobody can prove how they behaved.
They arrive at your surface, consume it, and leave. You can describe your AI policy — far fewer can prove how those agents actually behaved.
BotConduct observes what arrives at the receiving side of your property — the third-party agents you don’t control and can’t self-report — and produces an independent, signed record of their conduct.
A record your board, your regulator, and your insurer can act on — independent of any vendor whose product would otherwise grade itself.
Evidence, not enforcement. The independent record is the product.
Research notes, behavioral briefings, and field reports issued by the Observatory. Findings are cryptographically signed and referenced against established frameworks.
The Observatory measures the conduct of automated actors from the receiving side of the public web. Each observation is recorded, characterized, and referenced against named frameworks. The independent record is the product. The Observatory does not sell — and has no commercial interest in — the blocking, gating, or runtime tools whose business depends on that record.
This separation is the source of the Observatory's authority. When the vendor that sells bot management also produces the record of what happened, that record serves the vendor's next renewal — not the operator's need to account for it. The Observatory produces evidence it has no commercial incentive to shade.
Findings are signed with Ed25519 and timestamped in an immutable evidence chain. Reports are verifiable independently of which WAF, CDN, or bot-management stack sits in front of the property. The evidence is intended to be independently verifiable without recourse to the Observatory.
The sensor does not capture form contents, account identifiers, session cookies, or end-user identifiers. It observes all traffic at the property boundary and classifies it. Records of non-automated visitors are retained only as anonymized behavioral metadata.
The Observatory accepts engagements selectively. All terms are quoted on request, after correspondence and review of fit. The Observatory does not operate a checkout surface.
A forensic engagement on a single property. Receiver-side behavioral profiling of automated actors, with ASN-level origin mapping, threat-intelligence cross-reference, and full behavioral mapping. Evidence signed.
Sustained independent telemetry of bot and agent conduct against the property. Periodic signed reports, mapped to public bot registries and framework controls. Findings forensically usable as standalone evidence.
For organizations operating at scale. Custom scope and data-handling arrangements. By introduction only.
BotConduct is an independent behavioral observatory. It measures the conduct of automated actors from the receiving site's perspective and produces diagnostic evidence. It is not a certification body. It does not certify products, brands, or counterparties.
Methodology is informed by, and consistent with, frameworks established in recent academic research — including DeepMind's "Practices for Governing Agentic AI Systems" (2024) and the OWASP Top 10 for Agentic Applications — extended with empirical receiver-side observation across multiple jurisdictions and verticals.
Every observation is signed with Ed25519 and timestamped in an immutable evidence chain. Evidence is referenced against NIST AI RMF, OWASP Top 10 Agentic, MITRE ATLAS, EU AI Act, Colorado AI Act, and RFC 9309. The Observatory's working language is English; correspondence is also accepted in Spanish.
Operated from Buenos Aires, Argentina.
Data processing: EU-region infrastructure (Finland).
Working languages: English, Spanish.
Custom jurisdictional arrangements (US data residency, GDPR DPA, HIPAA, etc.) established per enterprise engagement during onboarding.
For property operators seeking receiver-side intelligence on a subscription basis, the Observatory operates a public access point under the WhoWatches mark — a curated cohort with monthly bulletins signed by the Desk. Enterprise engagements remain with BotConduct.
For engagement enquiries and correspondence. Replies are by the Desk, in writing, within five working days.
Address correspondence to the Observatory Desk. Indicate jurisdiction, form of engagement, and a brief description of the matter under review. The Desk will respond, by name.