Forem: BotConductStandard

Static compliance checklists can't measure AI agent behavior. Here's what does.

BotConductStandard — Mon, 20 Apr 2026 16:33:53 +0000

Agent-evaluation products in 2026 fall into two generations. First-generation: static pass/fail checklists. Second-generation: evaluation under changing conditions, where behavior trajectory is measured rather than endpoint state. The first generation can't answer the questions CTOs and CISOs actually ask. The second generation can — and it works the same way across every platform.

The problem with ten checks

Most agent-readiness products shipping today work the same way. Define N rules. Test whether the bot passes each. Aggregate into a score. Ship a certificate.

The appeal is obvious. It's auditable. It maps to how SOC 2 reports look. A CISO understands it without training.

The problem is also obvious once you think about production incidents. The evaluation measures observable state at a single point in time. It tells you nothing about how the agent behaves when conditions around it change — when signals evolve, when server state shifts, when adversarial inputs arrive. These are the situations that cause real production incidents, and they are precisely what static evaluation cannot measure.

The community already said this

On recent threads about agent-readiness tooling, the paraphrased reaction from sophisticated technical commenters has been: "10 static checks is like SEO in 10 static checks. It misses the point."

That critique is correct. The market is already splitting into two camps, and first-generation tools are being read as legacy.

What second-generation looks like

Instead of testing compliance with fixed rules, second-generation evaluation measures behavior trajectory under evolving conditions. The agent is placed in environments where directives can change during the session, where signals can contradict, where adversarial inputs test discipline.

What gets measured is not a state at a single point in time, but the decision trajectory across the scenario — what the agent chose when forced to interpret ambiguous inputs, how it recovered from errors, whether it held scope under pressure.

The specific scenarios, thresholds, and evaluation criteria are not disclosed publicly. This is deliberate: revealing the mechanism would let operators tune agents to pass without demonstrating genuine compliance. The methodology is a closed oracle — reproducible internally, verifiable externally through cryptographically signed observation records, but not publicly described.

What the report looks like

First-generation reports produce checkmarks:

[✓] Identifies as bot
[✓] Respects standard directives
[✗] Publishes declaration URL
Score: 87/100

Second-generation reports produce trajectories:

T+0s   | Session initialized, agent fetched initial directives
...    | Scenario-specific events recorded with timestamps
T+N    | Agent made decision in response to changing conditions
...    | Multiple decision points across the session

Verdict: [PASS|FAIL] per scenario
Reason: Specific agent behaviors in context,
        with cryptographically signed observation IDs
        for each event.

The first shows the state. The second shows the decision. In a production incident, only the decision matters.

Cross-platform by design

The certification is infrastructure-neutral. An agent certified by the methodology is recognized the same way by a site behind Cloudflare, one running DataDome, one with in-house infrastructure, and one with nothing at all. It doesn't compete with bot-management vendors — it's the independent layer they can cite. Like a passport for AI agents: issued once, honored everywhere.

The same principle applies to the regulatory plane. One certification bundles compliance evidence against multiple frameworks simultaneous ly — EU AI Act, GDPR, California SB 1001, RFC 9309, W3C TDMRep, EU DSM Directive. Instead of demonstrating compliance six separate times against six separate auditors, the operator is evaluated once and the result can be cited in any jurisdiction.

Why this distinction is urgent now

Regulatory pressure is specific about conduct. EU AI Act Article 50 requires disclosure during interaction, not at deployment. GDPR rights apply per-request. California SB 1001 demands honest identification in the context of a conversation. These are dynamic obligations, not static attestations.

Enterprise buyers ask operational questions. A CTO doesn't ask "does it pass a 10-check list." They ask how the agent behaves when conditions in the real deployment environment change.

Incidents are documented. Recent disclosures in the infrastructure-vendor space have confirmed AI-accelerated attacks exploiting agent platforms. The evaluation framework appropriate to this threat model is not a checklist.

What BotConduct is building

BotConduct Training Center is designed second-generation from day one. Level 1 is static hygiene (basic sanity is the floor). Level 2 measures behavior under evolving conditions. Level 3 measures conduct integrity under adversarial probing. Each evaluation produces a cryptographically signed trajectory, not a checklist.

Each observation is signed with Ed25519 and recorded in an append-only chain. Public key at botconduct.org/.well-known/bcs-public-key.pem. Anyone can verify any observation via botconduct.org/api/verify-observation/{id} without trusting us.

If Moody's rates bonds and FICO rates people, BotConduct rates how an AI agent behaves when nobody is watching — and the certificate works across every platform.

Landing + pricing: botconduct.org/training-center
Regulatory foundation: RFC 9309, EU AI Act Art. 50, EU DSM Directive Art. 4, California SB 1001, W3C TDMRep, GDPR.

Discussion welcomed. What scenarios would you want to see in a second-generation evaluation of your own agents? What does your team currently use to measure agent behavior under change?

194 IP Addresses. One Fake iPhone. Six Days Undetected. published: true

BotConductStandard — Sat, 18 Apr 2026 14:28:43 +0000

A scraper ran on our network for 6 days using 194 different Tencent Cloud IPs. Every request carried a fake iPhone User-Agent (iOS 13.2.3 from 2019). It never read robots.txt. It never identified itself. It averaged 1.8 requests per IP -- staying below every rate limiter, every WAF rule, every IP-based detection system.

In your analytics, this looks like 194 different people casually browsing on iPhones. No alert. No anomaly. Nothing to investigate.

The numbers:

194 unique IPs (all ASN 132203, Tencent Cloud)
362 requests over 6 days
Fake iPhone UA (iOS 13.2.3 -- released November 2019)
1.8 hits per IP average (evades all IP-based detection)
Never read robots.txt
Hit paths across entire site including /es/, /de/, /fr/, /no/, /zh/
All datacenter IPs -- no real iPhone connects from a datacenter

What this means:
If you run e-commerce, it has your prices. If you run media, it has your content. If you run SaaS, it mapped your app. And you never saw it because every request looked like a real user.

We caught it by measuring behavioral conduct -- not counting IPs.

Full forensic breakdown: https://botconduct.org/report/april-2026/part-2/
Part 2 of the State of Bot Conduct series. Part 1: https://botconduct.org/report/april-2026/part-1/

BotConduct.org -- Behavioral scoring for bots and AI agents.

GPTBot follows content invisible to humans. TwitterBot and ClaudeBot don t.

BotConductStandard — Fri, 17 Apr 2026 19:27:17 +0000

We run a behavioral observation network that scores how bots and AI agents conduct themselves when they visit websites. We scored 172+ operators. The results were eye-opening.

GPTBot: 8 content requests in 14 seconds

On April 17, 2026, OpenAI s GPTBot visited our network from IP 74.7.241.33 -- verified against OpenAI s own published ranges at openai.com/gptbot.json.

In a single session of 51 seconds, it made 39 requests. 8 of those went to content not visible to human visitors. All 8 in a 14-second burst.

GPTBot does not render CSS. It parses raw HTML and follows every anchor tag it finds -- visible or not. It cannot tell the difference between content meant for users and content that is hidden from the rendered page.

A 00B company s flagship crawler, navigating the web blind.

TwitterBot and ClaudeBot: zero

X Corp s TwitterBot and Anthropic s ClaudeBot visited the same pages. Same HTML. Same content -- visible and hidden.

Neither followed any hidden content.

Three crawlers. Three of the biggest tech companies in the world. Same test. Two understood what humans can see. One didn t.

The full leaderboard

This is not a cherry-picked comparison. We scored 172+ bot operators on behavioral conduct. Here is how the named operators rank:

The pattern: the biggest name does not mean the best behavior. Some of the most well-funded AI companies run crawlers less sophisticated than open-source projects with zero budget.

What happens when a crawler can t see

Hidden content exists everywhere on the web: honeypots, bot detection systems, anti-scraping layers, admin panels, internal tooling. A crawler that follows everything blindly will:

Trigger every honeypot it encounters
Get flagged by every bot detection system
Scrape content it was never meant to access
Get blocked, rate-limited, and blacklisted

This is not about ethics. This is about engineering. Rendering CSS is a solved problem. Google s crawler does it. Anthropic s does it. X s does it. OpenAI s does not.

We contacted OpenAI

We emailed opt-out@openai.com on April 17, 2026 with 48 hours notice before publication. No response as of this writing. If they respond, we will update this post.

This is Part 1 of 5

We are publishing one finding per day:

Part 1 (today): GPTBot and hidden content
Part 2: 194 rotating IPs with a fake iPhone User-Agent. Six days. One cloud provider.
Part 3: The crawler that ignored its own standard
Part 4: What bot traffic actually costs you
Part 5: A free tool to see what is hitting YOUR site right now

Full report with research disclaimer: botconduct.org/report/april-2026/part-1

Want to see what bots do on your site? Free sensor, 30 seconds, one line of code: botconduct.org/sensor.html

I watched 145 bots visit my site for two weeks. Here is what I learned.

BotConductStandard — Thu, 16 Apr 2026 04:13:40 +0000

Two weeks ago I put a fresh site online and started logging every request. I wanted to answer a simple question: how much of my traffic is actually human?

Turns out, barely any.

The raw numbers

Across those two weeks I observed 145 distinct bots hitting the site. Some declared themselves honestly. Some pretended to be iPhones from 2019. Some came in through Cloudflare. Some came in through rotating AWS IPs and never stopped.

I was interested in more than just counting them. I wanted to know how each one behaved — not the identity, the conduct. Did it read robots.txt? Did it respect rate limits? Did it avoid obviously private paths? Did it keep a stable user-agent across requests?

I ended up with a scoring system. Each bot got a number between 0 and 100 based on observable behavior.

The distribution was surprising.

The well-behaved majority

The bots at the top of the ranking are exactly the ones you would expect. Major search engines. AI crawlers from the big labs. A few SEO tools. Social preview bots.

GPTBot (OpenAI), ClaudeBot (Anthropic), Bingbot (Microsoft), Bytespider (ByteDance), Baiduspider, YandexBot, Meta's scraper, redditbot — all landing at 100 out of 100.

It makes sense once you think about it. These companies operate massive crawling infrastructure. They know every site they hit is watching. They have compliance teams. Their crawlers are boring in the best way — they announce themselves, stay within limits, and leave.

The hostile minority

The bottom of the ranking was where it got interesting.

About 27% of bots scored below 50. A few of them were recognizable — L9Explore, the crawler operated by LeakIX, probing sensitive paths aggressively. Keydrop Scanner doing credential probing. A stream of anonymous WordPress scanners hammering /wp-admin on every domain they find.

The worst offender was a single IP on AWS that sent 2,562 requests in one day. No user-agent. No interest in robots.txt. Just walking through every endpoint it could find.

Another favorite: a bot presenting itself as iPhone; iPhone OS 13_2_3 — an iOS version from late 2019. Nobody real is running that in 2026. The user-agent is a lie and the behavior matches. Distributed across dozens of residential IPs.

The middle is the interesting part

The polar ends of the distribution are easy. Known good bots are good. Obvious scanners are obviously malicious.

The middle third is where real decisions live. Crawlers from cloud providers like Tencent sat around 36. Not malicious per se, but also not identifying themselves well and using rotating IPs. If I were running a site that mattered, would I let those through? Block? Rate-limit?

This is the category where block everything automated destroys legitimate use cases (partners, vendors, research tools) and allow everything destroys your servers. It's where the real work is.

What I built

I stopped logging and started building. The passive observations became an API — you send it a suspicious request, it sends you back a score and a recommended action.

The action is one of four: allow, throttle, challenge, block. Anything my middleware can handle in three lines.

verdict = bcs.score(
    user_agent=request.headers["User-Agent"],
    path=request.path,
    headers=dict(request.headers),
)

if verdict["action"] == "block":
    return 403

The rubric that produces the score is proprietary, but the verdicts are public. Every bot I scored shows up in a public registry with its current rating. Operators can claim their entries and upgrade to a cryptographically signed identity if they want higher trust.

What it changed for me

Before this experiment, I treated automated traffic as a nuisance. Something to filter, block, ignore.

After two weeks of looking closely, I think about it differently. The web is becoming a conversation between automated agents — and most of them are trying to do their jobs well. The bad ones are loud, and they get all the attention, but they are the minority.

Giving the well-behaved agents a way to prove it — and the sites a way to verify it — seems like a better answer than the status quo of blocking everything automated.

If you want to try it

If you run a bot or agent: there is a public certification flow. It takes 30 seconds for basic certification, a few minutes for something more serious.
If you run a site: the API has a free tier (5,000 scores per month) if you want to experiment.

Everything is at botconduct.org. The first production site running this end-to-end is importsignals.com — their bot policy page is a reasonable reference if you want to see what it looks like in the wild.

Would love to hear from other people who have measured their bot traffic seriously. I suspect the 27% hostile number is conservative.

Follow-up thread and registry updates at @botconduct.
Rafa Mizrahi