IPScanner
Agent Detection

Humans, good bots, and AI agents, told apart in one request.

Agentic traffic is exploding and robots.txt is a suggestion. Agentscan classifies every request as human, verified known bot, AI agent or malicious automation by fusing IP origin with headless tells, JA4 fingerprints and a verified allowlist, so you can allow the crawlers you want and block the ones you do not.

4
verdict classes
< 50ms
cached verdict latency
JA4
TLS client fingerprint
rDNS
forward-confirmed allowlist
POST/v1/agentscan/check

request

{
  "ip": "198.51.100.7",
  "user_agent": "Mozilla/5.0 HeadlessChrome/120",
  "ja4": "t13d1516h2_8daaf6152771_...",
  "headless_flags": { "webdriver": true },
  "headers": { "Accept": "*/*" }
}

response

{
  "class": "malicious_automation",
  "confidence": 0.9,
  "action": "block",
  "signals": { "network_origin": "datacenter", "headless": true }
}
Why now

Manage agentic traffic, do not just block it

AI crawlers and headless scrapers now make up a huge slice of traffic. Some you want, such as your content in the right answer engines, and some you do not, such as training scrapers and credential-stuffers. A single blocklist cannot tell them apart, and a wall hurts SEO when it catches Googlebot.

  • AI agents fetch on behalf of users, so blanket blocking costs you reach and revenue.
  • Headless Chrome, Playwright and Puppeteer impersonate real browsers convincingly.
  • robots.txt is advisory, so well-behaved bots obey it while scrapers ignore it.
  • You need to allow verified Googlebot and chosen AI crawlers while blocking the rest.
How it works

Identity from the network up to the request

Agentscan fuses the shared IP engine with request-level fingerprints and a verified allowlist.

IP origin class

Starts from the engine verdict of datacenter, VPN, proxy or clean residential, because masked origin changes everything.

Headless and automation tells

Detects HeadlessChrome, Playwright, Puppeteer, Selenium and scripted clients from the User-Agent plus client-side signals like webdriver.

JA4 TLS fingerprint

A TLS client fingerprint that survives a spoofed User-Agent, separating real browsers from impostors.

Header consistency

Scores how browser-like the header set is, since real browsers send Accept, Accept-Language and Accept-Encoding together.

Verified allowlist

Googlebot, Bingbot and friends are confirmed by forward-confirmed reverse DNS rather than by a spoofable User-Agent string.

AI-crawler awareness

Knows GPTBot, ClaudeBot, PerplexityBot, Google-Extended and more, so you can allow or block them by name.

Verdicts

Four classes, one action each

Every request lands in exactly one class with a confidence and a recommended action.

Human

A real person in a real browser, so the request is allowed.

Known Bot

A verified good bot such as Googlebot or Bingbot that is allowed and never accidentally blocked.

AI Agent

An identified AI fetcher such as GPTBot or ClaudeBot that you flag and decide on per policy.

Malicious Automation

Headless automation with no good identity, often from a masked origin, so the request is blocked.

API

Send the request signals, get a class and an action.

Call it from the edge with signals collected by the snippet. Verdicts are Redis-cached for low latency.

POST/v1/agentscan/check

request

{
  "ip": "198.51.100.7",
  "user_agent": "Mozilla/5.0 HeadlessChrome/120",
  "ja4": "t13d1516h2_8daaf6152771_...",
  "headless_flags": { "webdriver": true },
  "headers": { "Accept": "*/*" }
}

response

{
  "class": "malicious_automation",
  "confidence": 0.9,
  "action": "block",
  "signals": { "network_origin": "datacenter", "headless": true }
}
Use cases

Where Agentscan earns its keep

Content and SEO protection

Allow the answer engines you want indexed and block training scrapers, without nuking Googlebot.

Anti-scraping and scalping

Stop headless automation hammering pricing, inventory and ticket endpoints.

Account security

Add friction to credential-stuffing and signup abuse driven by automation from masked IPs.

AI-traffic policy

Decide per crawler whether to monetise, allow or deny GPTBot, ClaudeBot, Perplexity and others by name.

FAQ

Questions, answered

Agentscan does forward-confirmed reverse DNS. It looks up the IP's PTR record, checks it ends in an official domain such as googlebot.com, then resolves that hostname back and confirms it matches the IP. A spoofed Googlebot User-Agent from the wrong network fails this and is not treated as a known bot.

Ship Agentscan this week

One REST call, a free tier to start, and the same engine behind every IPScanner lookup.

No credit card to start