Everyone quotes the same stat: "51% of all internet traffic is bots." It comes from Imperva's annual report, and every marketing blog regurgitates it.
But that number is useless if you buy pop traffic. It mixes search engine crawlers, API calls, and social media scrapers into one bucket. It tells you nothing about what happens when you spend $500 on a PopAds campaign.
So we decided to answer the real question: How much of the traffic that media buyers actually purchase is bots?
We analyzed 12,758,513 real traffic events — RTB bid streams, popunder clicks, and push notifications — processed through a 22-layer detection engine running on live production servers. Not a sample. Not an estimate. Every single event was scored across 184 pattern rules, 22 configurable detection layers, and real-time threat intelligence feeds.
Here is what we found.
The Short Answer: It Depends on Where You Buy
Bot rates in pop traffic are not a single number. They range from 1.5% to 66% depending on which network you buy from. That is a 44x difference.
Here is the accept rate (percentage of traffic that passes all 22 detection layers) for every source in our dataset:
| Network | Events | Accept Rate | Bot Rate | Avg Trust |
|---|---|---|---|---|
| ClickAdilla RTB | 11,520,974 | 98.5% | 1.5% | 9.72 |
| HilltopAds | 100,000+ | 90.1% | 9.9% | 7.1 |
| AdOperator | 50,161 | 88.2% | 11.8% | 6.9 |
| RollerAds | 114,000+ | 90.5% | 9.5% | 6.8 |
| PopAds | 1,466 | 59.6% | 40.4% | 5.2 |
| GALA (Galaksion) | 56,853 | 34.0% | 66.0% | 3.8 |
The same $100 spent on ClickAdilla delivers 98 real humans. On Galaksion, it delivers 34. Your choice of network is the single biggest factor determining how much of your budget goes to bots.
The 22 Signals That Catch Bots (Ranked by Detection Volume)
Most bot detection tools check one or two things: the user agent string and maybe an IP blocklist. We check 22 independent signals on every single event. Here is what each signal actually catches in production, ranked by how many bots it identifies:
1. Zone Win Cap Enforcement (202,650 blocks)
This is not a bot signal — it is a budget protection mechanism. When a single ad zone accumulates too many wins in a day, we stop bidding on it. This prevents any single placement from consuming your entire daily budget. In our dataset, this was the #1 reason for rejecting bid requests.
Why it matters: Without win caps, a single high-volume zone can eat $8 of your $10 daily budget by noon. You would never discover the other profitable zones.
2. UA Cluster Analysis (124,818 blocks)
Real traffic comes from thousands of different user agent strings — different Chrome versions, different devices, different operating systems. Bot farms often send traffic from a small cluster of identical user agents.
When we see 90%+ of traffic from a single zone arriving with the same user agent string, that is a statistical impossibility for real human traffic. We flag it.
What it catches: Click farms running multiple browser tabs on the same machine, and automated scripts that do not bother randomizing their fingerprint.
3. Geo Mismatch Detection (105,361 blocks)
The ad network says the user is in Germany. The IP address resolves to Indonesia. This happens more often than you would expect — 14.1% of all RTB bid requests in our dataset had a geo mismatch.
We cross-reference the declared geo against MaxMind GeoIP2 databases. A mismatch between declared country and actual IP country is a strong fraud signal — it means someone is misrepresenting the traffic origin to earn higher CPMs.
4. Android WebView Detection (48,228 blocks)
This was our biggest single discovery. 6.5% of all bid requests came from Android WebView — an embedded browser component that cannot be used for normal web browsing.
The signature is unmistakable: Version/4.0 in the user agent string combined with an Android device. Real users browse with Chrome or Samsung Internet. WebView traffic means an app is loading web pages in the background — classic ad fraud.
5. Known Bot User Agents (21,722 blocks)
The most basic check, but still catches thousands. We maintain a database of 43 bot user agent patterns including:
- Headless browsers: HeadlessChrome, PhantomJS, Selenium, Puppeteer
- Crawlers: Googlebot, Applebot, Google-Read-Aloud, Bingbot
- Ad fraud tools: Criteo, DoubleVerify, Pixalate scanners
- Scraping tools: curl, wget, python-requests, Go-http-client
You would think ad networks would filter these before selling the traffic. They do not. We catch 21,722 known bot UAs in RTB bid streams alone — traffic that networks are actively trying to sell as human.
6. Datacenter and Hosting ASN Detection (6,319 blocks)
Real humans browse from residential ISPs and mobile carriers. Bots run on servers in datacenters. We maintain databases of 24 known datacenter ASNs (AWS, Google Cloud, Azure, DigitalOcean, OVH, Hetzner, and 18 more) plus MaxMind's hosting ASN classification.
3.5% of pop traffic in our dataset came from hosting providers — not residential IPs. That traffic is overwhelmingly automated.
7. Sec-Fetch Header Physics (Key Signal)
This is our highest-confidence human verification signal. Modern browsers (Chrome 76+, Firefox 90+, Edge 79+) send Sec-Fetch-Dest, Sec-Fetch-Mode, and Sec-Fetch-Site headers on every request. These headers are:
- Browser-enforced: JavaScript cannot set or modify them
- Unforgeable: Only the browser engine can generate them
- Consistent: Real browsers always send them with correct values
In our dataset, 98.5% of accepted traffic had valid Sec-Fetch headers. When these headers are missing or invalid, it is strong evidence of automated traffic. Bots using raw HTTP libraries (curl, python-requests, Go-http-client) cannot generate valid Sec-Fetch headers without embedding an actual browser engine.
8. Chrome Build Analysis
Chrome 110+ (released October 2022) implements User-Agent Reduction — a W3C privacy feature that sends Chrome/131.0.0.0 instead of the full build number. This is normal and expected for modern browsers.
But Chrome versions before 110 with .0.0.0 build numbers? That is suspicious. Pre-110 Chrome always sent real build numbers like Chrome/109.0.5414.87. A pre-110 version with zeros means someone is using a fake user agent string.
We also catch impossible Chrome versions (anything above 160 in April 2026 is fake), Chrome on dead operating systems (Windows XP, Vista, 7 with Chrome 110+), and the Andr0id typo that appears in certain bot frameworks.
9. Burst Rate Detection (3,862 blocks)
When the same IP sends 5+ requests within 60 seconds, that is not human browsing. We track request frequency per IP using in-memory counters (APCu) and apply escalating penalties:
- 5 requests/minute: Soft penalty (-1.0 trust)
- 10 requests/minute: Medium penalty (-1.5 trust)
- 20+ requests/minute: Hard lockout (trust = 0)
Burst detection caught 3,862 automated scripts in our RTB data and 320 in click traffic.
10. Threat Intelligence Feeds
We ingest two real-time threat intelligence feeds:
- FireHOL Level 1: Aggregated IP blocklist from 30+ threat sources, updated every 6 hours. Contains known botnet C&C servers, scanning infrastructure, and attack IPs.
- CrowdSec Community: Crowdsourced attack intelligence from 200,000+ deployed sensors worldwide. Catches IPs actively attacking web infrastructure.
These feeds caught 530 events in our pop traffic dataset — a small number, but every single one was a confirmed malicious IP. The overlap between these feeds and our behavioral detection is minimal, which means they catch threats that behavioral analysis alone would miss.
What About the Other 51%?
Remember that Imperva stat? Here is what it actually means for pop traffic:
| Traffic Type | Typical Bot Rate | Source |
|---|---|---|
| All internet traffic | 51% | Imperva 2024 report |
| PPC / Google Ads | 5-15% | Spider AF white paper (4.15B clicks) |
| Display / Programmatic | 20% | CHEQ research (2026) |
| Pop traffic (best network) | 1.5% | PureGuard data (12.7M events) |
| Pop traffic (worst network) | 66% | PureGuard data (12.7M events) |
| Pop traffic (weighted avg) | ~15% | PureGuard data (12.7M events) |
Pop traffic bot rates are not uniformly 51%. With the right network and proper filtering, you can achieve bot rates as low as 1.5%. With the wrong network and no filtering, you are burning two-thirds of your budget.
The Zone Problem: 26.7% of Zones Are Bot Farms
Networks do not control individual placements (zones). A single ad network might have 10,000 active zones. Some are legitimate publisher websites. Some are parked domains running automated traffic generators.
We scored 21,440 unique zones with our Zone Quality Engine (14 block rules + 3 whitelist rules). The results:
The distribution is stark. More than 1 in 4 zones are confirmed bot operations. Only 51 zones — 0.2% — earned trusted status by consistently delivering high-quality human traffic.
Zone-level intelligence is the difference between a profitable campaign and a money pit. Blocking the worst 27% of zones does not reduce your traffic volume by 27% — it eliminates the 27% that was never going to convert anyway.
Bot Zone Rates by Network
| Network | Zones Analyzed | Bot Zones | Bot Zone Rate |
|---|---|---|---|
| HilltopAds | 864 | 73 | 8.4% |
| RollerAds | 2,426 | 381 | 15.7% |
| ZeroPark | 13,812 | 3,334 | 24.1% |
| PopCash | 530 | 202 | 38.1% |
| TrafficNomads | 252 | 125 | 49.6% |
| PopAds | 2,837 | 1,457 | 51.4% |
HilltopAds has the cleanest zone inventory — only 8.4% of zones are bots. PopAds has the dirtiest — more than half of all zones are confirmed bot operations. But PopAds is also one of the cheapest networks at $0.50 CPM. If you can identify and block the bad 51%, the remaining 49% can be profitable.
The 5 Bot Types We See Most in Pop Traffic
Not all bots are the same. Understanding the types helps you understand what your detection tool needs to catch:
Type 1: Headless Browser Bots (7.6% of RTB rejects)
These use automation frameworks like Puppeteer, Playwright, or Selenium to control a real Chrome browser. They generate realistic-looking traffic but often leak signals: missing Sec-Fetch headers, impossible Chrome versions, or known bot UA strings.
Type 2: WebView Ad Fraud (6.5% of RTB rejects)
Mobile apps that load ad impressions in embedded WebView components. The user never sees the ad — it loads in the background while they use the app. The telltale Version/4.0 string in the user agent identifies these instantly.
Type 3: Datacenter Proxies (3.5% of pop traffic)
Traffic originating from cloud servers (AWS, GCP, OVH, Hetzner) rather than residential ISPs. Sometimes these are VPN users, but in pop traffic, datacenter IPs are overwhelmingly automated. We verify using MaxMind ASN databases and a curated list of 24 hosting ASNs.
Type 4: Geo Spoofing (14.1% of RTB rejects)
Traffic claiming to be from a high-CPM country (US, UK, Germany) but actually originating from a low-cost region. The economic incentive is clear: US pop traffic pays 5-10x more than Southeast Asian traffic. We cross-reference declared geo with actual IP geolocation to catch this.
Type 5: Chrome Masquerade (0.3% of blocks)
Bots that forge Chrome user agent strings but get the details wrong. Chrome on Windows XP (impossible since Chrome dropped XP support in 2016). Chrome 109 with .0.0.0 build numbers (UA Reduction only started in Chrome 110). Chrome 165 (latest stable is 131 as of April 2026). These are easy catches individually, but they add up.
Why Server-Side Detection Matters for Pop Traffic
Most ad fraud tools (ClickCease, Lunio, FraudBlocker) work by injecting JavaScript into your landing page. The bot loads your page, executes the JavaScript, and then gets flagged.
The problem: With pop traffic, the bot has already consumed your impression, triggered your redirect, and cost you money by the time any client-side JavaScript can execute. You cannot un-spend that click.
Server-side detection works differently. Every click is analyzed before any redirect happens. The bot never reaches your money URL. Your budget is never consumed. The entire analysis takes under 5 milliseconds — faster than a page load.
This is not a theoretical difference. In our dataset, server-side filtering saved the equivalent of $0.15 per dollar spent on an average pop traffic campaign. On bad networks, it saved $0.40+ per dollar.
The Real Numbers: What This Means for Your Budget
Let us run the math on a $1,000/month pop traffic campaign:
| Scenario | Monthly Spend | Bot Rate | Wasted | Real Humans |
|---|---|---|---|---|
| No filtering, bad network | $1,000 | 66% | $660 | $340 worth |
| No filtering, avg network | $1,000 | 15% | $150 | $850 worth |
| With zone blocklist, avg network | $1,000 | 8% | $80 | $920 worth |
| Best network + full filtering | $1,000 | 1.5% | $15 | $985 worth |
The difference between the worst case and best case is $645 per month. Over a year, that is $7,740 on a $1,000/month budget. Scale to $10,000/month and you are looking at $77,400 in annual savings.
How to Reduce Your Bot Rate Today
Based on our analysis of 12.7 million events, here are the three highest-impact actions:
1. Choose Your Network Carefully
This is the single biggest lever. Moving from a 66% bot rate network to a 1.5% bot rate network is a 44x improvement — no tool can match that impact. ClickAdilla RTB, HilltopAds, and AdOperator consistently deliver the cleanest traffic in our data.
2. Implement Zone-Level Blocking
Even on good networks, 8-15% of zones are bot operations. Building and maintaining a zone blocklist based on real detection data (not just conversion rates) eliminates the worst offenders without reducing your overall volume significantly.
3. Use Server-Side Detection
Client-side JavaScript cannot protect pop traffic. By the time JS executes, the impression is consumed. Server-side detection filters bots before they cost you anything — and runs in under 5ms per check.
Methodology
All data in this study comes from live production servers processing real traffic between February and April 2026. The detection engine uses 22 configurable layers with 184 pattern rules, cross-referenced against MaxMind GeoIP2 databases, FireHOL Level 1 blocklist, and CrowdSec community intelligence.
Trust scores range from 0 (confirmed bot) to 10 (confirmed human). The acceptance threshold is 5.5 — traffic scoring below this is blocked. Each event is scored independently across all 22 layers, and the final trust score is a composite of all bonuses and penalties.
No synthetic traffic was used. No test data was included. Every number in this article reflects real ad impressions, real bid requests, and real clicks from real advertising campaigns.
See Your Real Bot Rate
Connect your pop or push campaign to PureGuard and see exactly how much of your traffic is bots — signal by signal, zone by zone. Shadow mode shows you the data without blocking anything.
Start Free — 100K ChecksNo credit card. Shadow mode available. See your data before committing.