Nine Documents, One Gap.
Between April 2 and May 26, 2026, nine independent institutional events documented the same structural condition. None coordinated. Eight identify the gap. The ninth remains unspecified.
An independent observatory for receiver-side behavioral measurement of automated activity directed at the public web. Evidence, not enforcement.
Research notes, behavioral briefings, and field reports issued by the Observatory. Findings are cryptographically signed and referenced against established frameworks.
The Observatory measures the conduct of automated actors from the receiving side of the public web. Each observation is recorded, characterized, and referenced against named frameworks. The classification is the product. The Observatory does not sell — and has no commercial interest in — the blocking, gating, or runtime tools whose business depends on that classification.
This separation is the source of the Observatory's authority. When the vendor that sells bot management is also the one classifying traffic, the vendor decides what counts as malicious — and that decision shapes their next renewal. The Observatory operates outside that circuit.
Findings are signed with Ed25519 and timestamped in an immutable evidence chain. Reports are verifiable independently of which WAF, CDN, or bot-management stack sits in front of the property. The evidence is intended to be independently verifiable without recourse to the Observatory.
The Observatory accepts engagements selectively. All terms are quoted on request, after correspondence and review of fit. The Observatory does not operate a checkout surface.
A forensic engagement on a single property. Receiver-side behavioral profiling of automated actors, with ASN attribution, threat-intelligence cross-reference, and full behavioral mapping. Evidence signed.
Sustained independent telemetry of bot and agent conduct against the property. Periodic signed reports, mapped to public bot registries and framework controls. Findings forensically usable as standalone evidence.
For organizations operating at scale. Custom scope and data-handling arrangements. By introduction only.
BotConduct is an independent behavioral observatory. It measures the conduct of automated actors from the receiving site's perspective and produces diagnostic evidence. It is not a certification body. It does not certify products, brands, or counterparties.
Methodology is informed by, and consistent with, frameworks established in recent academic research — including DeepMind's "Practices for Governing Agentic AI Systems" (2024) and the OWASP Top 10 for Agentic Applications — extended with empirical receiver-side observation across multiple jurisdictions and verticals.
Every observation is signed with Ed25519 and timestamped in an immutable evidence chain. Evidence is referenced against NIST AI RMF, OWASP Top 10 Agentic, MITRE ATLAS, EU AI Act, Colorado AI Act, and RFC 9309. The Observatory's working language is English; correspondence is also accepted in Spanish.
Operated from Buenos Aires, Argentina.
Data processing: EU-region infrastructure (Finland).
Working languages: English, Spanish.
Custom jurisdictional arrangements (US data residency, GDPR DPA, HIPAA, etc.) established per enterprise engagement during onboarding.
For property operators seeking receiver-side intelligence on a subscription basis, the Observatory operates a public access point under the WhoWatches mark — a curated cohort with monthly bulletins signed by the Desk. Enterprise engagements remain with BotConduct.
For engagement enquiries and correspondence. Replies are by the Desk, in writing, within five working days.
Address correspondence to the Observatory Desk. Indicate jurisdiction, form of engagement, and a brief description of the matter under review. The Desk will respond, by name.