How BCS works, where it fits in your stack, and what it's not.
BCS is a behavioral governance layer for automated web traffic. It sits on top of existing bot management stacks (Cloudflare, DataDome, in-house rules) and adds granular classification per operator: a Fast Pass for certified good actors, fall-through to existing security for everyone else. BCS is not an anti-bot firewall and does not replace any security vendor.
BCS does not compete with Cloudflare or DataDome — it complements them. Those products detect and block threats. BCS classifies and governs the automated traffic they correctly let through. You keep your existing security stack; you add one API call per suspect request that returns a behavioral score. Sites decide policy based on the score.
BCS is a network-effect product. Production use began April 2026 with ImportSignals as the first integration. Adoption compounds with each new site and operator. The registry currently includes 170+ scored bots, including GPTBot, ClaudeBot, Googlebot, Bingbot, Applebot, and others.
No, and that is intentional. Measuring the cognitive capability of autonomous software is subjective and unauditable. BCS measures observable conduct across ten behavioral dimensions — identity stability, respect for site signals, consistency across sessions, and several others. Observable conduct is what sites need to make governance decisions; intelligence is not.
BCS is designed for operators who want portable reputation across the web. The scoring engine runs server-side and the rubric is proprietary; specific signals are not disclosed publicly. Operators who actively want to avoid reputation carry legitimate automation to other tools (proxy services, fingerprint rotation) — they are not BCS's target users. BCS does not claim to stop evasion; it claims to provide trust signals for legitimate operators.
Three to five lines of middleware in any backend language. One HTTP POST to the BCS verdict API per suspect request. The API returns a score, rating, and recommended action. The site decides the policy. No CDN changes, no browser fingerprinting library, no mandatory SDK. Existing security stack is untouched.
Yes, at all three identity levels (self-declared, email-verified, cryptographic). Operators are the network asset, not the revenue source. Revenue comes from sites consuming the verdict API via paid tiers. The more operators certify, the more valuable the API becomes for sites.
Level 3 operators generate an Ed25519 keypair, upload the public key to BCS, and sign every production request with the private key. Sites integrating BCS verify the signature against the stored public key, giving cryptographic proof that the request comes from the certified operator. This is the Fast Pass — certified operators are recognized at every BCS-integrated site without bilateral setup.
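The Level 3 flow described above, sketched in Node.js as an added example (not BCS's own code or wire format): the canonical signed string, the field names, the operator id and the 300-second freshness window are all assumptions, since this page does not reproduce the spec. It shows why the signature should cover method, host, path and timestamp, so that a captured signature fails on a different or later request.

```javascript
// Added illustration. Signed-string layout, field names and the 300 s window
// are assumptions, not the BCS wire format.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed freshness window

// Canonical string both sides sign/verify; binds the signature to one request.
function canonicalString(req) {
  return [req.operatorId, req.method.toUpperCase(), req.host.toLowerCase(),
          req.path, String(req.timestamp)].join('\n');
}

// Operator side: sign with the Ed25519 private key, which never leaves the operator.
function signRequest(req, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonicalString(req)), privateKey);
  return { ...req, signature: sig.toString('base64') };
}

// Site side: look up the stored public key and verify. Returns a reason string
// so the caller can log why a request fell through to the existing security stack.
function verifyRequest(req, registry, nowSeconds) {
  const publicKey = registry.get(req.operatorId);
  if (!publicKey) return 'unknown-operator';
  if (!Number.isInteger(req.timestamp) ||
      Math.abs(nowSeconds - req.timestamp) > MAX_SKEW_SECONDS) return 'stale';
  const sig = Buffer.from(String(req.signature), 'base64');
  if (sig.length !== 64) return 'bad-signature'; // Ed25519 signatures are 64 bytes
  const ok = crypto.verify(null, Buffer.from(canonicalString(req)), publicKey, sig);
  return ok ? 'verified' : 'bad-signature';
}

// Constructed demo data: one operator keypair and a registry of public keys.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const registry = new Map([['operator-example', publicKey]]);
  const now = 1767225600; // constructed fixed clock value
  const signed = signRequest({ operatorId: 'operator-example', method: 'GET',
    host: 'shop.example', path: '/catalog?page=2', timestamp: now }, privateKey);
  return {
    genuine: verifyRequest(signed, registry, now),
    tamperedPath: verifyRequest({ ...signed, path: '/admin' }, registry, now),
    replayedLater: verifyRequest(signed, registry, now + 3600),
    unknownOperator: verifyRequest({ ...signed, operatorId: 'someone-else' }, registry, now),
  };
}
console.log(demo());
```

A timestamp window only bounds replay; rejecting a repeat inside the window additionally needs a per-operator nonce or seen-signature cache.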
BCS receives only request signals (User-Agent, headers, behavioral markers) — never request bodies, end-user PII, or credentials. Raw logs rotate at 90 days. Enterprise Zero Retention Mode retains no per-request data at all; scoring happens in memory only. GDPR-aligned: data minimization, purpose limitation, right to deletion.
ImportSignals is the first production site integrating BCS in enforcement mode. The public registry includes 170+ observed bots including GPTBot (OpenAI), ClaudeBot (Anthropic), Googlebot (Google), Bingbot (Microsoft), Applebot (Apple), Bytespider (ByteDance), YandexBot, Baiduspider, redditbot, AhrefsBot, and others. Outreach to additional operators and sites is ongoing.
Can't find your question? hello@botconduct.org · @botconduct