🛡 A PrivacyHash Security product

Invisible armour for
modern website threats

GhostGuard silently analyses every session and email connection — blocking bots, scrapers, credential stuffers, and mail abusers before they reach your application. Zero friction for real users.

Start 14-day free trial See how it works
No credit card required 14-day full-feature trial Cancel anytime
24
Detection signals
<2ms
Scoring latency
99.9%
Pro uptime SLA
0
CAPTCHA friction
Web + Mail
Protection layers
35+
Policy keys
Platform capabilities

Everything between your platform and the threats

GhostGuard covers the full attack surface — not just form spam, but scrapers, session hijackers, credential stuffers, and mail abusers.

🧠
Behavioural biometrics
Analyses typing rhythm, key hold timing, mouse trajectory curvature, and scroll inertia. Humans have natural variance bots cannot replicate — even with sophisticated headless emulation.
Typing cadenceMouse curvesIdle patterns
🔎
Browser fingerprinting
Silent probes across Canvas, WebGL renderer, AudioContext, font enumeration, hardware concurrency, and the navigator.webdriver flag. Headless Chromium and Playwright leave distinct, detectable signatures.
WebGLCanvasAudioHeadless detect
Email threat intelligence
Scores SMTP connections on handshake timing, header integrity, SPF/DKIM/DMARC chain, subject entropy, HTML/text ratio, link density, and burst patterns — before the message body is accepted.
SMTP timingAuth chainEntropy scoring
🚫
Instant silent banning
Sessions scoring below your threshold are banned silently — no error page that reveals detection. The attacker receives a normal-looking response while your application never processes their request.
IP banSession banSilent 403
📊
Real-time threat dashboard
Live activity feed, hourly charts, per-domain breakdown, and full ban-list management. Every blocked session shows its score, verdict, and the exact signals that triggered detection.
Live feedChartsPer-domain
🔗
PHP library + Webhook API
Three-line PHP integration for any existing application. Webhooks push scored events to your CRMs, SIEMs, and logging pipelines in real time. Full REST API on Pro and Enterprise.
PHP libraryWebhooksREST API
🛠
Tunable rule engine
16 detection rules, each independently togglable with per-rule weight multipliers. Raise or lower the global block threshold. Create domain-specific overrides to match your exact threat model.
16 rulesWeight tuningPer-domain config
🔒
Privacy-first by design
No key values, passwords, or form content ever collected. Session IDs are random tokens with no identity link. GDPR-compliant under Recital 47. Visitors informed via optional protection badge.
No PIIGDPR Rec.47Transparent
All 24 detection signals
Typing cadence Key hold duration Bigram latency Paste detection Mouse trajectory Click velocity Scroll inertia Focus rhythm Event jitter WebGL renderer Canvas probe Audio fingerprint Webdriver flag TZ/locale mismatch Idle gap analysis Time on page SMTP handshake timing Header chain integrity SPF / DKIM / DMARC Subject entropy HTML/text ratio Link density Message-ID entropy Send burst rate
Web protection Email protection
Technical overview

How GhostGuard works

Scoring happens entirely server-side. The client never sees a score, a threshold, or any detection logic — there is nothing to reverse-engineer from the browser.

1

Collector loads silently

A <2KB async script loads with your page. It gathers timing signals and browser probes — no key values, no form content, no PII.

2

Signals beacon to your server

Every 30 seconds a JSON bundle posts to your private endpoint. Async, non-blocking, and completely invisible to visitors.

3

Scoring engine runs server-side

The Python scoring brain analyses all signals with weighted algorithms — typing variance, mouse curvature, fingerprint checks, event jitter. Produces a score of 0–100.

4

Your PHP enforces the verdict

Three lines at the top of any sensitive page. The GhostGuard client silently exits with 403 if the session is a bot. Real users never notice.

5

Dashboard shows everything

Every blocked session, every mail connection scored, every ban logged — with score, verdict, reasons, and full timestamp.

// Add 3 lines to any PHP page you want to protect
require_once '/gg-client.php';
$gg = new GhostGuard('GG-your-key');
$gg->protect();

// Verdicts
score: 91 verdict: human → allow
score: 48 verdict: suspicious → flag
score: 12 verdict: bot → silent ban

// Email verdicts
score: 87 verdict: clean
score: 31 verdict: spam
score: 06 verdict: abuse
🛡 Visitor transparency
Owners display a simple badge near protected forms. No puzzles, no friction — just a quiet notice that bots are not welcome.
🛡 Protected by GhostGuard   |   ghostguard.privacyhash.com
Technical architecture

Three layers. Zero friction. Nothing to reverse-engineer.

GhostGuard's architecture separates collection, scoring, and enforcement into isolated layers. The customer website never touches scoring logic — it only calls a remote decision endpoint.

1
JS Signal Collector
The GhostGuard JS collector loads asynchronously on the customer's site. Over 2–10 seconds it gathers 24 behavioural and fingerprint signals, sets a a session cookie, and sends the bundle to the GhostGuard collection endpoint. No key values, no form content, no PII — ever.
Async <2KB CORS-validated Origin whitelist
2
Customer PHP Client
The GhostGuard PHP client lives on the customer's own server. It sends a remote decision request with the session ID, IP, user-agent, and host to the GhostGuard guard API. No GhostGuard internals are present on the customer server — nothing to steal, nothing to tamper with.
Fail-open 2s timeout Downloadable
3
Server-side Decision
GhostGuard validates the API key and domain, reads the stored score from the database, and returns a JSON verdict. The customer PHP client exits 403 silently on block. The attacker sees a normal response. Real users are never interrupted.
Score never exposed Silent ban Fail-open
Scoring pipeline — what happens after signals arrive
RECEIVE

Signal ingestion

The collection endpoint validates the API key and origin. Writes session and signal data to the database. Fires the scoring engine asynchronously — zero blocking for the visitor.

ANALYSE

Python scoring engine

730-line scoring brain runs 6 weighted analysers: typing cadence, mouse dynamics, session timing, browser fingerprint, event jitter, and cross-tenant reputation.

VERDICT

Score 0–100 written

Score and verdict stored in sessions table. Full explanation JSON saved to session_verdicts with per-signal confidence values.

ENFORCE

Decision returned

Guard check reads verdict, checks ban list, applies threshold. Returns allow/block. Auto-bans bot sessions to ban_list for future requests.

Score interpretation — 0 to 100 (higher = more human)
Default thresholds are admin-configurable at the platform, account, and domain level independently.
0 — Bot → Silent ban (score < 35) Suspicious → Monitored (35–65) Human → Allow (score ≥ 65)
Email protection

The same intelligence applied to your inbox

GhostGuard extends its scoring engine to SMTP connections — catching spam campaigns, phishing, and mail-bombing before they reach your users or your contact forms.

SMTP handshake timing

Legitimate mail servers have natural variance across EHLO, MAIL FROM, RCPT TO, and DATA phases. Bots complete the entire handshake in under 100ms with zero variation.

Header integrity scoring

Checks Received chain length, Date header skew, Message-ID entropy, MIME boundary randomness, and the full SPF/DKIM/DMARC authentication chain.

Content entropy analysis

Subject line entropy detects obfuscated spam subjects. HTML-to-text ratio near 1.0 is a bulk-template signal. Excessive unique link domains indicate phishing campaigns.

Burst rate detection

Tracks per-sender rate in real time. More than 20 messages per minute from a single source triggers immediate suspicious scoring regardless of other signals.

PHP contact form integration

Drop MailSensor into your PHP mail handler. Record signals from any inbound message in four lines and get a scored verdict before you process it.

Live mail scoring — sample verdicts
newsletter@acme.com
89Clean
noreply@promo-x.tk
34Spam
bounce-8821@xvf.ru
8Abuse
info@supplier.co.uk
91Clean
bulk-001@mass-x.net
14Abuse
client@agency.com
94Clean
Scored in real time — before the message body is accepted by your MTA.
Network intelligence

Every blocked session makes the next one easier to catch

GhostGuard builds a cross-tenant reputation graph from anonymised observations. IPs, /24 networks, and browser fingerprints seen across multiple accounts carry compounding risk weight — without ever sharing identifiable data between subscribers.

🔐
HMAC-SHA256
All entity hashes — IP, network, fingerprint. Raw values never stored in reputation tables.
🌐
/24 networks
IPv4 /24 and IPv6 /48 network blocks tracked independently from individual IPs for broader signal coverage.
📈
Confidence-weighted
Risk score confidence grows with observation volume and tenant diversity — conservative by design, not reactive.
🔒
Opt-in sharing
reputation_share_enabled policy key. Off = you benefit from the network but don't contribute observations.
Risk formula
// Reputation risk score (0.0 – 1.0)
risk = (bad * 1.0 + suspicious * 0.45)
      / total_observations

// Confidence grows with volume + diversity
conf = min(1.0, log1p(seen) / 4.0
       * (0.65 + min(0.35, tenants / 10)))

// Applied to session score at weight 1.6
influence = reputation_weight * reputation_influence
Policy & privacy controls
Platform
Platform defaults
Admin sets baseline weights, thresholds, and global lock. Can prevent subscriber override.
Account
Account flags
Subscriber tunes 35+ policy keys: signal weights, ban duration, retention, reputation influence.
Domain
Domain overrides
Per-domain threshold overrides. One domain can block at 40, another at 25, from the same account.
Why GhostGuard

Built differently from day one

Capability GhostGuard reCAPTCHA v3 Turnstile Generic WAF
Score never exposed to client Server-only JS-exposed
Self-hosted / your data Your server Google Cloudflare~ Varies
Email threat scoring~ Limited
Behavioural biometrics 16 signals~ Google-only
Tunable per-domain rules~
PHP 3-line integration
No third-party data sharing Google Cloudflare~
Transparent visitor badge Built-in
Simple pricing

No surprises. No overage penalties.

Every plan includes the full 24-signal engine and both web and email protection. You only pay for scale.

Starter
$19
per month  ·  $190/year
  • 100,000 sessions / month
  • 3 protected domains
  • Web & email protection
  • Full 24-signal engine
  • Threat dashboard
  • Community support
  • Custom rules
  • Webhooks & API
  • SLA guarantee
Get started
Enterprise
$299
per month  ·  $2,990/year
  • Unlimited sessions
  • Unlimited domains
  • Web & email protection
  • Full 24-signal engine
  • Threat dashboard
  • Dedicated engineer
  • Custom rules & weights
  • Webhooks & REST API
  • 99.99% uptime SLA
Contact us

All plans include a 14-day free trial. Billed in USD. Cancel anytime.

Adaptive intelligence

The platform learns and recommends — you decide

GhostGuard continuously analyses your traffic and generates threshold and weight recommendations with confidence scores. You approve, simulate, or dismiss — nothing changes in production without your action.

Tighten block threshold
Triggered when bot rate ≥ 22% in the last 24h. Recommends raising the block threshold by a configurable step. Confidence ≥ 0.72 required before surfacing.
Widen suspect band
Triggered when suspect rate ≥ 30%. More traffic in the monitored zone improves observation before hard blocking. Prevents false-positive pressure.
Downweight noisy signals
When a signal fires frequently but with low average confidence, it's contributing noise. The engine recommends reducing its weight multiplier to 0.85×.
Monitor-only fallback
When average score drops below 42 with ≥ 35% combined threat rate, the engine recommends entering monitor-only mode while collecting action previews.
🛡
Safety model — no surprises
Monitor-only is ON by default. Auto-apply is OFF. Max 3 actions per hour. Every threshold change stores a rollback payload for one-click revert. Full audit trail in the mitigation_audit table. You are always in control.
Privacy & compliance

Built on the same principles as PrivacyHash

We teach cryptographic best practices at PrivacyHash. GhostGuard is held to the same standard — no third-party data sharing, no surveillance, no hidden tracking.

🔒
No PII collected
Timing values and boolean flags only. Key characters, form values, and passwords are never touched.
🌏
GDPR compliant
Legitimate interest basis (Recital 47). Transparent badge for visitors. No consent popup required.
🏠
Your server, your data
All signals, scores, and logs stay on your infrastructure. Nothing is sent to third parties.
👀
Transparent to visitors
A simple protection badge informs visitors their session is guarded — no puzzles, no friction.

Start protecting your platform today

14-day free trial. Full Pro features. No credit card required.

Create free account Read the docs
Setup in under 10 minutes 3-line PHP integration Delete any time