Bots, VPNs and Datacenter Traffic: How Cloackit Decides

Not every blocked visitor is a "bot" in the obvious sense. Cloackit scores each visitor across several independent signals and combines them into a verdict: allow, flag, challenge or block. IP intelligence. The visitor's IP is checked against public threat-intelligence feeds (millions of known-bad addresses) and tagged as datacenter, VPN or bot-network where applicable. Datacenter and hosting IPs are where most crawlers and ad-review bots live. Headers and user-agent. Real browsers send a consistent set of headers — Accept, Accept-Language, Accept-Encoding and client-hints. A "Chrome" user-agent with no client-hints, or missing headers, is a strong bot signal. Known crawlers. Googlebot, Bingbot, Ahrefs, headless Chrome, Puppeteer, curl and friends are matched directly by user-agent. The key design choice in Cloackit is that these controls are independent. You can allow real people on a VPN to reach your offer while still blocking raw datacenter traffic, blacklisted IPs and bot networks — because a real person on a VPN still passes the header and behavior checks, while a datacenter scraper does not.