How Inspector Works

By deploying synthetic users, disguised as honeypot customers, Inspector autonomously simulates real user behavior. Inspector’s synthetic users are able to complete real user tasks and are able to identify malicious scripts and unauthorized actions on JavaScript web assets.

Collecting Real-Time
Information On What Your
End Users Experience

Feroot Security Inspector uses headless browsers to navigate through all of your JavaScript website and web application pages in order to gather real-time information about how your website works from your end users perspective.

During scans, Inspector’s synthetic users act precisely the same way as regular users do. These synthetic users can complete a variety of activities, including but not limited to:

  • Scrolling through pages
  • Submitting forms
  • Solving Captchas
  • Entering financial information
  • Clicking active links
  • Watching embedded videos
  • Waiting for pages to load
  • Navigating between pages
  • Clicking on, opening, and closing pop-up messages
  • Visiting the webpage from any geographic location
  • Following custom instructions provided

Each interaction a synthetic user has with your web application is logged and monitored from the security perspective. Inspector undertakes a behavioral analysis and injects logic into each page to gather information that is difficult to collect manually, including:

  • The type of data collected by forms.
  • The type of data third-party scripts have access to.
  • Any first- and third-party scripts that are fingerprinting users and their browsers.
  • The types of trackers that are deployed on the page and their activities.
  • The existence of any forms or third-party scripts transferring data across national boundaries or to unauthorized entities.
  • Any first- and third-party scripts which are being loaded directly into the user’s browser.
  • Any first- and third-party scripts that are being sideloaded or chainloaded into the user’s browser.
  • The presence of any malicious hosts exfiltrating data.
  • Whether any data is being exfiltrated via websockets and the location where it is being exfiltrated.

Inspector scans support GEO IP fencing mechanisms to replicate user interactions with your website from any geographic location. This way you are able to understand if your website behaves differently if loaded in any country, from Australia to Zimbabwe.

Web Application
Behavioral Analysis,
Machine Learning and
Reporting to Drive Security

Feroot Security Inspector doesn’t just evaluate your web applications for security issues. It also performs a post-scan informational analysis to arm you with synthesized intelligence to secure your web application from harm.

Inspector analyzes all information synthetic users collect and enumerates client-side threat intelligence for you and your team to act on quickly and effectively. Built-in machine learning capabilities also identify and classify data to detect and report on a variety of client-side security challenges. Intelligence in our reports includes:

  • Active malware
  • Live marketing or other tracking software
  • Geographic IP information
  • Obfuscated scripts
  • Data assets collected (financial, PII, etc.)
  • Historical overview of your client-side attack surface
  • Client-side security trends
  • Types of webpages (login, billing, etc.)
  • SSL issues
  • Known JavaScript vulnerabilities

Finally, all of the client-side security intelligence that Inspector collects and distills is presented to you in our UI or can be ingested into your security technologies via our REST API.

Want to see
Inspector in action?

Security Outcomes

Identify Your Web Asset Inventory

Reveal and protect your entire client-side attack surface.

Stay Ahead
of Client-side Threats

Patch hidden and exploited code vulnerabilities immediately.

Significantly Reduce
Cyber Risk

Uncover abnormal web application behaviors and threats.

Ensure Effectiveness of Your Client-side Security Controls

Make sure to get the most out of your Content Security Policy (CSP) and Web Application Firewall (WAF).

Continuously Test and Protect Your Web Applications

Thrive by continuously testing and protecting your web applications, websites, and your entire attack surface.

Maintain Compliance Indefinitely

Stay ahead of current and future data privacy regulations.

Stop Client-side Threats Immediately

Discover and utilize mitigation advice to stop e-skimming, cross-site scripting, formjacking, and other client-side attacks.

Protect Your Business and Your Customers

Uncover and address JavaScript security issues in real-time, all the time.

Still unsure? Learn how the team at Quickbase uses Inspector to secure their client-side web applications.

Integrate Client-Side
Security With Your Existing
Technologies and Processes


Inspector’s OpenAPI can integrate with cybersecurity products, application development technologies and ticketing systems, so that Inspector scans results, alerts, and telemetry can be further operationalized. Current integrations include:

Embed Feroot Security
Into Your Existing Workflows

Inspector was designed to complement your current security workflows. Not only is our platform easy to use on its own, it is also easy to integrate with your current technologies and processes. Here’s a quick summary of how our customers integrate Inspector into their workflows to build world-class client-side security capabilities.

Want to see
Inspector in action?