Skip to content

PerimeterX to HUMAN: the rebrand and what changed under the hood

· 19 min read
Copyright: MIT
perimeterx human-security anti-bot history
PerimeterX above HUMAN in monospace type, with an orange arrow pointing from the old name to the new one

If you maintain an HTTP client that touches retail, travel, or ticketing sites, you have run into a _px3 cookie and a JavaScript sensor that scores your session before the origin ever sees your request. For years that was PerimeterX. Then sometime in 2022 the block pages, the documentation, and the company behind them started saying HUMAN instead. The cookie names did not change. The CDN hostnames did not change. So what actually happened?

The short version: PerimeterX did not disappear and it was not bought by an unrelated giant. It merged with a company called HUMAN Security, which itself had been called White Ops until a year earlier. Two anti-bot companies that grew up solving different halves of the same problem fused into one. The interesting question for an engineer is not the press-release version. It is which parts of the detection stack genuinely combined and which parts kept running exactly as they had, under a new logo.

This post walks the chronology. First PerimeterX, where it came from and what it was built to stop. Then White Ops, the ad-fraud company that became HUMAN. Then the July 2022 merger, the money behind it, and how the two technologies were pitched as complementary. Finally the part that matters most if you are reverse-engineering traffic today: what changed under the hood versus what is branding, and how to read a HUMAN-era block page that still smells like PerimeterX.

2014 to 2021: PerimeterX, the client-side half

PerimeterX was founded in 2014 by Omri Iluz, Ido Safruti, and Ophir Ashkenazi. The three came out of Cotendo, a content delivery network that Akamai bought in 2012, so they arrived already steeped in how traffic actually moves between browsers and edge servers. The company set up in San Mateo with an Israeli R&D footprint, the usual shape for that generation of security startups.

The original product was Bot Defender. The premise was behavioral: instead of matching requests against a blocklist of known-bad IPs or signatures, watch how the client behaves and decide whether a human is driving. That meant putting JavaScript on the page. A small loader script pulls down a larger sensor module from PerimeterX infrastructure, the module instruments the browser, and it ships a telemetry payload back to a collector. The server-side enforcer then decides whether to serve, challenge, or block. The signals it collected were the ones you would expect from a client-side approach: properties of the JavaScript engine, the presence or absence of objects that a real browser exposes, mouse movement and timing, input cadence, local storage, and a pile of environment checks. A browser that sends a Chrome user-agent but has no window.chrome object is the canonical example of the kind of contradiction that scores badly.

That decision lives in a signed token. PerimeterX issues a cryptographically signed object carrying a score plus the pass/fail status of the tests it ran, and the enforcement module validates that signature before granting access. The visible surface of all this is a handful of cookies. The _px3 token is the short-lived risk verdict; a _pxhd value persists longer and ties a browser to its history; a _pxvid identifies the visitor. The exact internal layout of these tokens is not publicly documented, and anything claiming byte-level field names should be read with suspicion. What is observable from traffic is the lifecycle: a loader, a sensor fetch, a payload POST to a collector, a signed cookie, and an enforcement check on every subsequent request. We cover the cookie and sensor mechanics in more depth in the _px3 and PXHD writeup and the VID and bello-challenge piece.

Bot Defender: the client-side loop page loader small inline JS sensor module env + behavior collector scores payload signed verdict cookie _px3 / _pxhd / _pxvid *The PerimeterX client-side path: loader pulls the sensor, the sensor reports to a collector, the collector returns a signed verdict that lives in the _px3 family of cookies. None of this changed names at the merger.*

By the time it was acquired, PerimeterX had widened past pure bot blocking. Bot Defender stayed the flagship, but the company added Code Defender for client-side supply-chain threats (Magecart-style skimmers injected into checkout pages) and Page Defender for content manipulation. The money tracked the ambition. A Series C opened in February 2019 at $43 million led by Scale Venture Partners, then extended to $57 million that September with Deutsche Telekom Capital Partners and Salesforce Ventures topping it up. The customer base skewed hard toward e-commerce, travel, hospitality, and financial services. These are sites where the threat is account takeover, credential stuffing, scraping of pricing and inventory, and checkout fraud. The defense is application-layer and client-side, which is exactly where PerimeterX had built.

Code Defender deserves a note of its own, because it tells you how PerimeterX thought about the problem. Bot Defender watches the client to decide if a human is driving. Code Defender watches the client to decide if the page itself has been tampered with, specifically whether third-party scripts on a checkout page are exfiltrating card data to a domain they have no business talking to. That is the Magecart threat, named after the loose set of groups who inject skimmers into e-commerce front ends. The two products share a worldview. Both assume the browser is the place where the truth lives and the server cannot see it directly, so you put instrumentation in the page and report back. This is the deep difference between PerimeterX and a pure network-layer defense, and it is worth holding onto, because it is exactly the half of the merged company that kept its architecture afterward.

There is a reason the client-side approach is sticky. Once you have a sensor on the page, adding a new check is a backend deployment, not a customer integration. The same JavaScript that fingerprints the browser for Bot Defender can be asked to watch for skimmers for Code Defender, and a customer who installs one tag gets the option of the other without touching their stack again. That economy is what makes a client-side vendor hard to displace once it is embedded, and it is part of what made PerimeterX worth merging with rather than competing against.

Hold that shape in mind. Client-side sensor, application-layer enforcement, e-commerce customers, account-abuse threat model. The company it merged with had the mirror image of all four.

2012 to 2021: White Ops, the ad-fraud half, and where the name HUMAN came from

White Ops started in 2012 in New York, by most accounts literally in the back of a science-fiction bookstore in Brooklyn. The founding group was Tamer Hassan, Michael Tiffany, Ash Kalb, and Dan Kaminsky, the security researcher best known for the 2008 DNS cache-poisoning flaw that quietly got patched across the entire internet before he disclosed it. Kaminsky was chief scientist until his death in April 2021, at 42, from diabetic ketoacidosis. His fingerprints are on the company’s early posture: treat bot detection as an adversarial measurement problem, not a checkbox.

White Ops solved a different problem than PerimeterX. Its world was advertising fraud. When an advertiser pays for an impression or a click, the open question is whether a person was actually on the other end or whether a botnet farmed the event for money. That is a “bot or not” verdict made at the scale of the programmatic ad ecosystem, billions of events a day, and it has to be made server-side and after the fact as much as in real time, because the fraud hides inside legitimate-looking traffic.

The work that made the company’s name was a series of takedowns rather than a product launch. In 2016 White Ops disclosed Methbot, an operation running fake video-ad views off a datacenter farm of spoofed traffic. The bigger one was 3ve, pronounced “Eve,” a botnet that White Ops first spotted in 2016 and that had been running since at least 2013. At its peak 3ve controlled more than a million residential and corporate IP addresses, generated over three billion fraudulent ad bid requests a day, and skimmed roughly $30 million before it was dismantled. The takedown in late 2018 was a joint operation with Google, the FBI, the Department of Homeland Security, and a long list of ad-tech and antivirus firms. The Justice Department unsealed indictments against eight people. White Ops and Google co-published a technical paper on how 3ve worked and how it was killed, and that paper is still one of the better primary-source reads on industrial-scale ad fraud.

Two halves of one problem PerimeterX client-side sensor application-layer enforcement e-commerce, travel, finance account takeover, scraping White Ops / HUMAN server-side verdicts ad-impression integrity advertising and media ad fraud, fake views *Before 2022 the two companies barely competed. One watched browsers on retail sites; the other audited ad impressions across the programmatic ecosystem. The merger was an attempt to point both lenses at the same traffic.*

Then the corporate machinery turned. In December 2020 White Ops was acquired by Goldman Sachs’ merchant banking division, partnered with ClearSky Security and NightDragon. Terms were not disclosed. Around the same time the company verified something on the order of 10 trillion interactions a week, the figure it used to describe its visibility into traffic.

The rebrand came a few months after the acquisition closed. Hassan signaled in October 2020 that a new identity was coming, on the explicit ground that the name “White Ops” carried a “toxic association of good and bad with colour and race.” On March 30, 2021, White Ops reintroduced itself as HUMAN. The chosen name pointed at the product thesis: the job is to tell humans from bots and keep digital experiences human. The detection engine got a name too, the Human Verification Engine, and the company leaned on a phrase it would repeat for years, “collective protection,” the idea that watching enough of the internet at once lets you defend each customer with signal drawn from all of them. So when you saw block pages flip from White Ops to HUMAN through 2021, that was a rename of one company, before PerimeterX was anywhere in the picture. The two-step is the thing people conflate. White Ops to HUMAN was 2021 and was just a rebrand. HUMAN plus PerimeterX was 2022 and was an actual merger.

July 2022: the merger

On July 27, 2022, HUMAN and PerimeterX announced they were combining. The language was “merger,” not acquisition, and the financial terms of the combination itself were not disclosed. What was disclosed is the scaffolding around it. The combined company kept the HUMAN name and crossed $100 million in annual recurring revenue, with more than 450 employees and over 500 customers. Earlier in 2022 HUMAN had closed a $100 million growth round led by WestCap and NightDragon, and alongside the merger it took on a $100 million debt facility from Blackstone Credit. So the deal was financed, not a stock-swap-and-pray.

The leadership split tells you who was steering what. Tamer Hassan, the White Ops co-founder, stayed CEO of the combined company. Omri Iluz, PerimeterX’s co-founder and CEO, became president and general manager of Enterprise Security and joined the board. Ido Safruti, PerimeterX’s CTO, also took a board seat. The HUMAN brand and the HUMAN CEO sat on top; the PerimeterX founders ran the enterprise-security half and held board influence. The application-security business that PerimeterX had built did not get absorbed and dissolved. It became a named division with its founders in charge of it.

A two-step, not a single event 2012 White Ops 2014 PerimeterX Dec 2020 Goldman buys White Ops Mar 2021 rebrand to HUMAN Jul 2022 merger *The rename and the merger are different events fifteen months apart. White Ops became HUMAN in March 2021. PerimeterX joined HUMAN in July 2022.*

The strategic pitch was complementarity, and for once the pitch held up. HUMAN watched advertising and media traffic at enormous scale and made bot-or-not verdicts server-side; the number it quoted at the time was around 15 trillion interactions verified per week. PerimeterX watched browsers on retail and finance sites and made application-layer enforcement decisions client-side. The threat models barely overlapped, which is unusual for a merger in this space, where companies more often buy a direct competitor to remove it. The argument was that bot operators do not respect the boundary between ad fraud and account abuse. The same residential-proxy infrastructure that farms fake ad views can be repointed at a login endpoint to stuff credentials. If you can see both, you can connect telemetry across the two and catch operators that either side alone would miss. HUMAN had a name for that argument already, from the White Ops days: the network effect, or collective protection. The merger doubled the surface that effect could draw from. The supporting figures the company used to describe the combined platform were on the order of 3,000 signals across 600-plus detection algorithms, feeding decisions for 500-plus customers.

HUMAN had a name for the whole approach by then, “Modern Defense Strategy,” and it rested on three claims. The first is internet visibility: see enough traffic and you have a reference distribution of what normal looks like, against which anomalies stand out. The second is the network effect, the cross-customer correlation already described. The third is disruption, the idea that you do not just block bad traffic at your customers’ edges but actively dismantle the operations behind it, which is what the Satori takedowns are for. Read cynically, that third claim is the marketing department turning a research team into a product differentiator. Read generously, it is true and unusual. Most anti-bot vendors stop at blocking. Very few have a named team that gets the FBI to unseal indictments. The merger gave that team more to look at, which is the part of the pitch that survives scrutiny.

It is worth being precise about what “merger” meant financially, because the word gets used loosely. This was not two roughly equal companies pooling stock. HUMAN was the surviving brand, HUMAN’s CEO ran the combination, and the deal was wrapped in fresh capital, a $100 million growth round and a $100 million debt facility, that points to HUMAN as the acquiring center of gravity even though nobody published a purchase price. The PerimeterX founders got senior operating roles and board seats, which is the structure you use when you want the acquired team to stay and keep building rather than vest and leave. For an outside observer the cleanest read is: HUMAN absorbed PerimeterX’s product and people, kept them intact and named, and called it a merger because that framed the application-security half as a partner rather than a trophy.

What actually changed under the hood

Here is the part that matters if you are looking at traffic in 2026. For the people running the systems, the merger was real and consequential. For the bytes on the wire, much less changed than the new logo suggests, and the parts that did change happened on a slower clock than the announcement.

Start with the PerimeterX stack, because that is the one most scrapers hit. The _px3 cookie family kept its names. The loader-sensor-collector flow kept its shape. The signed-token enforcement model kept working the way it had. A site that deployed Bot Defender in 2021 did not wake up to a different cookie scheme in August 2022 because the lawyers signed a merger. The most visible rename was at the product layer, not the protocol layer: Bot Defender spent a stretch marketed as “BotGuard for Applications,” with an attached “Bot Insights Services” consulting offering announced in February 2022, before the naming settled back toward Bot Defender under the unified Human Defense Platform. If you read old integration docs and new ones side by side, the product names move around more than the mechanism does. The sensor still instruments the same browser surfaces. The verdict still rides in the same cookies.

What did change, and this is the substantive part, is what happens after the verdict on the server side. The merger’s actual technical content is on the data and detection side, not the wire format. HUMAN’s whole thesis was that more visibility plus a shared model beats any single-vantage detector. Folding PerimeterX’s client-side telemetry into the same backend that already audited trillions of ad events means a session that looks clean to the client-side sensor can still be marked suspect because the device, the IP range, or the behavioral pattern showed up in fraud HUMAN observed somewhere else entirely. That cross-customer, cross-domain correlation is the thing the merger bought, and it does not show up as a new header. It shows up as a verdict that is harder to predict from the request in front of you, because the inputs to that verdict now include traffic you never sent. We go deeper on that mechanism in the collective signal network piece.

Where the change actually landed on the wire — unchanged _px3 / _pxhd / _pxvid loader -> sensor -> collector signed verdict token same cookie names, same flow in the backend — merged ad-fraud + app telemetry cross-customer correlation shared signal network verdict draws on traffic you never sent *The merger's technical content sits on the right. The cookie you can inspect on the left looks the same as it did in 2021; the decision behind it is computed from a larger pool.*

The Satori team is the other piece that carried straight through and got more capable. Satori is HUMAN’s threat-intelligence and research group, the descendants of the people who took apart 3ve. Post-merger they kept doing the same work with a wider aperture. The clearest public demonstration was VASTFLUX, an ad-fraud scheme Satori disclosed in January 2023 that injected malicious JavaScript into ad slots to spoof huge volumes of in-app video impressions across thousands of apps. At its peak it was generating north of 12 billion bid requests a day. That is a 3ve-shaped operation taken down by a 3ve-shaped team, with the difference that the team now sits inside a company that also instruments retail and finance sessions client-side. The disruption capability the merger advertised was not vaporware. The same outfit that killed 3ve in 2018 killed VASTFLUX in 2023, with more data behind it.

So the honest summary, if you are diffing a scraper against a live target: do not expect the merger to have changed the handshake. The PerimeterX mechanism you reverse-engineered before 2022 is still the mechanism. What you cannot see from the request is that the verdict on the back end is now informed by a much larger and more cross-pollinated signal pool, which is exactly the kind of change that does not announce itself in a header and is hard to attribute to any single feature. A block that you cannot explain from the obvious client-side signals may be coming from correlation you have no visibility into. That is the deliberate design goal of collective protection, and it is the genuine technical difference between PerimeterX-the-standalone and Bot Defender-inside-HUMAN.

Where it stands in 2026

The company today markets the Human Defense Platform, an umbrella over what used to be separate products. Bot Defender and Code Defender came in from PerimeterX; the ad-integrity and media-fraud lineage came in from White Ops, alongside newer offerings around account integrity, fraud, and, more recently, governance of AI agents and scraping. The figure the company now quotes for its visibility is more than 20 trillion interactions verified per week, up from the 10 trillion it cited at the 2021 rebrand and the 15 trillion around the 2022 merger. The Satori team still publishes takedowns. The _px3 cookie still shows up in your network tab on a retail checkout, fifteen years of corporate history compressed into a name that no longer matches the company that issues it.

For an engineer the practical lesson is to keep the two layers separate in your head. The branding layer moved fast and twice: White Ops to HUMAN in 2021, then PerimeterX into HUMAN in 2022, with at least one product rename (BotGuard) in between that has since been walked back. The mechanism layer moved slowly and mostly kept its observable surface. When you read a HUMAN-era block page that sets a _px3 cookie, you are looking at PerimeterX’s 2014 architecture wearing a 2022 logo, with a 2018-vintage ad-fraud research team and a much larger signal pool sitting behind the verdict where you cannot see them. The name on the door changed. The lock did not. Whoever is behind the door now knows a lot more about who has been knocking.

Sources & further reading

Further reading