Ki-Ki

Web foundations for SMEs

Fingerprinting and Edge Tracker

Quick translation before we go any further. This is not a “criminal fingerprints” thing. In web terms, fingerprinting means building a stable device signature from technical signals when someone connects to your site.

Think of it like a quiet security camera for your website. It does not identify a person by name. It identifies recurring devices and behaviour patterns, even when someone tries to hide behind new IPs or VPNs.

If a device connects to your site, it gets fingerprinted at the Cloudflare edge. No cookie theatre, no front end scripts you can dodge, no hoping the browser plays along.

Talk to Kieron What you get Examples How pricing works
Edge first Fingerprinting lives in Cloudflare Workers, not a fragile browser script
Security profiles Device and behaviour correlation across visits, pages, and networks
Evidence grade Screenshots and exports built for boards, trustees, regulators, and disputes

What you actually get

Stable device fingerprinting

Every connecting device is assigned a fingerprint ID, visitor ID, and session ID. This lets us link repeat behaviour over time, even when users rotate VPNs or clear cookies.

Organisation and network context

We enrich each hit with ASN, network owner, country, and PoP. Where an organisation owns its own ASN, we can show traffic from within their internal network. Where an ASN is shared, we log it as an institutional group and rely on patterns to narrow the picture.

Hardware and entropy traits

WebGL renderer, screen size, platform, cores, RAM, browser family, and other metrics give a stable signature. When someone tries to hide behind new IPs or browsers, the device still shows its hand.

Suspicious activity alerts

The Worker flags patterns like bypass attempts, repeated visits to sensitive paths, sudden interest spikes, or recurring devices that keep reappearing after blocks. You get a heads up early, not after the mess lands.

Behavioural profiling

Fingerprint counts, session counts, referrer trails, and page sequences build a lawful behaviour profile for any recurring actor. This is how you separate random noise from invested attention.

Exports you can use

Redacted screenshots and structured exports that can be attached to internal reviews, safeguarding write ups, complaint responses, or legal letters.

Real redacted examples

These are cropped and redacted from live Ki-Ki stacks. The point is the structure and signal, not naming individuals.

Redacted Ki-Ki basic fingerprint example showing device IDs, ASN, and referrer context

Baseline fingerprint record

Stable IDs, ASN, device profile, and referrer trail. Enough to link repeat behaviour across weeks.

Redacted Edge Tracker example showing council ASN and bypass fallback detection

Bypass detection on an institutional network

The system flags attempts to avoid normal fingerprint routing. That avoidance becomes part of the profile.

Redacted Edge Tracker example identifying a UK county council ASN and device entropy traits

Organisation owned ASN traffic

Direct organisational attribution where the ASN is uniquely held by a public body.

Redacted Edge Tracker example identifying a US education ASN and Linux device traits

Overseas institutional interest

Not just “an IP in the US”. A specific institutional network, plus a stable device signature.

Redacted Edge Tracker example identifying Florida State University ASN and MacIntel device profile

Repeat actor profiling

Fingerprint and session counts show recurrence, while hardware traits confirm it is the same device.

Redacted Ki-Ki standard fingerprint example with full device, ASN, and referrer context

Full standard view

The default evidence block clients receive, including context for boards and governance teams.

Understanding ASN attribution

  • Single organisation ASNs: many councils, universities, government departments, and large institutions own their own ASN. In these cases, attribution to that organisation’s internal network is direct.
  • Shared or federated ASNs: some ASNs contain multiple institutions (for example regional public sector networks). We log these neutrally as an institutional group and use device traits and behaviour patterns to build the evidence file.
  • ISP and cloud ASNs: when traffic comes via BT, Virgin, Sky, AWS, Azure, or similar, attribution is given at network level. This is still useful for distinguishing residential traffic from automated or hosted activity.

The goal is accuracy you can defend, not guesswork you have to apologise for later.

Security profiles and evasion monitoring

When an invested party keeps returning, changing IPs rarely helps them. Devices are stubborn. Patterns are louder than people think.

  • VPN rotation, same device: if someone hops VPNs or networks but the fingerprint, WebGL, and hardware entropy stay consistent, we link the visits into one profile.
  • Browser swaps, same signature: switching browsers changes the user agent, but not the GPU renderer, screen, or cores. The profile holds.
  • Recurring after blocks: repeat fingerprints reappearing after security blocks are logged as a single actor with an evasion pattern.
  • Bypass signals: fallback or bypass events indicate deliberate avoidance. That becomes part of the evidence trail.

This is useful for harassment patterns, targeted probing, quiet monitoring by public bodies, and competitors that want to look without being seen.

Who this helps

  • Content creators and journalists

    Early warning when a post starts attracting obsessive checking, harassment waves, or quiet institutional monitoring. See Content creator safety.

  • Charities and community organisations

    Evidence for governance, safeguarding, and disputes with funders or commissioners. Not guesswork, receipts.

  • SMEs in conflict or under scrutiny

    Track probing, competitor interest, or recurring actors who keep circling sensitive pages.

  • Public bodies and trustees

    Defensive logs that help you answer complaints properly, spot abuse, and show your board what is actually happening.

How pricing works

Fingerprinting is not a one size widget. Price depends on what you need and how deep the monitoring has to go.

  • How many sites or domains: one site is simple, multi domain estates need stitching and separation.
  • Depth of enrichment: baseline fingerprinting versus institutional attribution, bypass detection, and higher entropy capture.
  • Retention period: short term monitoring or long running evidence files across months.
  • Alerting and analysis: quiet logging only, or ongoing Worker alerts with quarterly summaries.
  • Traffic volume and risk: higher volume or high risk cases need tighter rules and more tuning.

Baseline Edge Fingerprinting

One site, stable IDs, ASN enrichment, and clean evidence views. Good for most SMEs and charities.

  • Edge fingerprinting layer
  • ASN enrichment
  • Discord or email log stream
  • Agreed retention
Enquire

Edge Tracker plus alerts

For disputes, harassment patterns, or institutional monitoring. Adds evasion flags and suspicious activity alerts.

  • Bypass detection
  • Higher entropy capture
  • Suspicious pattern alerts
  • Board ready summaries
Enquire

If you are unsure which level fits, start with a quick intake. I will tell you if you are overbuying.

How this usually runs

1. Intake and scope

You tell me what you are seeing and what outcome you need. We agree the depth of monitoring and retention.

2. Edge deployment

I deploy the Worker and ruleset at Cloudflare, then validate signals and alert thresholds.

3. Monitoring window

Traffic is fingerprinted, enriched, and streamed to your chosen channel. We watch for patterns that matter.

4. Evidence and next steps

You get a clean evidence pack, plus options if you want to escalate, harden, or keep monitoring.

Common questions

Is this legal to use on my own site?

Yes. We only fingerprint devices that connect to your site, for security and evidence purposes. Data is minimised, scoped to your domain, and retained for an agreed period.

Does this identify individuals?

No. Fingerprinting builds a device and behaviour signature, not a real world identity. It is about recurrence and patterns, not naming people.

Can people evade it by changing VPNs?

They can change IPs all day. Hardware traits and entropy patterns stay consistent, so repeat actors still show up.

What if the ASN covers more than one organisation?

Some ASNs are shared. In those cases we log attribution neutrally at ASN level, and use device and behaviour correlation to build a defensible evidence file without overclaiming certainty.

Start the conversation

Tell me what feels off. Odd repeat visitors, suspected monitoring, harassment patterns, bots adapting to blocks, or a dispute you need receipts for.

[email protected] See public portfolio

Replies usually within 1 working day. No mailing lists. NDA available on request.