-1.png?width=150&height=60&name=pixalate-full-logo%20(1)-1.png)
High Risk Domains (Version 2.0)
Overview
The High Risk Domain 2.0 is a pre-bid blocking data feed that identifies domains and subdomains associated with structural, persistent invalid traffic (IVT) and confirmed fraudulent sources verified by Pixalate. The list enables buyers and platforms to exclude high-risk inventory before a bid is placed, reducing exposure to IVT and protecting inventory quality.
Domains are evaluated using ad intelligence data collected by Pixalate for SIVT and GIVT behavior separately, and included on the list only when they display persistent IVT exceeding industry-accepted standards with sufficient impression volume to ensure statistical confidence. Each domain on the list is tagged with one or more risk reason codes that indicate which signals triggered inclusion.
Risk Types
|
Risk Type |
Code |
Description |
|
High GIVT |
highGIVT |
Domains or subdomains with General Invalid Traffic rates exceeding 5% over a 2-month rolling window |
|
High SIVT |
highSIVT |
Domains or subdomains with Sophisticated Invalid Traffic rates exceeding 15% over a 2-month rolling window |
|
Known Threat Actor |
knownThreatActor |
Domains or subdomains confirmed as fraudulent sources through Pixalate’s internal fraud investigations. |
File Format and Delivery
|
Attribute |
Value |
|
File Format |
CSV |
|
Delivery Method |
FTP or S3 Bucket |
|
Naming Convention |
HighRiskDomain_YYYYMMDD.csv |
|
Update Frequency |
Daily |
Schema
IVT is assessed at the subdomain level. A domain or subdomain may be flagged for more than one risk type simultaneously, in which case all applicable risk types are listed as comma-separated values in the riskType field.
|
Column |
Type |
Description |
|
adDomain |
STRING |
The domain or subdomain where the traffic originates (e.g., a.example.com, example.com) |
|
rootDomain |
STRING |
The registered root domain associated with the adDomain (e.g., if adDomain is a.example.com, rootDomain is example.com) |
|
riskType |
STRING |
Comma-separated list of all applicable risk types |
Integration Recommendations
Blocking key: Block on adDomain. The adDomain field reflects the exact domain or subdomain where the risk signal was measured — this is the value you should block. The rootDomain column is provided for reference.
Risk-based filtering: Use the riskType field to implement selective blocking based on your risk tolerance. For example, you may choose to block all entries flagged for knownThreatActor unconditionally while applying separate thresholds for highGivt and highSivt.
Pre-bid integration: The feed is designed for pre-bid use. Ingest the daily file into your DSP, SSP, or ad server blocklist ahead of each bidding session to ensure you are working with the latest data.
Frequently Asked Questions
Why is IVT measured at the subdomain level?
Different subdomains on the same root domain can have significantly different traffic quality profiles. Measuring at the subdomain level allows for more precise identification of high-risk inventory without penalizing the entire root domain. For example, cdn.example.com may have clean traffic while ad.example.com exhibits high SIVT — subdomain-level measurement allows you to block only the problematic subdomain.
Which field should I use as my blocking key — adDomain or rootDomain?
Use adDomain. This is the specific domain or subdomain where IVT was measured and where blocking should be applied. rootDomain is provided for reference only to help you understand the ownership structure of the inventory.
If a subdomain is flagged, does that mean the entire root domain is high-risk?
Not necessarily. A subdomain entry indicates that traffic from that specific subdomain was measured as high-risk. Other subdomains or the root domain itself may not exhibit the same risk signals. Review each adDomain entry independently and apply blocking at the level at which the signal was observed.
How often is the list updated?
The feed is updated daily. Entries age off the list when the domain or subdomain no longer meets inclusion thresholds over the rolling lookback window. Entries may also be re-added if risk signals resurface.
How can an entry be removed from the list?
Entries are removed automatically when IVT rates fall below thresholds over the rolling lookback window, or when a knownThreatActor designation is resolved through Pixalate's internal review process. If you believe an entry has been included in error, contact your Customer Success representative.
Does appearing on this list mean all traffic from the domain is IVT?
No. Inclusion on the list indicates that the domain or subdomain has exceeded IVT thresholds or has been flagged through Pixalate's fraud investigation process. IVT classification is assessed at the impression level separately and is distinct from domain-level risk assessment. The list is designed for pre-bid exclusion to reduce risk exposure — it is not a definitive statement that every impression from a listed entry is invalid.
I work directly with a publisher whose domain appears on this list. What should I do?
The list reflects observed traffic quality signals across the ecosystem. If you have a direct relationship with a publisher and independent visibility into their traffic quality, you may use the riskType field to make informed decisions about which signals to act on based on your risk tolerance and business requirements.
What data sources are used to compile this list?
The list is compiled using Pixalate's measured ad traffic data, internal fraud investigations, and threat intelligence signals. IVT classification follows Pixalate's MRC-accredited methodology.