This article takes an honest look at the features of Reflectiz.
Since you’re on the cside website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify their claims yourself, please navigate to their product pages.
Criteria | cside | Reflectiz | Why It Matters | What the Consequences Are |
---|---|---|---|---|
Approaches used | Proxy | Crawler | Hybrid visibility provides deeper, layered insight into browser behavior. | Crawler-only setups may miss real-time attacks and script changes post-load. |
Real-time Protection | Live response to runtime threats is essential for client-side safety. | No real-time block means data exfiltration can succeed before alerts even trigger. | ||
Full Payload Analysis | Lets you see exactly what a script does, not just where it comes from. | Without this, threats can look benign and bypass controls. | ||
Dynamic Threat Detection | Adapts to new threats by analyzing behavior, not just signatures. | Static systems fall behind as attacker methods evolve. | ||
DOM-Level Threat Detection | Identifies script behaviors within the DOM that other tools miss. | DOM manipulations can leak PII or change app flow silently. | ||
100% Historical Tracking & Forensics | Full history allows you to trace incidents with precision. | Without forensics, root cause analysis is incomplete or impossible. | ||
Bypass Protection | Blocks evasion techniques used by attackers to avoid detection. | Attackers can hide from security tools and act undetected. | ||
Certainty the Script Seen by User is Monitored | Ensures visibility over every user session and active script. | Blind spots allow malicious code to execute without a trace. | ||
AI-driven Script Analysis | Flags malicious logic even when obfuscated or disguised. | Manual reviews miss hidden or polymorphic malware. | ||
QSA validated PCI dash | Gives clear PCI audit trails and status for compliance teams. | Makes PCI validation harder, slower, and riskier. | ||
SOC 2 Type II | Shows rigorous operational maturity and trustworthiness. | Lack of it can affect vendor evaluations and client confidence. | ||
PCI specific UI | Reduces compliance time with dashboards made for PCI goals. | Generic tools require more manual work to extract evidence. |
What is Reflectiz?
Reflectiz is a cybersecurity company that focuses on securing web dependencies like third-party scripts and open-source tools. It uses agentless monitoring to detect threats, prevent data leaks, and ensure compliance on websites.
How Reflectiz works
Reflectiz uses a “proprietary browser” which crawls the website. This maps the most important pages and simulates real user activity.
There are a few problems with this approach.
A crawler can indeed mimic user activity, but it isn’t user activity by definition. Nor does it get the exact payload of what all users receive.
Many dependencies use a dynamic system that serves different code based on various parameters. Reflectiz does mention that you can set the chosen geo-location and device settings, but we do not have insight into how comprehensive this is.
Other parameters Reflectiz doesn’t seem able to mimic are:
- Referrer
- Unique cookies and session data
- A/B testing or feature flags
- Browser fingerprinting details
- Network conditions
After these crawling sessions, Reflectiz will do behavior analysis, data analysis and finally alerts based on what they found.
Finally they use the words “most important pages” which likely refers to mostly payment pages, which is required by the PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1.
Regardless of the vendor, any crawler based solution is unlikely to spot any advanced attacks first hand. The bad actor will simply serve a clean script, or not script, to the bot. Therefore the threat intel has to come from another source. A vendor that only offers a crawler by design would have to purchase this intelligence. cside offers a crawler for cases where a customer can not make any changes to their code but the big difference is that we use the threat intelligence we see from all other websites that use our proxy service. While this approach is still not going to eliminate an attack, it sure is a lot more capable at detecting attacks than buying threat intel on the open market.
How cside goes further
cside primarily offers a hybrid proxy approach which sits in between the user session and the 3rd party service. It analyzes the served dependencies code in real-time before serving it to the user.
This allows us to not only spot advanced highly targeted attacks and alert on them, cside also makes it possible to block attacks before they touch the user's browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1. We even provide deep forensics, including if an attacker bypasses our detections. Allowing you to more tightly scope the size of the incident us to make our detection capabilities better every day. No other vendor has this capability.
We believe this is the most secure way to monitor and protect your dependencies across your entire website. We've spent years in the client-side security space before we started cside, we've seen it all, this is the only way you can actually spot an attack.
Sign up or book a demo to get started.
FAQ
Q: How does cside's hybrid proxy differ from Reflectiz's crawler-based approach?
A: The fundamental difference is real-time versus periodic protection. Reflectiz uses external crawlers that periodically scan your website from data center IPs, missing time-gated, geo-targeted, or user-specific attacks. cside's hybrid proxy handles every real visitor request in real-time, catching edge-case payloads the moment they're delivered. We provide continuous protection, while Reflectiz offers periodic snapshots that miss dynamic threats.
Q: Can attackers bypass cside's protection like they can with Reflectiz's crawler detection?
A: No, because cside's core analysis happens on our proxy, completely invisible to attackers. attackers can easily detect Reflectiz's crawlers because they come from predictable data center IP ranges and can serve them clean versions of compromised scripts. Since cside processes every real user request through our proxy, attackers cannot distinguish our analysis from legitimate traffic. Our protection is invisible to attackers, while crawler-based approaches are easily identified and deceived.
Q: What forensic evidence does cside provide compared to Reflectiz's crawler reports?
A: Reflectiz provides periodic scan reports showing what their crawlers observed during scheduled visits, but cside captures and archives every script payload served to real users. This gives you complete forensic evidence of actual attacks rather than just snapshots of what crawlers saw. Our approach provides immutable proof of threats that were blocked from reaching users, not just what was visible during scanning.
Q: How do compliance capabilities compare between cside and Reflectiz?
A: cside provides superior PCI DSS compliance with continuous monitoring and immutable payload archives covering both requirements 6.4.3 and 11.6.1. Reflectiz's crawler approach provides periodic inventory reports but lacks the real-time monitoring and comprehensive forensic evidence that regulators require. Our continuous protection creates the complete audit trail that compliance officers need for thorough documentation.
Q: Why is cside's real-time protection better than Reflectiz's periodic scanning?
A: Real-time protection catches attacks the moment they're delivered to users, while periodic scanning misses threats that appear between scans or target specific user segments. Modern attackers use conditional logic to avoid detection by crawlers, serving malicious code only to real users. cside's continuous monitoring ensures no attack goes undetected, while crawler-based approaches have inherent blind spots that sophisticated attackers exploit.