This article takes an honest look at the features of Feroot.
Since you’re on the cside website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, objective technology analysis and our own or our customers' experiences.
If you want to verify their claims yourself, please navigate to their product page.
| Criteria | cside | Feroot | Why It Matters | What the Consequences Are |
|---|---|---|---|---|
| Approaches used | Proxy & Agent Detection + Crawler + Free CSP Endpoint | JS-Based Detection | | |
| Real-time Protection | | | Attacks can occur between scans or in excluded sampled data; on-page active analysis is required. | Delayed detection leads to active data breaches. |
| Full Payload Analysis | | | Ensures deep visibility into malicious behaviors within script code. | Threats go unnoticed unless already known via threat feeds. |
| Dynamic Threat Detection | | | Identifies attacks that change based on user, time, or location. | Missed detection of targeted attacks. |
| DOM-Level Threat Detection | | | Tracks DOM changes and observes runtime script behavior. | Sophisticated DOM-based attacks remain undetected. |
| 100% Historical Tracking & Forensics | | | Required for incident response, auditing, and compliance. | Incomplete root cause analysis and compliance gaps. |
| Bypass Protection | | | Prevents evasion via DOM obfuscation or bypass techniques. | Stealthy threats continue undetected. |
| Certainty the Script Seen by User is Monitored | | | Ensures analysis matches what actually executes in the browser. | Gaps between reviewed scripts and executed scripts. |
| AI-driven Script Analysis | | | Detects novel or evolving threats using behavior modeling. | Manual rules and feeds cause slow and error-prone detection. |
| QSA validated PCI DSS | | | Independent QSA audits are the most reliable way to ensure PCI compliance. | Reliance on marketing claims can result in audit failure. |
| SOC 2 Type II | | | Demonstrates consistent security controls over time. | Lack of verified controls increases vendor risk. |
| QSA validated PCI dashboard | | | Enables fast script review and justification via one-click or AI. | Manual research is time-consuming and inefficient. |
| Pricing | | | Predictable and public pricing improves budget planning. | Hidden pricing causes uncertainty and unexpected costs. |
| Implementation Speed | Fast | Fast | Both deploy via a simple on-page script. | Fast implementation enables immediate protection. |
User Reviews: Feroot vs cside
Here's how real users rated cside and Feroot based on their experience with detection accuracy, support quality, and overall reliability.
| Platform | cside | Feroot |
|---|---|---|
| Google Maps | ★★★★★ (5/5) | ★★☆☆☆ (2.3/5) |
| G2 | ★★★★★ (4.9/5) | ★★★★☆ (4.6/5) |
| SourceForge | ★★★★★ (5/5) - 23 reviews | No reviews |
You can see the user reviews for cside on SourceForge or G2.
"I'm glad we found their product and it's helped us in meeting PCI compliance goals that previously seemed a bit overwhelming. cside's product was exactly what we were looking for at a fraction of the price that other competitors were offering." - Anonymized Review, Sourceforge (Quote from Sourceforge Review of cside)
What is Feroot?
Feroot solely competes with cside's Client-side security solution and PCI Shield. Other services like VPN detection, AI agent detection and Privacy Watch are not in their scope.
Feroot was founded back in 2017 to create a client-side security solution that protects dependencies, similar to cside. They combine two approaches to deliver their security claims.
How Feroot works
Feroot's offering is split into two products: “PageGuard” and “Inspector”.
Feroot PageGuard
Their PageGuard page reads:
“PageGuard deploys security permissions and policies to JavaScript-based web applications to continuously protect them from malicious client-side activities, malware, and third-party scripts.”
And:
“PageGuard overwrites certain main and core JavaScript code to protect your web application from client-side cyber threats.”
It’s clear they largely follow the same approach as most of our competitors. They use permissions and a form of allow-list where you pre-approve which scripts are allowed to run on which pages.
There are a few problems with this approach.
PageGuard would not have caught the biggest client-side attack of 2024, the Polyfill attack. Here a domain changed ownership and suddenly the script code changed. If only the source of the script is checked using an allow-list, it has no clue which code gets served. Solely relying on this is not safe.
Feroot Inspector
Their "Inspector" deploys synthetic users disguised as honeypot customers, to simulate real user behavior. Inspector's synthetic users are able to complete real user tasks and are able to identify malicious scripts and unauthorized actions on JavaScript web assets. This is a somewhat similar approach to Reflectiz.
This is effectively a scanner/crawler that does periodic checks on pages. A crawler can easily be avoided by only serving malicious scripts to residential IP addresses. Different client-side scripts can also be served based on various parameters, such as the user agent.
A crawler on its own cannot meet PCI DSS requirements, since one of the requirements is implementing 'a mechanism to prevent unauthorized scripts'.
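The two weaknesses described above (an allow-list that checks only a script's source, and a crawler that is served different code than real visitors), seen from the monitoring side. This is an added example, not cside's or Feroot's code; the URL, script bodies, observation records and function names are constructed for illustration.

```javascript
// Added example; not cside or Feroot code. URLs and script bodies are constructed.
const { createHash } = require("node:crypto");
const sha256 = (body) => createHash("sha256").update(body, "utf8").digest("base64");

// Source-only allow-list: the check looks at where a script comes from, nothing else.
const ALLOWED_ORIGINS = new Set(["https://cdn.vendor.example"]);
const originAllowed = (url) => ALLOWED_ORIGINS.has(new URL(url).origin);

const SCRIPT_URL = "https://cdn.vendor.example/v3/shim.js";
const REVIEWED = "window.shim = function () { /* reviewed code */ };";
const CHANGED = REVIEWED + "\n/* constructed: code added after the domain changed owner */";

// Constructed observations: one URL, bytes differ by day and by who fetched it.
const observations = [
  { vantage: "crawler", day: 1, url: SCRIPT_URL, body: REVIEWED },
  { vantage: "browser", day: 1, url: SCRIPT_URL, body: REVIEWED },
  { vantage: "crawler", day: 2, url: SCRIPT_URL, body: REVIEWED }, // scanner gets old code
  { vantage: "browser", day: 2, url: SCRIPT_URL, body: CHANGED },  // visitors get new code
];

// Evaluate each observation against the origin allow-list and a pinned content hash.
function audit(obs, pins) {
  return obs.map((o) => {
    const digest = sha256(o.body);
    return { ...o, digest, originOk: originAllowed(o.url), contentOk: pins.get(o.url) === digest };
  });
}

// Browser-reported digests that the crawler never saw for the same URL on the same day.
function crawlerBlindSpots(results) {
  const key = (r) => `${r.day}|${r.url}`;
  const seen = new Map();
  for (const r of results) {
    if (r.vantage === "crawler") seen.set(key(r), (seen.get(key(r)) ?? new Set()).add(r.digest));
  }
  return results
    .filter((r) => r.vantage === "browser" && seen.has(key(r)) && !seen.get(key(r)).has(r.digest))
    .map(({ day, url, digest }) => ({ day, url, digest }));
}

const pins = new Map([[SCRIPT_URL, sha256(REVIEWED)]]);
const results = audit(observations, pins);
console.log(results.map(({ vantage, day, originOk, contentOk }) => ({ vantage, day, originOk, contentOk })));
console.log(crawlerBlindSpots(results));
```

Every observation passes the origin check, while only the content pin and the browser-versus-crawler comparison flag the day-2 script that real visitors received.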
How cside goes further
cside offers a highly flexible approach to client-side security. By monitoring script behaviors client-side and checking the scripts more deeply on our end through client-side reporting to our engine, cside gets the full picture. It analyzes the served dependency code in real time, helping you prevent unwanted behaviors from causing major business impact.
Our approach allows us not only to spot advanced, highly targeted attacks and alert on them; it also makes it possible to block attacks before they touch the user's browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1, HIPAA, GDPR, CPRA...
We even provide deep forensics, including when an attacker attempts to bypass our detections. We also store data on missed attacks, allowing us to make detections better. This gives you the control you need in an easy-to-use format.
Given the limitations of browsers, we know this is the most secure way to monitor and protect your dependencies across your entire website. We spent years in the client-side security space before we started cside. We know the limitations of browsers and invest time contributing to standards bodies to make natively supported security capabilities better and easier to use.
Sign up or book a demo to get started.