This article takes an honest look at the features of otto-js (formerly DEVCON).
Since you're on the cside website, we acknowledge our bias. That said, we've built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify their claims yourself, please go to their product page.
otto-js is one of the closest products to cside on the market: a client-side JavaScript security tool built around PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, with a one-line integration and transparent, low pricing aimed at SMB and mid-market e-commerce. We think it's a legitimate tool. This page is about where the two products differ once you look past the compliance checkbox.
| Criteria | cside | otto-js | Why It Matters | What the Consequences Are |
|---|---|---|---|---|
| Approach | Client-side monitoring + AI-driven payload analysis | Client-side JavaScript agent | Both run in the browser; the difference is depth of analysis | |
| PCI DSS 6.4.3 & 11.6.1 | Full support | Full support | Both products are built to meet the requirement | Compliance is the floor, not the differentiator |
| AI-driven script analysis | Full support | No support | Detects novel or evolving threats by analysing script content, not just listing it | Reliance on manual review and rules = slower, error-prone detection |
| Device fingerprinting + bot / AI agent detection | Full support | No support | One vendor for client-side security and visitor identity | A separate vendor is needed for fraud and agent traffic |
| Forensic payload archive & historical tracking | Full support | Not documented | Needed for incident response, auditing, and proving what an attack did | Without a payload record you have alerts, not evidence |
| Independent peer reviews (G2 / Gartner / Capterra) | Full support | Sparse public reviews | Enterprise procurement checks third-party validation | A thin review profile is a question mark in security reviews |
| QSA-validated PCI dashboard | Full support | Not found | An independent QSA audit is the most reliable proof a tool is PCI compliant | Without it you rely on marketing claims, which could result in failing an audit |
| Public status page & uptime SLA | Full support | Not found | You can independently verify reliability and incident history before you buy | No independent view of availability |
| Transparent public pricing | Full support | Full support | Both vendors publish pricing — a genuine strength of otto-js | Predictable cost before procurement |
What is otto-js?
otto-js, formerly DEVCON, is a client-side JavaScript security platform focused on PCI DSS v4 compliance and malvertising protection. It monitors first-, third-, and Nth-party script behaviour at runtime and markets a one-line integration to automate PCI DSS 6.4.3 and 11.6.1 evidence, alongside SOC 2 and third-party-risk reporting. It targets SMB and mid-market e-commerce teams that need a fast, affordable PCI solution without a dedicated application-security team, and it integrates with GitHub Advanced Security and common e-commerce platforms.
Credit where it's due: otto-js publishes its pricing openly (starting around $30/month), which is rare in this space, and it is genuinely a like-for-like client-side tool rather than a checkbox feature bolted onto a larger platform. We don't think price is the right axis to compete on here.
How otto-js works
otto-js deploys a client-side JavaScript agent that observes and analyses scripts as they load and execute in the visitor's browser, surfaces them in a dashboard for review, and offers features marketed as real-time mitigation. It generates Content Security Policy and access-control configurations and integrates runtime vulnerability scanning through GitHub Advanced Security.
The honest open question, and the one we'd encourage any buyer to put to both vendors, is about depth and coverage: how complete is each tool's view of what a script actually does across real user sessions, and what can it show you afterwards? That is the question that separates a compliance dashboard from a security tool.
How cside goes further
otto-js is built to satisfy PCI DSS 6.4.3 and 11.6.1. cside is built to stop client-side attacks, with compliance as a by-product of real security.
cside monitors every script executing in the real browser and performs AI-driven analysis on the script's actual content, not just a list of which scripts are present. That catches novel and evolving threats, including targeted attacks that only activate under specific conditions such as certain geographies, time windows, or device types.
For forensics, cside keeps immutable archives of every script payload with full version history. When an auditor or an incident-response team asks what happened, you have the actual code and a complete timeline, not a behavioural change log.
cside also goes beyond client-side script security with a dedicated fingerprinting product: device fingerprinting, bot detection, and AI agent detection, so you can cover both client-side security and visitor identity from one vendor. And cside publishes a public status page at status.cside.com, a public trust portal at trust.cside.com, and a QSA-validated PCI dashboard, so you can verify our claims for yourself.
Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.