This article takes an honest look at Sift and where it overlaps with cside.
Since you're on the cside website, we acknowledge our bias. That said, we've built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify their claims yourself, please go to their product page.
Let's be clear up front: Sift and cside are not the same product. Sift is a well-established fraud-decisioning platform with strong reviews, and it does plenty cside doesn't — workflow decisioning, dispute automation, content moderation. This page is about the one layer where they meet — client-side device signals — and why collecting those signals from your own first-party code is more durable.
| Criteria | cside | Sift | Why It Matters | What the Consequences Are |
|---|---|---|---|---|
| Category | Client-side security + first-party device signals | Fraud decisioning (0–100 risk score) | Different jobs that meet at the signal layer | |
| Signal collection | First-party JavaScript on your own domain | Third-party JS collector (cdn.sift.com/s.js) | Signal integrity and ownership | |
| Survives privacy extensions / ad blockers | Full support first-party, no third-party origin to block |
Collector on EasyPrivacy — blocked by default in uBlock Origin / AdBlock Plus (server-side Events API still flows) | Device intelligence degrades for privacy-tool users | False positives on privacy-conscious legitimate customers |
| Script policing & PCI DSS 6.4.3 / 11.6.1 | Full support inventories and monitors every script, including collectors like Sift's |
No support not a script-security product |
A merchant must inventory third-party scripts under 6.4.3 | Sift's own collector is in your PCI scope |
| Device fingerprinting + bot / AI agent detection | Full support |
No shipped AI-agent product | Emerging agentic-commerce traffic | |
| Evidence ownership | You own device + behavioural evidence | Returns a score; you own the decision and the loss (no chargeback guarantee) | A wrong score is the merchant's liability | Own your evidence vs. rent a number |
| Public pricing & self-serve | Full support published pricing, free tier, trial |
Contact sales; no self-serve | Evaluate without a sales cycle | Procurement friction and repricing risk at renewal |
What is Sift?
Sift is an AI-powered, score-based fraud-decisioning platform covering payment fraud, account takeover, content abuse, and dispute management, founded in 2011 in San Francisco. It consumes client-side signals through a third-party JavaScript collector and business events through a server-side API, then returns a 0–100 risk score per abuse type; the customer owns the decision and the loss. It's a mature product with strong, well-established G2 ratings and a large customer base in marketplaces, fintech, and on-demand commerce.
How Sift works
Sift's browser snippet (cdn.sift.com/s.js, a global window._sift object, and a long-lived __ssid cookie) plus mobile SDKs collect device and behavioural signals; your backend posts events to Sift's Events API; machine learning returns a score, and Workflows route accept / block / review decisions that you feed back for training.
Two things follow from that design that matter for a client-side security buyer. First, the collector is a third-party script with a fixed, well-known origin — it sits on the EasyPrivacy filter list and is blocked by default in common ad blockers, so the browser-collected signal degrades for privacy-conscious users (the server-side Events API signal still flows). Second, that collector is itself an unmonitored third-party script on your pages — precisely what PCI DSS 6.4.3 asks merchants to inventory and watch.
How cside fits
cside isn't a replacement for Sift's fraud decisioning, and we won't pretend otherwise. What cside does is the layer underneath and around it.
cside collects device and behavioural signals from your own first-party JavaScript, so there's no third-party origin for a filter list to block and no fixed collector for a fraudster to detect and feed. It produces device fingerprinting with bot and AI agent detection, and it gives you evidence you own — usable in chargeback disputes through our Chargebacks911 integration.
And cside does the thing Sift doesn't: it inventories, justifies, and tamper-monitors every script on your payment pages — including collectors like Sift's — to satisfy PCI DSS 6.4.3 and 11.6.1, with a QSA-validated dashboard and immutable payload archives. Many teams run a decisioning platform and cside together; if the device-signal layer or PCI script coverage is your gap, that's where cside fits.
Sign up or book a demo to get started.
Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.
