What AI models does cside use?

We use open source LLMs that we host and maintain on our own cloud infrastructure. This gives us control over the model's behavior, training, and data handling. We don't rely on third-party APIs.

Can cside's AI be bypassed by obfuscated JavaScript?

No. The AI analyzes both the original script and its deobfuscated version. Obfuscation techniques that fool static analyzers don't work against contextual language models. The LLM understands what the code does, not just what it looks like.

Does using AI in cside create compliance issues for regulated industries?

No. Our self-hosted architecture means no customer data leaves our controlled infrastructure. We don't send script contents to external AI vendors. For organizations with strict AI policies, all AI features can be disabled while retaining full security functionality. Check our Trust Center for our compliance certifications.

How often does the AI analyze scripts?

Every time a script loads. We capture and analyze the full payload on each request. This allows us to detect changes immediately and track behavior over time with complete historical visibility.

What happens if the AI produces a false positive?

You get notified with a detailed explanation of why the script was flagged. Our dashboard includes the full script payload, contextual analysis, and historical comparisons so your team can review the decision. False positives are rare, but when they happen, the transparency helps you resolve them quickly.

Can I use cside without AI features enabled?

Yes. All AI capabilities can be disabled. You'll still get real-time blocking, full payload visibility, historical tracking, compliance reporting, and all other core security features. AI is an enhancement, not a requirement.

What are the different cside modes and how do they work?

cside offers three modes to fit different needs. Direct Mode is the easiest: we check script behaviors in the browser and fetch scripts on our side to verify consistency, without placing ourselves in the script path. Gatekeeper Mode is the safest: cside sits between untrusted third-parties and end users, but only for scripts you haven't already trusted. Scan Mode is the fastest: if you can't add a script to your site, we'll scan it using threat intel from thousands of websites. You can mix modes for the best coverage.

Does Gatekeeper Mode slow down my site?

No, it often makes script delivery faster. Most client-side scripts allow caching through their cache-control headers, so Gatekeeper mode can actually improve performance. We maintain a 99.99% SLA with a fail-open design, so there's no impact to your uptime.

Will my data be used to train cside's AI models?

No. We don't use customer data to train our models. Your script contents, analysis results, and compliance data stay within your isolated environment. This is a core part of our architecture.

How is this different from using ChatGPT or Claude API for script analysis?

Third-party APIs introduce data sharing risks. When you send JavaScript to an external provider, you're trusting their data retention and training policies. With cside, the model runs on our infrastructure, meaning your data never leaves our control. There's no third-party involvement at any point in the analysis pipeline.

How does cside compare to other client-side security solutions?

We've written a detailed breakdown on our Compare page. The short version: CSP-only solutions don't analyze payloads, crawlers miss targeted attacks, and agent-based products can be bypassed. cside sees exactly what your users see.

Does cside contribute to AI safety research or share findings with the security community?

We actively contribute to the W3C and the broader web security community. However, we never share customer-specific data. Our research contributions focus on methodologies, detection patterns, and architectural approaches, not individual scripts or incidents.

How cside brought AI to Client-Side Security

TL;DR

In May 2024, cside launched as the first client-side security solution to integrate AI into its product.

We use self-hosted open source models on our own infrastructure to analyze JavaScript for malicious intent. Explain script behavior in plain language, track changes over time, and automate PCI DSS 4.0.1 script compliance reviews.

Unlike solutions that leverage third-party AI APIs our architecture prevents data spillage and protects end-user privacy by using self hosted open source LLMs. For organizations with AI restrictions, these features can be disabled. AI is an overlay, not a requirement but it has proven incredibly valuable to GRC and security teams.

Client-side security in an AI era

When we launched cside in May 2024, we wanted to catch attacks others didn't. So we made a decision that set us apart from every other player in the client-side security space: we built AI into the core of our product from day one.

At the time, we were the only solution provider using LLMs to tackle client-side JavaScript security. Later the rest of the market followed our lead, but how you implement AI matters just as much as the functionality it provides.

Why AI matters for JavaScript security

JavaScript is uniquely difficult to analyze. SAST solution providers use LLMs to analyze code too. But client-side scripts change constantly, get obfuscated on purpose, and can behave differently based on who's viewing them, where they're located, or what time it is.

Traditional pattern-matching falls apart when attackers randomize their code or target specific users.

Unlike operating systems, browsers weren't built for security. That's why cside offers multiple approaches to cover the gaps:

Direct Mode (Easiest): We check script behaviors in the browser and fetch the scripts on our side, then verify we got the same script. We don't place ourselves in the path of a script unless you explicitly ask us to.
Gatekeeper Mode (Safest): We check script behaviors and place cside in the middle between untrusted third-parties and the end user, but only for scripts you haven't already trusted.
Scan Mode (Fastest): If you can't add a script to the site, cside will scan it using threat intel gathered from thousands of other websites with billions of combined visitors.

The mix of these modes brings us closest to full coverage that's technically possible today. And because most client-side scripts allow caching through their cache-control headers, Gatekeeper mode often makes script delivery faster and removes visibility into detections that would otherwise be semi exposed in the browser.

LLMs are really good at contextualizing JavaScript even when it's been mangled beyond recognition. An LLM can look at obfuscated code, understand its intent, and flag behavior that static analysis would miss entirely. That capability is incredibly valuable for JavaScript security. But only if it's implemented responsibly.

Responsible AI Architecture: Why We Self-Host

cside runs open source LLMs on our own cloud infrastructure. We maintain complete control over the data that flows through our models.

Often when companies ship AI enabled features they default to using APIs of well known AI companies. While those companies have features data from being used in training without consent, the data is provided to a 3rd party. In an ideal world, data never leaves your area of control.

By running open source models ourself, there is no risk of script contents leaking to external vendors. There's no chance of customer data showing up in a training set.

When you send JavaScript to a third-party API, you're trusting that vendor's data handling policies which change actively over time.

Cside understands the security requirements and what it takes to keep your data safe. You can verify our security posture yourself on our Trust Center, where we publish our SOC 2 Type II, pen-tests and PCI DSS AOC documentation.

How cside Uses AI: 4 Core Applications

Here's where the AI actually runs in our product.

1. Analyzing Scripts for Malicious Intent

Every script that loads on your site gets analyzed in its original form and after deobfuscation both. The LLM looks for patterns that indicate malicious behaviors:

Theft of session tokens
Unauthorized data interception and exfiltration
Credential harvesting
Tampering with payment forms

This applies to clean-looking scripts just as much as more alarming ones. Whether in the primary JavaScript chunk or a small sub-request.

The AI catches both. It understands context in a way that regex-based detections simply can't. And unlike scanners, CSP or agent-based products, we're analyzing the actual payload your users receives, we know it is exactly what the user got. We're not just checking against threat-feed intel or waiting for client-side traps to trigger although we ofcourse also use those methods as layers in our detection engine.

The AI layer in our detection engine is only one of many different layers, but AI can be highly effective at detecting hidden malicious behaviors.

2. Script Business Reasoning

Should this chat widget have access to form data?
Why is this analytics script on your payment page?
Does this marketing tool need to run as part of the checkout process?

We provide an LLM generated business reason, which is a compliance requirement for some frameworks.

Saving teams hours of investigation. Instead of reviewing every script hash change or trying to find who added it, you get a plain-language explanation of what each script is doing.

3. Explaining Changes Over Time

Scripts don't stay static. Many update constantly. Last week, script X performed actions related to analytics. This week, it's also accessing localStorage and making requests to a new registered domain pointing at a resident IP address.

What changed, and does it matter?

cside's AI generates human readable explanations for script changes. You don't need to be a security researcher to understand what happened between changes. The platform tells you exactly what is different and whether it raises concerns.

This is highly useful for compliance audits. When an auditor asks about script behavior over the past six months, you have documented, timestamped explanations ready to go. Our 100% historical tracking means nothing gets lost.

4. AI for PCI DSS 4.0.1 Compliance Automation

PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 mandate ongoing review of scripts on payment pages. Most teams handle this manually: loading the page, inspecting the scripts, documenting everything, and repeating the process weekly or monthly.

With PCI Shield, the AI handles the review automatically. Every script change on payment pages gets analyzed. If the change looks benign, no action is required. If it shows signs of malicious behavior, you get an alert with a full breakdown of what happened.

This approach has been validated by VikingCloud, who confirmed that cside meets PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 when deployed correctly. You can read the full report or download it from our Trust Center.
This isn't just convenience. It's the difference between reactive incident response and proactive threat prevention.

Flexibility Is The Answer

We understand that not every organization is ready to adopt AI across their entire tech stack. Some have internal policies against AI use. Others want to evaluate it on a case by case basis.

That's why all of our AI features can be disabled. The overlay is there if you want it, but it's not mandatory to run cside.

You still get full payload visibility, real-time blocking, historical tracking, and compliance reporting without AI.

Whether you're using Direct Mode, Gatekeeper Mode, or Scan Mode, the platform delivers complete script visibility and fail-open design. AI is an enhancement and for teams that can use it, the AI layer makes everything faster and more accurate.

Why This Matters Now

Client-side attacks are getting more sophisticated. Attackers know that the server-side and your static open source dependencies are closely being monitored. So they've adjusted their attack surface and are:

Using dynamic client-side scripts that change based on user context, avoiding detection by static scans.
Heavily obfuscating scripts to avoid static analysis.
Exploiting the gap between what the browser spec allows and how the browser is actually built.

Check-box tools can't keep up. CSP violations do not tell you what's inside a script and are tough to manage. Crawlers get served clean payloads while real users see malicious ones. Behavioral monitoring only catches attacks after they've already executed and are prone to bypassing methods.

AI based detections and an approach that combines methods has the best chance. Analyzing behavior in real time, understands obfuscated code even when deobfuscation fails, and flag anomalies that pattern-matching would miss.

Self-hosted models, isolated infrastructure, and no data sharing with third parties. That's how you get the benefits of AI without introducing new risks or facing internal pushback.

Ready to check cside out? Start for free or book a demo to have a chat with our team.