Weekly active users

What is Weekly active users?

Weekly active users (WAU) is a metric that counts the number of unique individuals who engage with a website or application within a seven-day period. In fraud prevention, it helps establish a baseline for normal user activity. Sudden, unexplainable spikes in WAU can indicate bot-driven click fraud.

How Weekly active users Works

User Clicks Ad  →  [ Data Collection Point ]  →  +-------------------------+
   (Action)         (IP, User Agent, Time)       │  Traffic Analysis Core  │
                                                 +-------------------------+
                                                              │
                                                              ↓
                                            +-----------------------------------+
                                            │   WAU Calculation & Baselining    │
                                            │ (Count unique users over 7 days)  │
                                            +-----------------------------------+
                                                              │
                                                              ↓
                  +-----------------------+      +-------------------------+      +----------------------+
                  │ Heuristic Rule Engine │ ←─── │ Anomaly Detection Logic │ ───> │ Behavioral Profiling │
                  │ (e.g., IP velocity)   │      │ (Spike in WAU?)         │      │ (Human vs. Bot)      │
                  +-----------------------+      +-------------------------+      +----------------------+
                              │                               │                              │
                              └─────────────────┐             │             ┌────────────────┘
                                                ↓             ↓             ↓
                                        +-------------------------------------------+
                                        │             Fraud Decisioning             │
                                        │      (Flag, Block, or Score Traffic)      │
                                        +-------------------------------------------+
                                                              │
                                                              ↓
                                                    +-------------------+
                                                    │  Action & Report  │
                                                    +-------------------+

In digital ad fraud protection, the concept of Weekly Active Users (WAU) functions as a critical component of a multi-layered security system. Its primary role is not just to count users, but to establish a rhythm of normal user engagement over a seven-day window. This rhythm becomes a benchmark against which all incoming traffic can be compared to spot irregularities that often signal automated or fraudulent activity. By understanding the typical volume and flow of legitimate users, systems can more effectively identify and challenge suspicious traffic spikes that deviate from the norm.

Data Collection and Aggregation

The process begins the moment a user clicks on an ad. The system captures key data points associated with this click, such as the user’s IP address, device type (user agent), browser fingerprints, and the precise timestamp. This raw data is fed into a central analysis engine. Over a rolling seven-day period, the system aggregates this information, identifying and counting each unique user. This count, which is the WAU, provides a clear picture of the typical weekly traffic volume, forming the foundation for all subsequent analysis.
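The aggregation step described above, as an added example that is not code from the original page: it turns raw click records into a rolling seven-day unique-user count. The identity rule (a hash of IP plus user agent), the function names, and the click log are assumptions constructed for illustration; the 1.5 factor is the 50% threshold used in Example 1 further down the page.

```python
from collections import Counter
from datetime import date, datetime, timedelta
import hashlib

WINDOW_DAYS = 7

def user_key(ip, user_agent):
    """Pseudonymous visitor id from the collected fields (assumed identity rule)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]

def rolling_wau(clicks, first_day, last_day):
    """Return {day: unique users seen in the 7 days ending on that day}."""
    users_by_day = {}
    for ts, ip, ua in clicks:
        # A set per day: repeat clicks by the same visitor count once.
        users_by_day.setdefault(ts.date(), set()).add(user_key(ip, ua))

    window_start = first_day - timedelta(days=WINDOW_DAYS - 1)
    days_active = Counter()  # user -> number of days active inside the window
    series = {}
    day = window_start
    while day <= last_day:
        for user in users_by_day.get(day, ()):
            days_active[user] += 1
        expired = day - timedelta(days=WINDOW_DAYS)
        if expired >= window_start:  # only remove days that were actually added
            for user in users_by_day.get(expired, ()):
                days_active[user] -= 1
                if days_active[user] == 0:
                    del days_active[user]
        if day >= first_day:
            series[day] = len(days_active)
        day += timedelta(days=1)
    return series

def spike_days(series, baseline_wau, factor=1.5):
    """Days whose WAU exceeds baseline_wau * factor."""
    return [d for d, wau in sorted(series.items()) if wau > baseline_wau * factor]

def sample_clicks():
    """Constructed click log: 3 regular visitors, then a one-day burst of 40 new IPs."""
    ua = "Mozilla/5.0 (constructed sample)"
    clicks = []
    for offset in range(14):  # 2024-03-01 .. 2024-03-14
        noon = datetime(2024, 3, 1, 12, 0) + timedelta(days=offset)
        for host in (10, 11, 12):
            if (offset + host) % 2 == 0:  # each regular visits every other day
                clicks.append((noon, f"192.0.2.{host}", ua))
                # Second click by the same visitor on the same day.
                clicks.append((noon + timedelta(minutes=5), f"192.0.2.{host}", ua))
    burst = datetime(2024, 3, 12, 3, 0)
    clicks += [(burst, f"203.0.113.{n}", "bot-ua (constructed)") for n in range(40)]
    return clicks

if __name__ == "__main__":
    series = rolling_wau(sample_clicks(), date(2024, 3, 8), date(2024, 3, 14))
    for d, wau in series.items():
        print(d, wau)
    print("spike days:", spike_days(series, baseline_wau=3))
```

The one-day burst keeps WAU elevated for every window that still contains that day, so a daily rolling count shows both when the spike arrived and how long it distorts the metric.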

Baselining and Anomaly Detection

Once enough data is collected, the system establishes a “baseline” WAU. This baseline represents the expected number of unique users for any given week. The fraud detection system then continuously monitors incoming traffic against this baseline in near real-time. If the system detects a sudden, dramatic spike in the WAU that cannot be explained by a new marketing campaign or other known factors, it flags this as an anomaly. Such spikes are a classic indicator of a bot-driven click fraud attack, where thousands of automated scripts are deployed to overwhelm an ad campaign.

Heuristic and Behavioral Analysis

Anomalous traffic is subjected to deeper scrutiny. Heuristic rule engines analyze the traffic against a set of predefined rules, such as checking for an unusually high number of clicks from a single IP address (high velocity) or traffic from known data centers instead of residential areas. Simultaneously, behavioral analysis systems assess whether the user’s on-site behavior (mouse movements, scroll patterns, and time spent on the page) matches that of a genuine human visitor or a predictable, automated script. The combination of WAU anomaly detection with these granular checks allows the system to accurately distinguish between legitimate users and sophisticated bots.

Breakdown of the ASCII Diagram

User Clicks Ad → Data Collection Point

This represents the initial user interaction. When a user clicks an advertisement, it triggers the collection of essential data points like their IP address, user agent, and timestamp. This is the raw input for the fraud detection pipeline.

Traffic Analysis Core

This is the central processing stage where all collected click data is sent. It acts as the brain of the operation, preparing the data for further analysis.

WAU Calculation & Baselining

Here, the system counts the number of unique users over a seven-day period to establish the Weekly Active Users metric. This creates a historical benchmark, or “baseline,” of what normal traffic volume looks like.

Anomaly Detection Logic

This is the first line of defense. The system compares the current WAU against the established baseline. A significant, unexplained spike triggers an alert, suggesting a potential bot attack.

Heuristic Rule Engine & Behavioral Profiling

Flagged traffic is passed to these modules for deeper inspection. The heuristic engine checks against known fraud patterns (e.g., too many clicks from one IP). Behavioral profiling analyzes on-site actions to differentiate human-like interaction from robotic scripts.

Fraud Decisioning

Based on the combined inputs from anomaly detection, heuristics, and behavioral analysis, this component makes a final judgment. It decides whether to flag the traffic as suspicious, block it outright, or assign it a fraud score for further review.

Action & Report

The final step involves executing the decision (blocking the fraudulent IP, for instance) and generating a report for advertisers. This provides transparency and data for refining future ad campaigns.

🧠 Core Detection Logic

Example 1: WAU Spike and IP Velocity

This logic identifies sudden increases in weekly active users that coincide with a high frequency of clicks from new IP addresses. It’s effective at catching botnet attacks where traffic comes from a wide distribution of sources in a short period.

FUNCTION on_new_click(click_data):
  // Get WAU from the last 7 days
  current_wau = get_weekly_active_users()

  // Establish a baseline (e.g., 4-week average WAU)
  baseline_wau = get_baseline_wau(last_4_weeks)

  // Check for abnormal spike (e.g., > 50% increase)
  IF current_wau > (baseline_wau * 1.5):
    // If spike detected, check click velocity from the source IP
    ip_address = click_data.ip
    click_count_last_hour = get_click_count_for_ip(ip_address, last_hour)

    IF click_count_last_hour > 20:
      FLAG_AS_FRAUD(ip_address, "WAU Spike + High IP Velocity")
    END IF
  END IF
END FUNCTION

Example 2: Geo-Mismatch Heuristics

This rule flags users when a campaign’s WAU shows a significant increase from geographic locations that are not targeted by the ad campaign. This is useful for identifying proxy or VPN-based fraud designed to mimic traffic from high-value regions.

FUNCTION analyze_wau_by_geo(campaign):
  // Get user counts by country for the last 7 days
  wau_geo_distribution = get_wau_by_country(last_7_days)

  // Get the campaign's targeted countries
  targeted_countries = campaign.targeted_locations

  FOR country, user_count IN wau_geo_distribution:
    // Check if the country of traffic is outside the target list
    IF country NOT IN targeted_countries:
      // Calculate the percentage of total WAU from this non-targeted country
      percentage_of_total = (user_count / campaign.total_wau) * 100

      // Flag if a significant portion of traffic is from an untargeted geo
      IF percentage_of_total > 10:
        FLAG_AS_SUSPICIOUS(country, "High WAU from Non-Targeted Geo")
      END IF
    END IF
  END FOR
END FUNCTION

Example 3: Session Duration Anomaly

This logic correlates the WAU metric with user engagement. If the number of weekly active users increases but the average session duration plummets, it suggests the new “users” are not genuinely engaging with the content, a common trait of fraudulent bots.

FUNCTION check_session_behavior():
  // Get WAU and average session duration for this week and last week
  current_wau = get_weekly_active_users(this_week)
  previous_wau = get_weekly_active_users(last_week)

  current_avg_session = get_avg_session_duration(this_week)
  previous_avg_session = get_avg_session_duration(last_week)

  // Check if WAU increased significantly while engagement dropped
  wau_increased = current_wau > (previous_wau * 1.3) // 30% increase in users
  session_decreased = current_avg_session < (previous_avg_session * 0.5) // 50% drop in duration

  IF wau_increased AND session_decreased:
    TRIGGER_ALERT("WAU increased but session duration collapsed. Possible bot traffic.")
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

  • Campaign Shielding – Businesses use WAU baselines to automatically detect and block sudden traffic surges from botnets. This prevents ad budgets from being wasted on fraudulent clicks at the start of a campaign.
  • Analytics Purification – By identifying periods of anomalous WAU, companies can filter out fraudulent data from their analytics. This ensures that key business decisions are based on genuine user engagement, not skewed metrics from bot traffic.
  • ROAS Optimization – Monitoring WAU helps ensure that ad spend is reaching real, unique users each week. By preventing bots from draining the budget, the return on ad spend (ROAS) is protected and can be measured more accurately.
  • Geographic Targeting Enforcement – Businesses can analyze the geographic distribution of their weekly active users. If a significant portion of WAU comes from non-targeted countries, it indicates fraudulent activity, allowing the company to block those regions and refine its ad targeting.

Example 1: IP Blocking Rule

This pseudocode shows a practical rule where if a new, unseen IP address contributes to a WAU spike and performs an excessive number of clicks in its first hour, it gets automatically added to a blocklist.

PROCEDURE monitor_new_ips(click):
  IP = click.ip_address
  TIMESTAMP = click.timestamp

  // Check if IP is new within the last 7 days
  is_new_user = NOT is_in_wau_history(IP, last_7_days)

  IF is_new_user:
    // Monitor clicks for the first hour
    clicks_in_first_hour = count_clicks_from_ip(IP, start=TIMESTAMP, end=TIMESTAMP + 1_hour)

    IF clicks_in_first_hour > 15:
      // Add to dynamic blocklist to prevent further ad spend waste
      ADD_TO_BLOCKLIST(IP)
      LOG_EVENT("New IP exceeded click threshold and was blocked.")
    END IF
  END IF
END PROCEDURE

Example 2: Session Scoring Logic

This logic assesses the quality of traffic that contributes to WAU. If a user's session is extremely short (e.g., under 2 seconds) and involves no interaction like scrolling or mouse movement, it is assigned a high fraud score, marking it as likely non-human.

FUNCTION score_user_session(session_data):
  session_duration = session_data.duration_seconds
  mouse_events = session_data.mouse_move_count
  scroll_events = session_data.scroll_event_count

  fraud_score = 0

  IF session_duration < 2:
    fraud_score += 40
  END IF

  IF mouse_events == 0 AND scroll_events == 0:
    fraud_score += 50
  END IF

  IF fraud_score > 80:
    RETURN "High-Risk Fraud"
  ELSE:
    RETURN "Low-Risk"
  END IF
END FUNCTION

🐍 Python Code Examples

This Python function simulates checking for WAU anomalies. It defines a baseline for weekly users and flags any week where the number of unique users dramatically exceeds this normal level, which could indicate a bot attack.

import numpy as np

def detect_wau_anomaly(weekly_user_data, sensitivity=2.0):
    """
    Detects anomalies in Weekly Active Users (WAU) data.

    Args:
        weekly_user_data (dict): A dictionary with week numbers as keys and user counts as values.
        sensitivity (float): Standard deviation multiplier to set anomaly threshold.
    """
    user_counts = list(weekly_user_data.values())
    if len(user_counts) < 4:
        print("Not enough data for baseline.")
        return

    # Establish baseline from historical data (excluding current week)
    baseline_data = user_counts[:-1]
    mean_wau = np.mean(baseline_data)
    std_dev_wau = np.std(baseline_data)
    
    # Define anomaly threshold
    threshold = mean_wau + (std_dev_wau * sensitivity)
    
    # Check the most recent week
    current_week_users = user_counts[-1]
    if current_week_users > threshold:
        print(f"Anomaly Detected: WAU of {current_week_users} exceeds threshold of {threshold:.0f}")

# Example Usage:
# Week 5 shows a suspicious spike
traffic_data = {'Week 1': 1020, 'Week 2': 1100, 'Week 3': 1050, 'Week 4': 980, 'Week 5': 3500}
detect_wau_anomaly(traffic_data)

This script filters incoming ad clicks based on frequency. It tracks the number of clicks from each IP address within a short time window and prints a warning if an IP exceeds a set threshold, a common technique to block basic bot activity.

from collections import defaultdict
from time import time

# Store IP clicks with timestamps
CLICK_LOG = defaultdict(list)
FRAUD_THRESHOLD = 15  # Clicks
TIME_WINDOW = 60  # Seconds

def process_ad_click(ip_address):
    """
    Processes an ad click and checks for fraudulent frequency.
    """
    current_time = time()
    
    # Remove old timestamps outside the time window
    CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add the new click
    CLICK_LOG[ip_address].append(current_time)
    
    # Check if click count exceeds the threshold
    if len(CLICK_LOG[ip_address]) > FRAUD_THRESHOLD:
        print(f"Fraud Alert: IP {ip_address} exceeded click threshold.")
        # In a real system, you would add this IP to a blocklist
        
# Simulate incoming clicks
process_ad_click("192.168.1.100") # Legitimate click
# Simulate a bot attack from another IP
for _ in range(20):
    process_ad_click("10.0.0.55")

Types of Weekly active users

  • New vs. Returning WAU – This method separates weekly active users into two groups: those visiting for the first time within the week (New) and those who have visited before (Returning). A sudden, massive spike in "New" WAU with low engagement is a strong indicator of a botnet attack, as bots often use fresh IP addresses.
  • Geographically Segmented WAU – This approach breaks down the WAU metric by country or region. It is used to quickly identify fraud when a campaign's traffic suddenly comes from unexpected locations outside the target market, often originating from data centers or proxy networks in specific countries.
  • Device-Type WAU – Here, weekly active users are categorized by their device (e.g., mobile, desktop, tablet) and operating system. A disproportionate increase in WAU from a single, specific device profile, like an old version of an operating system, can reveal a bot farm using identical hardware and software setups.
  • Campaign-Specific WAU – This type measures the unique users interacting with a specific ad campaign. It helps advertisers isolate problems by showing if a spike in fraudulent traffic is affecting all campaigns or is concentrated on a single one, which might be targeted by a competitor or fraudster.
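The New vs. Returning and Device-Type segmentations above, combined in one added example that is not code from the original page. The session record fields, the three thresholds, and the sample weeks are hypothetical values constructed for illustration.

```python
from collections import Counter

def segment_wau(previous_users, sessions):
    """Split this week's unique users into new/returning and profile the new ones."""
    profile_of, durations = {}, {}
    for s in sessions:
        profile_of.setdefault(s["user_id"], s["device_profile"])
        durations.setdefault(s["user_id"], []).append(s["session_seconds"])

    users = set(profile_of)
    new_users = users - previous_users
    returning = users & previous_users

    def avg_session(group):
        secs = [d for u in group for d in durations[u]]
        return sum(secs) / len(secs) if secs else 0.0

    counts = Counter(profile_of[u] for u in new_users)
    top_profile, top_count = (counts.most_common(1) or [(None, 0)])[0]
    return {
        "wau": len(users),
        "new": len(new_users),
        "returning": len(returning),
        "new_share": len(new_users) / len(users) if users else 0.0,
        "new_avg_session": avg_session(new_users),
        "returning_avg_session": avg_session(returning),
        "top_new_profile": top_profile,
        "top_new_profile_share": top_count / len(new_users) if new_users else 0.0,
    }

# Hypothetical thresholds for illustration; tune them against your own traffic.
MAX_NEW_SHARE = 0.6
MAX_PROFILE_SHARE = 0.5
MIN_NEW_AVG_SESSION = 5.0  # seconds

def assess(report):
    """Return the reasons, if any, why this week's new-user segment looks automated."""
    flags = []
    if report["new_share"] > MAX_NEW_SHARE:
        flags.append("new users dominate WAU")
    if report["new"] and report["top_new_profile_share"] > MAX_PROFILE_SHARE:
        flags.append(f"one device profile dominates new users: {report['top_new_profile']}")
    if report["new"] and report["new_avg_session"] < MIN_NEW_AVG_SESSION:
        flags.append("new users barely engage")
    return flags

# Constructed data: 20 known users from earlier weeks, 18 of whom return this week.
PREVIOUS_USERS = {f"u{i}" for i in range(1, 21)}
BOT_PROFILE = "Android 5.1 / Chrome 49"

def sample_week(with_burst):
    profiles = ["iOS 17 / Safari", "Windows 11 / Chrome", "Android 14 / Chrome"]
    sessions = [{"user_id": f"u{i}", "device_profile": profiles[i % 3], "session_seconds": 45}
                for i in range(1, 19)]
    sessions += [{"user_id": f"n{i}", "device_profile": profiles[i % 3], "session_seconds": 30}
                 for i in range(1, 6)]
    if with_burst:  # 60 first-time users sharing one outdated device profile
        sessions += [{"user_id": f"b{i}", "device_profile": BOT_PROFILE, "session_seconds": 1}
                     for i in range(60)]
    return sessions

if __name__ == "__main__":
    for label, burst in (("normal week", False), ("burst week", True)):
        report = segment_wau(PREVIOUS_USERS, sample_week(burst))
        print(label, report["wau"], round(report["new_share"], 2), assess(report))
```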

🛡️ Common Detection Techniques

  • IP Address Monitoring – This involves tracking the IP addresses of users who click on ads. A large number of clicks originating from a single IP address in a short time is a primary indicator of fraudulent activity.
  • Behavioral Analysis – This technique analyzes a user's post-click behavior, such as mouse movements, scrolling, and time spent on a page. Bots often exhibit non-human patterns, like no movement or instantaneous clicks, which helps distinguish them from legitimate users.
  • Heuristic Rule-Based Detection – This method uses predefined rules to identify suspicious patterns. For example, a rule might flag traffic from outdated browsers or known data center IP ranges, which are commonly used by bots.
  • Click Timestamp Analysis – This technique examines the timing of clicks. Clicks that occur in rapid succession or at unusual hours (e.g., 3 AM local time) can indicate automated scripts rather than genuine human interest.
  • Geographic Mismatch Detection – This involves comparing the geographic location of the click with the campaign's target audience. A sudden surge of traffic from a non-targeted country is a strong signal of click fraud, often routed through proxies.

🧰 Popular Tools & Services

| Tool | Description | Pros | Cons |
|------|-------------|------|------|
| TrafficGuard | A comprehensive ad fraud prevention solution that offers real-time detection and blocking across various channels, including Google Ads and mobile apps. It helps protect advertising budgets by validating traffic quality. | Real-time analysis, broad platform support, detailed reporting. | Can be complex to configure for beginners, pricing may be high for small businesses. |
| ClickCease | Specializes in click fraud detection and blocking for PPC campaigns on platforms like Google and Facebook. It automatically adds fraudulent IPs to an exclusion list to stop budget waste. | Easy setup, effective automated IP blocking, user-friendly dashboard. | Primarily focused on click fraud, may not cover all forms of ad fraud like impression fraud. |
| CHEQ | An ad verification and fraud prevention platform that uses AI and machine learning to identify and mitigate risks from invalid traffic. It offers protection across the entire marketing funnel. | Advanced AI detection, comprehensive funnel protection, good for enterprise-level security. | Can be resource-intensive, may require technical expertise for full customization. |
| Anura | A real-time ad fraud solution that analyzes traffic to identify bots, malware, and human fraud. It provides a definitive "fraud" or "not fraud" decision to eliminate ambiguity. | High accuracy, minimizes false positives, provides clear results for quick action. | May be more expensive than simpler tools, integration can require developer support. |

📊 KPI & Metrics

When deploying systems that analyze weekly active users for fraud, it's vital to track metrics that measure both the accuracy of the detection and its impact on business goals. Monitoring these KPIs helps ensure that the system effectively blocks fraud without harming legitimate user traffic, thereby protecting ad spend and preserving data integrity.

| Metric Name | Description | Business Relevance |
|-------------|-------------|--------------------|
| Invalid Traffic (IVT) Rate | The percentage of total traffic identified as fraudulent or invalid by the detection system. | A primary indicator of the overall health of ad traffic and the effectiveness of fraud filters. |
| False Positive Rate | The percentage of legitimate user interactions that are incorrectly flagged as fraudulent. | Crucial for ensuring that fraud prevention efforts do not block real customers and harm revenue. |
| Fraud Detection Rate (FDR) | The percentage of total fraudulent activities that the system successfully detects and blocks. | Measures the accuracy and effectiveness of the fraud detection logic in catching real threats. |
| Cost Per Acquisition (CPA) | The average cost to acquire one converting customer from an ad campaign. | Effective fraud filtering should lower the CPA by eliminating wasted spend on non-converting bot traffic. |
| Conversion Rate Fluctuation | Monitoring abnormal drops in conversion rates despite high click volume, which can indicate fraud. | Helps identify campaigns targeted by sophisticated bots that generate clicks but no conversions. |

These metrics are typically tracked through real-time dashboards that visualize traffic patterns, flag anomalies, and send automated alerts. The feedback from this monitoring is essential for continuously tuning the fraud detection rules, such as adjusting the sensitivity of WAU spike detection or refining behavioral heuristics to better distinguish between human and bot activity. This iterative process optimizes the system for both high accuracy and minimal disruption to genuine users.
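One way to carry out the tuning loop described above, as an added example that is not code from the original page: it replays a labelled WAU history through a mean-plus-standard-deviation spike detector at several sensitivity values and reports the Fraud Detection Rate and False Positive Rate for each. The weekly counts and fraud labels are constructed, and keeping flagged weeks out of the baseline is an assumption of this sketch.

```python
from statistics import mean, pstdev

MIN_BASELINE_WEEKS = 4  # weeks used to seed the baseline before any scoring

def run_detector(weekly_wau, sensitivity):
    """Return one flag per week; flagged weeks are kept out of the baseline."""
    baseline = list(weekly_wau[:MIN_BASELINE_WEEKS])
    flags = [False] * len(baseline)
    for wau in weekly_wau[MIN_BASELINE_WEEKS:]:
        threshold = mean(baseline) + sensitivity * pstdev(baseline)
        flagged = wau > threshold
        flags.append(flagged)
        if not flagged:
            # An undetected spike lands here and inflates later thresholds.
            baseline.append(wau)
    return flags

def rates(flags, is_fraud):
    """Fraud Detection Rate and False Positive Rate over the scored weeks."""
    scored = list(zip(flags, is_fraud))[MIN_BASELINE_WEEKS:]
    tp = sum(1 for f, y in scored if f and y)
    fn = sum(1 for f, y in scored if not f and y)
    fp = sum(1 for f, y in scored if f and not y)
    tn = sum(1 for f, y in scored if not f and not y)
    return {
        "fdr": tp / (tp + fn) if tp + fn else None,  # None: no fraud weeks to detect
        "fpr": fp / (fp + tn) if fp + tn else None,  # None: no legitimate weeks
    }

def sweep(weekly_wau, is_fraud, sensitivities):
    return {s: rates(run_detector(weekly_wau, s), is_fraud) for s in sensitivities}

# Constructed history: week 6 is a large bot burst, week 8 a smaller one,
# and week 11 (1180) is a legitimate campaign-driven rise.
WEEKLY_WAU = [1020, 1100, 1050, 980, 1060, 3500, 1010, 1200, 1090, 1040, 1180, 1050]
IS_FRAUD = [False] * 5 + [True, False, True, False, False, False, False]

if __name__ == "__main__":
    for s, r in sweep(WEEKLY_WAU, IS_FRAUD, [1.0, 2.0, 4.0, 5.0]).items():
        print(f"sensitivity={s}: FDR={r['fdr']:.2f} FPR={r['fpr']:.2f}")
```

On this constructed history a low sensitivity flags ordinary variation and the organic rise, while the highest value misses the smaller attack, whose count then enters the baseline.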

🆚 Comparison with Other Detection Methods

Accuracy and Real-Time Suitability

Analyzing Weekly Active Users is a strong method for detecting large-scale, anomalous traffic spikes, making it highly effective against sudden botnet attacks. However, its accuracy depends on having a stable historical baseline. For real-time blocking, it serves as a powerful initial filter but must be combined with more granular methods. In contrast, signature-based detection, which relies on known bot fingerprints, is very fast and precise for recognized threats but fails against new or evolving bots. Behavioral analysis is more adaptive, excelling at identifying sophisticated bots that mimic human actions, but it often requires more processing time and may not be suitable for immediate, pre-bid blocking.

Scalability and Maintenance

WAU analysis is highly scalable as it involves simple counting and comparison, making it efficient for handling massive traffic volumes. However, its effectiveness relies on regularly updating baselines to account for organic growth or seasonality. Signature-based systems are also scalable but demand constant maintenance to keep their signature databases current. Behavioral analytics can be more resource-intensive to scale, as it requires complex processing for every user session, though modern machine learning models have improved its efficiency.

Effectiveness Against Different Fraud Types

The WAU method is most effective against impression and click fraud attacks characterized by high volume and automation. It is less effective at detecting low-and-slow attacks or sophisticated invalid traffic (SIVT) that blends in with legitimate users. CAPTCHAs are a direct challenge method effective at stopping basic bots but can be overcome by advanced bots and create friction for real users. Behavioral analysis is generally the most robust method for detecting sophisticated bots that WAU analysis and signature-based filters might miss, as it focuses on the quality and nature of the interaction itself.

⚠️ Limitations & Drawbacks

While analyzing weekly active users is a valuable technique in fraud detection, it has limitations, particularly when used in isolation. It is most effective as part of a multi-layered security approach, as it primarily identifies large-scale anomalies rather than subtle, sophisticated threats.

  • Inability to Detect Sophisticated Bots – Bots programmed to mimic human behavior over extended periods can blend into the normal WAU baseline, rendering this metric ineffective.
  • Delayed Reaction Time – Since WAU is a seven-day metric, it may not catch and block a sudden, short-lived fraud attack until after significant budget has already been wasted.
  • Vulnerability to Organic Spikes – A legitimate viral marketing campaign can cause a sudden spike in WAU, potentially triggering false positives if not properly contextualized.
  • Lack of Granularity – WAU is a high-level metric; it indicates a problem exists but does not provide details on the nature of the fraud, requiring other tools for investigation.
  • Baseline Dependency – The entire method relies on having a clean, stable, and accurate historical baseline, which can be difficult to establish for new websites or volatile markets.
  • Ineffective Against Low-Volume Attacks – It cannot effectively detect "low-and-slow" fraud attacks, where a small number of fraudulent clicks are spread out over time to avoid detection.

For these reasons, WAU analysis should be supplemented with real-time detection methods like behavioral analysis and heuristic rule-based filtering.

❓ Frequently Asked Questions

How does WAU analysis differ from just blocking suspicious IPs?

Blocking suspicious IPs is a reactive tactic, whereas WAU analysis is a proactive monitoring strategy. WAU helps establish a normal traffic baseline to detect large-scale anomalies that might involve thousands of "clean" IPs, which wouldn't otherwise be on a blocklist. It identifies the attack pattern, not just the individual actors.

Can WAU be manipulated by sophisticated fraudsters?

Yes. Sophisticated bots can spread their activity over a week to avoid creating a sudden spike, thereby blending in with legitimate traffic. This is why WAU analysis should be combined with other methods like behavioral analysis, which can identify non-human interaction patterns regardless of the timing.

Is WAU more important than Daily Active Users (DAU) for fraud detection?

It depends on the context. WAU provides a more stable view of user engagement, smoothing out daily fluctuations and making large-scale anomalies easier to spot. DAU is more sensitive to immediate, short-term attacks but can also be noisier. Many fraud detection systems use both metrics to get a comprehensive view.

What is a good WAU-to-MAU (Monthly Active Users) ratio for indicating healthy traffic?

A high WAU-to-MAU ratio suggests good user retention and "stickiness." While not a direct fraud indicator, a sudden drop in this ratio alongside a traffic spike can be a red flag. It might suggest an influx of low-quality, non-returning users, which is characteristic of certain types of bot traffic.

How long does it take to establish a reliable WAU baseline for fraud detection?

Typically, a reliable baseline requires at least four to six weeks of consistent traffic data. This allows the system to account for normal weekly variations and establish a statistically sound average. For new sites or products, this initial period is critical for calibrating the anomaly detection thresholds accurately.

🧾 Summary

Weekly Active Users (WAU) is a key metric in digital ad fraud protection that measures the number of unique users interacting with a platform over a seven-day period. Its primary role is to establish a baseline of normal traffic volume. By monitoring for sudden, unexplained spikes in WAU, advertisers can detect large-scale bot attacks and other fraudulent activities, helping to protect ad budgets and ensure analytics data remains clean and reliable.