At a glance: The Protect360 dashboard provides insights about fraudulent traffic and installs blocked due to the application of validation rules.
Related reading: Overview | Raw data | Validation rules
About Protect360 dashboard
The Protect360 dashboard:
- Displays aggregate fraud data at the account level.
- Has three dashboard views:
- Installs (CPI)
- In-app events (CPA)
- Anomalies
- Organizes fraud based on categories, including:
- Fake versus hijacked installs
- Fraud blocked in real-time versus fraud identified post-attribution
- Fraud from UA versus retargeting campaigns
- Allows you to drill down to further examine fraud events by using the filtering and grouping options.
To view the Protect360 dashboard, in AppsFlyer, go to Dashboard > Protect360.
Filters and groupings
The following filtering and grouping options are available:
- Basic filters:
- App name. Note: Apps with only organic installs can't be selected.
- Source type: Non-organic and/or organic
- Media source
- Geo
- Date range (see time zone support)
- Attribution type: Installs, re-attributions, and/or re-engagements
- Payable events (available in the In-app events dashboard)
- Expanded filters - click on the blue arrow, to the right of the date picker:
- Agencies
- Campaigns
- Channels
- Grouping options - choose different dimensions to group the fraud data by to get the specific insights you need:
- Application: Compare the total amount of fraud per each of your apps.
- Media Source (default): Compare the identified fraud from each of the media sources used by your apps
- Media Source + Campaign: Compare the identified fraud from all your campaigns across all media sources used by your apps
- Media Source + Site ID: Compare the identified fraud from all publishers (site IDs) across all media sources used by your apps
- Media Source + Site ID + Campaign: Compare the identified fraud from all publishers (site IDs) across all media sources used by your apps, associated with the relevant campaign names
- Media source + Geo (available in the In-app events dashboard): Compare the identified fraud from each of the media sources used by your apps, associated with the relevant countries
- Media source + Attribution type: Compare the identified fraud from each of your media sources, associated with the selected attribution type (installs, re-attributions, and/or re-engagements)
- Geo: Compare the identified fraud from all countries
Installs dashboard
The installs dashboard displays LTV-based data, meaning data relating to installs, re-attributions, and re-engagements that occurred during your selected date range.
Dashboard features are described in the sections that follow.
Installs—headline metrics
The headline metrics enable you to see:
- Estimated savings
- Total number of fraudulent installs
- Number of fraudulent (in-app) events
- Anomalies
Each KPI has a percentage value. This value shows how the KPI changed relative to the parallel date range before it: for example, this week compared with last week, or the days selected in the date range compared with the same number of days that came before. If it shows an X% increase in estimated savings, it means the previous parallel date range had X% fewer fraudulent installs, re-attributions, and re-engagements.
Estimated savings
Estimated savings metrics:
- Display the value of fraud blocked in real-time or identified post-attribution, to be settled by you with the ad networks.
- Use the formula: Estimated Savings = number of blocked installs × app average eCPI.
- Are not relevant for organic traffic.
For more details on how this amount is calculated read this FAQ.
Identified fraudulent attributions
Total identified fraud metrics display the amounts of:
- Fraudulent installs, re-attributions, and re-engagements blocked in real-time for all the various fraud-blocking reasons.
- Installs, re-attributions, and re-engagements identified as fraud post-attribution.
Blocked in-app events
Blocked in-app events metrics display the amount of in-app events blocked by AppsFlyer. The events may have been blocked due to belonging to blocked installs, or due to being marked as suspicious post-attribution events.
Installs—charts
Identified fraud trend chart
The identified fraud trend chart displays the number of fraudulent installs, re-attributions, and re-engagements per day, broken down by either:
- Detection type: Installs blocked in real-time and installs identified as fraud post-attribution.
- Attribution type: Installs, re-attributions, and re-engagements
- Source type: Non-organic and organic
The display can be either a line graph or a bar chart.
Hijacked installs attribution correction chart
The hijacked installs attribution correction chart displays media sources that attempted to take credit for installs, re-attributions, and re-engagements, as well as the last valid contributor sources.
You can:
- Filter by hijacked attributions identified in real-time, post-attribution, or attributions identified via validation rules.
- Set to which valid sources attribution is corrected or from which hijacked sources attribution was corrected.
- Change the chart view to a table format, and download the data as a CSV.
Note:
- This chart is only accessible to advertisers. Agencies and ad networks do not have access.
- When the hijackings are blocked in real-time, the correct attributions display in AppsFlyer dashboards and reports (not just Protect360). When hijackings are identified post-attribution, the correct attributions are displayed only in Protect360 raw data.
- This chart can display correction to organic, but not from organic.
Identified fraud chart
The identified fraud chart displays the types of fraud you experience, by percentage. Fraud breakdown can be by:
- Block reason
- Blocked sub-reason
- Media source
- Campaign
- Geo
- App
Installs—table
Identified fraud breakdown
The Identified fraud breakdown table displays the following data:
- Fraud blocked in real-time
- Fraud identified and marked post-attribution
- Other indications of fraud per media source
The table is presented in a general overview format, as shown in the image that follows.
The dynamic table structure:
- Lets you click the table settings button to add or remove columns to the table.
If you make any changes to the table, make sure to click the Save button afterward.
- Is per user, so every account user with access to Protect360 can personally customize their own table structure. See more table options.
Content of the identified fraud breakdown table
Table Column | Description |
---|---|
Groupings | |
Attributions | Headline breakdown of blocked and post-attribution fraudulent installs. |
Total (A) | |
Blocked (B) | |
Blocked % (B/A) | Blocked installs / Total installs |
Post-attribution (C) | Installs identified as fraud post-attribution. |
Post-attribution % (C/A) | Post-attribution installs / Total number of installs |
Total fraudulent installs (D) | Fraudulent installs, blocked in real-time or identified as fraudulent post-attribution. |
Fraudulent installs % (D/A) | Fraudulent installs / Total number of installs |
Fraud attribution type breakdown | The attribution types of the fraudulent installs, broken down into installs, re-attributions, and re-engagements. |
Installs | Fraud originated from a UA campaign. |
Re-attributions | Fraud originated from a retargeting campaign that led to an install. |
Re-engagements | Fraud originated from a retargeting campaign that led to a re-engagement. |
Fake | Fraudulent installs or re-attributions simulating real user activity - divided by real-time blocks and post-attribution. |
Real-time block | Fake installs blocked in real-time. |
Post-attribution fraud | Fake installs identified as fraud post-attribution. |
Hijacked | Fraudulent last clicks stealing attribution of real user installs - divided by real-time blocks and post-attribution. |
Real-time block | Hijacked installs blocked in real-time. |
Post-attribution fraud | Hijacked installs identified as fraud post-attribution. |
Validation rules | Installs meeting validation rules conditions. |
Blocked installs | Installs blocked by validation rules. |
Blocked attribution | Attribution changes of installs due to validation rules. |
Fake installs block breakdown | Breakdown of blocked and post-attribution fraudulent fake installs usually performed programmatically. |
Blocked site ID denylist | Installs blocked due to Protect360 denylisting the SiteID. |
Post-attribution site ID denylist | Installs marked as fraud due to Protect360 post-attribution denylisting of the SiteID. |
Blocked bots | Blocked installation attempts made by automatic bots. |
Post-attribution bots | Installs marked as fraud due to identified automatic bots activities post-attribution |
Blocked behavioral anomalies | Installs blocked due to behavioral anomalies, meaning, abnormal session and in-app event performance of users. |
Post-attribution behavioral anomalies | Installs marked as fraud due to behavioral anomalies post-attribution. |
Blocked install validation | Total installs blocked due to negative store validation. |
Hijacked installs block breakdown | Breakdown of fraudulent last clicks aimed to steal attribution of real user app installs. |
Blocked install hijacking | Blocked install hijacking of the source. |
Post-attribution install hijacking | Install hijacking marked as fraud in post-attribution. |
Blocked CTIT anomalies | Installs blocked due to CTIT anomalies. |
Post-attribution CTIT anomalies | CTIT anomalies marked as fraud in post-attribution. |
Blocked click flooding | Installs blocked due to click flooding (fraud attempts to send large numbers of clicks hoping to deliver the last clicks prior to random installs.) |
Post-attribution click flooding | Click flooding installs marked as fraud in post-attribution. |
Clicks | Clicks from the source. Note: Click data displays as NA if one of re-engagement or re-attribution is selected as the attribution type without the other. Fix your filter/grouping settings to view the data correctly. |
Total (E) | Total number of legitimate and fraudulent clicks received from the source |
Blocked | Clicks blocked due to fraud (including capped) |
Capped | Clicks blocked due to click capping |
Impressions | Impressions from the source. Note: Impression data displays as NA if one of re-engagement or re-attribution is selected as the attribution type without the other. Fix your filter/grouping settings to view the data correctly. |
Total | Total number of legitimate and fraudulent impressions received from the source |
Blocked | Impressions blocked due to fraud (including capped) |
Capped | Impressions blocked due to impressions capping |
In-App Events | In-app events from the source. Note: This includes in-app events from installs; not re-attributions or re-engagements. |
Total (G) | Total in-app events |
Blocked (H) | Blocked in-app events |
% (H/G) | Blocked in-app events / total in-app events |
Device farm indicators | Indicators of fraudulent device farm activity, using Device ID Reset and Limited Ad Tracking (LAT) fraud. Note: This includes installs and re-attributions; not re-engagements. |
Installs (I) | Installs having a new device ID not known to AppsFlyer. |
Installs % (I/A) | New device installs / Total number of installs |
Loyal user % | General KPI indicating if users are real or fake. |
Click flooding indicators | Indications of click flooding fraud based on abnormal conversion or assist rates, or CTIT time. |
Conversion rate (%) | Low percentage compared with the general app conversion rate indicates click flooding fraud. Note: Conversion rate displays as NA if one of re-engagement or re-attribution is selected as the attribution type without the other. Fix your filter/grouping settings to view the data correctly. |
Assists % | High percentage compared with other media sources (in the Assists widget on the overview page) indicates click flooding fraud. |
Over 60 minutes | Normally ~30% of first app launches occur more than 60 minutes after download. |
Over 5 hours | Normally ~20% of first app launches occur more than 5 hours after download. |
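The following is an added example (not AppsFlyer code) that recomputes the table's derived percentage columns and checks the click flooding and device farm indicator columns against the norms stated in the table. The field names, the sample rows, and the three tuning parameters of `indicators` are assumptions made for this example.

```python
from dataclasses import dataclass

# Norms from the table: % of first launches later than 60 min / 5 h after download.
NORMAL_OVER_60_MIN = 30.0
NORMAL_OVER_5_HOURS = 20.0


@dataclass
class SourceRow:
    """One table row per media source. Field names are hypothetical."""
    media_source: str
    total: int              # Total (A)
    blocked: int            # Blocked (B)
    post_attribution: int   # Post-attribution (C)
    new_device: int         # Device farm indicator installs (I)
    conversion_rate: float  # Conversion rate (%)
    over_60_min: float      # % of installs with CTIT over 60 minutes
    over_5_hours: float     # % of installs with CTIT over 5 hours


def pct(part, whole):
    """Percentage of whole; None stands in for NA when the base is zero."""
    return None if whole == 0 else round(100.0 * part / whole, 2)


def breakdown(row):
    """Derived columns of the table: B/A, C/A, D/A and I/A."""
    fraudulent = row.blocked + row.post_attribution  # Total fraudulent (D)
    return {
        "blocked_pct": pct(row.blocked, row.total),
        "post_attribution_pct": pct(row.post_attribution, row.total),
        "fraudulent_pct": pct(fraudulent, row.total),
        "new_device_pct": pct(row.new_device, row.total),
    }


def estimated_savings(blocked_installs, app_average_ecpi):
    """Estimated Savings = number of blocked installs x app average eCPI."""
    return round(blocked_installs * app_average_ecpi, 2)


def indicators(row, app_conversion_rate, new_device_threshold=50.0,
               ctit_margin=15.0, conversion_factor=0.5):
    """Flag indicator columns that deviate from the norms (defaults are assumed)."""
    flags = []
    if row.conversion_rate < conversion_factor * app_conversion_rate:
        flags.append("low conversion rate")
    if row.over_60_min > NORMAL_OVER_60_MIN + ctit_margin:
        flags.append("CTIT over 60 minutes above norm")
    if row.over_5_hours > NORMAL_OVER_5_HOURS + ctit_margin:
        flags.append("CTIT over 5 hours above norm")
    new_pct = pct(row.new_device, row.total)
    if new_pct is not None and new_pct > new_device_threshold:
        flags.append("high new-device ratio")
    return flags


# Constructed sample rows (not real data).
ROWS = [
    SourceRow("network_a", 1000, 40, 10, 200, 2.0, 28.0, 18.0),
    SourceRow("network_b", 800, 300, 100, 640, 0.2, 62.0, 41.0),
]
```

A flagged row is a reason to drill down by site ID or campaign, not proof of fraud on its own.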
Additional table options
- Click Export CSV to download the table to your desktop in CSV format
- Click the gear icon to:
- Change the order of table columns
- Add or remove the columns described above
- Add or remove any of your app's recently blocked in-app events. For each added in-app event the following columns are displayed:
Table Column | Description |
---|---|
Events Counter (Total) | Number of the specific event's blocked occurrences |
Unique Users | Number of unique users getting the specific event blocked |
Note that uncommon rates of either of these KPIs don't necessarily indicate fraud, as many events get blocked due to fraudulent post-attribution installs.
The in-app event data in the CPI dashboard is LTV-based, meaning it is all the in-app events associated with installs that occurred during the specified date range.
In-app events dashboard
The in-app events dashboard displays activity-based data, meaning data relating to in-app events that occurred during your selected date range, including events from installs that happened before the date range.
Dashboard features are described in the sections that follow.
In-app events—headline metrics
The headline metrics enable you to see:
- Estimated savings
- Only available if Payable events is enabled.
- Based on the payable events you have configured.
- Total number of identified fraudulent IAEs
In-app events—charts
Fraud trend over time chart
The fraud trend over time chart displays the number of events per day, broken down into:
- Real-time: Fraudulent in-app events blocked in real-time
- Post-attribution: Fraudulent events identified post-attribution
- Non-fraud
Top IAE fraud by media source chart
The top in-app event fraud by media source list contains:
- The 5 media sources with the highest number of fraudulent in-app events in descending order.
- A bar chart for each media source that displays the following in-app event types as a percentage of total in-app events:
- Real-time: Fraudulent in-app events blocked in real-time
- Post-attribution: Fraudulent events identified post-attribution
- Non-fraud
In-app event fraud sunburst chart
The in-app event fraud sunburst chart displays the in-app event fraud breakdown visually.
The innermost (root) ring of the sunburst chart displays in-app events broken down into parent slices: Non-fraud, Fake and Hijacked.
Clicking a parent slice (and subsequent slices in the sunburst hierarchy) displays additional breakdowns of in-app events and media sources.
The in-app events displayed in the sunburst chart are identical in name and meaning to those in the In-app event fraud breakdown table.
In-app events—table
The In-app event fraud breakdown table displays the following data:
- Fraud blocked in real-time
- Fraud identified and marked post-attribution
- Other indications of fraud per media source
The table is presented in a general overview format, as shown in the image that follows.
The dynamic table structure:
- Lets you click the table settings button to add or remove columns to the table.
If you make any changes to the table, make sure to click the Save button afterward.
- Is per user, so every account user with access to Protect360 can personally customize their own table structure. See more table options.
Content of the in-app event fraud breakdown table
Table Column | Description |
---|---|
Groupings | |
In-app events | Headline breakdown of blocked and post-attribution fraudulent IAEs. |
Total IAE (A) | |
Total fraudulent IAE (B) | |
Fraudulent events % (B/A) | Fraudulent IAEs/Total IAEs |
Fake IAE real-time blocks | Fraudulent IAEs blocked in real-time. |
Fake IAE | Fake IAE identified as fraud and blocked in real-time. |
Fake installs | The original install was identified as fraud and blocked in real-time. |
Post-attribution fake installs | The original install was identified as fraud post-attribution, before the IAE. |
Saved from hijacking in real-time | IAEs with the original install hijacked by a fraudulent source, that AppsFlyer correctly attributes to the last non-fraudulent source. |
Corrected to organic | Hijacked installs with the last non-fraudulent source being organic. |
Corrected to non-organic source | Hijacked installs with the last non-fraudulent source being a non-organic media source. |
Post-attribution IAE fraud | In-app events identified as fraud post-attribution. |
Fake installs | IAE occurred before the install was identified as fraud post-attribution. |
Hijacked installs | IAE occurred before the install was identified as hijacked, and cannot be correctly attributed post-attribution. |
Validation rules | IAEs blocked due to meeting validation rules conditions. |
Blocked installs | IAEs of installs blocked by validation rules. |
Blocked IAE | IAEs blocked by validation rules. |
Corrected to organic | Hijacked installs with the last non-fraudulent source being organic. |
Corrected to non-organic source | Hijacked installs with the last non-fraudulent source being a non-organic media source. |
Additional table options
- Click Export CSV to download the table to your desktop in CSV format
- Click the gear icon to:
- Change the order of table columns
- Add or remove the columns described above
The number of events shown is activity-based, not LTV-based, meaning it's the exact number of event blocks during the specified date range.
Payable events
Payable events are IAEs that have a cost. Once enabled and configured, the In-app activity dashboard only displays data related to payable events.
To enable Payable events in the In-app activity dashboard:
To configure payable events:
- In the In-app activities dashboard, click Configure payable events.
The Configure payable events popup displays.
- [Optional] If you are configuring a new payable event, click Add new.
- Based on which payable IAEs you want to display in the dashboard, select the following from the drop-down menus:
- Apps
- In-app events
- Media sources
- Campaigns
- Enter the CPA of the IAE.
- Click Save.
- Click Close.
Anomalies dashboard
The Anomalies dashboard:
- Provides insights about media sources that have suspicious Click to Install Time (CTIT) values, or new device ratios, when compared with other media sources.
- Enables you to use the media-source-level KPIs to receive compensation from the media sources and consider whether to continue working with them or not.
- Requires you to have traffic from sources that are trusted by AppsFlyer to have low fraud rates. This creates a baseline against which other media sources are compared.
CTIT tab

To view CTIT insights (numbers refer to the preceding screenshot):
- Go to Anomalies > CTIT.
- Select apps to watch on the page.
- Select which countries contribute to the data on the page.
- Select the date range of the data on the page.
- You can see up to 180 days back.
Note: The 180 days started on April 6, so until 180 days have passed from then, fewer than 180 days are available.
- Turn on Exclude post-attribution fraud to see only blocked fraud, or turn it off to see the full fraud insights.
- Select the media source baseline to compare with. The default App Baseline takes into consideration various sources trusted by AppsFlyer, which contribute to your traffic.
- Select the time resolution shown in the graph: seconds, minutes, hours or days.
- Customize the validation rules to exclude installs with illogical CTIT.
Note: The validation rules feature must be enabled for your account to perform this.
- To see more details, hover over the distinctly colored parts in the graph, which indicate detected CTIT anomalies.
Note: Only ad networks for which we have enough data to make accurate comparisons are shown.
- Click the Protect 360 link to go back to the Identified Fraud page.
The CTIT anomalies breakdown table, at the page bottom, displays all the media sources which have CTIT anomalies. Use it to see data about the number and percentage of installs with abnormal CTIT values. With this table you can also export to CSV, add or remove columns or set their order.
New devices tab

The New devices tab enables you to visually detect media sources and site IDs that have suspiciously high ratios of new devices installing your app.
Sources colored in gray are below the New devices ratio threshold. For yellow-colored sources, a stronger color means a higher new devices ratio.
The area occupied by a media source represents the total number of its installs, including blocked and post-attribution fraud.
To view new device insights (numbers refer to the preceding screenshot):
- Go to Anomalies > New devices.
- Select apps to watch on the page.
- Select which countries contribute to the data on the page.
- Select the date range of the data on the page.
- Set the New devices ratio threshold, above which you consider media sources as suspicious and colored in yellow.
- To see more details about a media source, click on it.
Click on the All media sources link to get back to the view of all media sources.
- Click the Installs link to go back to the Installs tab.
- You can export the Identified fraud breakdown table, containing new devices data.
Traits and limitations
Trait | Remarks |
---|---|
Retargeting |
|