Case Study · Budget Sidekick

Lead Verification Built Into the Infrastructure and Code

Most lead verification is an afterthought. A third-party script bolted on. A manual review process. Or worse — sales doing qualification work at $100k a year when a well-built system should have handled it before the lead ever reached them.

The problem

Low-friction marketing assets are high-value targets — PPC or forms that a bot can easily fill. reCAPTCHA v3 was supposed to be free and invisible. It's neither. It adds a visible overlay logo and Google now charges for it. Cloudflare Turnstile is free for now but still leaves a visual footprint. Neither solves the real problem: low-friction marketing assets need tight, purpose-built integration — not off-the-shelf CAPTCHAs bolted on after the fact.

The approach

At Primordial Software we build lead verification into the infrastructure and code from the start.

Here's how we protect Budget Sidekick's low-friction marketing assets from bot traffic and fraud — without breaking the experience for real users or legitimate crawlers.

Bot detection runs async on page load using Vercel BotID, tightly integrated into our Next.js infrastructure at the code level — not bolted on as an afterthought. See the BotID get-started guide for setup. This is the differentiator. Anyone can install a script. Building it cleanly into the application layer requires a different level of engineering. The user sees a normal loading state, identical to any external embedded asset loading asynchronously. No visible CAPTCHA, no friction, no signal to the bot that anything is happening.

  • If the visitor is human — the asset loads. Normal experience, zero friction.
  • If the visitor is a non-verified bot — the low-friction asset never loads. They are served a higher-friction self-qualifying asset instead, maintaining a pathway for conversion in the event of a false positive while preserving the site aesthetics for everyone.
  • Verified bots — Googlebot, legitimate crawlers — pass through automatically. SEO unaffected.

The integration

This isn't a network-level block or a blanket route filter. It's surgical — only the marketing asset itself is affected. The rest of the page loads as normal, preserving the full experience for legitimate users. One component, one check, purpose built. Nothing else on the site is touched.

The wrapper runs verification async on mount and conditionally renders the low-friction asset or the higher-friction fallback:

'use client';

import { useEffect, useState } from 'react';
import Widget from '@/components/Widget';
import FallbackForm from '@/components/FallbackForm';
import { verifyBotStatus } from '@/app/actions/verifyBotStatus';
import { SUPPORT_EMAIL } from '@/utils/constants';

export default function BotProtectedWidget({
  params = {},
  source = 'widget',
}) {
  const [status, setStatus] = useState('loading'); // 'loading' | 'bot' | 'human'

  useEffect(() => {
    const pageUrl = typeof window !== 'undefined'
      ? window.location.origin + window.location.pathname + (window.location.search || '')
      : '';

    verifyBotStatus({
      source,
      page_url: pageUrl,
    })
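      .then((data) => {
        // Humans and verified bots (e.g. Googlebot) get the low-friction asset;
        // only non-verified bots are routed to the fallback.
        if (!data?.isBot || data?.isVerifiedBot) {
          setStatus('human');
        } else {
          setStatus('bot');
        }
      })
      .catch(() => {
        // Fail open: a failed verification call is treated as human,
        // so the low-friction asset still renders.
        setStatus('human');
      });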
  }, [source]);

  if (status === 'loading') {
    return (
      <div className="w-full min-h-[400px] flex items-center justify-center rounded-3xl border border-gray-200/40 bg-gray-50/50">
        <div className="animate-pulse text-gray-500">Loading…</div>
      </div>
    );
  }

  if (status === 'bot') {
    return (
      <div className="mt-12 w-full">
        <FallbackForm />
        <p className="text-sm text-gray-500 mt-4 text-center text-balance">
          You&apos;ve been detected as a bot and are seeing a fallback form. Contact us at{' '}
          <a href={`mailto:${SUPPORT_EMAIL}`} className="text-gray-600 hover:text-gray-800 underline">
            {SUPPORT_EMAIL}
          </a>
          {' '}to access our full site.
        </p>
      </div>
    );
  }

  return <Widget params={params} />;
}

Bot events are logged for manual review and cross-referenced against Autonomous System (AS) IP classification data — giving us a layered picture of traffic quality that goes deeper than any single tool provides.

That data is available in reporting — detected bot IPs and AS IP classification lookups — ready to export and upload to any paid media platform that supports IP exclusions. No expensive third-party subscriptions. No black boxes you don't own. No ClickCease, no IPQS, no adding yet another vendor dependency. Just the core hosting infrastructure your site depends on.
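One way to do the cross-referencing and export described above, as an added example (not Budget Sidekick's or Primordial Software's code): it joins logged bot events against an AS classification table and emits a CSV of IPs to exclude. The event fields, the AS table, the `minHits` policy and every sample IP and ASN are assumptions constructed for illustration.

```javascript
// Constructed sample data. Field names and the AS table are assumptions for this example.
// IPs are RFC 5737 documentation ranges; ASNs are RFC 5398 documentation ASNs.
const BOT_EVENTS = [
  { ip: '203.0.113.10', isBot: true, isVerifiedBot: false },
  { ip: '203.0.113.10', isBot: true, isVerifiedBot: false },
  { ip: '198.51.100.7', isBot: true, isVerifiedBot: true },  // verified crawler
  { ip: '192.0.2.44', isBot: true, isVerifiedBot: false },   // one hit on an ISP range
  { ip: '203.0.113.99', isBot: true, isVerifiedBot: false },
  { ip: '192.0.2.45', isBot: false, isVerifiedBot: false },  // human
];
const AS_TABLE = [
  { cidr: '203.0.113.0/24', asn: 64500, type: 'hosting' },
  { cidr: '192.0.2.0/24', asn: 64501, type: 'isp' },
  { cidr: '198.51.100.0/24', asn: 64502, type: 'hosting' },
];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer; null if malformed.
function ipToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}
// Find the AS classification row whose CIDR contains the IP, or null.
function classify(ip, table) {
  const n = ipToInt(ip);
  if (n === null) return null;
  return table.find(({ cidr }) => {
    const [base, bits] = cidr.split('/');
    const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
    return ((n & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
  }) || null;
}
// Policy (assumption): a hosting-AS IP is excluded after one non-verified bot detection;
// any other IP needs minHits detections, since ISP addresses can be shared with real users.
function buildExclusionList(events, table, minHits = 3) {
  const hits = new Map();
  for (const e of events) {
    // Skip humans, verified bots, and malformed IPs (never write unparsed input to the export).
    if (e.isBot && !e.isVerifiedBot && ipToInt(e.ip) !== null) hits.set(e.ip, (hits.get(e.ip) || 0) + 1);
  }
  return [...hits].map(([ip, count]) => ({ ip, hits: count, as: classify(ip, table) }))
    .filter((r) => (r.as && r.as.type === 'hosting') || r.hits >= minHits)
    .map((r) => ({ ip: r.ip, asn: r.as ? r.as.asn : null, type: r.as ? r.as.type : 'unknown', hits: r.hits }))
    .sort((a, b) => ipToInt(a.ip) - ipToInt(b.ip));
}
// Render the list as CSV for upload to an ad platform's IP exclusion setting.
function toCsv(rows) {
  return ['ip,asn,as_type,hits', ...rows.map((r) => `${r.ip},${r.asn ?? ''},${r.type},${r.hits}`)].join('\n');
}
console.log(toCsv(buildExclusionList(BOT_EVENTS, AS_TABLE)));
```

The single detection on the ISP range stays off the list until it repeats, which keeps a false positive on a shared address from excluding real visitors.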

The question for your business

How is your lead verification and qualification working? Is it purpose built, integrated into your infrastructure and code from the ground up? Or is it a patchwork of tools, manual processes, and tribal knowledge — or worst of all, skilled sales professionals doing qualification work when they should be closing?

This is what we build for Budget Sidekick. It's the level of detail we bring to every engagement.