Modern websites, ranked in AI searchCited by ChatGPT, Perplexity & Google AI Overviews32% of our own traffic comes from AI searchModern websites, ranked in AI searchCited by ChatGPT, Perplexity & Google AI Overviews32% of our own traffic comes from AI searchModern websites, ranked in AI searchCited by ChatGPT, Perplexity & Google AI Overviews32% of our own traffic comes from AI searchModern websites, ranked in AI searchCited by ChatGPT, Perplexity & Google AI Overviews32% of our own traffic comes from AI search
AEO & AI Search

How to See Which Companies Are Visiting Your Website

Most site traffic is anonymous, but it doesn't have to be. A studio explains how website visitor identification resolves the companies behind your traffic, what it can and can't see, and how to do it on data you own.

Space & Story·July 2, 2026·9 min read
visitor identificationwebsite analyticslead generationde-anonymizationreverse IPfirst-party data
Space & Story·July 2, 2026·9 min read
How to See Which Companies Are Visiting Your Website

Key Takeaway

Website visitor identification resolves anonymous traffic two ways: company-level, via the corporate IP a business visitor arrives on, and person-level, when someone fills a form or opens a personalized link. Google Analytics can't do this because it's built to anonymize. The version worth running is first-party, self-hosted, and deterministic, so your leads live in your own database and every identification is auditable for consent.

Most of the traffic on your website is anonymous. A visitor lands, reads two pages, and leaves, and your analytics records a session and a bounce. You paid to earn that visit. You will never know who it was. Website visitor identification is the practice of closing that gap: resolving the anonymous session into the company, and sometimes the person, behind it.

We build sites that get local businesses found in Google and AI search, and we run cite-met.com to track where that traffic comes from. The question clients ask next is always the same one: fine, we are getting found, but who is actually showing up? This is the guide to how you answer that, what the technology can honestly deliver, and where the line sits on privacy.

What "visitor identification" actually means

Identification happens at two levels, and it is worth keeping them separate because they work differently and carry different certainty.

The first is company-level resolution. When a visitor arrives from a corporate network, their connection carries an IP address that often maps to a registered organization. Reverse-IP lookup turns that address into a company name: not "a visitor from Toronto" but "someone at Bloor West Dental Group." This is the same signal that has quietly powered B2B tools for years. It resolves the organization, never a named individual, and it only fires when the visitor is on a corporate connection rather than a home or mobile one.

The second is person-level resolution, and it only happens when the visitor tells you who they are. A form fill, a booking, a click on a personalized link from an email you sent: each of these is a first-party signal the person volunteered. That is the moment an anonymous session becomes a named lead, with an email attached and every page they read before and after stitched to their record.

A visitor profile resolving an anonymous session into a named lead: company, location, visit cadence, engaged time, behavior tags, and full page-by-page journey history
Person-level resolution: an anonymous session becomes a named record with the company, cadence, and full journey attached.

Neither level is a magic trick that unmasks every stranger. Anyone honest about this technology will tell you the same thing: you resolve companies from corporate networks, and you resolve people when they identify themselves. Everything else stays anonymous, as it should.

Why your analytics can't do this

Google Analytics was built to measure behavior in aggregate, and it is genuinely good at that. It will tell you how many sessions you got, which pages they hit, and where the traffic came from. What it will never tell you is which company just read your pricing page twice this week, because it was designed the other way on purpose. It strips identity out. Its whole model is anonymized, sampled, aggregate reporting, and recent versions lean harder into that, not less.

So the traffic report and the lead list are two different documents, and analytics only produces the first one. "412 sessions, 68 percent bounce" is a number you can watch trend. It is not something your sales team can act on. Turning the first document into the second is the entire job of visitor identification. We went deeper on that split in website visitor identification versus Google Analytics, if you want the side-by-side.

How the resolution actually works

Under the hood, four things have to line up for identification to be useful rather than noise.

A first-party anchor. The tracking runs as first-party on your own domain, not as a third-party pixel a browser will block. That is what lets it hold a stable, privacy-respecting sense of "this is the same visitor as last Tuesday" without depending on the third-party cookies that are disappearing everywhere.

Company enrichment. The corporate IP gets matched against an organization database to return the company name, and often its location and industry. This is the reverse-IP step, and its accuracy depends entirely on the quality of that database and how recently it was refreshed.

Person resolution on intent. When someone fills a form or opens a personalized link, their identity attaches to the anchor, and the whole prior journey resolves to them retroactively. The pricing page they read anonymously last week is now part of a named person's history.

Journey stitching. Every page view, in order, ties to the record, so you see not just who but what they cared about: which blog post pulled them in, whether they compared your pricing, where they dropped. That sequence is the difference between a name and a warm sales conversation.

A roster of website visitors resolved to their companies, with location and session counts, anonymous and known in one list
The output: your traffic report becomes a roster. Named companies and people, with cadence, in one searchable list.

The part most guides skip: ownership and consent

There are two ways to run this, and the difference matters more than any feature.

The common way is a cloud tool that watches your visitors and holds the resulting data on its own servers, often enriching it against a shared graph and, increasingly, feeding it into AI models. Your leads live on someone else's infrastructure, under someone else's terms.

The other way is to keep it first-party and self-hosted: the identification runs on infrastructure you own, and the visitor data and leads sit in your own database. Never sold, never used to train a model. This is the version we run for clients, because a dental group's or a law firm's visitor list is exactly the kind of data that should not be sitting in a vendor's cloud.

Consent belongs in the same conversation. Company-level resolution from a business IP is low-risk in most jurisdictions, but the honest position is that IP addresses can be personal data under GDPR, and person-level tracking wants a real consent basis. A deterministic system helps here in a way an AI one cannot: every identification is auditable. You can point at exactly why a visitor was resolved to a company, which is a much easier thing to defend than "a model inferred it." None of this is legal advice, and the specifics deserve a review for your jurisdiction, but the architecture is the thing that makes the review pass or fail.

What to do with it once you can see it

Identification is only worth the effort if it changes what you do. Three uses earn their keep immediately.

First, warm outreach. When a returning company keeps hitting your pricing and services pages, that is a buying signal your sales team can act on before the form ever gets filled. Second, content decisions. When you can see which entry pages actually pull identified companies toward a conversion, and which ones leak them, you stop guessing which content works. Third, capture. The point of knowing who is on the site is to catch them, so forms and booking that tie each submission back to the full journey turn the identified visitor into a booked call rather than a row in a dashboard.

That full loop, found to identified to captured to booked, is what we built Cite-Met Pulse to run, and it is included on our Growth and Authority plans rather than sold as yet another tool. If you want to see who is already visiting the traffic you have, our free audit is where that starts.

The honest summary

You cannot unmask every anonymous visitor, and you should be suspicious of anyone who says you can. What you can do is resolve the companies arriving from corporate networks, resolve the people who identify themselves, and stitch both to the journey that got them there. Done on data you own, deterministically, with consent handled properly, that turns an anonymous traffic report into a lead list your business can actually work. The technology has been quietly doing this for B2B for years. The only real question is whether your leads end up in your database or someone else's.

Is your site invisible to AI search?

Get a free AEO infrastructure audit and find out what your competitors are doing that you're not.

Get Your Free Audit
Quick answers

Frequently asked.