
Stop HubSpot form spam from creating contacts in your CRM.

FormAegis sits in front of one HubSpot form, scores every submission, and forwards only the clean ones to a hidden destination form bots can't see. Setup creates that destination; retiring old public embeds is an optional hardening step after dependency review.

Forms scope only · We never read or sync your existing contacts · Roll back anytime

Diagram: Visitor submits a form. FormAegis scores the submission. Clean ones are forwarded to HubSpot. Risky ones are held in quarantine and do not reach HubSpot.

Recorded demo

Watch the full flow in 100 seconds.

The video shows the same public demo you can run yourself: bot bypass, protected submit, quarantine review, and clean forwarding into HubSpot.


How it works.

You point one form at FormAegis instead of HubSpot. The form on your site looks the same to visitors. Every submission gets scored before it can reach your CRM.

  1. Clean submissions reach your CRM, the way they always have.

    We forward them to a hidden destination form on your HubSpot account, with the same fields and submission semantics. Workflows and reports scoped to the original form ID get re-pointed at the destination form during setup; we walk you through that.

  2. Risky submissions wait in your quarantine.

    You see exactly why each one was held, in plain language: URL in the name field, hidden honeypot triggered, HTML in the message, sender on your blocklist. Release, delete, or block the sender or their domain in one click.

  3. Re-releasing the same submission stays safe.

    If two operators click Release on the same row, HubSpot still gets one contact. The release is keyed by a hash of the submitted fields, so identical payloads never forward twice. Workflows fire once, reports stay clean.
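One way to get the at-most-once release described in step 3, shown as an added example and not FormAegis code. The SHA-256 over canonical JSON, the SQLite ledger, and the names `release_key`, `release` and `forward` are assumptions for illustration; the sample submission is constructed.

```python
import hashlib
import json
import sqlite3


def release_key(form_id: str, fields: dict) -> str:
    """Same form + same field values => same key, whatever the field order."""
    canonical = json.dumps({"form": form_id, "fields": fields},
                           sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def open_ledger() -> sqlite3.Connection:
    """Ledger of already-released keys; the PRIMARY KEY enforces uniqueness."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE released (key TEXT PRIMARY KEY)")
    return conn


def release(conn, form_id: str, fields: dict, forward) -> bool:
    """Forward at most once per key. True only for the call that forwarded."""
    key = release_key(form_id, fields)
    with conn:  # commits on success, rolls back the claim if forward() raises
        cur = conn.execute(
            "INSERT OR IGNORE INTO released (key) VALUES (?)", (key,))
        if cur.rowcount == 0:
            return False  # another release already claimed this payload
        forward(fields)   # hypothetical callable that posts to the CRM
    return True


if __name__ == "__main__":
    ledger, sent = open_ledger(), []
    # Constructed sample: the same submission as seen by two operators.
    first = {"email": "ana@example.test", "message": "Demo please"}
    second = {"message": "Demo please", "email": "ana@example.test"}
    print(release(ledger, "form-A", first, sent.append))   # first click
    print(release(ledger, "form-A", second, sent.append))  # duplicate click
    print(len(sent), "submission(s) forwarded")
```

Claiming the key and forwarding happen in one transaction, so a failed forward releases the claim and the row can be retried later.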

We ran it against a live HubSpot before inviting anyone in.

Five things we verified on a real test portal. Not in a lecture slide.

  • Submissions show up in HubSpot's standard form-submissions inbox.

    Same form-id semantics, same workflow triggers. No custom HubSpot app to install, no integration to maintain.

  • Setup needs only the HubSpot "forms" scope.

    We never ask for the Contacts scope. The forms scope alone is enough to read your form's structure and create the hidden destination form.

  • Risky submissions never touch HubSpot.

    They sit in FormAegis quarantine until you act on them. If our service goes down, your existing CRM data is untouched; we never had access to it in the first place.

  • Setup catches the wrong destination form before launch.

    If the destination has HubSpot's own CAPTCHA enabled, FormAegis refuses to go live and tells you exactly what to fix in the HubSpot UI.

  • The direct-API bypass is real, and mitigation has a setup path plus an optional hardening step.

    We confirmed bots can post directly to a known HubSpot form GUID before we built FormAegis. Default setup creates a hidden destination form and routes protected traffic through FormAegis; retiring the old public form is opt-in after dependency review. You can try the full journey in the single-page demo.


You already enabled CAPTCHA. The spam keeps coming.

  • Bots can submit without ever loading your website.

    Once a bot knows your form's GUID, it posts straight to HubSpot's Forms API. reCAPTCHA, Turnstile, JavaScript challenges: none of them ever run, because the form was never loaded in a browser.

  • HubSpot's own form CAPTCHA breaks server-side forwarding.

    Turn it on and any tool that forwards submissions for you stops working. HubSpot rejects forwarded posts with FORM_HAS_RECAPTCHA_ENABLED. So it's either CAPTCHA or your existing automation. Not both.

  • Fake submissions create real contacts.

    Workflows fire on garbage. Reports skew. SDR time evaporates chasing leads that were never real. And tightening HubSpot's filters too far starts killing real demo requests.

Keep HubSpot. Just take the spam target off the public path.

FormAegis isn't a CRM. It isn't a form builder. It doesn't replace HubSpot's spam tools. It changes one default path on one of your forms: protected submissions post through FormAegis before HubSpot. Setup creates the hidden destination form; optional hardening reviews whether old public embeds can be retired after dependency checks.

You decide what reaches your CRM.

The demo keeps review in context: submit risky traffic, see why FormAegis held it, release a false positive, and watch HubSpot receive exactly one forwarded submission.

Quarantine in context

Run setup, submit risky traffic, and release a held row in one page


Pre-launch · invite only

Want first access?

What's included

  • One spam-hit HubSpot form protected, free for the beta
  • Done-with-you setup, ~30 min on a call
  • Quarantine workflow + weekly email digest
  • An anonymized before/after report you can share internally

What we need from you

  • One HubSpot form currently receiving spam
  • Ability to change the public form's submit handler (or your dev can)
  • A forms-scope HubSpot token for assisted setup, OR a manually-created destination form GUID for manual setup
  • 30 min for setup + a short follow-up after week 1
