Critical-risk tools in Ads
8 of the 88 tools in Ads are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
ga4.conversion_events.deleteDestructiveRemove a conversion event from a GA4 property. High-risk; dry-run by default.
-
ga4.passthrough.writeDestructiveFallback: PATCH/POST/DELETE any GA4 Admin API endpoint not covered by named tools. Use only when no named tool exists. Prefer ga4.conversion_events.create/delete, ga4.custom_dim...
-
gsc.sitemaps.deleteDestructiveRemove a sitemap from Search Console. Dry-run by default.
-
gsc.sites.deleteDestructiveUnclaim a site in Search Console. High-risk; dry-run by default.
-
meta.ads.deleteDestructiveDELETE a Meta ad. Irreversible. For temporary teardown prefer meta.ads.update with status=ARCHIVED. Dry-run by default; high-risk write.
-
meta.adsets.deleteDestructiveDELETE a Meta ad set. Irreversible. For temporary teardown prefer meta.adsets.update with status=ARCHIVED. Dry-run by default; high-risk write.
-
meta.campaigns.deleteDestructiveDELETE a Meta campaign. Irreversible — historical insights stay accessible but the campaign disappears from Ads Manager. For temporary teardown prefer meta.campaigns.update with...
-
meta.custom_audiences.deleteDestructiveDELETE a Meta custom audience. Irreversible. Active ad sets using this audience continue running but will report
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.