The Technical GEO Audit Checklist: 40 Points, in Order
This is the capstone of our technical GEO series: a complete, sequenced audit you can run on any website to answer one question — can AI engines find, parse, trust and cite this site? The order is not arbitrary. Each section depends on the ones before it, and the most expensive audit mistake is polishing signals downstream of a blocker you have not found yet. Work top to bottom; each check links to the deep-dive article that explains it fully.
Why this audit exists
The numbers that justify the work, briefly: at Google I/O in May 2026, AI Mode became the default search experience — VP of Search Elizabeth Reid called it "the biggest upgrade to our Search box in over 25 years" — and third-party trackers now measure AI Overviews on roughly 48% of queries, up from about 15% early in the year. Zero-click searches have climbed to an estimated 60% overall, roughly 93% inside AI Mode, and measured CTR for the #1 organic position has fallen from about 27% to around 11%. Google's Information Agents now monitor topics and deliver answers with no search session at all. Meanwhile, industry estimates suggest a large majority of brands still appear in zero AI answers. The paradigm has shifted from "rank for the keyword" to "be the entity the answer engine cites" — and the technical layer below is what makes that possible at all.
An audit is cheap. Invisibility is expensive and silent — no dashboard alerts you that an answer engine considered your site, failed to parse it, and cited your competitor instead. Auditing is how you find out before the market does.— ClickRadius Institute analysis
Section 1 — Crawl access (checks 1–8)
Nothing downstream matters if the fetchers cannot get in. Full treatment: robots.txt for the AI Era and AI Crawlers Explained.
- robots.txt fetches cleanly (200, plain text, at the root) and contains no leftover
Disallow: /from staging. - Retrieval and fetch bots are allowed: Googlebot, Bingbot, OAI-SearchBot, ChatGPT-User, PerplexityBot, Perplexity-User, ClaudeBot, Claude-User. Remember RFC 9309's named-group override: a bot with its own group ignores
*rules entirely. - Training-bot policy is deliberate (GPTBot, Google-Extended, CCBot, Meta-ExternalAgent) — allowed or blocked on purpose, documented, not by accident.
- CDN/WAF bot rules agree with robots.txt. One-click "block AI bots" toggles at the CDN silently override everything; check the security vendor's console, not just the text file.
- Server logs show verified AI-bot visits (match user agent and published IP ranges). Absence of an allowed bot is a finding.
- No error walls for bots: sample bot requests return 200s, not 403 challenges or JS proof-of-work pages.
- XML sitemap is current, referenced in robots.txt, with truthful
lastmodvalues. - IndexNow is implemented (key file hosted, pings wired to publish/update events) for the Bing-side index cluster feeding Copilot — see IndexNow and Instant AI Indexing.
Section 2 — Rendering and retrievability (checks 9–13)
The documented AI crawlers do not reliably execute JavaScript. Full treatment: Core Web Vitals in AI Search.
- The curl test: fetch your ten most important URLs raw; every price, service description and FAQ answer you want cited must appear in the response body, not only after hydration.
- TTFB under ~1 second at the origin for bot-path requests (bots often bypass edge caches users hit).
- Status-code hygiene per user agent: no 5xx clusters or timeout patterns served specifically to crawlers.
- Core Web Vitals at CrUX "good" — LCP ≤ 2.5s, INP ≤ 200ms, CLS ≤ 0.1 at the 75th percentile — protecting index standing and converting the high-intent clicks that survive zero-click attrition.
- Clean URL health: no redirect chains deeper than one hop on key pages; canonicals consistent and self-referencing.
Section 3 — Entity and structured data (checks 14–22)
Machines cite entities they can resolve. Full treatment: Schema Markup for AI Citation and Industry-Specific Schema Templates That Work.
- One canonical
Organization/LocalBusinessnode with a stable@id, referenced — not redeclared — across the site. - Most specific true type for your industry (
Dentist,Plumber,SoftwareApplication…), not bareOrganization. sameAsarray triangulating your entity across LinkedIn, Google Business Profile, directories, registries — plus registry identifiers (license, NPI, DUNS) where they exist.- Every page is typed (
Article,Service,Product,FAQPage,BreadcrumbList) via JSON-LD generated from CMS data, not hand-pasted. - Article markup carries real provenance: author as
Personwith URL and credentials or honestOrganization, truthful dates — see Article Schema Done Right. - FAQ markup mirrors visible Q&A on the pages where questions genuinely live — see FAQPage Schema and AI Answers.
- Zero validator errors (Schema.org validator + Rich Results Test), zero duplicate/contradictory blocks from plugin overlap.
- Markup matches page content — no invisible claims, no ratings without displayed reviews.
- NAP consistency: name, address, phone identical across site, schema and major external profiles.
Section 4 — Content signals (checks 23–29)
The layer research has actually measured. The Princeton-led GEO study (Aggarwal et al., KDD 2024) found that quotations, statistics and source citations raised source visibility in generative answers by up to roughly 40% in benchmarks — the three signals ClickRadius's content scoring weights directly.
- Priority pages carry inline statistics — specific, current, attributed numbers, not adjectives.
- Attributed quotations with named sources appear where genuinely available.
- Source citations: claims link to authoritative references ("According to Google's documentation…"), making passages verifiable at extraction time.
- Answer-first structure: H2/H3 sections that open with the direct answer, self-contained passages that survive being pulled out of context.
- Question-shaped coverage: the questions customers actually ask assistants have pages or FAQ entries that answer them directly.
- No internal contradictions: old pages do not dispute current pages on prices, claims or recommendations.
- Topical consolidation: one strong page per topic rather than three thin overlapping ones.
Section 5 — Freshness (checks 30–33)
Answers quote the index's copy of you. Full treatment: Content Freshness and Decay for AI.
- Volatility-based review calendar exists (fast topics quarterly, evergreen annually) and is actually running.
dateModifiedis honest — updated on real revisions, never bumped cosmetically.- Stale liabilities handled: superseded content refreshed, merged with 301s, or retired — after checking AI-crawler fetches, not just analytics.
- Change notification wired: sitemap
lastmodplus IndexNow fire on every meaningful update.
Section 6 — Trust and security (checks 34–37)
Subtraction of catastrophic risk. Full treatment: Security Headers as a Trust Signal.
- HTTPS everywhere: valid auto-renewing certificate, single-hop HTTP→HTTPS redirects, zero mixed content.
- Baseline headers shipped: HSTS,
X-Content-Type-Options: nosniff,Referrer-Policy, CSPframe-ancestors— an hour of work, graded at securityheaders.com. - No Safe Browsing flags, no injected spam pages in a
site:search — the compromise that silently becomes your machine-visible content. - llms.txt published and synchronized — a curated, honest site map for token-limited readers. Unproven consumption, near-zero cost; the reasoning is in What Is llms.txt and Do You Need It?
Section 7 — Verification loop (checks 38–40)
The audit is not done when the fixes ship; it is done when the answers change.
- Citation monitoring is running: your priority questions asked across the live engines — ClickRadius monitors ChatGPT, Gemini, Perplexity, Claude and Grok — with results tracked over time, because engine answers are non-deterministic and single spot-checks mislead.
- Accuracy check: where you are cited, engines describe your business correctly (offerings, prices, location). Wrong answers about you are a freshness or contradiction bug upstream.
- Quarterly re-audit scheduled. Headers regress in migrations, schema rots in redesigns, CDN vendors ship new default bot blocks, and the AI-crawler roster changes. Every one of these has silently undone someone's finished audit.
Running the audit: logistics that make it stick
A few process notes from running this list against many sites:
- Timebox the first pass to a single working session — two to four hours for a typical small-business site. The first pass is reconnaissance, not repair: record pass/fail and evidence (the curl output, the validator screenshot, the log excerpt) for every check, and resist fixing anything mid-audit. Mixing diagnosis with treatment is how audits stall at check 11.
- Score it simply. Pass = 1, fail = 0, not-applicable = excluded. The resulting fraction per section tells you where the systemic problem lives — a site at 2/8 on crawl access and 7/9 on structured data has a very different situation from the reverse, even at the same total.
- Convert fails to tickets with owners. Roughly half these checks belong to whoever runs the website (headers, sitemaps, robots.txt), a quarter to content (signals, freshness, contradictions), and a quarter to whoever owns the CMS templates (schema, rendering). An audit that ends as a PDF instead of an assigned backlog changes nothing — the March-audit-still-failing-in-July pattern is the most common one we see.
- Fix in dependency order, re-test in reverse. Repair from section 1 downward; when the fixes ship, verify from section 7 upward — because citation monitoring (check 38) is the integration test that tells you whether the stack now works end to end, not just whether each layer passes in isolation.
- Keep the evidence file. Next quarter's re-audit is a diff, not a redo: what regressed, what improved, what new bots and standards appeared. Sites that keep this history spot regressions in one quarter; sites that do not rediscover the same failures annually.
Reading your results
Score yourself honestly: a typical unaudited small-business site passes fewer than half of these checks, and the failures cluster — a site that fails the curl test usually fails the schema checks too, because both trace back to nobody ever having looked. Do not let that read as hopeless; it reads as opportunity. With most brands at zero AI-answer presence, the bar for early movers is completing the foundations, not perfecting them.
Ranked search rewarded incremental effort — one more link, one more point of domain authority. Answer engines reward completed systems: crawlable, parseable, verifiable, current. The checklist is long precisely because the reward is binary.— ClickRadius Institute analysis
And keep the technical layer in proportion: on-site readiness is the foundation, but industry data consistently indicates that the majority of what drives citations is off-site — entity authority, directory presence, third-party mentions across platforms. This checklist makes you citable; authority building makes you chosen. Do both.
Frequently asked questions
How long does a technical GEO audit take?
Manually, budget two to four hours for a typical small-business site using this checklist, and considerably more for large or JavaScript-heavy sites. Automated platforms compress the technical portion to minutes, but the judgment items — content signal quality, entity consistency, internal contradictions — still benefit from a human pass.
How is a GEO audit different from a normal technical SEO audit?
They overlap heavily — crawlability, structured data, performance and security serve both. A GEO audit adds AI-specific layers a classic audit skips: the AI-bot roster in robots.txt and CDN rules, raw-HTML completeness for non-rendering fetchers, extraction-friendly content structure, citation-signal density, and monitoring of what AI engines actually say about the brand.
What should I fix first if I fail many checks?
Follow the dependency order: crawl access first, because nothing downstream matters if fetchers are blocked; then raw-HTML rendering; then entity and structured-data foundations; then content signals; then freshness plumbing; then security and performance hardening. Fixing in this order means every later fix compounds instead of waiting on an earlier blocker.
Or run the whole checklist in minutes: ClickRadius scores all six categories automatically, shows every failing check, and fixes most of them on-site. Start with your free AI Readiness Score — plans are on the pricing page.