Fraud scoring engine design
A composable rule pipeline that ingests session telemetry, hardware fingerprints, and behavioral signals to produce a single risk score per authentication attempt.
Signal taxonomy
- device — TPM EK, disk serial, BIOS UUID, MAC-derived fingerprint
- network — ASN, geo-IP delta from last known good login, Tor/relay detection
- temporal — hour-of-day anomaly, inter-request velocity, session age
- behavioral — mouse trajectory entropy, keystroke cadence, paste frequency
Pipeline stages
- Ingest — collect raw signals from loader telemetry and browser fingerprint
- Normalize — map disparate formats into a unified feature vector
- Score — weighted ensemble of heuristic rules and a lightweight gradient-boosted model
- Threshold — classify as allow, challenge, or deny based on configurable risk bands
- Feedback — log outcome, update per-user baseline, push to Upstash KV for real-time dashboards
Risk bands
| Score range | Verdict | Action |
|---|---|---|
| 0 – 0.3 | Allow | Proceed to license check |
| 0.31 – 0.7 | Challenge | Require additional factor |
| 0.71 – 1.0 | Deny | Block and flag for review |
Circuit breaker
If the scoring service exceeds a 5% error rate over a 60-second sliding window, the pipeline fails open to a cached allow-list signed with HMAC. This prevents the licensing flow from being blocked by a degraded fraud engine.
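A sketch of the circuit breaker and band mapping described above, as an added example that is not the project's own code. The names `ScoringBreaker`, `sign_allow_list`, `load_allow_list` and `verdict` are hypothetical, and HMAC-SHA256 over a JSON body is an assumed encoding for the signed allow-list. Also assumed: subjects missing from the allow-list are challenged while the breaker is open, a single scoring failure yields a challenge, and 0.3 and 0.7 are inclusive upper bounds of their bands.

```python
import hashlib
import hmac
import json
from collections import deque

ERROR_RATE_LIMIT = 0.05  # breaker trips above a 5% error rate
WINDOW_SECONDS = 60      # sliding window length in seconds

class ScoringBreaker:
    """Tracks scoring-call outcomes over a sliding time window."""
    def __init__(self):
        self.calls = deque()  # (timestamp, failed) pairs, oldest first

    def record(self, now, failed):
        self.calls.append((now, failed))

    def is_open(self, now):
        # Drop outcomes that have aged out of the window.
        while self.calls and self.calls[0][0] <= now - WINDOW_SECONDS:
            self.calls.popleft()
        errors = sum(1 for _, failed in self.calls if failed)
        return bool(self.calls) and errors / len(self.calls) > ERROR_RATE_LIMIT

def sign_allow_list(key, subjects):
    """Serialize the allow-list and return (body, tag) for caching."""
    body = json.dumps(sorted(subjects)).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def load_allow_list(key, body, tag):
    """Return cached subjects, or an empty set if the HMAC does not verify."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return frozenset()
    return frozenset(json.loads(body))

def verdict(breaker, now, subject, score_fn, key, body, tag):
    if breaker.is_open(now):
        # Fail open only for subjects on the verified list (assumption:
        # everyone else is challenged rather than allowed).
        allowed = load_allow_list(key, body, tag)
        return "allow" if subject in allowed else "challenge"
    try:
        score = score_fn(subject)
    except Exception:
        breaker.record(now, True)
        return "challenge"  # assumption: one failure degrades to a challenge
    breaker.record(now, False)
    if score <= 0.3:
        return "allow"
    return "challenge" if score <= 0.7 else "deny"
```

A tampered or unverifiable cache yields an empty allow-list, so the open breaker never allows a subject on the strength of an unauthenticated list.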