FRAUD DETECTION ENGINE

Stop fraud without
breaking good payments.

SignalBrain-OS combines account, device, payment, graph, and policy signals into signed fraud decisions. It catches attacks, explains the evidence, and creates case packets that analysts can act on.

FRAUD TYPOLOGIES

Built for the fraud your team actually sees.

Fraud is not AML. It is account compromise, payment abuse, identity manipulation, and loss prevention under conversion pressure.

ATO

Account Takeover

Detect new device, impossible travel, credential reset, phone change, and first high-value transaction in one timeline.

Testing

Card Testing

Identify rapid low-value attempts, issuer decline patterns, merchant concentration, and linked IP/device reuse.

Abuse

Refund & Promo Abuse

Score refund velocity, repeat merchant disputes, policy exploitation, multi-account couponing, and suspicious fulfillment loops.

Networks

Mule Accounts

Trace funds through new beneficiaries, rapid cash-out, shared devices, shared addresses, and clustered counterparty risk.

Identity

Synthetic Identity

Combine identity proofing, account age, behavioral inconsistency, phone/email risk, and payment instrument reuse.

Scams

Authorized Push Payment Risk

Flag urgent narratives, new payees, unusual amounts, remote-access indicators, and sudden behavior change before transfer.

GRAPH RISK

Find fraud rings, not just bad transactions.

Shared-entity graph

SignalBrain links accounts, cards, devices, IPs, addresses, beneficiaries, merchants, wallets, phone numbers, and payment instruments. A single transaction can inherit risk from its neighborhood.

Device FanoutOne device touches 18 accounts in 24 hours.

Beneficiary ReuseNew payee appears across unrelated customers.

IP ClusteringCheckout bursts share VPN/proxy infrastructure.

Payment InstrumentCard or wallet token recurs across accounts.

Evidence receipt

Every fraud decision returns a compact proof packet: risk score, reason codes, linked entities, model version, policy version, and Merkle proof. It is built for analyst review, dispute handling, and control testing.

{
  "decision": "HOLD",
  "risk_score": 0.86,
  "reason_codes": [
    "DEVICE_FANOUT",
    "NEW_BENEFICIARY",
    "ATO_TIMING"
  ],
  "linked_entities": 7,
  "case_packet": "case_31a...",
  "certificate_id": "cert_b92...",
  "merkle_proof": "proof_6db..."
}

OPERATIONS

From alert to case packet.

AlertModel, rules, graph, or external signal escalates the event.

AssembleTimeline, account changes, payment history, and linked entities are gathered.

DecidePolicy emits approve, step-up, hold, decline, or manual review.

ProveReceipt and case packet are signed for audit and analyst handoff.

API EXAMPLE

Fraud evaluation with reason codes.

{
  "domain": "fraud",
  "event": {
    "type": "payment_attempt",
    "customer_id": "cus_8847",
    "amount": 1250.00,
    "currency": "USD",
    "merchant_id": "m_48291",
    "device_id": "dev_91a",
    "beneficiary_id": "ben_42"
  },
  "signals": {
    "password_reset_minutes_ago": 18,
    "new_device": true,
    "new_beneficiary": true,
    "device_account_count_24h": 18,
    "velocity_1h": 5
  }
}

{
  "decision": "HOLD",
  "recommended_action": "MANUAL_REVIEW",
  "risk_score": 0.86,
  "reason_codes": [
    "RECENT_CREDENTIAL_RESET",
    "NEW_DEVICE",
    "DEVICE_FANOUT",
    "NEW_BENEFICIARY"
  ],
  "review_sla": "15m",
  "case_packet": "case_31a..."
}

Stop fraud withoutbreaking good payments.