KaizoCoreKaizoCore docs

Entity graph & bad-actor registry

How KaizoCore links devices, identities, and known bad actors across requests — and across customers.

The entity graph (per-customer)

Every decision links the request's device identifier to whatever entity keys you supply (user_id, email, anything meaningful to your business) into a graph scoped to your account only. This graph is what velocity and impossible-travel checks read from — "how many requests has this IP made in the last hour," "has this user_id been seen from a physically-impossible pair of locations."

The bad-actor registry (cross-customer, anonymized)

Separately, when a session scores high enough to cross the BLOCK threshold, its device fingerprint (a SHA-256 hash of the most stable device signals — never raw PII) is recorded into a shared registry visible across all KaizoCore customers. A repeat record for the same fingerprint raises its stored risk score (never lowers it — a later, lower-scoring sighting doesn't get to erase a previously-confirmed bad actor) and increments how many times it's been seen.

Correlation only, never trust

A match against the bad-actor registry only ever adds risk to a session. There is no path anywhere in the scoring engine where a fingerprint's mere presence, stability, or absence from the registry adds confidence. See Why KaizoCore for why this distinction is the whole point.

Your own list, layered on top

The shared registry has no per-customer visibility — it's genuinely global, so showing it to you directly would mean showing you signal derived from other customers' traffic, which KaizoCore doesn't do. Instead, you get your own private overlay: see Lists for the customer-facing block/allow/watch list layered on top of (never a substitute for) the shared registry's silent background protection.

What gets linked

For each decision, the entity layer upserts a weighted edge between typed nodes — for example device:<id> to user_id:<value> — with a running seen-count and a last-seen timestamp. This is what lets a later investigation answer "what other identities has this device touched," not just "what's this device's current risk score."

On this page