Entity graph & bad-actor registry
How KaizoCore links devices, identities, and known bad actors across requests — and across customers.
Two related but distinct systems
The entity graph (per-customer)
Every decision links the request's device identifier to whatever entity keys
you supply (user_id, email, anything meaningful to your business) into a
graph scoped to your account only. This graph is what velocity and
impossible-travel checks read from — "how many
requests has this IP made in the last hour," "has this user_id been seen
from a physically-impossible pair of locations."
The bad-actor registry (cross-customer, anonymized)
Separately, when a session scores high enough to cross the BLOCK
threshold, its device fingerprint (a SHA-256 hash of the most stable device
signals — never raw PII) is recorded into a shared registry visible
across all KaizoCore customers. A repeat record for the same fingerprint
raises its stored risk score (never lowers it — a later, lower-scoring
sighting doesn't get to erase a previously-confirmed bad actor) and
increments how many times it's been seen.
Correlation only, never trust
A match against the bad-actor registry only ever adds risk to a session. There is no path anywhere in the scoring engine where a fingerprint's mere presence, stability, or absence from the registry adds confidence. See Why KaizoCore for why this distinction is the whole point.
Your own list, layered on top
The shared registry has no per-customer visibility — it's genuinely global, so showing it to you directly would mean showing you signal derived from other customers' traffic, which KaizoCore doesn't do. Instead, you get your own private overlay: see Lists for the customer-facing block/allow/watch list layered on top of (never a substitute for) the shared registry's silent background protection.
What gets linked
For each decision, the entity layer upserts a weighted edge between typed
nodes — for example device:<id> to user_id:<value> — with a running
seen-count and a last-seen timestamp. This is what lets a later
investigation answer "what other identities has this device touched," not
just "what's this device's current risk score."