Rules reference
Representative rules per layer. The full, current list is always available live from your dashboard.
The authoritative list is always live, not this page
Rules are added and tuned over time. The definitive, always-current list —
every rule ID, its layer, base score, and whether it's deterministic — is
available from GET /v1/policy/rules or the dashboard's
Rules page, generated directly from the same
registry the scoring engine runs against. This page documents the stable,
representative core so you understand the shape of the rule set; treat
the live endpoint as ground truth for the exact current set.
network (10% weight)
| Rule | Deterministic | What it means |
|---|---|---|
network/tor_ip | Yes | Request originates from a Tor exit node. |
network/vpn_ip | No | Request originates from a known VPN exit IP. |
network/datacenter_ip | No | Request originates from a known datacenter IP range. |
network/cgnat_ip | No | Carrier-grade NAT (common on mobile networks) — a weak signal alone. |
network/impossible_travel | Yes | See Impossible travel. |
network/ip_velocity_high / _very_high | No | Elevated request rate from one IP. |
device (20% weight)
| Rule | Deterministic | What it means |
|---|---|---|
device/bot_user_agent | Yes | User-Agent matches a known script/crawler/automation-framework fragment. |
device/known_bot_ja3 | Yes | TLS client fingerprint (JA3) matches a known automation library. |
device/known_bot_ja4 | Yes | Same, for the newer JA4 fingerprint format. |
environment (15% weight)
See Environment integrity for the full explanation of each.
| Rule | Deterministic |
|---|---|
environment/js_engine_tampered | Yes |
environment/iframe_context_mismatch | No |
environment/worker_context_mismatch | No |
behavior (25% weight)
Behavioral rules key off features like speed variance, speed kurtosis, directional entropy, acceleration jerk, jerk variance and autocorrelation, and flat-speed tremor (the last handled as a deterministic post-processing multiplier rather than a raw model feature, to protect trackpad users from false positives). See ML fusion for how these combine with the supervised/unsupervised models.
journey (15% weight)
Journey-confidence rules read a session's real page-view sequence — dwell time, scroll depth, interaction count across pages — accumulated via PULSE. Confidence bands range from very-low (single instant page, no interaction) to high (a multi-page, realistically-paced browsing session).
entity (10% weight)
Entity-layer rules read cross-request velocity (per-IP, per-entity-key) and bad-actor registry matches.
session (5% weight)
Session-layer rules cover cookie-binding mismatches (IP or User-Agent changed mid-session from what the signed cookie was issued for) and token replay abuse (the same session token used far more times than a legitimate single-user flow would).