KaizoCoreKaizoCore docs

Rules reference

Representative rules per layer. The full, current list is always available live from your dashboard.

The authoritative list is always live, not this page

Rules are added and tuned over time. The definitive, always-current list — every rule ID, its layer, base score, and whether it's deterministic — is available from GET /v1/policy/rules or the dashboard's Rules page, generated directly from the same registry the scoring engine runs against. This page documents the stable, representative core so you understand the shape of the rule set; treat the live endpoint as ground truth for the exact current set.

network (10% weight)

RuleDeterministicWhat it means
network/tor_ipYesRequest originates from a Tor exit node.
network/vpn_ipNoRequest originates from a known VPN exit IP.
network/datacenter_ipNoRequest originates from a known datacenter IP range.
network/cgnat_ipNoCarrier-grade NAT (common on mobile networks) — a weak signal alone.
network/impossible_travelYesSee Impossible travel.
network/ip_velocity_high / _very_highNoElevated request rate from one IP.

device (20% weight)

RuleDeterministicWhat it means
device/bot_user_agentYesUser-Agent matches a known script/crawler/automation-framework fragment.
device/known_bot_ja3YesTLS client fingerprint (JA3) matches a known automation library.
device/known_bot_ja4YesSame, for the newer JA4 fingerprint format.

environment (15% weight)

See Environment integrity for the full explanation of each.

RuleDeterministic
environment/js_engine_tamperedYes
environment/iframe_context_mismatchNo
environment/worker_context_mismatchNo

behavior (25% weight)

Behavioral rules key off features like speed variance, speed kurtosis, directional entropy, acceleration jerk, jerk variance and autocorrelation, and flat-speed tremor (the last handled as a deterministic post-processing multiplier rather than a raw model feature, to protect trackpad users from false positives). See ML fusion for how these combine with the supervised/unsupervised models.

journey (15% weight)

Journey-confidence rules read a session's real page-view sequence — dwell time, scroll depth, interaction count across pages — accumulated via PULSE. Confidence bands range from very-low (single instant page, no interaction) to high (a multi-page, realistically-paced browsing session).

entity (10% weight)

Entity-layer rules read cross-request velocity (per-IP, per-entity-key) and bad-actor registry matches.

session (5% weight)

Session-layer rules cover cookie-binding mismatches (IP or User-Agent changed mid-session from what the signed cookie was issued for) and token replay abuse (the same session token used far more times than a legitimate single-user flow would).

On this page