Sentinel

Real-time account-takeover risk engine

Every login here gets scored as it arrives. The account's recent history is pulled from the feature store, turned into features, and run through a calibrated gradient-boosted model right inside the serverless function, which hands back a risk score and the reasons behind it. Usually in a few milliseconds.

Dashboard metrics: events scored (this session), flag rate, p95 latency (with average), throughput (last 60s), live precision (flagged that were real ATO), live recall (ATO caught vs ground truth), stream speed (3/s).

Dashboard panels: live decision stream, risk band distribution, risk score timeline.

Operating point

We don't flag at 0.5. The threshold is picked offline to catch as much fraud as possible while holding false positives under a 2% “alert budget,” which is roughly what a real SOC team can review in a day. Flagged events are the ones worth a human's time.

Confirm or dismiss one and it gets labeled. That's the data a retraining job learns from.
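
One way to pick the operating point described above, as an added example that is not Sentinel's own code: sweep thresholds over held-out scores and keep the one with the highest recall whose false-positive rate stays inside the alert budget. The function names, the constructed validation set and its beta-distributed scores are assumptions made for illustration.

```python
import random


def pick_threshold(scores, labels, fpr_budget=0.02):
    """Return (threshold, recall, fpr) with the highest recall whose FPR fits the budget.

    An event is flagged when score >= threshold; labels are 1 (confirmed ATO) or 0.
    """
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    if n_pos == 0 or n_neg == 0:
        raise ValueError("need both ATO and benign events to pick an operating point")
    ranked = sorted(zip(scores, labels), reverse=True)
    best = (float("inf"), 0.0, 0.0)  # flag nothing: always inside the budget
    tp = fp = i = 0
    while i < len(ranked):
        s = ranked[i][0]
        # Consume tied scores together; a threshold cannot separate them.
        while i < len(ranked) and ranked[i][0] == s:
            tp += ranked[i][1]
            fp += 1 - ranked[i][1]
            i += 1
        fpr = fp / n_neg
        if fpr > fpr_budget:
            break  # lowering the threshold further only adds false positives
        best = (s, tp / n_pos, fpr)
    return best


def constructed_validation_set(n=5000, ato_rate=0.01, seed=7):
    """Constructed held-out scores: rare ATO events score high, benign ones low."""
    rng = random.Random(seed)
    scores, labels = [], []
    for _ in range(n):
        is_ato = rng.random() < ato_rate
        scores.append(rng.betavariate(6, 2) if is_ato else rng.betavariate(1, 12))
        labels.append(int(is_ato))
    return scores, labels


if __name__ == "__main__":
    scores, labels = constructed_validation_set()
    thr, recall, fpr = pick_threshold(scores, labels)
    print(f"threshold={thr:.3f} recall={recall:.1%} fpr={fpr:.2%}")
```

If no threshold fits the budget, the function returns an infinite threshold with zero recall, which means flagging nothing.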