Our service

Fraudnode

A trust infrastructure platform built from observable evidence: browser runtime, transport fingerprints, DNS resolver topology, reputation context, and anomaly explanations.

checkergatewaycollectoranalyzerexplainability

What this thing is

Fraudnode is the part before the fraud story gets tidy.

Most anti-fraud systems arrive at the end of the party with a number and a serious expression. Fraudnode starts earlier. It asks the browser, the network, the resolver, the transport path, and the reputation layer to each put their little homework on the table. Then Orca sorts the papers, Spider brings in the field notes, and Penguin will eventually read the whole thing like a suspicious but fair math teacher.

The goal is not to slap a bad-user sticker on a session because one signal twitched. The goal is to show the shape of a session: what was captured, what was missing, what disagrees with what, and where a human or an API should pay attention. If fraud is a costume party, Fraudnode checks the shoes, the accent, the cab receipt, and whether the invitation was printed yesterday.

The stack is intentionally split into jobs that can be inspected. Spider observes, Orca organizes, and Penguin will judge only after the evidence has names, versions, and a trail back to the session. That is slower than inventing a magical score in a basement, but much easier to defend when someone asks the irritating and very useful question: why?

How we use it

Checker makes the evidence readable before we call it risk.

Orca keeps the site and B2B contracts steady while internals evolve.

Spider collects signals directly instead of outsourcing the interesting parts.

Penguin will turn contradictions into explanations, not fortune cookies.

Orca

Gateway and parser layer

Spider

Collector in the field

Penguin

Analyzer layer

Our path continues

From raw diagnostics to explained anti-fraud decisions

Our gateway

Orca

Railway deploymentsession snapshotsblock normalizationparser orchestration

Orca is the gateway with teeth: it opens sessions, accepts collector evidence, normalizes artifacts, and keeps the public site talking to one stable API.

Control plane with a memory

Orca starts sessions, signs internal calls, keeps policy close, and remembers what happened. The browser never receives service secrets, Spider does not become a business rules department, and the site gets one clean contract instead of a drawer full of cables labeled maybe.

session lifecyclesigned callspolicysingle API

Parser runtime

Spider sends raw evidence; Orca turns it into stable blocks the site can read: IP, TCP, TLS, HTTP, JS, GEO, DNS, blacklist, UDP/QUIC, and anomaly. Each block can be ok, partial, missing, or error, because reality sometimes arrives late and wearing a fake mustache.

normalized blockspartial-safedeterministic outputUI contract

T0 first, T1 when the plot thickens

T0 is the fast lane: TCP, TLS, HTTP, JS, and quick enrichment for an early decision. T1 is the extended lane: DNS, UDP, QUIC, reputation, and heavier follow-up. Orca keeps those stages separate so the product can be fast without pretending every slow signal is already home.

T0T1stage markerslate enrichment

Storage without drama

For Checker and demo/trial flows, Orca stores raw envelopes, normalized blocks, audit traces, and analyzer results. For high-throughput B2B, it can run compact or no-persist modes. Same contract, different appetite. Like ordering coffee for a meeting, but nobody argues about oat milk in the API.

with_dbshort_persistwithout_dbaudit

Replay is not a party trick

Snapshots carry artifact versions, correlation IDs, timing, missing blocks, and deterministic replay metadata. That means a later anomaly check can run from the stored evidence instead of asking the user to please blink, reload, and reproduce Tuesday.

artifact_versioncorrelation_idreplaysnapshot

B2B is a different tempo

The website can show a full checker story, but B2B often wants the short answer before checkout loses patience. Orca supports compact T0 checks, async T1 callbacks, quotas, key ownership, and tenant isolation, while keeping Spider and Penguin behind the curtain where service secrets belong.

b2b_t0b2b_t1callbackstenant isolation

Why it is called Orca now

A plain gateway forwards traffic and looks busy. Orca coordinates: session policy, quotas, storage, enrichment, replay, analyzer calls, and block contracts. At some point the front desk became mission control, and we stopped pretending it was only handing out visitor badges.

Why the site only talks to Orca

The frontend should not know Spider internals, Penguin secrets, or which enrichment module had a complicated morning. Site code asks Orca for checker blocks. Orca handles the contract, the timing, the upstream weirdness, and the support-friendly trace ID.

Our collector

Spider

Public data planeTCP/TLS/HTTP captureDNS probe zoneJS, UDP, and QUIC probes

Spider does the field work. It watches live ingress, browser probes, DNS resolver behavior, UDP/STUN, QUIC, and the low-level traces that most products hide.

Data plane, not theater

Orca may hand out the session and policy, but the client collection path goes straight to Spider. That matters. If collection traffic is politely dragged through a control-plane proxy, the good fingerprints stay at home and send a blurry postcard. Spider sits where the packets actually arrive.

direct collect pathsession-boundraw visibilityOrca-controlled

L3-L7 live ingress

Spider collects the transport stack as one story: TCP/IP envelope, TLS fingerprints, HTTP/1.1, HTTP/2, headers, Akamai-style HTTP/2 hints, and browser runtime evidence. It is not trying to guess the client from a single hat. It checks the hat, the shoes, the receipt, and the handwriting on the receipt.

TCP/IPTLSHTTP/2browser runtime

DNS probe zone

DNS is where we decided not to rent a mystery box and call it science. Spider watches our own probe zone, sees which resolvers actually come knocking, keeps the request trail, and hands Orca enough structure to say what happened without waving incense over a third-party screenshot. Resolver topology, ECS hints, client echo, ASN/ISP context, and geolocation from our internal enrichment service all move through the same pipeline.

own probe zoneresolver trailECS hintsinternal geo enrichment

UDP and QUIC are side quests with receipts

UDP is checked through a session-bound STUN flow: Spider opens a port, watches the browser try to reach it, answers when it can, and only calls UDP detected when packets really crossed the room. QUIC/HTTP3 lives beside Spider as a sidecar, so a failed H3 probe does not burn down the rest of the collection.

STUN flowUDP port poolQUIC sidecarcontrolled fallback

Artifacts Orca can trust

Spider exports versioned artifacts with status, missing blocks, capture health, timing, replay metadata, and correlation IDs. That gives Orca something better than a shrug: a snapshot it can store, show in Checker, use for B2B T0, enrich later in T1, and replay without asking the visitor to perform the same little dance again.

schema v1.1artifact_versionT0/T1replay

Why Spider lives off the easy hosting path

Railway is great for the public site and gateway work, but Spider needs a place where packet capture, public IPv4, TLS ingress, and UDP ranges are not theoretical concepts in a brochure. That is why the collector runs as its own service: it needs to see the network, not hear about it later from someone wearing a tie.

Why missing does not mean broken

Checker pages can show partial blocks because real collection is a timed event, not a perfectly choreographed musical. T0 waits for the fast core signals. T1 is allowed to arrive later with UDP, QUIC, heavier reputation, or other enrichment. Spider keeps the difference visible instead of painting everything green and hoping nobody opens the hood.

Our analyzer

Penguin

weighted detectorshistory-aware checksreasoned verdictsfast and full modes

Penguin is the next layer: not deployed yet, but already shaped around one promise: anomaly decisions should explain themselves.

Heuristics, not a borrowed oracle

Penguin is built around deterministic heuristics and pattern study, not an LLM verdict and not a secret answer copied from someone else's paper. The patterns are refined against our own observed traffic: millions of sessions and more than eight million technical documents from different networks, clients, and masking habits.

own dataheuristicspattern studyno LLM verdict

Correlation beats fortune telling

Penguin is designed to compare the same session from several angles: TCP, TLS, HTTP, JS, DNS, WebRTC-style origin clues, geo context, and history. One signal can be noisy. Five signals disagreeing in the same direction is less of a coincidence and more of a meeting with minutes.

TCPTLSHTTPJSDNShistory

Device profile first

Before Penguin calls something risky, it builds a technical portrait: probable OS, browser, device type, confidence, and why each layer voted that way. TCP may hint at the operating system, TLS may hint at the client family, HTTP/2 may tell a different bedtime story, and the final detector has to be the adult in the room.

final OSbrowserdevice typeconfidence

Anomaly classes with reasons

The anomaly layer is not a single giant lever. Proxy, VPN, bot, unusual fingerprint, DNS mismatch, and profile-switching checks each produce their own evidence. The final class can be Clean, Possible Proxy, Possible VPN, Proxy, VPN, Bot, or a combined masking story, with reasons attached instead of dramatic fog.

proxyvpnbotunusual printreasons

The second pass checks the homework

After the base detectors and anomaly blocks make their decisions, Penguin has a final-question layer. It gathers detector output, proxy/VPN/bot/unusual signals, blacklist context, and OS-change risk, then asks the deeply annoying but useful question: did we solve the problem correctly, or did one clever clue bully the rest of the class?

final questionrisk mergeconfidence correctionfinal reason

History has a memory

Penguin does not only ask who you are right now. It asks who this IP, fingerprint, and linked origin looked like before. If last week the same trail was Windows/Chrome and today it is an exotic mobile stack with a new story, the history layer keeps the receipt. A shaved head does not grow dreadlocks by Thursday.

ip historyfp hashprofile changestime windows

OS changes are not hand-waved away

The OS-change logic compares current final profile and user-agent profile against recent local history and linked IP/WebRTC-style history. One profile switch may be normal. Many switches inside tight geo/AS windows are the sort of thing a system should remember before politely stamping Clean.

OS changeUA mismatchlinked IPs90-day context

Fast path and full notebook

The Penguin shape separates pure detection logic from runtime adapters. Fraudnode can use the full notebook with stored rows, history, and reports. B2B can run the same domain logic in a fast stateless path, then attach persistence only when the customer or policy asks for it. Same math, different backpack.

domain logicchecker modefraud statelessoptional DB

TCP as reusable domain logic

The TCP refactor plan starts with a clean block: input object in, weighted hints out, final TCP verdict returned. Quick path, TTL, cap length, options order, window scale, source port, TCP window, uptime, MSS, and organization hints become reusable logic instead of a database-shaped maze.

quick pathparameter hintsaggregationreusable TCP

Why Penguin is not the first thing we ship

A detector is only as useful as the evidence it can trust. That is why Orca and Spider come first: they make sessions observable, versioned, and replayable. The parser work belongs in Orca now, so Penguin should receive a clean case file, not a pile of napkins and one suspiciously confident spreadsheet.

Where explanations live

Penguin keeps the reasoning close to the verdict: detector candidates, weighted scores, conflict markers, triggered rules, rarity metrics, and history deltas. Text, when it exists, is a narrator, not the judge. The goal is not only to say allow, challenge, or deny. The goal is to answer the next question: what made us think that?

Our path continues

The work stays visible

We are building Fraudnode in layers because fraud decisions should not feel like magic. DNS, JS, TCP, TLS, HTTP, UDP, QUIC, reputation, and geo evidence first become readable checker blocks. Then those same blocks become the raw material for Penguin and the Anti-Fraud Layer.

Every collector signal should have a reason.

Every missing field should be visible.

Every anomaly should be explainable.