Built by engineers focused on trust infrastructure

IP Identity is the top-level summary for the current checker session. It combines the observed client IP with HTTP and user-agent identity fields.

Network shows IP address, country, ASN, and ISP. These fields can come from live ingress, Geo enrichment, or normalized Orca block data.

HTTP / UA shows protocol version, method, and raw user agent. These are useful for checking whether the browser request matches the captured network identity.

UA Fields are parsed from the user-agent string. They are convenience labels, not proof by themselves.

A missing IP usually means T0 did not finalize, live ingress did not capture the request, or the snapshot was read before Orca finished parsing.

TCP is packet-level evidence from the transport path. It helps compare the client network stack, proxy path, and capture behavior.

Packet Envelope contains IP-layer fields such as captured length, total length, TTL, IP version, DF flag, and packet identifiers.

TCP Header contains flags, MSS, offsets, sequence and acknowledgement numbers, checksum, timestamp, urgent pointer, window, and window scaling.

Options and Window contains parsed TCP options, their order, window size samples, average window size, and uptime-like hints when available.

Empty TCP fields mean no usable packet-level TCP artifact arrived for the session yet. They should not be interpreted as a client anomaly without checking T0 readiness.

The Fingerprint Set groups stable TLS identifiers: JA3, JA3N, JA4, peetprint, and their hashes when available.

Handshake Traits show raw TLS negotiation fields such as cipher suites, extensions, elliptic curves, point formats, and RSA PKCS#1 SHA-1 usage.

Cipher Suites and Extensions tables show raw numeric codes next to decoded names. Empty rows mean the collector did not receive decoded TLS material yet.

The health badge is diagnostic. Modern means the captured handshake looks current; legacy means old or weak primitives are visible; unknown means no TLS evidence arrived.

GREASE is normally a compatibility signal from modern browsers, not an error by itself.

The top panel summarizes protocol, method, user agent, header count, and whether the captured structure looks coherent.

HTTP/1.1 contains raw headers and header order for sessions that arrived through an HTTP/1.1 path.

HTTP/2 contains frame and settings hints such as Akamai fingerprint, header table size, initial window size, max frame size, and pseudo-header presence.

A suspicious badge on real data means required HTTP structure is missing or inconsistent. On empty data it should stay unknown, not suspicious.

HTTP evidence is part of T0. If it is empty while TCP/TLS exist, check live ingress and Orca parser output before treating it as a client signal.

Blacklist Signals show request/response counters, status, found_in sources, and dirty blacklist entries from configured DNSBL-style checks.

Scamalytics Profile adds IP and organization risk, IP range, organization name, and network trait flags.

Overall score is a local reputation score for this block. Empty data must be unknown, not risk low and not score 0/100.

A clean result means checks ran and returned no hits. Unknown means the data did not arrive or the provider did not expose that field.

Google proxy, Googlebot, VPN, datacenter, AWS, and iCloud Private Relay are traits for explanation and anomaly logic, not automatic fraud decisions.

Location Core is the operational view: IP, network, ASN, ISP, organization type, region, country, city, and time zone.

Registration Context describes how the IP range is registered and represented. It can differ from the apparent user location.

Coordinate Map appears only when latitude and longitude are available. Empty coordinates mean the database did not provide map-grade location for this IP.

Geo Traits are boolean network hints such as anycast, anonymous proxy, or satellite provider. Empty traits should be read as unknown, not automatically false.

Resolver Topology counts distinct resolvers that queried the delegated checker zone for the current session.

Your IP Addresses is the client echo table: it should show request number, resolver IP, resolver ASN/ISP, and geo enrichment when available.

ECS Subnets shows whether the resolver exposed EDNS Client Subnet. If present, the subnet can reveal coarse client network location; if absent, the UI should say ECS not exposed.

DNSSEC Summary is about validation evidence from DNS checker payloads. Unknown means no conclusive DNSSEC matrix, not necessarily an error.

DNS health should stay degraded while resolver or ECS/client echo data is missing, but it must not be treated as a fraud verdict by itself.

JS Runtime should fill after the browser sends language, timezone, fonts, plugins, screen, user-agent hints, and related runtime fields.

Locale Flags compare browser language with timezone-derived country. A mismatch is a signal for review, not a direct conclusion.

Language is intentionally not used as a fallback for timezone country. We keep those signals independent to avoid false geography under VPN/proxy/timezone spoof scenarios.

Timezone and Language are the stable human-readable fields. They should be present even when font detection is sparse.

Fonts are detected from a candidate set and depend on browser privacy behavior, OS, and font availability. A short list or empty list can be normal in hardened browsers.

Other contains raw runtime hints that are useful for later anomaly logic but should stay secondary in the UI.

UDP Path shows whether the browser-originated UDP/STUN probe reached Spider and produced packet evidence.

QUIC Path shows whether the HTTP/3 observer flow was reachable and whether the browser-side probe could confirm HTTP/3 or a QUIC handshake.

Packet Symmetry compares observed UDP request and response counts. Empty symmetry means one of the counts is unavailable, not automatically that the client is bad.

Score Breakdown is a local diagnostic health score. Positive rows mean useful transport evidence arrived; negative rows mean a signal was missing, degraded, or errored.

Checker and Anti-Fraud answer different questions. Checker shows what was collected; Anti-Fraud explains what those signals mean together.

Orca prepares the canonical anomaly payload from the collected session and calls Penguin. Penguin evaluates bot, VPN, proxy, unusual traffic, profile consistency, and supporting evidence.

The result is not only a clean or dirty label. It includes risk class, probability, detected OS/browser/device, class scores, parameter-level analysis, history state, and inconsistencies.

Fraudnode provides classification and evidence. The client still owns the final action such as allow, challenge, recheck, review, or block.

Run Checker starts or continues collection through Spider and stores the normalized session through Orca.

My Anomaly becomes available after the checker session is initialized. It builds a validated Penguin payload from the stored snapshot and requests the classification.

This separation is intentional: diagnostics can be collected without paying the cost of anomaly analysis on every run.

If the button is disabled, return to Checker and run the collection first. If analysis fails, the checker evidence remains available and can still be inspected.

Classification describes the final result. For dirty traffic, dirty_type explains the dominant category such as proxy.

Class risk score describes the strength of the dominant class. Final probability describes confidence in the final classification. They answer related but different questions.

Risk class converts the numeric result into an operational level such as low, medium, high, or critical.

Detected OS, browser, and device are weighted conclusions from independent fingerprint layers. Their confidence can be lower than the overall fraud-class probability.

Analysis Coverage reports whether expected signal blocks were assembled and whether Orca marked data quality as complete or degraded.

Bot evaluates automation and non-human browser behavior. VPN evaluates network, timezone, language, and geography combinations associated with tunneled traffic.

Proxy evaluates relay behavior, stack contradictions, resolver distance, cascade patterns, and incompatible claimed versus detected profiles.

Unusual captures uncommon or internally inconsistent fingerprints that do not cleanly belong to another class.

A class is detected when its score crosses the configured threshold. Reasons show which observations contributed and by how much.

A non-detected class may still have a non-zero score. That means supporting evidence exists, but it did not reach the class threshold.

Name is the human-readable parameter label. The internal key is used by the contract and frontend but is intentionally hidden from the normal report.

Your value is the observed value from the session. Claimed is the browser or operating-system identity asserted by UA or another source. Detected is the profile suggested by the actual signal.

Confidence describes how strongly the parameter supports the detected profile. Reliability describes how dependable that parameter is for this type of inference.

Normal means the observation agrees with a known profile. Warning means meaningful inconsistency. Critical means a strong anomaly. Info means useful context without a direct negative judgment.

Opening a row reveals the general parameter description, the analysis-specific explanation, and supporting metrics such as prevalence, exclusivity, consistency, and spoof probability.

T0 uses the fast baseline: Spider TCP, TLS, HTTP, and JavaScript signals plus Orca GEO enrichment.

T1 rebuilds the current T0 context and adds enabled extended evidence such as DNS, blacklist, UDP/QUIC, and historical comparison.

T1 is not automatic. The client can trigger it when class score, transaction value, account context, or another policy weight justifies the extra collection time.

If history was not compared, the report says that the T1 stage did not pass assembly. This is a valid standalone T0 result, not an application error.

The client remains responsible for deciding whether to act on T0 immediately or wait for T1.

Examples include a claimed Windows profile conflicting with Android-like TCP evidence, language differing from network geography, or timezone country differing from client country.

Severity communicates operational importance: high contradictions should be reviewed first, followed by medium and low contextual mismatches.

Evidence chips preserve the values behind the explanation, while Technical details expose check type, subclass, and structured evidence.

Inconsistencies explain why the verdict changed. They do not replace the full signal tables, where the client can inspect every contributing observation.

A mismatch is evidence for policy, not proof of malicious intent by itself. Hardened browsers, corporate networks, travel, privacy tools, and unusual infrastructure can produce legitimate contradictions.

Demo provides 3 days or 1,000 requests, whichever comes first. Trial provides 30 days or 10,000 requests.

Both evaluation modes use API keys, quota and expiry enforcement, Spider + Penguin + DB, and full persistence for investigation.

Production B2B uses a dedicated contour per customer. Persistence can be compact Orca-managed storage, customer-managed storage, or no Orca parser persistence.

The right contour depends on traffic, confidentiality, audit requirements, expected throughput, and whether historical T1 comparison is required.