Models

Industry-leading self-learning models

At the core of Castle, detecting threats quickly and accurately is our key focus. We are continuously investing in our models to improve their performance and strive towards 0% false-positive rates as new attacks get introduced.

Sophisticated bot detection

Castle’s bot detection looks for scripted or automated behavior. Client-side sensors evaluate and fingerprint both web and mobile devices.

Account takeover protection

Castle’s ATO detection incorporates User & Entity Behavioral Analysis (UEBA) to build patterns of norms for each user, and detect anomalous activity on a per-device level.

Attack awareness

Castle learns from historical traffic patterns unique to each app, so automated attacks like credential stuffing and spam registration are quickly caught.

Trained by users

Our models are constantly maximized for performance. Each time a user reports a device, solves a captcha, or completes MFA, they are labeling and training the models.

3-Tier risk score ranges

Our risk scores are calibrated into ranges with usability in mind: Normal between 0 and 59, Anomalies between 60 and 89, and Threats between 90 and 100 with a threat certainty of 99.9%.

Self-calibrating

Castle is constantly learning and adjusting its models to your specific app & users. We learn good behaviors from your good users to better detect anomalies and minimize false-positives. We listen when devices are reported to detect emerging threats.

Rigorous pre-staging

We are regularly rolling out new models to keep ahead. Once we have a candidate model, we evaluate its performance against historical data, monitor it on live data, and activate it once performance gains are a certainty.

Dual scoring system

Castle produces 2 risk scores for every event: Bot Risk and ATO Risk. Bot Risk highlights automated, scripted activity. But not all bots are bad. ATO Risk highlights account takeovers in action, even when human-powered.

Risk Signals

Risk signals we track

When we surface a threat, we highlight any key risk signals that were detected. Use these insights for analysis, or make them actionable through Policies.

Bot Signals

Invalid fingerprint
Scripted environment
Datacenter access
Disposable email domain
Botlike interactions
Proxy / VPN Access

ATO Signals

Leaked email
Fast travel
New device
Unusual location
Credential stuffing signature
Brute force signature

Models, Heuristics, and Traps

Improve performance, minimize false-positives

We leverage a blend of techniques and constantly trial new tactics to improve performance and minimize false-positives. Here are a few examples of how we locate, assess, and determine each threat.

Time series based anomaly detection

We’re always monitoring incoming streams of events, looking for anything unusual: sudden, large amounts of traffic (like rate limiting), odd proportions of events (a spike in failed logins over successful logins), or any surprising mix of events that we haven’t seen before.

Time series entropy analysis

We look at the entropy of different factors. For example, at scale, most users are on the latest Chrome, Safari, or Firefox versions. Attackers, however, often attempt to mask an onslaught by rotating through a multi-faceted set of User Agents. If you plot this on a histogram, the distribution appears very flat and is easy to see... after the fact. We apply entropy analysis on real-time streams of events, across a range of parameters, detecting it as it’s happening.
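
The idea above as an added example (not Castle's code): Shannon entropy of the User-Agent field over a sliding window of events, with an alert when it rises above a threshold. The window size, the threshold, the class and function names, and the sample stream are assumptions constructed for illustration.

```python
import math
from collections import Counter, deque

def shannon_entropy(counts):
    """Shannon entropy, in bits, of a Counter of observed values."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

class EntropyMonitor:
    """Sliding-window entropy of one event field (here the User-Agent)."""

    def __init__(self, window=200, threshold_bits=3.0):  # assumed values
        self.window, self.threshold = window, threshold_bits
        self.events, self.counts = deque(), Counter()

    def observe(self, value):
        """Record one event; return (entropy_bits, alert)."""
        self.events.append(value)
        self.counts[value] += 1
        if len(self.events) > self.window:
            old = self.events.popleft()  # evict the oldest event
            self.counts[old] -= 1
            if not self.counts[old]:
                del self.counts[old]
        h = shannon_entropy(self.counts)
        # Alert only once the window is full, to avoid judging a partial sample.
        return h, len(self.events) == self.window and h > self.threshold

def constructed_stream():
    """Constructed sample: 400 ordinary events, then 400 rotating UAs."""
    mix = ["Chrome"] * 12 + ["Safari"] * 5 + ["Firefox"] * 3
    normal = [mix[i % len(mix)] for i in range(400)]
    rotating = [f"rotated-ua-{i % 64}" for i in range(400)]
    return normal + rotating

def first_alert(stream, monitor):
    """(index, entropy) of the first event that trips the alert, or None."""
    for i, ua in enumerate(stream):
        h, alert = monitor.observe(ua)
        if alert:
            return i, h
    return None

if __name__ == "__main__":
    print(first_alert(constructed_stream(), EntropyMonitor()))
```

In the constructed stream the three-browser mix holds the window near 1.35 bits, and the alert fires while the window still contains mostly ordinary traffic, well before the rotation fills it.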

Catch with simple traps

Sometimes it’s best to stick to the basics. The client didn’t run JS properly? A mismatch between the request timezone and client timezone? Incoming headers don’t align with the expected User Agent? Dozens of these tried-and-true, simple traps run in parallel to help catch the majority of common bot attacks with low false-positive rates.

Try for free

Get started in minutes

You can test and deploy a fully automated, user-centric approach to account security for free.
