Risk Analysis

Availability

Risk Analysis only operates on authentication flows performed through SecTrail's web interface: Mobile App Registration and SSO (Single Sign-On) logins. It does not apply to RADIUS, Windows Logon, or other protocol-based authentication flows.

Risk Analysis is a real-time behavioral security engine built into SecTrail MFA. At each login attempt, the engine evaluates dozens of contextual signals — IP reputation, geographic location, device fingerprint, login timing, and account behavior — and produces a numeric risk score. Based on this score, the system can transparently allow the user through, inject additional MFA factors, or block access entirely.

How It Works

Every time a user attempts to authenticate, the Risk Engine runs in the background:

  1. IP Resolution — The client IP is extracted from the configured HTTP header or from the direct connection.
  2. Geo & ASN Lookup — Country, region, city, coordinates, and Autonomous System Number (ASN) are resolved from the IP.
  3. Device Fingerprinting — The user-agent string is parsed to extract browser, operating system, and device type.
  4. History Comparison — The user's recent login history (last 50 successful logins) is loaded and compared against the current attempt.
  5. IP Reputation Check — All enabled reputation sources are queried (built-in feeds or custom sources).
  6. Signal Evaluation — Five context evaluators run in parallel:
    • Reputation — Known bad IPs, blocklists
    • Location — Impossible travel, new country, VPN/Tor/datacenter ASN
    • Identity — Dormant account, first login, repeated failures
    • Time — Unusual hour, nighttime, weekend, timezone mismatch
    • Device — Bot detection, new device, browser/OS/fingerprint changes
  7. Score Calculation — Each triggered signal contributes a weighted score. The total score is mapped to a severity level.
  8. Action — Based on the active Risk Policy, the system allows, challenges, or blocks the login.

Severity Levels

| Level    | Default Score Range | Action                                        |
|----------|---------------------|-----------------------------------------------|
| Safe     | 0 – 29              | Login proceeds normally                       |
| Low      | 30 – 49             | Additional MFA factors injected               |
| Moderate | 50 – 99             | Additional MFA factors injected               |
| High     | ≥ 100               | Access blocked (IP and/or user, configurable) |

Thresholds are configurable per Risk Policy.
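The pipeline above (context evaluators, weighted signals, score, severity, action) in a runnable form. This is an added illustration, not SecTrail's code: the signal weights, the 900 km/h impossible-travel limit, the "unusual hour" window and the three constructed login attempts are all assumptions; only the severity bands come from the table above.

```python
"""Added example, not SecTrail's own engine: a minimal risk scorer that follows
the documented flow (evaluators -> weighted signals -> score -> severity -> action).
Weights, thresholds for travel speed / hours, and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed per-signal weights (SecTrail's real weights are not documented here).
WEIGHTS = {
    "bad_reputation": 100, "impossible_travel": 60, "new_country": 30,
    "datacenter_asn": 25, "dormant_account": 20, "first_login": 15,
    "repeated_failures": 20, "unusual_hour": 10, "new_device": 15, "bot_user_agent": 40,
}
# Default severity bands from the documentation; anything above 99 is High.
SEVERITY_BANDS = [("Safe", 0, 29), ("Low", 30, 49), ("Moderate", 50, 99)]
ACTIONS = {"Safe": "allow", "Low": "challenge", "Moderate": "challenge", "High": "block"}

@dataclass
class Attempt:
    user: str; ip: str; country: str; lat: float; lon: float
    asn_type: str            # "residential" or "datacenter" (assumed labels)
    user_agent: str; device_id: str; when: datetime
    recent_failures: int = 0

@dataclass
class Context:
    history: list            # prior successful Attempts, newest first (max 50 per docs)
    blocklist: set = field(default_factory=set)   # stand-in for reputation feeds
    dormant_days: int = 90

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance used by the impossible-travel check."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate_signals(attempt, ctx):
    """Reputation, device, identity, time and location evaluators, in that order."""
    s = []
    if attempt.ip in ctx.blocklist: s.append("bad_reputation")
    if attempt.asn_type == "datacenter": s.append("datacenter_asn")
    ua = attempt.user_agent.lower()
    if "bot" in ua or "curl" in ua: s.append("bot_user_agent")
    if attempt.recent_failures >= 3: s.append("repeated_failures")
    if not 8 <= attempt.when.hour < 20: s.append("unusual_hour")   # assumed window
    if not ctx.history:
        s.append("first_login")
        return s
    last = ctx.history[0]
    elapsed = attempt.when - last.when
    if elapsed.days >= ctx.dormant_days: s.append("dormant_account")
    if attempt.country not in {h.country for h in ctx.history}: s.append("new_country")
    if attempt.device_id not in {h.device_id for h in ctx.history}: s.append("new_device")
    hours = max(elapsed.total_seconds() / 3600, 1e-6)
    if haversine_km(attempt.lat, attempt.lon, last.lat, last.lon) / hours > 900:
        s.append("impossible_travel")                                # assumed speed cap
    return s

def severity(total):
    for name, lo, hi in SEVERITY_BANDS:
        if lo <= total <= hi: return name
    return "High"

def assess(attempt, ctx):
    signals = evaluate_signals(attempt, ctx)
    total = sum(WEIGHTS[x] for x in signals)
    sev = severity(total)
    return {"signals": signals, "score": total, "severity": sev, "action": ACTIONS[sev]}

# Constructed sample data: one known-good login, then three new attempts.
UTC = timezone.utc
FF = "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
london = Attempt("alice", "198.51.100.10", "GB", 51.5074, -0.1278, "residential", FF,
                 "laptop-1", datetime(2024, 1, 10, 9, 0, tzinfo=UTC))
CTX = Context(history=[london], blocklist={"203.0.113.7"})
SAMPLES = [
    Attempt("alice", "198.51.100.10", "GB", 51.5074, -0.1278, "residential", FF,
            "laptop-1", datetime(2024, 1, 11, 10, 0, tzinfo=UTC)),      # routine login
    Attempt("alice", "192.0.2.44", "US", 40.7128, -74.0060, "residential", FF,
            "laptop-1", datetime(2024, 1, 10, 11, 0, tzinfo=UTC)),      # NYC 2h later
    Attempt("alice", "203.0.113.7", "NL", 52.3676, 4.9041, "datacenter", "curl/8.4.0",
            "curl-box", datetime(2024, 1, 11, 3, 0, tzinfo=UTC)),       # listed IP
]

def run_samples():
    return [assess(a, CTX) for a in SAMPLES]

if __name__ == "__main__":
    for a, r in zip(SAMPLES, run_samples()):
        print(a.ip, r)
```

The second sample scores 90 (new country 30 + impossible travel 60), which lands in the Moderate band and triggers a challenge rather than a block; the third collects reputation, ASN, bot, hour, country and device signals and exceeds 100. Because step 1 of the real flow takes the client IP from a configured HTTP header, that header must be set only by the trusted reverse proxy and overwritten on inbound requests, or every evaluator downstream is scoring an attacker-chosen address.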

Main Sections

  • Dashboard — Real-time overview of risk events, score distribution, top signals, risky users and IPs
  • Policies — Create and manage risk policies with custom thresholds and block actions
  • IP Reputation Sources — Configure built-in and custom IP reputation feeds
  • Events — Browse, filter, and investigate individual risk events with full detail
  • Blocks — View and manage active risk blocks; create manual blocks