How the intelligence works
Every Kairos Check call runs through 9 layers of analysis in under 200ms. Here's exactly what happens — and why it matters for your business.
Layer 0 — Domain name heuristic
Before any OSINT lookup, we analyse the entity string itself for known fraud patterns. This catches the attacks that bypass traditional databases.
- Brand impersonation: 37 brands tracked. paypal-account-suspended.store → BLOCK score 100.
- Homograph detection: paypa1-verify.com (where "1" replaces "l") → BLOCK score 75. Zero competitors catch this.
- High-risk TLD matrix: 60+ TLDs including .store, .shop, .xyz, .tk.
- Keyword combinations: domain names containing "security" + "verify" + brand name = confirmed phishing pattern.
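A string-only check in the spirit of Layer 0, as an added example (not Kairos Check's own code). The brand map, keyword set, lookalike table, weights and signal names are assumptions, with the weights chosen so the two domains above score 100 and 75; the verdict cutoffs are the ones in the scoring thresholds table on this page.

```python
import re

# Constructed sample data: the page names PayPal and four TLDs only.
BRANDS = {"paypal": "paypal.com"}           # brand -> its legitimate domain (assumed)
HIGH_RISK_TLDS = {"store", "shop", "xyz", "tk"}
KEYWORDS = {"security", "verify", "account", "suspended", "support"}
LOOKALIKES = str.maketrans("1035", "loes")  # digit-for-letter swaps (assumed subset)
# Assumed weights, picked so the page's two examples score 100 and 75.
W_BRAND, W_HOMOGRAPH, W_TLD, W_KEYWORD = 50, 50, 25, 25


def verdict(score):
    """Map a 0-100 score onto the page's BLOCK / REVIEW / ALLOW ranges."""
    return "BLOCK" if score >= 60 else "REVIEW" if score >= 30 else "ALLOW"


def check_domain(domain):
    """Score a domain from its string alone; returns (score, verdict, signals)."""
    labels = domain.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])     # naive: ignores the public suffix list
    tokens = [t for t in re.split(r"[^a-z0-9]+", ".".join(labels[:-1])) if t]
    score, signals = 0, []                  # signal names here are hypothetical
    if registrable in BRANDS.values():      # the brand's own domain is not flagged
        return 0, "ALLOW", signals
    for tok in tokens:
        if tok in BRANDS:
            score += W_BRAND
            signals.append(f"brand-impersonation:{tok}")
        elif tok.translate(LOOKALIKES) in BRANDS:
            score += W_HOMOGRAPH            # e.g. "paypa1" normalises to "paypal"
            signals.append(f"homograph:{tok}")
    if labels[-1] in HIGH_RISK_TLDS:
        score += W_TLD
        signals.append(f"high-risk-tld:{labels[-1]}")
    if KEYWORDS.intersection(tokens):
        score += W_KEYWORD
        signals.append("keyword-combination")
    score = min(score, 100)
    return score, verdict(score), signals


if __name__ == "__main__":
    for d in ("paypal-account-suspended.store", "paypa1-verify.com", "www.paypal.com"):
        print(d, check_domain(d))
```

Taking the last two labels as the registrable domain misjudges suffixes such as .co.uk; a production check would consult the public suffix list.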
Layers 1–8 — OSINT signal analysis
| Layer | What it checks | Signal examples |
|---|---|---|
| 1 — Core content | Phishing patterns, high-risk URL patterns, suspicious TLDs | high-risk-pattern, phishing-pattern |
| 2 — Guru-scam | Fake investment schemes, "get rich quick" patterns (50+ languages) | guaranteed-returns, passive-income-machine |
| 3 — Reputation | Known scam entities, complaint databases, review-site gaslighting | known-scam-entity |
| 4 — NLP heuristic | 7-axis scam matrix: urgency, fake ROI, vague method, authority bait, FOMO, identity escape, easy money | scam-matrix:CONFIRMED |
| 5 — Live reputation | Real-time reputation evasion patterns, complaint camouflage | reputation-evasion |
| 6 — Checkout inspection | Hostile checkout funnels, aggressive upsell patterns | aggressive-funnel |
| 7 — N-gram similarity | Fuzzy matching against confirmed-scam corpus | ngram-match:0.87 |
| 8 — Network intelligence | Cross-tenant reputation graph — entity seen by other customers | network-intelligence:score=95 |
The cross-tenant reputation graph
This is our data moat. Every check you run contributes a signal to a shared reputation graph. When paypal-customer-support.store is flagged by one customer, every subsequent check of that domain by any customer gets a higher confidence score.
The graph gets smarter every day — automatically — without anyone doing anything. It's the reason our detection rate improves month over month:
| Month | Detection rate | What drove it |
|---|---|---|
| Launch | 50% | Layer 0 + static patterns only |
| Month 1 | ~75% | Nightly seeder + first customer checks |
| Month 3 | ~90% | Graph populated, patterns classified |
| Month 12 | 95%+ | Family fingerprinting, cross-tenant amplification |
Scoring thresholds
| Verdict | Score range | Recommended action |
|---|---|---|
| BLOCK | 60 – 100 | Deny the request. Log the entity for your records. |
| REVIEW | 30 – 59 | Apply friction: CAPTCHA, email verification, manual review queue. |
| ALLOW | 0 – 29 | Proceed normally. |
Zero PII: We analyse public signals only. We never store email content, message bodies, or any personal information beyond what you explicitly send in the query field. The audit trail stores only SHA-256 hashes.