Overview

Introduction

In today's digital landscape, where fraudsters exploit every possible touchpoint, understanding the complete user journey is paramount. Traditional fraud detection tools often operate in silos, analyzing isolated events without the broader context, leaving gaps that sophisticated attackers can exploit. Recognizing this challenge, Spec's pioneering Realtime User Behavior Tracking makes user interaction silos a problem of the past. This revolutionary approach captures and analyzes every user interaction, from the moment a customer lands on your platform to their final click. By stitching together these interactions into a cohesive event timeline, Spec provides unparalleled visibility, enabling teams to detect anomalies, prevent fraudulent activities, and ensure a seamless experience for legitimate users.

Spec deploys our Realtime Engine at the network layer. This product operates transparently, is undetectable by client browsers, and does not require any client-side JavaScript or SDKs. We integrate seamlessly at your public network endpoint, which requires only a single deploy. The Realtime Engine is responsible for extracting data from incoming network requests, normalizing it, and labeling that data with a name and type. We record these data elements from each request into an Event. Our engine investigates the timeline of user journey Events, which we call a Session, and provides a Label for any observed behaviors, whether risky or trusted.

The data generated by the Realtime Engine (RE) is captured for analysis within the Hub. The Hub is a web interface, updated in realtime, that offers behavioral insights and tooling for investigations.

The Spec Platform is a zero JavaScript implementation with flexible deployment options and transparent operation that is undetectable by clients. The platform is a powerful, realtime engine capable of executing highly performant risk assessments and can perform extensive third-party integrations to complement your existing systems.

How Spec Works

The Spec Realtime Engine (RE) sits in the path of web traffic between your end users and your protected origins, enabling you to capture, analyze, and respond to all origin-bound traffic for anomalous behavior.

The RE gathers data and triggers rules-based workflows based on customer-defined configurations, tailored specifically to align with your unique business model. You can configure actions and view collected data and labeled findings in the Spec Hub.

The RE only collects the data it is configured to collect. Requests to endpoints that the Realtime Engine is not configured to monitor are never collected or read; they are passed directly through to the protected origin. For endpoints it is configured to monitor, all data not explicitly configured to be collected is ignored.
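The collection rule above, together with the extract, normalize, and label-with-name-and-type step described in the Introduction, can be sketched as an allowlist filter. This is an added example, not Spec's code or configuration schema: the `Config`, `ElementSpec`, `Source`, and `Kind` types, the endpoint keys, and the sample request are all hypothetical.

```rust
// Added illustration: hypothetical types, not Spec's configuration schema or code.
use std::collections::HashMap;
#[derive(Clone, Copy, Debug, PartialEq)]
enum Kind { Email, Text }
enum Source { Header(&'static str), Form(&'static str) }
struct ElementSpec { name: &'static str, kind: Kind, source: Source }
struct Request<'a> {
    method: &'a str,
    path: &'a str,
    headers: &'a [(&'a str, &'a str)],
    form: &'a [(&'a str, &'a str)],
}
#[derive(Debug, PartialEq)]
struct Element { name: String, kind: Kind, value: String }
/// Monitored endpoint ("METHOD /path") -> elements allowed to be collected.
type Config = HashMap<&'static str, Vec<ElementSpec>>;
fn find(pairs: &[(&str, &str)], key: &str) -> Option<String> {
    pairs.iter().find(|(k, _)| k.eq_ignore_ascii_case(key)).map(|(_, v)| v.to_string())
}
fn normalize(kind: Kind, raw: &str) -> String {
    match kind {
        Kind::Email => raw.trim().to_ascii_lowercase(),
        Kind::Text => raw.trim().to_string(),
    }
}
/// None: endpoint is not monitored, so the request is forwarded without being read.
/// Some(event): only configured elements that are present; everything else is ignored.
fn collect(cfg: &Config, req: &Request) -> Option<Vec<Element>> {
    let specs = cfg.get(format!("{} {}", req.method, req.path).as_str())?;
    Some(specs.iter().filter_map(|s| {
        let raw = match s.source {
            Source::Header(h) => find(req.headers, h),
            Source::Form(f) => find(req.form, f),
        }?;
        Some(Element { name: s.name.to_string(), kind: s.kind, value: normalize(s.kind, &raw) })
    }).collect())
}
fn sample_config() -> Config {
    HashMap::from([("POST /login", vec![
        ElementSpec { name: "email", kind: Kind::Email, source: Source::Form("email") },
        ElementSpec { name: "user_agent", kind: Kind::Text, source: Source::Header("user-agent") },
    ])])
}
fn main() {
    // Constructed request: the password field is not configured, so it is never collected.
    let req = Request { method: "POST", path: "/login", headers: &[("User-Agent", "curl/8.0 ")],
        form: &[("email", " Alice@Example.COM"), ("password", "hunter2")] };
    println!("{:?}", collect(&sample_config(), &req));
}
```

When reviewing a deployment's collection configuration, the property to check is the same one this sketch encodes: sensitive fields such as credentials appear in an Event only if someone explicitly listed them.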

Data and labeled findings are streamed to the Spec analytics platform in real time and are immediately accessible to you through the Hub. Optional third-party integrations to further enrich your data are also fully configurable and managed through the Hub.

The following diagram shows the Realtime Engine in action.

Product

Spec's product consists of two main components: the Realtime Engine and the Hub. The Realtime Engine operates at the network layer to capture, analyze, and label every user interaction in real time, enabling advanced risk assessment and automated mitigation without requiring client-side code. The Hub is a web-based interface that provides realtime monitoring, analytics, configuration management, and investigation tools, empowering teams to visualize user journeys, detect suspicious patterns, and manage integrations, all in one unified platform.

Realtime Engine

The Realtime Engine (RE) is the workhorse of the Spec platform. This engine is responsible for extracting data from incoming network requests, normalizing it, and labeling that data with a name and type. Models that detect risky user journey patterns execute within the engine. These models are tuned specifically to customer applications to generate risk assessments that form the foundation of the rest of the platform's capabilities. These risk assessments can be used to stop activity on your platform or alert you when it occurs. Your data is never shared with anyone, for any reason.

One of the greatest powers the Realtime Engine has is the ability to mitigate. Mitigation is the capability of the platform to modify incoming requests, outgoing responses, or generate a response to a request without involving the customer application. These actions can only be taken when the platform is operating in Active Mode.

Actions taken by the RE are performed by the rules engine in the platform. Rules provide flexibility and control by fine-tuning when actions are taken by the platform. Actions govern mitigation, alert generation, or the sending of information to other platforms.

The RE can incorporate any third party data into the realtime dataset. We do this through Integrations which can contact other applications over HTTP. Retrieving more data is not its only use; these integrations can be used to open tickets in your case tracking software when risky activity is detected. We can also alert you through your favorite channels when this activity is observed and merits further investigation. In addition, Integrations allow the RE to make calls to other platforms to perform further actions.

Note: Integrations are not required. The Realtime Engine can make risk assessments, monitor and alert, and take action without using any third party services.

Hub

Insights

Insights provide trend visualizations and analytics that describe the population of the application. These insights describe trends in the Session, Event, and Element activity within the platform. There are insights provided for each module that describe common scenarios like Account Take Over (ATO) and Card Testing attacks.

Session Search enables users to find and analyze Sessions based on specific criteria. Users can access a directory of saved session searches, view recent searches, and build new queries using filters. Saved searches promote efficient, reusable searches and improve performance by encouraging the use of saved, cacheable queries. The interface supports quick navigation, sorting, and searching through session data, making it easier for analysts to answer questions about user interactions.

User Session Assessment

The User Session Assessment provides a comprehensive overview of an individual Session. It features a visual “guitar chart” that tracks the session’s risk rating evolution over time and highlights the final risk score. You can see the Session Labels associated with a session organized by severity, as well as any actions taken. The page includes a session spotlight with key summary points and an events tab listing all session events, with options to filter the view. The page also describes the session's Entities along with the set of linked entities, that is, entities that have been seen in the same session.

Entity Behavior and Linking

The Entity Behavior and Linking page focuses on how Entities, such as accounts or devices, interact within and across sessions. It provides insights into shared sessions between entities, helping analysts identify patterns, relationships, and potential risks by tracking how entities are linked through shared activity.

Tech and Scale

The Spec Realtime Engine utilizes cloud-native, industry-proven technologies such as Kubernetes, Rust, and Kafka to deliver scalability, performance, and security.

High Availability and Scalability

Spec's workloads run in load-balanced, self-healing, containerized environments in cloud infrastructure across multiple data centers. With Kubernetes and auto-scaling infrastructure, Spec Realtime Engine scales as you do.

For production-grade customer offerings, failover mechanisms are implemented across multiple layers to ensure high availability and maintain business continuity.

Performance and Reliability

The ability to process large amounts of traffic in real time is accomplished by a proprietary platform built for high performance using throughput-oriented technologies such as Rust and Kafka. 100% of the Spec Realtime Engine is written in Rust, with minimal system dependencies. Rust allows us to achieve maximum performance without the reliability issues and security vulnerabilities often present in other systems programming languages. Kafka allows Spec to durably and quickly move data from the edge into our data warehouse for long-term access and storage.

Spec uses infrastructure as code to reliably create and maintain the platform. This allows us to set up new client environments quickly and keep configuration consistent at all times.

Spec uses a third party logging and monitoring solution that is an industry standard for cloud-based platforms. The team utilizes a paging system and an on-call rotation to ensure that any and all issues are investigated as soon as they become apparent.

Security

Spec views the security of its cloud as paramount: we run daily audits on all code that runs as part of the platform to ensure that it is free from any known vulnerabilities. Any new CVEs that are discovered are addressed immediately. Software updates are deployed on a frequent and regular basis to apply security patches, introduce new features, and enhance existing functionality.

Spec conducts regular internal security audits to ensure platform compliance at all times, extending beyond the duration and scope of SOC2 audits.