Skip to main content

Behavior Patterns

Beyond single-session scoring, ShieldLabs tracks multi-session patterns — repeated anomalies linked to the same device, visitor, or user across time.

What patterns track

Patterns are detected on three entity types:
Entity TypeTracksUse case
device_idSame hardware fingerprintMulti-accounting from one device
visitor_idSame browser profileAccount farming from one browser
user_hidSame hashed user identifierCompromised account re-use
webrtc_ipSame WebRTC-detected IPIP-based velocity

Pattern levels

Each pattern can escalate through two levels:
LevelDescription
suspiciousAnomaly detected — elevated risk, monitor
dangerousConfirmed threat — high confidence, action required

Viewing patterns

Patterns are available in the dashboard under Sessions → Patterns, or via the API: 
# Get all patterns for a domain
GET /api/domains/{domain_id}/patterns

# Get pattern detail for a specific pattern name
GET /api/domains/{domain_id}/patterns/{pattern_name}
Response includes: 
[
  {
    "pattern_name": "high_velocity_device",
    "entity_type": "device_id",
    "suspicious": 12,
    "dangerous": 3,
    "total": 15,
    "last_seen": "2026-04-14T09:30:00Z",
    "weeks_active_4": 2
  }
]

Rate limiting

ShieldLabs automatically rate-limits devices exceeding 10 requests per minute. The device is flagged with DeviceID: "-1" and subsequent checks return: 
{
  "Score": 999,
  "Details": [
    { "Value": 999, "Description": "User has been banned 1H, to many requests" }
  ]
}
The ban is automatically lifted after 1 hour.