Skip to main content
Patterns link a visitor’s activity over time and flag eight relationship shapes that signal abuse, such as many accounts on one device. They look across many visits, not one request, and grade an entity by how its linked identifiers cluster. A pattern flags an entity: a device, an account, a visitor, or a Local IP. When that entity’s correlations cross a threshold, it surfaces on the dashboard for your team to review.
Patterns are a dashboard feature only. They are computed server-side from history and are not in the webhook or Management API payload. For per-request decisions in your own code, use the Risk Score and Details you receive over webhooks.

The eight abuse patterns

Each pattern answers one question about how identifiers cluster over time. The name says the shape, the outcome says what it signals.
PatternWhat it flagsExample abuse
Many Accounts on One DeviceOne device linked to many accounts.Multi-accounting, account farms
Many Devices on One AccountOne account used from many devices.Account sharing, resale, takeover
Changing IDs on One AccountOne account that keeps changing its device and visitor IDs.Scripted activity, anti-detect browsers
Many Accounts on One Local IPMany accounts behind the same Local IP.Account farms, multi-accounting
Multiple Countries on One AccountOne account active from many countries in a day.Account sharing across regions, geo bypass
Many Devices on One VisitorOne visitor seen on many devices.Fingerprint spoofing, anti-detect browsers
Shared Local IP Across Multiple AccountsAccounts share a Local IP while using different devices and different public IPs.Coordinated fraud, account farms
New Device and New Country on One AccountAn existing account appears from a new device-and-country pair.Account takeover, compromised credentials
“Local IP” is the dashboard name for the visitor’s local network address, used to correlate accounts that look distinct on their public IP.
Patterns share identifiers, so one entity can match several at once. A device that trips Many Accounts on One Device often trips Many Accounts on One Local IP too. Entities matching the most patterns are usually the most clearly coordinated.

How grading works

Every pattern grades an entity on three levels by counting its linked identifiers inside a rolling window.
  • Normal - the entity has not crossed the Suspicious threshold. The baseline. Nothing is recorded.
  • Suspicious - the entity crossed the lower threshold for that pattern in its window.
  • Dangerous - the entity crossed the higher threshold. The strongest grade.
Only Suspicious and Dangerous are stored as detections. Normal is simply the absence of a flag.

The window

Most patterns count over a rolling 30-day window. Three use a shorter one to make the signal meaningful.
WindowPatterns
30 daysMany Accounts on One Device, Many Devices on One Account, Many Accounts on One Local IP, Shared Local IP Across Multiple Accounts, Many Devices on One Visitor
24 hoursMultiple Countries on One Account
7 daysChanging IDs on One Account
Recent 7 days vs historyNew Device and New Country on One Account
A tight window is what gives Multiple Countries on One Account its meaning: one account from several countries in a day is hard to explain as normal travel.

Two rules shape every grade

  • The level never downgrades. Once an entity reaches Dangerous, it stays Dangerous on later runs. Only its current count and last-seen time update.
  • Thresholds adapt to the entity’s Risk Score. An entity that already looks anonymous or abusive flags sooner. A low-risk entity has to cross a higher count first.
Threshold counts are illustrative of intent, not guaranteed exact numbers. The live thresholds are server-side configuration that can change and that shifts with each entity’s Risk Score. There is no setting you control. Read each pattern as “flags when an entity crosses a Suspicious or Dangerous count in this window,” not as a fixed number to rely on.
A legitimate user can land on a card too: a shared office network, a frequent traveler, a privacy browser. Confirm against your own context before you act.

Where patterns live

Patterns are computed server-side from your historical identify data, then shown on the dashboard Patterns view. A background worker recomputes all eight for each verified domain about every 10 minutes, with one run at startup. There is nothing to trigger and no schedule to configure. The Patterns view gives you three things.
  • Overlap summary - deduplicated totals across all patterns, so you can tell whether a small set of entities is responsible for most flags. Per-card totals are not additive: an entity matching three patterns counts three times across the cards but once here.
  • Pattern cards - one card per pattern, broken down per identifier, each with a Suspicious and a Dangerous sub-count. You can export flagged IDs to CSV or JSON, or open the Data view filtered to that pattern.
  • Data view - the request rows behind each flag, with the identifiers, country, signals, and Risk Score that produced it.

Patterns are distinct from per-request signals

Patterns and the per-request Risk Score answer different questions. Use the right one for the job.
Risk ScorePatterns
ScopeOne visit, in real timeAn entity, across history
DeliveryWebhook and History APIDashboard Patterns view only
GradesClean / Low / Medium / High (0-100)Normal / Suspicious / Dangerous
You act on itIn your own code, per requestBy exporting flagged IDs and acting in your own systems
A note on “bot activity”: some pattern use cases mention automated or scripted traffic. That is a downstream symptom these correlation patterns can surface, for example a visitor jumping across many devices. ShieldLabs identifies visitors, detects anonymity, and correlates abuse signals across linked identifiers.

You export the IDs and decide

The Patterns view is read-only. ShieldLabs surfaces the flagged entities. Your own code owns every allow, challenge, review, or block decision. There is no in-product rules engine and no threshold UI. The workflow is short.
1

Find the coordinated entities

In the overlap summary, compare total against unique affected IDs. A large gap means a few entities are tripping many patterns each.
2

Open the pattern that matters

Read the per-identifier blocks on the card and their Suspicious and Dangerous sub-counts.
3

Get the evidence

Open the Data view to inspect the request rows behind the flag and confirm context.
4

Export and act

Export the flagged IDs as CSV or JSON, then apply your own policy in your own systems.
The exported IDs join cleanly to the per-request records you receive over webhooks and read through the History API. Load them into your fraud, billing, or moderation tooling and apply your rules there.
Exports are free. They do not consume request balance. Billing is per identification only. See Billing.

Next steps

Risk Scoring

The per-request 0-100 score, its bands, and the signals behind it.

Stop fake signups

Use the Risk Score and patterns to flag multi-accounting at signup.

Traffic Analytics

The dashboard, the Data view, and how traffic quality is measured.