AI & Intelligence Engine

Three layers of AI intelligence, live on every transaction.

Caspix runs a fully operational multi-layer AI system: concurrent behavioral and network scoring, trained ML classifiers, fraud network graph analysis, six autonomous investigation agents, and a natural language Alert Analysis Copilot — all live in production, not on a roadmap.

Three layers of AI, all live in production

Each layer operates independently and feeds the next. Behavioral scoring runs in milliseconds; agents and Copilot run on analyst demand.

Layer 1

Real-Time Scoring Pipeline

Every transaction passes through concurrent behavioral rule signals, trained ML classifiers, behavioral anomaly detection, and fraud network graph analysis — all in parallel, in milliseconds.

Layer 2

Autonomous AI Agents

Six specialist agents run on demand: fraud investigation, rule optimization, insider threat detection, regulatory report drafting, executive intelligence, and alert triage.

Layer 3

Alert Analysis Copilot

A natural language interface that lets analysts query the entire platform — transactions, alerts, cases, account history, and network relationships — in plain English.

Four decision tiers in one unified score

A continuous 0–100 risk score maps to one of four outcome tiers. Every decision includes a full breakdown of which signals contributed and why.

LOW: ALLOW

Transaction passes all risk signals. Logged and allowed through with no analyst intervention required.

MEDIUM: ALLOW + LOG

Elevated signals present. Transaction is allowed but logged with full signal attribution for analyst review.

HIGH: REVIEW

Multiple risk signals triggered. Transaction is routed into the analyst review queue for disposition.

CRITICAL: BLOCK

High-confidence fraud signals. Transaction is blocked automatically before settlement with a fraud alert created.

How the score is built: Rule signals, ML classifier outputs, anomaly scores, and network graph signals are all evaluated concurrently per transaction and combined into a single composite score. Every contributor is named and attributed — visible to analysts and written to the audit log.

20+ signals across six intelligence categories

Detection signals span device identity, behavioral baselines, financial crime typologies, network and location intelligence, customer risk, and fraud network relationships.

Device & Identity Intelligence

Device Fingerprint Anomaly

Every device builds a behavioral profile over time. Significant deviations from an established device signature — hardware, software, or configuration changes — are flagged for elevated scoring.

Device History Risk

Devices previously linked to compromised sessions or confirmed fraud incidents carry a persistent risk contribution on subsequent transactions.

SIM-Device Mismatch

When a mobile identity appears across multiple device profiles in a compressed window — a pattern consistent with SIM swap attacks — a targeted risk signal is applied.

Behavioral Baselines

Off-Hours Activity

Transactions initiated outside normal banking operation windows receive elevated risk contributions based on time-of-day analysis.

Dormant Account Reactivation

Accounts with recent DORMANT status that suddenly initiate transactions receive an elevated risk contribution.

Daily Velocity Spike

Transaction count and cumulative daily amount are tracked per account. Unusual spikes relative to the account's established behavioral baseline trigger scoring contributions.

Interaction Pattern Deviation

Passive analysis of session interactions — timing, rhythm, and navigation sequences — is scored against each account's established behavioral baseline. Deviations consistent with account takeover or automation are flagged.

Financial Fraud Typologies

High-Value Transaction

Large transactions receive score contributions scaled to the amount — larger amounts contribute proportionally more, relative to institution-configured thresholds.

Odd-Amount Structuring

Odd-amount transaction patterns inconsistent with natural payment behavior are flagged as structuring indicators — a recognized financial fraud typology.

Circular Transfer Loop

When funds cycle between two accounts within a short detection window, a circular transfer pattern is detected and scored.

Network & Location Intelligence

High-Risk Network Indicator

Transactions originating from anonymization infrastructure, known high-risk IP ranges, or networks associated with prior fraud incidents receive elevated scoring.

Geographic Anomaly

When a transaction's physical origin is inconsistent with the account's established location history, a geographic anomaly contribution is applied.

Cross-Border Risk Signal

Transactions crossing national boundaries outside an account's established behavior — or involving jurisdictions with elevated risk profiles — contribute to the composite score.

Customer & Relationship Risk

Customer Risk Tier

Customers flagged as HIGH or MEDIUM risk tier contribute weighted score increments to every transaction they initiate.

KYC Verification Status

Customers with PENDING KYC status — unverified identity — add a score contribution regardless of transaction amount.

New Beneficiary Large Amount

Significant amounts sent to a first-time beneficiary are flagged for social engineering, drugging, account takeover (ATO), and mule account exposure.

Fraud Network Signals

Fraud Ring Connectivity

Accounts with verified network-level connections to confirmed fraud actors — even through several intermediary hops — receive a direct risk contribution independent of behavioral signals.

Mule Account Pattern

Accounts exhibiting structural money-mule characteristics — receiving funds from multiple sources and immediately forwarding them — are identified through relationship pattern analysis.

Shared Infrastructure Signals

Multiple accounts sharing device, network, or contact attributes in patterns inconsistent with legitimate relationships are flagged for network-level risk.

Trained ML models, live in production today

Rule signals are augmented by two trained ML models that run in parallel on every transaction. Both are in production today, not on a roadmap.

Live

Trained Fraud Classifier

A supervised ML classifier trained on analyst-labeled case outcomes produces a fraud probability for every transaction. It runs alongside rule signals and contributes directly to the composite risk score.

  • Trained on labeled outcomes from the case management system
  • Produces a calibrated fraud probability used in composite scoring
  • Falls back to a heuristic classifier if no trained model is loaded
  • Continuously retrainable as new labeled data accumulates

Live

Behavioral Anomaly Detection

A per-account anomaly model maintains a behavioral baseline for every account and scores each new transaction against that baseline — surfacing statistically unusual behavior independently of defined rules.

  • Per-account baselines built and updated automatically after every transaction
  • Detects anomalies the rule engine has no explicit rule for
  • Baseline adapts to legitimate behavioral change over time
  • Model drift monitoring alerts when scoring behavior shifts from its own baseline

Network graph analysis running on every transaction

Behavioral signals alone miss coordinated fraud. Caspix runs a live network graph analysis in parallel with behavioral scoring — mapping relationships between accounts, devices, and actors to detect patterns invisible in individual account data.

  • Fraud ring membership — direct network connections to confirmed fraud actors
  • Mule account patterns — fund aggregation and immediate forwarding structures
  • Insider-account linkages — staff-to-customer relationship flags for investigation
  • Multi-hop fund tracing — laundering paths identified across account chains
  • SIM swap chains — mobile identity appearing across multiple device histories
  • Shared infrastructure clustering — accounts grouped by shared device or network attributes

Why graph detection matters

Behavioral signals miss coordination

A mule account with no prior fraud history scores low on every behavioral signal. Its fraud ring membership — visible only in relationship data — is what flags it.

Independent weight — not averaged away

Graph intelligence contributes directly to the composite score. Relational evidence is weighted independently so it cannot be diluted by clean behavioral signals.

Fails safe — no impact on SLA

Graph analysis degrades gracefully when unavailable. All other scoring modules continue unaffected, maintaining ingest throughput and response time commitments.

Transparent decisions. Auditable at every step.

All intelligence modules run concurrently per transaction. Every score is accompanied by a full breakdown of which signals contributed, at what weight, and why — visible to analysts and written to the audit log in structured form for SIEM ingestion.

  • All intelligence modules run concurrently — no signal waits for another
  • Each module returns a named contribution, a score delta, and a human-readable reason
  • Composite score capped at 100 with configurable per-tier thresholds
  • Full attribution in every fraud evaluation response — analyst-visible and SIEM-logged
  • SHAP-style feature attribution identifies the dominant contributors to each outcome
  • Recommended analyst actions generated per decision — severity-appropriate and actionable
  • Model drift monitoring and shadow scoring run continuously post-evaluation
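
A minimal sketch of the aggregation described above, added here as an illustration and not Caspix's own code: modules run concurrently, each returns named contributions, the composite is capped at 100 and mapped to a tier, and a failed graph module is recorded rather than stopping the evaluation. The weights, tier thresholds, field names, and the `degraded_modules` field are all assumptions.

```python
import json
from collections import namedtuple
from concurrent.futures import ThreadPoolExecutor

Contribution = namedtuple("Contribution", "signal delta reason")  # name, score delta, reason

# Assumed tier floors, weights and field names; the page only says thresholds are configurable.
TIERS = [(85, "CRITICAL", "BLOCK"), (60, "HIGH", "REVIEW"),
         (30, "MEDIUM", "ALLOW_AND_LOG"), (0, "LOW", "ALLOW")]

def rule_signals(txn):
    out = []
    if txn["kyc_status"] == "PENDING":
        out.append(Contribution("kyc_pending", 15, "Customer identity is unverified"))
    if txn["new_beneficiary"] and txn["amount"] >= 100_000:
        out.append(Contribution("new_beneficiary_large_amount", 30, "Large first-time transfer"))
    return out

def ml_classifier(txn):
    p = txn["fraud_probability"]  # stand-in for a trained model's output
    return [Contribution("fraud_classifier", round(40 * p), f"Fraud probability {p:.2f}")]

def graph_signals(txn):
    if txn.get("graph_down"):  # simulates the graph service being unavailable
        raise TimeoutError("graph analysis unavailable")
    hops = txn.get("hops_to_confirmed_fraud")
    return [] if hops is None else [Contribution("fraud_ring_connectivity", 35, f"{hops} hops")]

MODULES = {"rules": rule_signals, "ml": ml_classifier, "graph": graph_signals}

def evaluate(txn):
    with ThreadPoolExecutor() as pool:  # all modules start at once; none waits for another
        futures = {name: pool.submit(fn, txn) for name, fn in MODULES.items()}
    contributions, degraded = [], []
    for name, fut in futures.items():
        try:
            contributions += fut.result()
        except Exception:  # a failed module is recorded; the rest still score
            degraded.append(name)
    score = min(100, sum(c.delta for c in contributions))  # composite capped at 100
    level, action = next((lv, act) for floor, lv, act in TIERS if score >= floor)
    return {"txn_id": txn["id"], "score": score, "risk_level": level, "action": action,
            "signals": [c._asdict() for c in contributions], "degraded_modules": degraded}

def siem_event(txn):
    return json.dumps(evaluate(txn), sort_keys=True)  # one structured line per decision

SAMPLE = {"id": "T-1", "amount": 250_000, "kyc_status": "PENDING", "new_beneficiary": True,
          "fraud_probability": 0.75, "hops_to_confirmed_fraud": 2}  # constructed, not real data
```

With the constructed sample, losing the graph module moves the outcome from CRITICAL/BLOCK to HIGH/REVIEW, which is why this sketch writes the degraded module name into the logged event.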

Every decision is explained

Each fraud evaluation returns the composite score, the signals that contributed, and a human-readable narrative — visible to analysts and written to the audit log.

Structured SIEM output

Scoring results are logged as structured events for ingestion into your SIEM pipeline — with risk level, action taken, and contributing signal identifiers.

Self-monitoring ML

Shadow scoring and model drift monitoring run automatically after every transaction. If the scoring model's behavior shifts, an alert surfaces before it impacts detection quality.

AI agents that investigate so analysts don't start from zero

Six specialist AI agents run on demand, each focused on a specific investigation or operational task. All are live in production.

Fraud Investigation Agent

Automatically assembles a full investigation brief for any alert: transaction history, account relationships, network connections, and AI risk narrative — in seconds, not hours.

Rule Optimization Agent

Analyzes false positive and false negative patterns across the detection engine and surfaces recommended rule adjustments to improve signal accuracy over time.

Insider Threat Agent

Detects collusion patterns between internal staff and customer accounts through behavioral and relationship-level analysis — without relying on manual reporting.

Regulatory Reporting Agent

Drafts Suspicious Activity Reports for qualifying cases, pre-populated with case evidence, timeline, and regulatory narrative aligned to CBK and FRC requirements.

Executive Intelligence Agent

Generates daily institutional fraud posture summaries — trend analysis, open case status, channel risk breakdown — automatically refreshed and ready for leadership review.

Alert Triage Agent

Automatically prioritizes and routes incoming alerts based on risk score, account history, case patterns, and analyst queue depth — reducing triage time at volume.

Query your entire fraud platform in plain English

The Alert Analysis Copilot is a natural language investigation interface built for fraud analysts. Instead of building queries or navigating dashboards, analysts describe what they need — and the Copilot assembles an investigation-grade response from live platform data.

  • Query transactions, alerts, cases, account history, and network relationships in plain English
  • Live data retrieval — responses are grounded in current platform data, not static reports
  • Streamed responses for long investigations — results arrive as they are assembled
  • East African fraud typology context built in: SIM swap, mobile money, agent banking, insider collusion
  • Every response cites specific data points — account IDs, amounts, dates, signal attributions
  • No SQL or technical skills required — designed for frontline fraud analysts

Example Copilot queries

Show me all suspicious activity linked to this phone number this week.

Why was this transaction blocked? Explain the contributing signals.

Are there any mule account patterns in accounts opened in the last 30 days?

Which active cases involve the same device as this alert?

Summarise the fraud exposure on all HIGH-risk accounts in this region.

Where we are, and where we are going

The full AI intelligence stack is live today. The roadmap builds deeper learning on top of it.

Live Today

Full AI Intelligence Stack

Multi-layer scoring (rule signals + trained ML classifiers + behavioral anomaly detection + fraud network graph analysis), six autonomous investigation agents, and the Alert Analysis Copilot are all live in production.

Next Phase

Deep Learning Signal Models

Sequence-aware deep learning models to improve temporal pattern detection; graph neural networks trained on accumulated labeled data to replace heuristic fraud ring analysis.

Future Roadmap

Iterative Agentic Investigation Loops

Agents that iteratively pull platform data mid-investigation — forming hypotheses, querying additional context, and refining conclusions — without analyst prompting at each step.

See the full AI stack against your fraud scenarios

We run structured demos against real-world East African fraud typologies — mobile money fraud, internal fraud, account takeover, and coordinated fraud rings.