Risk score calculation
Mosaic’s Fraud Prevention framework continuously evaluates the risk associated with each user action to detect and prevent fraud in real time. This evaluation process relies on three core components that work together to assess threats and recommend the appropriate mitigation:
- Risk detection: During every user interaction, Mosaic collects behavioral, device, and contextual risk signals (telemetry) — such as device reputation, network context, and behavioral anomalies — to identify trust and risk indicators.
- Risk score calculation: The collected signals are processed by Mosaic’s risk engine, which combines deterministic and probabilistic logic to calculate a risk score ranging from 0 to 100. This score quantifies the likelihood of fraudulent activity for the evaluated action, with 0 being the lowest risk and 100 being the highest risk.
- Recommendations: Based on the calculated score, the system produces a risk recommendation — Trust, Allow, Challenge, or Deny — guiding how the system should respond in real time.
These recommendations enable organizations to apply proportional mitigation, escalating security measures only when the assessed risk justifies it.
This page explains how the risk score is determined and how it maps to the corresponding recommendation category.
For an overview of all components that cooperate in risk detection and mitigation, see Understand risk detection & mitigation components.
How the score is calculated
Mosaic evaluates a combination of signals collected during each user interaction. These signals are dynamically analyzed by Mosaic’s machine learning–based risk engine, which continuously adapts its models based on new telemetry and feedback to assign a real-time risk score.
Typical signals include:
- Device intelligence: Known or trusted device, emulator detection, IP reputation, and device fingerprint consistency.
- Behavioral analysis: Typing cadence, navigation patterns, and session anomalies.
- User context: Geolocation, network characteristics, and time of access.
- Network indicators: Use of VPN, proxy, Tor, or anonymizer services, as well as network reputation or hosting detection.
- Transaction attributes: Amount, frequency, and correlation with previous actions.
- Historical data: Prior risk scores, confirmed fraud cases, and account velocity indicators.
- Label-driven and reputation signals: Insights derived from analyst-applied labels and previously observed entity behavior across users, devices, and IPs.
Each factor contributes differently to the overall score depending on its relevance and severity. The resulting score is then mapped to one of the five risk levels.
Note
Mosaic’s risk scoring models are continuously refined through adaptive machine learning based on observed fraud patterns and real-time feedback.
Scores are computed in real time to support both step-up authentication and automated decisioning.
Risk levels and recommendations
Each recommendation type corresponds to a proportional mitigation level — from minimal friction (Trust / Allow) to full prevention (Deny).
| Risk level | Score range | Description | Recommendation |
|---|---|---|---|
| Low risk | 0–69 | Minimal indicators of fraud; the action appears safe and can proceed with standard checks | Trust / Allow |
| Moderate risk | 70–79 | Some indicators of potential fraud; closer scrutiny or additional verification is recommended | Challenge |
| Elevated risk | 80–89 | Multiple indicators of potential fraud; higher likelihood of fraudulent activity requiring additional verification | Challenge |
| High risk | 90–94 | Strong indicators of likely fraud; the action should be blocked and optionally reviewed manually | Deny |
| Very high risk | 95–100 | Highly suggestive of fraud; the action is almost certainly fraudulent and must be blocked immediately | Deny |
Mosaic defines score ranges using mathematical intervals noted as [X, Y) — meaning each range includes its lower value (e.g., 70) and extends up to, but does not include, the upper value (e.g., 80). This ensures that each score belongs to a single range.
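The following is an added example, not Mosaic code or part of its API, showing how a consuming service could apply the [X, Y) ranges from the table so that boundary and fractional values land in exactly one level. The names `classify` and `decide` are hypothetical, and the example assumes that scores may be fractional, that the top range includes 100, and that an unusable score is handled as Deny (a fail-closed policy chosen for this example).

```python
import math
from bisect import bisect_right

# Lower bounds of the half-open ranges [X, Y) taken from the table above.
LOWER_BOUNDS = [0, 70, 80, 90, 95]
LEVELS = [
    ("Low risk", "Trust / Allow"),
    ("Moderate risk", "Challenge"),
    ("Elevated risk", "Challenge"),
    ("High risk", "Deny"),
    ("Very high risk", "Deny"),
]
MAX_SCORE = 100  # assumption: the last range is closed, so 100 is included


def classify(score):
    """Return (risk_level, recommendation) for a numeric score in [0, 100]."""
    # bool is a subclass of int in Python; reject it so True is not read as 1.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError("score must be a number")
    if math.isnan(score) or not 0 <= score <= MAX_SCORE:
        raise ValueError("score must be within 0..100")
    # bisect_right counts the lower bounds that are <= score, so a score equal
    # to a bound (e.g. 80) falls in the range that starts there, and 79.999
    # stays in [70, 80).
    return LEVELS[bisect_right(LOWER_BOUNDS, score) - 1]


def decide(raw_score):
    """Recommendation for a score, failing closed on unusable input.

    Assumption of this example: a missing, non-numeric or out-of-range
    score is treated as Deny rather than silently allowed.
    """
    try:
        return classify(raw_score)[1]
    except ValueError:
        return "Deny"


if __name__ == "__main__":
    # Constructed sample scores around each boundary.
    for s in (0, 69.99, 70, 79.999, 80, 94.9, 95, 100, None, 101):
        print(repr(s), "->", decide(s))
```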