{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Guides","product":"Identity Management","type":"markdown"},"seo":{"title":"How Identity Threat Protection works","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"how-identity-threat-protection-works","__idx":0},"children":["How Identity Threat Protection works"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authentication alone doesn't tell you whether a login is legitimate. A valid password can come from a compromised device, an anonymized network, or a location that contradicts the user's recent activity. Without real-time risk awareness, identity flows treat every authentication attempt equally — leaving gaps that attackers exploit through credential stuffing, brute force attacks, and other techniques that lead to account takeover."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic's Identity Threat Protection brings real-time risk awareness directly into identity flows."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"what-is-identity-threat-protection","__idx":1},"children":["What is Identity Threat Protection"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Identity Threat Protection is a set of journey-native risk detection capabilities that identify common identity-driven threats and anomalous access patterns during user interactions."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["It collects and correlates 25+ risk factors from device, network, location, and behavioral signals, and exposes them to journeys so you can make informed decisions on how to proceed with sensitive actions like logins and registrations."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Identity Threat Protection is intentionally scoped for identity use cases. It does not require model tuning, investigator workflows, or post-event analysis — making it a good fit for organizations that want to adapt identity flows based on risk without deploying a standalone fraud platform or operating a dedicated fraud team."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Looking for more advanced fraud detection?"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you need ML-driven recommendations, behavioral biometrics, risk scoring, or full analytics, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/risk/overview"},"children":["Fraud Prevention"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"capabilities","__idx":2},"children":["Capabilities"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Identity Threat Protection supports the following capabilities:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Brute force mitigation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Credential stuffing prevention"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Account takeover protection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Login velocity / frequency anomaly detection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Device consistency evaluation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["New device detection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["IP reputation / proxy / TOR detection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Geo-velocity / impossible travel detection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Location risk scoring"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Session anomaly detection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Bot detection / bot prevention"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["High-risk registration pattern mitigation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Shared device / IP across accounts detection"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"collected-data","__idx":3},"children":["Collected data"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The engine enhances Mosaic's existing data collection by incorporating additional contextual signals:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Device data (crypto keys, characteristics)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Browser data (user agent, configuration, anomalies)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["IP and network data (reputation, geolocation, ASN, proxy indicators)"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["It also utilizes data already collected throughout standard journey flows:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["User profile attributes"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Authentication context"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Event and behavioral signals"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This unified data model ensures that risk evaluation is both comprehensive and consistent with existing Mosaic capabilities."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"allow-and-deny-rules","__idx":4},"children":["Allow and deny rules"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can define explicit allow and deny ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/risk/rules"},"children":["rules"]}," under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Journey Tools"]}," to control how specific entities are handled during journey execution:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow rules"]},": define trusted entities (e.g., IP ranges, devices) that bypass risk-based restrictions"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deny rules"]},": restrict or block access from specific origins or attributes"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["These rules operate alongside the Identity Threat Protection engine and let you refine or override risk-based outcomes. They can be incorporated into journey logic to immediately allow trusted users, block known malicious sources, or route users based on predefined policies."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"next-steps","__idx":5},"children":["Next steps"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Learn how to ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/auth_risk_based"},"children":["build a risk-based authentication flow"]}," using Identity Threat Protection and journeys."]}]},"headings":[{"value":"How Identity Threat Protection works","id":"how-identity-threat-protection-works","depth":1},{"value":"What is Identity Threat Protection","id":"what-is-identity-threat-protection","depth":2},{"value":"Capabilities","id":"capabilities","depth":2},{"value":"Collected data","id":"collected-data","depth":2},{"value":"Allow and deny rules","id":"allow-and-deny-rules","depth":2},{"value":"Next steps","id":"next-steps","depth":2}],"frontmatter":{"seo":{"title":"How Identity Threat Protection works"}},"lastModified":"2026-05-25T14:44:32.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/user/identity_threat_protection","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}