---
title: Risks
description: A risk is Rupt's read on what an evaluation looks like, scored per category and graded by severity. Risks summarize; they don't dictate the verdict. Your policies decide what to do.
---

# Risks

A risk is Rupt's read on what an [evaluation](/docs/v3/concepts/evaluations) looks like (_this smells like account takeover, this looks like a fake account_), scored per category and graded by severity. A risk never dictates the [verdict](/docs/v3/concepts/verdicts) on its own. It's a summary, and your [policies](/docs/v3/concepts/policies) decide what to do with it.

## How a risk is scored

Risks are built from the ground up:

- **[Signals](/docs/v3/concepts/signals)** are the raw measurements Rupt collects from the user's environment.
- **[Checks](/docs/v3/concepts/checks)** turn those signals into specific facts: is this IP a VPN, has this user moved impossibly far since last seen.
- A **risk** takes the checks that predict it, weights each by how much it counts, and adds them up.

That weighted total is the score, and each risk maps its score to one of four severities: `low`, `medium`, `high`, or `maximum`.

The cutoffs aren't shared across risks. Each risk sets its own, because the same check can carry very different weight depending on what you're detecting: a score one risk treats as `high` might still be `medium` for another. Severity also depends on how the checks combine, not just how many fire: for [account sharing](/docs/v3/concepts/account-sharing), [concurrent sessions](/docs/v3/concepts/concurrency) and [impossible travel](/docs/v3/concepts/impossible-travel) together rank far higher than either alone, while a modest [device](/docs/v3/concepts/devices) count on its own stays low.

The severities roll up into a `risk_summary` on the [evaluation](/docs/v3/concepts/evaluations). Read it in your own logic, or write a [policy](/docs/v3/concepts/policies) over the [checks](/docs/v3/concepts/checks) behind a risk. Matching a policy directly on a risk severity is coming soon.
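The scoring model described in this section, as an added sketch that is not Rupt's code: every check name, weight, combination bonus, and cutoff below is a constructed value, and the shape of the returned summary is an assumption. It shows per-risk cutoffs and how two checks that reinforce each other outrank either one alone.

```javascript
// Illustrative model only: check names, weights, combo bonuses and cutoffs
// are constructed for this example and are not Rupt's real values.
const RISKS = {
  ato: {
    weights: { new_fingerprint: 25, new_ip: 15, impossible_travel: 35, anonymizing_network: 20 },
    combos: [],
    cutoffs: { medium: 30, high: 55, maximum: 80 },
  },
  account_sharing: {
    weights: { concurrent_sessions: 20, impossible_travel: 20, many_devices: 10 },
    // Checks that reinforce each other add more than the sum of their parts.
    combos: [{ all: ["concurrent_sessions", "impossible_travel"], bonus: 40 }],
    cutoffs: { medium: 25, high: 50, maximum: 75 },
  },
};

// Weighted total of the checks that fired, plus any combination bonus.
function scoreRisk(risk, fired) {
  const on = new Set(fired);
  let score = 0;
  for (const [check, weight] of Object.entries(risk.weights)) {
    if (on.has(check)) score += weight;
  }
  for (const combo of risk.combos) {
    if (combo.all.every((c) => on.has(c))) score += combo.bonus;
  }
  return score;
}

// Each risk maps its own score to a severity using its own cutoffs.
function severityFor(risk, score) {
  if (score >= risk.cutoffs.maximum) return "maximum";
  if (score >= risk.cutoffs.high) return "high";
  if (score >= risk.cutoffs.medium) return "medium";
  return "low";
}

// Build a per-risk summary (hypothetical shape) from one evaluation's fired checks.
function summarize(fired) {
  const summary = {};
  for (const [name, risk] of Object.entries(RISKS)) {
    summary[name] = severityFor(risk, scoreRisk(risk, fired));
  }
  return summary;
}

console.log(summarize(["many_devices"]));
console.log(summarize(["concurrent_sessions", "impossible_travel"]));
```

With these constructed numbers, the same `impossible_travel` check lands `ato` at `medium` while leaving `account_sharing` at `low`, and a raw score of 50 is `high` for one risk and `medium` for the other.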

## Standard risks

Rupt ships with a standard set of risks out of the box, and the list grows as the fraud landscape shifts. You don't configure anything to get them. Most are scored for your policies to act on directly; a few Rupt only records for visibility.

### Acted on by policies

Each of these is scored so your [policies](/docs/v3/concepts/policies) can match it directly, weighting every [check](/docs/v3/concepts/checks) by how strongly it predicts the risk.

- **[Account takeover](/docs/v3/concepts/account-takeover) (`ato`)**: someone other than the owner is signing in. Leans on a new [fingerprint](/docs/v3/concepts/fingerprints), a [new IP](/docs/v3/concepts/ip), [impossible travel](/docs/v3/concepts/impossible-travel), and [anonymizing networks](/docs/v3/concepts/anonymizing-network).
- **[Fake account](/docs/v3/concepts/fake-account) (`fake_account`)**: the signup probably isn't a real person. Driven by [email quality](/docs/v3/concepts/email): disposable, invalid, unverified, or webmail.
- **[Account sharing](/docs/v3/concepts/account-sharing) (`account_sharing`)**: one account, several people. Shows up as [concurrent sessions](/docs/v3/concepts/concurrency), [impossible travel](/docs/v3/concepts/impossible-travel), and a pile of [devices](/docs/v3/concepts/devices) on one account.
- **[Scraping](/docs/v3/concepts/scraping) (`scraping`)**: automated extraction rather than a human. Flagged by [anonymizing networks](/docs/v3/concepts/anonymizing-network) and high [velocity](/docs/v3/concepts/velocity).
- **[Linked accounts](/docs/v3/concepts/linked-accounts) (`linked_accounts`)**: separate accounts sharing the same [fingerprint](/docs/v3/concepts/fingerprints). Catches multi-accounting and ban evasion.

### Recorded for visibility

Rupt scores these on every evaluation but doesn't act on them by default. They surface in the dashboard so you can keep an eye on them.

- **`bot`**: automated, non-human traffic. See [Bots](/docs/v3/concepts/bots).
- **`tampering`**: the client environment has been modified to lie about itself.
- **`anti_fingerprinting`**: the user is running tooling built to defeat fingerprinting, like Tor Browser, Brave farbling, or Firefox RFP.
- **`incognito`**: the session is in private browsing mode.
- **`replay_attack`**: a captured evaluation is being replayed instead of run fresh.

## Custom risks (coming soon)

Soon you'll be able to define your own risks in the dashboard. Since a risk is just a weighted set of [checks](/docs/v3/concepts/checks), and checks are derived from [signals](/docs/v3/concepts/signals), you'll pick the checks that matter, set how much each one counts, and choose the score thresholds that map to severity, the same machinery Rupt's built-in risks run on. That lets you target whatever's specific to your business: fraudulent listings, low-intent leads, payout abuse, and the like.

This is coming very soon.

## Where risks fit

Risks summarize. [Policies](/docs/v3/concepts/policies) decide. The [verdict](/docs/v3/concepts/verdicts) acts.
