Manual

Alerts

Stop reacting to fraud after the damage is done. Dregs alerts your team the moment a user's risk profile crosses your thresholds — in the dashboard, by email, on Slack, or via webhooks to your own systems.

What Are Alerts

An alert is a notification triggered when an identity's scores or badges match conditions you define. When Dregs re-scores an identity and the result matches one of your alert rules, the alert fires.

Alerts serve as the bridge between passive monitoring and active response. Without alerts, you would need to watch the dashboard constantly. With alerts, Dregs watches for you and tells you when something needs attention.

Alert Rules

Alert rules define the conditions that trigger alerts. You create rules in the dashboard under Settings, and each rule specifies what to look for and what to do when it matches.

Score Thresholds

The most common condition: trigger an alert when a score drops below (or rises above) a threshold you set. You can set thresholds on any of the four dimensions independently.

  • Humanity below 30 — likely a bot or automated script
  • Uniqueness below 50 — probable duplicate account
  • Authenticity below 40 — fake or disposable identity data
  • Any single score below 25 — serious red flag in any dimension

You can combine score conditions in a single rule. For example, "Humanity below 40 AND Authenticity below 50" targets identities that look both automated and fake — a narrower, higher-confidence match than either condition alone.

Badge Conditions

Alert rules can also trigger based on badge presence or absence. This is powerful because badges represent settled classifications, not momentary score fluctuations.

  • Identity has the "Suspicious" badge — badge rules have already confirmed this identity is problematic
  • Identity does not have the "Verified" badge — an expected badge was never assigned, which warrants investigation

Identity Age

Restrict alerts to identities of a certain age. This is useful for focusing on new signups (where fraud is most concentrated) without generating noise from established users whose scores may temporarily fluctuate.

Severity

Every alert rule has a severity level that determines how urgently your team should respond:

  • Info — worth noting, but not urgent. Review when convenient.
  • Warning — needs attention soon. Something is off and should be investigated.
  • Critical — act immediately. Strong evidence of fraud or abuse that could cause damage right now.

Use severity to prioritize your team's response. A well-configured alert system uses all three levels: Info for monitoring edge cases, Warning for likely problems, Critical for confirmed threats.

Notification Channels

Each alert rule specifies where to send the notification. You can select multiple channels per rule:

  • Dashboard — always available, alerts appear in the Alerts section of the Dregs dashboard
  • Email — send alert details to team members' inboxes
  • Slack — post alerts to a Slack channel for team visibility
  • Webhooks — send structured payloads to your own backend for automated response

See Channels for details on setting up notification delivery.

Alert Lifecycle

Every alert follows a three-stage lifecycle:

  • Open — the alert has been created and no one has acted on it yet. Open alerts demand attention.
  • Acknowledged — someone on your team has seen the alert and is investigating. This prevents duplicate work when multiple people monitor the dashboard.
  • Closed — the alert has been resolved. The issue was addressed, determined to be a false positive, or otherwise handled.

This lifecycle keeps your alert queue manageable. New alerts start as Open. Your team acknowledges them to signal ownership. Closing them clears the queue and builds a historical record of how incidents were handled.

Alert Summary

The dashboard provides an alert summary with counts of Open, Acknowledged, and Closed alerts, giving your team a triage view at a glance. If open alerts are piling up, something needs attention. If most alerts are closed, your rules are working and your team is keeping up.

You can filter alerts by status, severity, and associated identity to quickly find what matters most.

Example Use Cases

Here are common alert configurations that work well across many applications:

Bot Detection

Alert when a new signup has a Humanity score below 25. Set severity to Critical and notify via webhook so your backend can automatically restrict the account while your team investigates.

Duplicate Account Detection

Alert when Uniqueness drops below 40. Set severity to Warning. This catches free trial abusers, ban evaders, and referral fraudsters. Pair with a "Freeloader" badge rule for automatic classification.

Account Compromise

Alert when a previously stable user's Behavior score drops by a large amount. A sudden shift in behavioral patterns — new IP ranges, unusual hours, rapid session creation — may indicate the account has been taken over.

Suspicious Signups

Alert when a new identity (less than 24 hours old) has an Authenticity score below 40. Disposable emails, fake names, and inconsistent data at signup are the earliest warning signs. Set severity to Info or Warning depending on your tolerance.

Alerts work best when combined with badges. Badges settle over time (thanks to hysteresis), and using badge conditions in alert rules avoids noisy alerts from momentary score fluctuations.
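
The rule conditions and use cases above, modelled as an added example (this is not Dregs code; real rules are configured in the dashboard). The `Identity` and `Rule` classes, the 24-hour window on the bot rule, and the severities marked "(assumed)" are assumptions; the thresholds are the ones this page gives.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Optional

SEVERITY_RANK = {"Critical": 0, "Warning": 1, "Info": 2}

@dataclass
class Identity:  # hypothetical shape, not Dregs' data model
    name: str
    scores: dict                 # dimension name -> current score
    age: timedelta               # time since the identity was first seen
    badges: set = field(default_factory=set)

@dataclass
class Rule:  # hypothetical model of one dashboard alert rule
    name: str
    severity: str
    below: dict = field(default_factory=dict)  # dimension -> threshold, ANDed
    has_badges: frozenset = frozenset()        # badges that must be present
    lacks_badges: frozenset = frozenset()      # badges that must be absent
    max_age: Optional[timedelta] = None        # match only younger identities

    def matches(self, ident: Identity) -> bool:
        if self.max_age is not None and ident.age >= self.max_age:
            return False
        if not self.has_badges <= ident.badges or self.lacks_badges & ident.badges:
            return False
        # A dimension with no score yet never satisfies a "below" condition.
        return all(d in ident.scores and ident.scores[d] < t
                   for d, t in self.below.items())

DAY = timedelta(hours=24)  # "new signup" window; assumed for the bot rule
RULES = [  # thresholds from the page; severities marked (assumed) are not
    Rule("Bot signup", "Critical", {"Humanity": 25}, max_age=DAY),
    Rule("Duplicate account", "Warning", {"Uniqueness": 40}),
    Rule("Suspicious signup", "Warning", {"Authenticity": 40}, max_age=DAY),
    Rule("Automated and fake", "Warning", {"Humanity": 40, "Authenticity": 50}),  # (assumed)
    Rule("Suspicious badge", "Critical", has_badges=frozenset({"Suspicious"})),   # (assumed)
]

def evaluate(ident: Identity, rules=RULES) -> list:
    """Return (severity, rule name) for each matching rule, most urgent first."""
    hits = [(r.severity, r.name) for r in rules if r.matches(ident)]
    return sorted(hits, key=lambda h: SEVERITY_RANK[h[0]])

# Constructed sample identities (not real data).
BOT = Identity("signup-bot", {"Humanity": 12, "Uniqueness": 80, "Authenticity": 35}, timedelta(hours=2))
DIP = Identity("old-user-dip", {"Humanity": 38, "Uniqueness": 90, "Authenticity": 70}, timedelta(days=400))
DUP = Identity("trial-abuser", {"Humanity": 85, "Uniqueness": 30, "Authenticity": 35}, timedelta(days=30), {"Suspicious"})
```

The long-standing user whose Humanity dips to 38 matches nothing because the combined rule also requires Authenticity below 50, and the 30-day-old account is caught by the duplicate and badge rules but not by the age-restricted signup rule.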