Behavioral analytics for SaaS fraud detection.
Real users behave like real users. They wander, they pause, they make typos, they explore. Bots execute. Freeloaders navigate with surgical precision because they've been here before. Scrapers move at metronomic intervals. Credential stuffers run the same form submission a thousand times in a row.
Behavioral patterns are the hardest fraud signal to fake — because faking them costs the attacker the speed and scale that made the fraud worthwhile in the first place. Dregs's behavioral analytics — also called user behavior analytics, or UBA — score every user continuously against your baseline of real customers, surfacing the ones whose patterns don't fit.
What Is Behavioral Analytics
Behavioral analytics looks at how a user interacts with your application, not just what credentials they show up with. A user with a clean email, a unique device, and a real name can still be a fraudster — and frequently is, since those are the surface signals every abuser learns to fix first. What's much harder to fake is the way they navigate, the rhythm of their actions, and how their patterns compare to other identities in your system. That pattern data is what behavioral analytics turns into a signal.
Dregs treats behavior as a first-class signal and aggregates it into a Behavior score that sits alongside Humanity, Authenticity, and Uniqueness. Together, the four scores give you a full picture of risk: who they claim to be, how human they look, how unique they are, and how they actually act.
Behavioral Analytics, UBA, and UEBA
The terms behavioral analytics, user behavior analytics (UBA), and user and entity behavior analytics (UEBA) show up in overlapping ways, and it's worth being precise about which one Dregs is.
- Behavioral analytics is the broadest term — any analysis of behavior over time, applied to users, customers, or any kind of actor. It shows up across product analytics, fraud detection, marketing, and security domains.
- User Behavior Analytics (UBA) narrows the scope to user activity, usually in a security or fraud context. The focus is per-user baselining and anomaly detection: every user's normal looks different, and the goal is to spot when an individual user's current behavior diverges from theirs or from the population's.
- User and Entity Behavior Analytics (UEBA) extends UBA to also cover non-user entities — service accounts, devices, applications, network endpoints. It's the term the enterprise security industry has settled on for SOC-grade tooling like Splunk UBA, Exabeam, Securonix, and Microsoft Defender for Identity.
Dregs is what most teams would call UBA: per-user behavioral analytics for external SaaS users — your signups, customers, and prospects, not your internal employees or service accounts. If you're trying to put behavioral analytics on the people using your application to catch abuse, that's exactly what this page is about. If you're trying to place Dregs against the enterprise UEBA category, the UEBA page covers that comparison directly.
How Dregs Does Behavioral Analytics
Behavioral analytics in Dregs run on your existing event stream — the same tracking calls you'd send to a product analytics tool. As events arrive, Dregs aggregates them per identity and runs a pipeline of analyzers, each looking for one specific kind of behavioral signal:
- Navigation patterns — how a user moves through your app, with attention to unnaturally efficient or repetitive paths
- Event timing — humanlike pauses versus inhuman cadence, scheduled-looking intervals, and burst patterns
- Session structure — session length, depth, time-of-day distribution, and how it compares to your real users
- Interaction patterns — the order and combinations of actions a user takes within a session
- Cross-session repetition — whether a user is repeating behavior unnaturally cleanly across sessions or across linked identities
- Anomaly detection — usage patterns that diverge sharply from the baseline of legitimate users
Each analyzer produces observations against the Behavior category, and the scoring engine aggregates them into the 0–100 Behavior score you see on every identity. The full list of contributing observations is preserved, so a low Behavior score always traces back to specific signals you can audit.
See Behavioral Analytics in Action
Below are two live event streams: one from a typical legitimate user, one from a problematic one. Watch how the Behavior score shifts in real time as events arrive.
What Makes Dregs Different
Behavioral analytics aren't unique to Dregs. What's different is the integration: behavior isn't a separate product, separate dashboard, or separate billing meter — it's one of the four identity scores running on every identity, with the same data, the same rules engine, and the same automation surface as the rest of the platform.
Continuous, Not Triggered
Behavior scoring updates with every event — there's no rule to fire, no threshold to cross before analysis begins. A user who looks fine at signup and starts misbehaving on day three has their Behavior score reflect it within seconds.
Combined With Other Signals
A low Behavior score on its own can mean a quirky power user. Combined with low Uniqueness (shared device) or low Humanity (automation signatures), it's nearly always abuse. The four-score system makes Behavior more powerful, not less.
Customizable
On the Advanced plan, write custom analyzers in JavaScript that encode behavioral patterns specific to your product. Anything you can describe in code — sequences, ratios, timing relationships — can become a behavioral signal that feeds the score.
Cross-Identity Awareness
Behavior analyzers can see across identities, not just within one. Two accounts with suspiciously similar interaction profiles get linked — the same person running the same playbook twice, with no shared device required.
Behavioral Analytics for Fraud Is Not Product Analytics
A reasonable question: if you're already sending events to Mixpanel, Amplitude, or PostHog, why send them to Dregs? The two systems serve different goals.
Product analytics tools are descriptive. They aggregate user behavior into cohorts, funnels, and retention curves so you can understand what's happening across your user base. Dregs is prescriptive: it scores individual users for fraud risk in real time and pushes those scores back to your application via webhook so you can take action immediately.
The two are complementary. Most teams send the same events to both — product analytics for growth and retention, Dregs for fraud detection and abuse prevention. Dregs doesn't replace product analytics, and product analytics doesn't surface fraud signals.
When Behavior Alone Isn't Enough
Behavioral signals work best when there's enough behavior to look at. A brand-new user who just signed up and hasn't generated any events yet won't have a strong Behavior score — and that's correct, because there's nothing to score yet. For these moments, the other three scores carry more weight: Authenticity catches obviously fake profile data, Humanity catches bots, Uniqueness catches users sharing a device with previous accounts.
Sophisticated attackers also adapt. Industrial fraud rings learn to inject randomness, add pauses, and humanize their click patterns. Dregs catches most of this through cross-identity similarity (the same humanization script applied to a hundred accounts produces an obvious pattern at the population level) and through the other three scores. But it's why Behavior is one of four signals, not a single source of truth.
Where Behavioral Analytics Helps Most
Bot Detection
Inhuman timing and repetitive patterns are the clearest bot signals.
Credential Stuffing
Behavioral velocity and identity cycling expose stuffing attacks before they succeed.
Free Trial Abuse
Returning freeloaders navigate with unnatural efficiency because they've been here before.
Included With Every Dregs Plan
Behavioral analytics run on every event you send and are part of every Dregs plan. Plans start at $17/month. Custom behavioral analyzers are available on the Advanced plan. See the pricing page for details.
Frequently Asked Questions
Q: What's the difference between behavioral analytics, user behavior analytics (UBA), and UEBA?
A: The terms overlap heavily and are often used interchangeably. Behavioral analytics is the broadest — any analysis of behavior over time, applied to users, customers, or any kind of actor. User Behavior Analytics (UBA) narrows the scope to user activity specifically, typically in a security or fraud context. User and Entity Behavior Analytics (UEBA) extends UBA to also cover non-user entities — service accounts, devices, applications — and is the term the enterprise security industry has settled on for SOC tooling. Dregs does what most teams call UBA: per-user behavioral scoring of external SaaS users. The UEBA page covers how Dregs compares to traditional enterprise UEBA products.
Q: What events do I need to send for behavioral scoring to work?
A: The minimum useful set is page views and key user actions — signups, logins, important conversions, and any interaction that distinguishes a real user from a casual visitor or automated script. Dregs analyzes the stream you already send. You don't need to instrument anything specifically for fraud detection; the same events you'd send to a product analytics tool are what feed the Behavior score. The richer your event stream, the more behavioral signal Dregs can extract.
Q: How long until behavior scoring becomes accurate?
A: Some signals are accurate from the first few events — automation signatures, inhuman timing, repetitive navigation patterns within a single session. The signals that compare against your baseline of legitimate users sharpen over time as Dregs builds up data. Most teams see useful Behavior scores within the first day of integration, with continuous improvement over the following weeks. There's no required training period before scoring starts producing actionable signals.
Q: Does behavioral analysis work for B2B SaaS, or only consumer apps?
A: Both. The signals are different — B2B users tend to have lower volume but more deliberate, repeatable patterns; consumer apps see higher volume with broader behavioral diversity. Dregs adapts to either by aggregating against the actual usage patterns of your real users rather than assuming a particular shape. The Behavior score is most useful in B2B for catching credential stuffing, scraping competitors, and shared-account abuse; in consumer apps it's more about bots, content spam, and free trial cycling.
Q: Can I define what 'good behavior' looks like for my product?
A: Yes, two ways. First, by marking known-good users as 'disregarded' so they're excluded from baseline calculations and you keep your behavioral norms grounded in actual customers rather than mixed with bots and abusers. Second, on the Advanced plan, by writing custom analyzers in JavaScript that produce behavioral observations specific to your domain — for example, 'this user is exploring features in an unusually directed pattern that suggests prior knowledge from a previous account.'
Q: How is this different from product analytics tools like Mixpanel or Amplitude?
A: Product analytics tools are descriptive — they tell you what happened, broken down by cohorts and segments. Dregs is prescriptive: it scores individual users for fraud risk in real time, and pushes those scores back to your application via webhook so you can act on them automatically. The two are complementary. You can send the same events to both: Mixpanel for retention and funnel analysis, Dregs for fraud detection and abuse prevention. Dregs doesn't replace product analytics, and product analytics doesn't replace Dregs.
Q: What signals does Behavior look at without custom training?
A: Out of the box: navigation patterns (how the user moves through your app, including unnaturally efficient paths that suggest prior knowledge or automation), event timing (humanlike pauses versus inhuman cadence or scheduled-looking intervals), session structure (length, depth, time-of-day distribution), interaction patterns within a single session, and repetition across sessions or across linked identities. None of this requires you to label any data — Dregs computes the signals from the events you're already sending.
Behavioral analytics, automatically.
Drop the Dregs tracking script into your application and start scoring every user's behavior automatically — no custom rules, no manual thresholds, no machine learning team required.
Schedule a Demo