Dashboard Manual Pricing Use Cases

Linked account detection through the identity graph.

Multi-account fraud doesn't usually look like fraud one account at a time. A freeloader on their fifth trial, a referral self-referrer, a banned user evading their ban — each individual account often passes muster. The pattern only emerges when you connect them.

Dregs builds an identity graph automatically as events flow in. Every shared device, IP, or session becomes a relationship between identities. Every similar name or email becomes a weaker but still useful link. The result is a navigable graph of who's connected to whom — and a lot of fraud that was invisible at the account level becomes obvious at the graph level.

Start Free Trial Schedule Demo

What Is an Identity Graph

An identity graph is a network of accounts and the connections between them. In Dregs, every user identity is a node. Whenever Dregs detects that two identities are likely the same person — or the same group of coordinated people — it creates an edge between them, tagged with the type of evidence that connects them.

The graph isn't speculative. Every edge is backed by a concrete observation: a specific fingerprint shared between two browsers, a specific session that touched both accounts, a specific IP that sent events for both. You can audit any link and see exactly why Dregs drew it.

How Identities Get Linked

Dregs creates relationships of six types, each with a different strength signal:

Same device Two identities active on the same browser fingerprint. The strongest single signal — legitimate users rarely share fingerprints.

Shared session Both identities active in the same browsing session. Stronger than shared device — same person within minutes of each other.

Shared IP Active from the same IP address. Useful but weaker — coffee shops, offices, and shared networks generate legitimate matches.

Similar name Names that match closely — variants, transliterations, simple respellings — measured with string similarity functions.

Similar email Email addresses with shared structure, plus-aliasing patterns, or matching local-part with different domains.

Similar behavior Identities with overlapping usage patterns, navigation paths, or temporal profiles — hard to fake when fraud is industrialized.

Each edge stores its type and the underlying evidence, so you can filter the graph by confidence. "Show me only same-device links" produces an extremely high-precision graph; adding similar-name links broadens the recall at some cost to precision.

Walking the Graph

The most valuable thing about a graph isn't the immediate neighbors — it's what you find by walking. Multi-account fraud rings tend to be tightly connected: one account links to three, each of those links to two more, and within a few hops you've found the whole ring.

The dashboard surfaces direct links per identity and lets you pivot into any related identity to see *its* links, repeating until the graph closes. The REST API exposes the same traversal programmatically — useful when you want to automate "ban everyone linked to this account, transitively" without hand-walking the graph in the dashboard.

Built In, Not Bolted On

Identity graphs aren't new. What's unusual about how Dregs handles them:

Automatic, Not Configured

You don't write rules to link accounts. Dregs creates relationships as events flow in, using the same analyzer pipeline that produces scores. New types of connections light up the moment the data is available — no schema changes, no migrations.

Tied to Scoring

The graph isn't a separate report — it directly feeds the Uniqueness score. An identity with three linked siblings has a low Uniqueness score automatically, which means it surfaces in your dashboard, badges, and alerts without any extra configuration.

Multiple Edge Types

Not just shared devices. Dregs links by IP, session, name, email, and behavior, each with its own strength signal — so you can build a high-precision graph from same-device links alone, or a higher-recall graph that includes weaker signals.

Disregarding Cleans the Graph

Mark an identity as disregarded — your office machines, QA bots, support team accounts — and Dregs excludes it from the graph everywhere. No false-positive rings made of your own employees.

When the Graph Misses

Identity graphs are powerful but not omniscient. The most common ways legitimate users get linked are shared household devices (parent and teenager on the same laptop), shared mobile networks (carrier-grade NAT puts thousands of phones behind one IP), and shared workplaces (coworkers on the office Wi-Fi). Dregs flags these — that's correct behavior — but it's on you to triage them. The relationship type and evidence make this easy: a SAME_DEVICE link is actionable; a SHARED_IP link with no other signal usually isn't.

On the other side, attackers using clean devices on residential proxies with hand-crafted profiles can avoid the strongest edges. The graph still catches them — usually through behavior similarity, similar-email patterns, or eventually through shared sessions when they accidentally cross-pollinate accounts — but the link will be weaker. That's why Dregs scores on four dimensions rather than relying on the graph alone.

Where the Identity Graph Helps

Wherever fraud involves multiple accounts.

Duplicate Accounts

One person, several accounts. Same-device and shared-session links catch most cases automatically.

Referral Fraud

Self-referrals always link to the referrer through device, IP, or session. The graph exposes the cycle.

Free Trial Abuse

Every new trial from a previously seen device adds an edge. After two cycles, the pattern is undeniable.

Included With Every Dregs Plan

The identity graph is built automatically from your events — there's nothing extra to enable. It's part of every Dregs plan, including $17/month Starter. Custom relationship types via custom analyzers are available on Advanced. See the pricing page for details.

Frequently Asked Questions

Q: How does Dregs decide that two accounts are linked?

A: Dregs creates a relationship whenever two identities share an attribute that legitimate users rarely share by accident. The strongest is a shared device fingerprint — two accounts active on the same browser are almost always the same person or two people in the same household. Other relationship types include shared IP, shared session, similar email patterns, similar names, and similar behavioral profiles. Each relationship has a type, so you can tell whether two accounts share a laptop versus just visited from the same coffee shop.

Q: Can I see all related identities for a given user?

A: Yes. The dashboard shows a relationships panel on every identity, listing every other identity Dregs has connected to it and the type of connection. The same data is available through the REST API at the identity endpoints. Each relationship records the evidence — the specific device, IP, or session that triggered the link — so you can audit why two accounts were connected.

Q: Does the graph follow indirect links — friend-of-friend?

A: Yes, by walking. The dashboard shows direct relationships per identity, but you can pivot from any related identity into its own relationships and continue from there. This is how multi-account fraud rings unwind: you start with one suspicious account, find its three linked siblings, then find each of their linked siblings, and inside a few hops you've mapped the entire ring. The API supports the same traversal programmatically if you want to build automated investigation tools.

Q: What relationship types exist between identities?

A: Six built-in types: SAME_DEVICE (shared device fingerprint), SHARED_IP (active from the same IP), SHARED_SESSION (same browsing session — strongest possible link), SIMILAR_NAME (name similarity by Jaccard or Tversky distance), SIMILAR_EMAIL (email pattern similarity), and SIMILAR_BEHAVIOR (overlapping behavioral profiles). Custom analyzers on the Advanced plan can introduce additional relationship types if you have domain-specific signals worth tracking.

Q: Can I query the graph through an API?

A: Yes. Every identity endpoint exposes the related identities, and every relationship records its type and the evidence behind it. You can pull the graph for any identity, walk it programmatically, and use the data to drive your own automation — for example, automatically restricting every account linked to one that just got banned. The /links endpoints return the data in a shape that's easy to traverse.

Q: How is this different from a CDP like Segment or RudderStack?

A: A customer data platform unifies the data you already know about a user across different tools and channels — typically by matching on email or login. Dregs builds the opposite kind of graph: it links accounts that are trying to look unrelated. CDPs assume goodwill; Dregs assumes the user might be trying to deceive you. Both can coexist — your CDP unifies your real customer's view across products; Dregs surfaces when several of those 'real customers' are actually the same person.

See the connections you've been missing.

Most multi-account fraud is obvious in retrospect. Dregs makes it obvious in real time, by linking related identities the moment the evidence appears.

Schedule a Demo