No. 06 · Aegis Suite Streaming Multi-channel

Score every transaction
in under 50 milliseconds.
Across three channels.

A streaming fraud-detection platform that scores payments, SMS and email events as they land. Kafka ingress with 6-partition fan-out, an ML+rules scoring path fused with per-event reasoning, Redis Streams alert egress, FastAPI + gRPC sync scoring, Prometheus + Grafana observability, and a drift detector that computes PSI and JS divergence over the feature distribution every window.

Scoring Console · /score
Live · dev stream
Scored · 24h: 1.47M events across 3 channels
Alerts fired: 4,183 (threshold 0.85 · precision@100 = 0.60)
p95 latency: 48 ms (REST · bootstrap model · eager path)
Drift: 0.18 (aggregate PSI + JS · window 24h)

| Time | Channel | Top Reasons | Score | Lat | Verdict |
| --- | --- | --- | --- | --- | --- |
| 14:32:07 | payments | amount · merchant_risk · txn_count_1m_user | 0.891 | 1.2 ms | ALERT |
| 14:32:08 | sms | text_len · url_count · suspicious_word_hits | 0.004 | 0.8 ms | PASS |
| 14:32:08 | email | subject_len · body_len · link_count | 0.003 | 0.7 ms | PASS |
| 14:32:09 | payments | amount · geoloc_mismatch · night_velocity | 0.441 | 1.1 ms | PASS |
| 14:32:10 | email | link_count · blocklist_hit · reply_to_mismatch | 0.927 | 0.9 ms | ALERT |
| 14:32:11 | sms | suspicious_word_hits · shortener_url · urgency | 0.881 | 0.8 ms | ALERT |
| 14:32:11 | payments | amount · merchant_ok · device_trust | 0.012 | 1.3 ms | PASS |

Score live

Every button below calls the real model.

The widget posts to POST /score on the live inference API and renders the returned score ∈ [0,1], is_alert, ranked reasons[], and end-to-end latency_ms. Flip between payments, SMS, and email, then try a safe or fraud preset — or edit the JSON payload and see how the score shifts.

Channels

One engine, three surfaces.

Each channel has its own feature pipeline, rule DSL, and ML sub-model. All feed the same scoring contract: score ∈ [0,1], is_alert, ranked reasons[], and an end-to-end latency_ms.

Payments

Tx & card risk

High-volume card transactions with amount, merchant, velocity and device signals. 6 Kafka partitions for parallel scoring.

Top features: amount, merchant_risk, txn_count_1m_user, device_trust, geoloc_mismatch
{ "score": 0.891, "is_alert": true, "threshold": 0.85, "reasons": [ "amount", "merchant_risk", "txn_count_1m_user" ], "latency_ms": 1.2 }
SMS

Smishing & scam

Short-form messaging with URL shorteners, urgency language, blocklist hits and suspicious-word vocabulary.

Top features: text_len, url_count, shortener_url, suspicious_word_hits, urgency_score
{ "score": 0.004, "is_alert": false, "threshold": 0.85, "reasons": [ "text_len", "url_count", "suspicious_word_hits" ], "latency_ms": 0.8 }

Email

Phishing & BEC

Longer-form content with subject/body heuristics, link volume, reply-to mismatches and spoofed display names.

Top features: subject_len, body_len, link_count, blocklist_hit, reply_to_mismatch
{ "score": 0.003, "is_alert": false, "threshold": 0.85, "reasons": [ "subject_len", "body_len", "link_count" ], "latency_ms": 0.7 }
Stack

Kafka in, Redis out, metrics everywhere.

Event producers feed Kafka; a consumer scores and emits alerts to a Redis Stream; a sync REST+gRPC API offers on-demand scoring for UI integrations; Prometheus scrapes custom metrics; Grafana dashboards surface throughput, latency and drift.

[Architecture diagram: Generator (payments · SMS · email) → Kafka topics, partitioned (payments × 6, sms × 3) → Consumer (scoring · rules · ML: rule DSL, ML score, alerts) → Redis alert stream (XADD alerts:*). A REST + gRPC API provides sync scoring (POST /score, FraudScoring.Score). Prometheus scrapes /metrics; Grafana shows SLO, drift and alerts. Legend: events / sync, alerts, telemetry.]
Metrics

Offline + online, paired.

Offline: PR-AUC, ROC-AUC, precision@k. Online: latency percentiles and drift (PSI + JS) over a rolling window. Thresholds are tuned on offline holdout and validated against live cost/benefit.

PR-AUC
0.867
Precision-recall AUC on imbalanced holdout (bootstrap model, baseline features).
precision@100
0.60
Of the top-100 highest-scored events, 60% are true fraud — the cost-driver for review queues.
p95 latency
48 ms
End-to-end REST scoring latency on 8-core CPU, no GPU path required.
drift score
0.18
Aggregate PSI + JS over the last 24h of feature distributions.
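
How a PSI + JS drift check over one window can be computed, as an added example that is not the platform's own code. The bin edges, the empty-bin floor `EPS`, the way the two metrics are averaged into one aggregate, and the sample windows are all assumptions constructed for illustration; only the feature names come from the page.

```python
import bisect
import math

EPS = 1e-6  # assumed floor for empty bins so the logarithms stay finite

def proportions(values, edges):
    """Share of values per bin, using cut points fixed on the reference window."""
    if not values:
        raise ValueError("empty window")
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_right(edges, v)] += 1
    floored = [max(c / len(values), EPS) for c in counts]
    total = sum(floored)
    return [p / total for p in floored]

def psi(ref, cur):
    """Population Stability Index between two binned distributions."""
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))

def js_divergence(ref, cur):
    """Jensen-Shannon divergence in bits, bounded in [0, 1]."""
    mid = [(r + c) / 2 for r, c in zip(ref, cur)]
    def kl(p, q):
        return sum(a * math.log2(a / b) for a, b in zip(p, q))
    return 0.5 * kl(ref, mid) + 0.5 * kl(cur, mid)

def drift_report(reference, window, edges):
    """Per-feature PSI and JS plus a hypothetical aggregate (mean of both)."""
    report = {}
    for name, cuts in edges.items():
        ref, cur = proportions(reference[name], cuts), proportions(window[name], cuts)
        report[name] = {"psi": psi(ref, cur), "js": js_divergence(ref, cur)}
    per_feature = [(m["psi"] + m["js"]) / 2 for m in report.values()]
    report["aggregate"] = sum(per_feature) / len(per_feature)
    return report

# Constructed sample data; bin edges are illustrative, not the platform's.
EDGES = {"amount": [50, 100, 500], "txn_count_1m_user": [2, 5]}
REFERENCE = {"amount": [20] * 16 + [70] * 12 + [200] * 8 + [900] * 4,
             "txn_count_1m_user": [1] * 30 + [3] * 8 + [9] * 2}
SHIFTED = {"amount": [20] * 8 + [70] * 8 + [200] * 12 + [900] * 12,
           "txn_count_1m_user": [1] * 40}  # two bins empty in this window

if __name__ == "__main__":
    for name, value in drift_report(REFERENCE, SHIFTED, EDGES).items():
        print(name, value)
```

Keeping the per-feature values next to the aggregate shows which feature moved; the empty bins in the second feature are the case where an unfloored PSI would divide by zero.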
Anatomy

Under the hood.

Every layer is observable, tested, and independently scalable. The consumer and sync API share the same scoring module so online/offline feature skew is minimised.

| Layer | Tech | Role |
| --- | --- | --- |
| Ingress | Kafka · Zookeeper · 6/3/3 partitions | Multi-topic fan-out for payments / SMS / email with independent parallelism knobs. |
| Scoring | Python · scikit-learn · rules DSL | Shared-nothing scoring module — ML features fused with a rule DSL producing ranked reasons[]. |
| Sync API | FastAPI · gRPC (protobuf) | Dual-protocol scoring endpoint for online integrations + admin /config. |
| Alert egress | Redis Streams | Downstream consumers (case-management, ops dashboards) subscribe without coupling to Kafka. |
| Observability | Prometheus · Grafana · custom exporter | Throughput, latency percentiles, drift, alert rate, threshold-effect — all dashboarded. |
| Evaluation | PR-AUC · ROC-AUC · precision@k · PSI/JS | Offline harness + drift report, tuned on holdout and validated live. |

API

One scoring contract.

REST and gRPC both return the same shape — a score, an alert flag, ranked reasons, and a latency. The threshold is runtime-configurable via /config.

examples/score_payment.sh

```sh
# POST /score — live endpoint, real API
curl -sS -X POST https://stelioszach.com/aegis-fraud-guard/score \
  -H 'Content-Type: application/json' \
  -d '{
    "source": "payments",
    "payload": {
      "amount": 4821.50,
      "merchant_id": "M-772",
      "user_id": "U-2039",
      "country": "CA",
      "merchant_risk": 0.9,
      "txn_count_1m_user": 12
    }
  }'

# → 200 OK
# {
#   "score": 0.891,
#   "is_alert": true,
#   "threshold": 0.85,
#   "reasons": [ "amount", "merchant_risk", "txn_count_1m_user" ],
#   "latency_ms": 1.2
# }

# gRPC mirrors the same contract:
#   FraudScoring.Score(source, payload) → ScoreReply
```
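
A downstream integration can check each reply against the scoring contract before acting on it and discard anything malformed. The following is an added example, not the project's code: it assumes `threshold` is always present (as in the page's sample replies) and that `is_alert` means `score >= threshold`, which the page does not state; the function names are hypothetical.

```python
import json
import math

REQUIRED = ("score", "is_alert", "threshold", "reasons", "latency_ms")

def _is_number(x):
    # bool is a subclass of int in Python, and json.loads accepts NaN/Infinity
    return isinstance(x, (int, float)) and not isinstance(x, bool) and math.isfinite(x)

def validate_score_reply(raw):
    """Return the parsed reply, or raise ValueError on any contract violation."""
    reply = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(reply, dict):
        raise ValueError("reply is not a JSON object")
    missing = [k for k in REQUIRED if k not in reply]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for key in ("score", "threshold"):
        if not _is_number(reply[key]) or not 0.0 <= reply[key] <= 1.0:
            raise ValueError(f"{key} must be a number in [0, 1]")
    if not isinstance(reply["is_alert"], bool):
        raise ValueError("is_alert must be a boolean")
    reasons = reply["reasons"]
    if not isinstance(reasons, list) or not all(isinstance(r, str) and r for r in reasons):
        raise ValueError("reasons must be a list of non-empty strings")
    if not _is_number(reply["latency_ms"]) or reply["latency_ms"] < 0:
        raise ValueError("latency_ms must be a non-negative number")
    # Assumption: is_alert means score >= threshold (the page does not give the operator).
    if reply["is_alert"] != (reply["score"] >= reply["threshold"]):
        raise ValueError("is_alert disagrees with score and threshold")
    return reply

def accepts(raw):
    """True if the reply passes validation, False if it must be discarded."""
    try:
        validate_score_reply(raw)
        return True
    except ValueError:
        return False

# Reply copied from the page's payments example.
PAGE_REPLY = ('{"score": 0.891, "is_alert": true, "threshold": 0.85, '
              '"reasons": ["amount", "merchant_risk", "txn_count_1m_user"], "latency_ms": 1.2}')
# Constructed malformed replies: flag contradicts score, NaN score, boolean score.
BAD_REPLIES = [PAGE_REPLY.replace("0.891", "0.2"),
               PAGE_REPLY.replace("0.891", "NaN"),
               PAGE_REPLY.replace("0.891", "true")]

if __name__ == "__main__":
    print(accepts(PAGE_REPLY), [accepts(r) for r in BAD_REPLIES])
```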