Fraud Detection: Passive and Discrete Signals


Overview

Passive and Discrete Signals represent an automated, ambient layer of security. Unlike Data Validation or IDV, which require active input or documents from a supplier, these signals are compiled through standard behavioral metadata and technical domain validation patterns.

These signals do not typically act as a "hard block" that stops a supplier's progress. Instead, they serve as passive risk signals used for Graphite's security review, providing internal teams and customers with a context-heavy risk profile during the final evaluation phase.


Current Signal: Domain Analysis

As of the current release, Graphite’s primary passive signal is derived from deep-tier domain and website analysis.

Logic

When a supplier enters their website or email domain, Graphite automatically queries registration data (WHOIS) and historical records to identify anomalies common in business email compromise (BEC) and phishing attempts.

  • Domain Age: Recently registered domains, and domains with little operational history, are automatically flagged. Fraudulent entities frequently register "burner" domains for specific campaigns.
  • Domain Similarity: The system uses string-distance algorithms to detect near-character variations and look-alike permutations that mimic established corporate domains.
  • Email Provider Analysis: Corporate entities utilizing free email providers (e.g., Gmail, Outlook, ProtonMail) for primary business transactions are flagged for review.
  • Registrar Data: Mismatches between the domain registrar’s geographic location and the supplier's stated headquarters are noted as potential risk factors.
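
The four checks above can be sketched as follows. This is an added example, not Graphite's implementation: the thresholds, the provider list, the signal names and the sample records are assumptions made for illustration, and the registration date and registrar country are passed in rather than fetched from WHOIS so the code runs offline.

```python
from datetime import date

# Assumed values for illustration; the page does not state thresholds or lists.
FREE_PROVIDERS = {"gmail.com", "outlook.com", "protonmail.com"}
MIN_AGE_DAYS = 180          # assumed cut-off for a "young" domain
MAX_LOOKALIKE_DISTANCE = 2  # assumed edit-distance cut-off

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def domain_signals(email, registered_on, registrar_country, hq_country,
                   known_domains, today):
    """Return the list of passive signals raised for one supplier record."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    signals = []
    if domain in FREE_PROVIDERS:
        # WHOIS data for a mail provider describes the provider, not the supplier.
        return ["free_email_provider"]
    if registered_on is None:
        signals.append("registration_date_unavailable")
    elif (today - registered_on).days < MIN_AGE_DAYS:
        signals.append("young_domain")
    for known in known_domains:
        d = edit_distance(domain, known)
        if 0 < d <= MAX_LOOKALIKE_DISTANCE:  # distance 0 is the known domain itself
            signals.append(f"lookalike_of:{known}")
    if registrar_country and registrar_country != hq_country:
        signals.append("registrar_country_mismatch")
    return signals

# Constructed sample records (not real suppliers).
KNOWN = ["acme-industrial.example", "northwind-supply.example"]
TODAY = date(2024, 6, 1)
SAMPLES = [
    ("ap@acme-industrial.example", date(2009, 3, 14), "US", "US"),
    ("ap@acme-lndustrial.example", date(2024, 5, 20), "PA", "US"),
    ("billing.northwind@gmail.com", None, None, "US"),
]
if __name__ == "__main__":
    for email, reg, rc, hq in SAMPLES:
        print(email, domain_signals(email, reg, rc, hq, KNOWN, TODAY))
```

The second record swaps an "i" for an "l", which is a single substitution, so it is reported as a look-alike of the established domain in addition to the age and registrar flags.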

Outcome

If a domain check returns an anomaly, the signal is added to the Trust Center.

  • Subscriber Impact: The supplier is ineligible for an automated "Verified: Guaranteed" status and is routed to the managed Security Review team.
  • Non-Subscriber Impact: The signal is displayed as a warning to the customer, requiring a manual determination before the supplier can be moved to a "Valid" status.


Continuous Perimeter Evolution

To stay ahead of evolving fraud vectors, the platform dynamically expands its metadata assessment capabilities. This includes advanced layers of structural verification:

  • Adaptive Location Insights: The system continuously evaluates network telemetry and IP routing architectures to detect anomalies, such as access originating from high-risk jurisdictions or the use of known anonymizers, proxy networks, and Tor exit nodes.
  • Advanced Device Intelligence: The architecture is designed to generate unique environmental identifiers based on localized hardware, browser, and software configurations. This intelligence isolates advanced automated "bot" activity and detects if a single device is being leveraged to manipulate multiple, seemingly unrelated supplier profiles—a primary hallmark of organized business email compromise (BEC).

Integration with the Security Waterfall

Passive signals act as a modifier for the Security Waterfall.

  1. Low Risk: If all passive signals are clear, the waterfall proceeds to standard automation (Network Protection or JPMC).
  2. High Risk: If a passive risk signal is detected, the waterfall "slows down." Even if a bank account matches via the JPM check, the detected domain risk will prevent the account from reaching a "Guaranteed" tier without a human check from the Security Review team.

Troubleshooting & False Positives

We recognize that legitimate startups may have young domains.

  • Internal Review: When a legitimate supplier is flagged, the Security Review team evaluates other factors (such as IDV or Tax Validation) to determine if the risk is mitigated.
  • Customer Visibility: Customers can view the specific reason for a domain flag within the Trust Center and choose to override the signal if they have independent verification of the supplier's legitimacy.
