Graph Explorer

Visualise the 2-hop fraud network around any risk assessment and understand how users, indicators, and enrichment nodes are connected.

Overview

The Graph Explorer builds a 2-hop fraud graph anchored to a stored assessment. It helps analysts understand how the evaluated user connects to devices, IPs, emails, payment methods, and nearby suspicious users.

The graph typically shows:

  • the seed user from the selected assessment
  • global indicator nodes for hashed email, device, IP, phone, and payment identifiers
  • enrichment nodes such as card BIN and geolocation
  • peer users who share one or more indicators with the seed

The graph is historically stable in assessment mode: it uses the indicator snapshot captured at assessment time, so the view reflects the neighborhood at the moment the decision was made.

Accessing the Graph Explorer

Navigate to Dashboard → Graph Explorer. The left panel lists recent assessments. Click any row to load its graph.

You can also deep-link directly:

plaintext
/dashboard/graph-explorer?assessmentId=<uuid>

API endpoint

plaintext
GET /graph/explore/:assessmentId

Auth: bearer token required. Your plan must include the graph_explorer feature.

Response shape:

json
{
  "nodes": [
    {
      "id": "riskuser::usr_abc123",
      "label": "RiskUser",
      "group": "riskuser",
      "properties": {
        "user_id": "usr_abc123",
        "is_confirmed_fraud": false,
        "knn_fraud_similarity": 0.12,
        "gds_pagerank_score": 0.031
      }
    },
    {
      "id": "globalindicator::a1b2c3d4...",
      "label": "GlobalIndicator",
      "group": "globalindicator",
      "properties": {
        "indicator_type": "email",
        "indicator_hash": "a1b2c3d4...",
        "is_global_threat": false
      }
    }
  ],
  "links": [
    {
      "source": "riskuser::usr_abc123",
      "target": "globalindicator::a1b2c3d4...",
      "type": "USES_INDICATOR"
    }
  ],
  "meta": {
    "seedUserId": "usr_abc123",
    "nodeCount": 14,
    "linkCount": 18
  }
}

Node types

  1. Seed RiskUser: Shown as pulsing cyan. This is the user from the assessment you are investigating.
  2. Fraud RiskUser: Shown in crimson with glow. This is a peer user already confirmed as fraud.
  3. Peer RiskUser: Shown in muted slate. This is a first-hop or second-hop neighbor not confirmed as fraud.
  4. GlobalIndicator nodes: These represent hashed device, IP, email, phone, or payment identifiers.
  5. CardBIN: Enrichment node built from the payment card prefix.
  6. GeoLocation: Country-level geolocation node derived from IP context.

Node properties

RiskUser nodes expose:

  1. user_id: Your application’s user identifier.
  2. is_confirmed_fraud: Whether this user has been confirmed as fraud.
  3. knn_fraud_similarity: Similarity score from 0 to 1 against nearby confirmed fraud users.
  4. gds_pagerank_score: Centrality score. Higher values usually mean the node is highly connected.
  5. gds_betweenness_score: Bridge score. Higher values suggest the user connects otherwise separate clusters.

GlobalIndicator nodes expose:

  1. indicator_type: One of device, ip, email, phone, or payment.
  2. indicator_hash: The hashed identifier value.
  3. is_global_threat: Whether the indicator is present in the global threat database.

⚠️ Raw PII (email addresses, phone numbers, IP addresses) is masked in all graph responses. The first 3 and last 2 characters are retained; the middle is replaced with ***. Indicator hashes are not masked.

Edge types

  1. USES_INDICATOR: Connects a RiskUser to a GlobalIndicator from that user’s indicator ring.
  2. USED_CARD_BIN: Connects a RiskUser to the card BIN seen at assessment time.
  3. LOCATED_IN: Connects a RiskUser to the geolocation derived from IP context at assessment time.

Edges connecting to confirmed-fraud nodes are drawn in red. All other edges use a muted slate colour.

Toolbar filters

Use the toolbar at the bottom-left of the canvas to reduce visual noise:

  1. Safe Users: Enabled by default. Hides peer users who are not confirmed as fraud.
  2. Geo: Enabled by default. Hides geolocation nodes.
  3. Card BIN: Enabled by default. Hides card BIN nodes.

Reading the graph

Identifying fraud clusters

A confirmed-fraud peer (crimson node) sharing an indicator directly with the seed means those two users have used the same device, IP, email, phone, or payment method. This is strong evidence of coordinated fraud or account takeover.

Super-connectors

GlobalIndicator nodes with more than 500 connections are automatically excluded from the graph. These are shared infrastructure (e.g., a public IP or shared device used by thousands of users) that would make the graph unreadable without adding signal.

Graph Intelligence scores

Click any RiskUser node to open the detail panel. The Graph Intelligence section shows:

  • KNN Fraud Similarity — how similar this user's graph embedding is to confirmed-fraud users nearby. Values above 0.6 are high-risk.
  • PageRank — how central this user is to the overall network. A fraudster who acts as a hub will have a high PageRank.
  • Betweenness Centrality — how often this user lies on the shortest path between other nodes. High values suggest a bridge account connecting otherwise separate fraud rings.

💡 Use the Graph Explorer alongside the Event Explorer: click "View events for this user" in the node detail panel to deep-link into the full transaction history of any node.
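
The checks described under "Identifying fraud clusters" and "Graph Intelligence scores" can also be run over the API response directly. The following is an added example, not part of the product or its documentation: the sample users and hashes are constructed, the names `triage`, `user`, `indicator` and `uses` are hypothetical, and a suppressed is_confirmed_fraud is assumed to be absent from the node properties.

```python
KNN_HIGH_RISK = 0.6  # "Values above 0.6 are high-risk" per the page

def user(uid, fraud=None, knn=0.0):
    """Constructed RiskUser node; fraud=None models a suppressed or absent flag."""
    props = {"user_id": uid, "knn_fraud_similarity": knn}
    if fraud is not None:
        props["is_confirmed_fraud"] = fraud
    return {"id": f"riskuser::{uid}", "label": "RiskUser", "group": "riskuser",
            "properties": props}

def indicator(kind, digest):
    return {"id": f"globalindicator::{digest}", "label": "GlobalIndicator",
            "group": "globalindicator", "properties": {
                "indicator_type": kind, "indicator_hash": digest, "is_global_threat": False}}

def uses(uid, digest):
    return {"source": f"riskuser::{uid}", "target": f"globalindicator::{digest}",
            "type": "USES_INDICATOR"}

# Constructed sample in the documented response shape (hypothetical users and hashes).
SAMPLE = {
    "nodes": [user("usr_seed", False, 0.12), user("usr_f1", True, 0.91),
              user("usr_p2", False, 0.72), user("usr_p3"), user("usr_p4", False, 0.2),
              indicator("device", "d0d0"), indicator("ip", "1b1b"), indicator("email", "e9e9")],
    "links": [uses("usr_seed", "d0d0"), uses("usr_seed", "1b1b"), uses("usr_f1", "d0d0"),
              uses("usr_p2", "1b1b"), uses("usr_p3", "1b1b"),
              uses("usr_f1", "e9e9"), uses("usr_p4", "e9e9")],
    "meta": {"seedUserId": "usr_seed", "nodeCount": 8, "linkCount": 7},
}

def triage(graph):
    """Map each peer sharing an indicator directly with the seed to its risk flags."""
    nodes = {n["id"]: n for n in graph["nodes"]}
    seed_id = next(n["id"] for n in graph["nodes"] if n["group"] == "riskuser"
                   and n["properties"].get("user_id") == graph["meta"]["seedUserId"])
    users_by_indicator = {}
    for link in graph["links"]:
        if link["type"] == "USES_INDICATOR":
            users_by_indicator.setdefault(link["target"], set()).add(link["source"])
    findings = {}
    for ind_id, users in users_by_indicator.items():
        if seed_id not in users:
            continue  # indicator belongs to the second hop, not shared with the seed
        for peer_id in sorted(users - {seed_id}):
            props = nodes[peer_id]["properties"]
            entry = findings.setdefault(props["user_id"], {
                "shared": [], "confirmed_fraud": props.get("is_confirmed_fraud"),
                "knn_high": props.get("knn_fraud_similarity", 0.0) > KNN_HIGH_RISK})
            entry["shared"].append(nodes[ind_id]["properties"]["indicator_type"])
    return findings
```

A `confirmed_fraud` value of `None` means the label was not available in the response, which is reported as unknown rather than treated as safe.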

Assessment mode vs live mode

  1. Assessment mode: Used when an assessmentId is provided. The graph is anchored to the snapshot captured at assessment time.
  2. Live mode: Used when browsing without an assessment. The graph shows the user’s current neighborhood as it exists in Neo4j now.

⚠️ In assessment mode, is_confirmed_fraud is suppressed on peer users. This prevents fraud labels set after the assessment (e.g., a chargeback received days later) from appearing to have been known at assessment time.