Obsidian is a cross-operator threat intelligence platform for regulated industries. By sharing enriched intelligence across organisations — modelled on the fraud consortium approach used by credit reference agencies — every operator benefits from the network’s collective intelligence. Bad actors flagged by one organisation are visible to all.
Obsidian addresses the structural fraud problems that exist regardless of industry — then layers sector-specific intelligence on top.
When a customer opens an account, initiates a transaction, or requests a service, your team acts on incomplete information. Static snapshots cannot reflect the dynamic, evolving nature of organised threat actors.
Threshold-based fraud systems are reactive by design. Bad actors probe for limits, identify the boundaries, and engineer around them systematically. Rigid rules create a predictable, exploitable attack surface.
Analysts spend hours stitching together session logs, device lookups, and account history by hand. Every hour spent investigating is an hour your platform remains exposed. Speed is not a luxury — it is leverage.
Individuals flagged by one institution move freely to the next. Without shared intelligence — processed under a Legitimate Interest basis consistent with credit reference agencies and fraud consortia — every organisation starts from zero against the same actors.
The fraud landscape has evolved faster than the tools built to stop it. Most operators are operating blind, or reacting too late.
Multiple accounts created to exploit promotional mechanics drain marketing budgets and skew acquisition economics. Without cross-registration device and browser intelligence, every registration appears legitimate at the point of signup.
The same individual operates multiple accounts for peer-game collusion, gnoming, or repeated bonus extraction. Cross-entity graph linkage — across devices, browser fingerprints, and email addresses — is the only reliable detection mechanism.
Gambling platforms are targeted for placement and layering of illicit funds. IP intelligence — TOR, VPN, datacenter ranges, bad ASNs — combined with cross-operator identity signals surfaces laundering patterns that transactional monitoring alone cannot detect.
UKGC, MGA, and 6AMLD obligations require operators to identify at-risk players, trigger enhanced due diligence, and report suspicious activity. Without real-time signal intelligence, compliance obligations cannot be adequately discharged.
APP fraud, synthetic identity, and mule networks are now the defining fraud challenges for UK financial services — and they are cross-institutional by design.
£1.17bn was stolen through fraud in the UK in 2024 (UK Finance). Authorised Push Payment fraud and mule account infrastructure are cross-institutional by design — single-institution controls can only ever see part of the picture.
AI-generated synthetic identities combine real and fabricated data to pass traditional KYC checks. Pattern recognition across devices, email addresses, and IP ranges surfaces inconsistencies that single-point document verification cannot detect.
Compromised credentials and deepfake-assisted social engineering are enabling sophisticated account takeover at scale. Device fingerprint changes, impossible travel, and browser anomaly signals detect access anomalies that passwords alone cannot surface.
Fraud and AML teams operating independently means the same mule network can be visible to one function and invisible to the other. Converged entity intelligence — linking accounts, devices, and IPs across the customer lifecycle — closes the gap.
£1.16bn in fraudulent claims was detected in the UK in 2024 (ABI). Organised rings and opportunistic fraudsters both rely on identity manipulation that Obsidian's signals surface.
98,400+ fraudulent claims were detected in 2024, up 12% on 2023 (ABI). From exaggerated losses to entirely fabricated incidents, claims fraud depends on identity manipulation and false documentation — both addressable through entity intelligence at point of claim.
False information at point of application inflates losses and undermines underwriting integrity. Email, device, and IP signals detect fabricated or stolen identities before policies are issued — stopping losses before they begin.
Criminal intermediaries use false or stolen identities to obtain, manipulate, and resell policies. Cross-entity identity signals detect the reuse patterns — the same device, email address, or IP range across multiple policy applications — that ghost brokers depend on.
Crash-for-cash and staged incident rings submit claims simultaneously across multiple insurers. Cross-operator intelligence is the only mechanism that exposes the network — not just the individual incident — enabling insurers to act on the ring, not just the claim.
Obsidian layers real-time session telemetry, device fingerprinting, and network intelligence into a continuously enriched graph — so your decisions are always informed by the full picture.
The moment a session begins, Obsidian captures raw TLS ClientHello data for JA4+ fingerprinting, collects browser and device telemetry via the client script, and begins graph-based enrichment — all before your platform has served a single page.
Unlike single-operator fraud tools, Obsidian shares enriched intelligence across all participating organisations. A device, email address, or IP flagged at one operator immediately strengthens detection at every other. This is processed under a Legitimate Interest basis consistent with established financial-sector fraud consortia such as CIFAS.
Obsidian draws on open-source intelligence feeds, breach databases, and external threat intelligence sources — then combines them with proprietary signals generated by the cross-operator graph. Neither source alone is sufficient. Together, they produce intelligence that no single feed or single operator could generate independently.
A purpose-built graph database stores the relationships between sessions, devices, browsers, IPs, email addresses, and usernames. Confidence levels scale with graph connection density — not just individual attributes.
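An added illustration of the cross-entity linkage described above, not Obsidian's implementation or API: accounts that share a device, browser fingerprint, or email address are merged into one cluster, and every link keeps the attribute that produced it so the result stays explainable. The sample registrations, identifier names, and the density measure are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample registrations: (account, operator, device, browser_fp, email).
REGISTRATIONS = [
    ("acct-1", "op-A", "dev-11", "fp-aa", "sam@example.com"),
    ("acct-2", "op-A", "dev-11", "fp-bb", "sam+1@example.com"),
    ("acct-3", "op-B", "dev-12", "fp-bb", "kim@example.org"),
    ("acct-4", "op-B", "dev-12", "fp-cc", "sam@example.com"),
    ("acct-5", "op-A", "dev-99", "fp-zz", "lee@example.net"),
]


def build_edges(registrations):
    """Map each unordered account pair to the set of attributes it shares."""
    by_attr = defaultdict(set)
    for account, _operator, device, fp, email in registrations:
        for kind, value in (("device", device), ("browser_fp", fp), ("email", email)):
            by_attr[(kind, value)].add(account)
    edges = defaultdict(set)
    for (kind, value), accounts in by_attr.items():
        for a, b in combinations(sorted(accounts), 2):
            edges[(a, b)].add(f"{kind}={value}")
    return edges


def clusters(registrations):
    """Return linked account clusters (connected components) with evidence."""
    parent = {r[0]: r[0] for r in registrations}

    def find(x):
        # Union-find lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    edges = build_edges(registrations)
    for a, b in edges:
        parent[find(a)] = find(b)

    groups = defaultdict(list)
    for account in parent:
        groups[find(account)].append(account)

    operator = {r[0]: r[1] for r in registrations}
    out = []
    for members in groups.values():
        if len(members) < 2:
            continue  # an unlinked account is not a cluster
        members.sort()
        n = len(members)
        linked = sorted(e for e in edges if e[0] in members and e[1] in members)
        out.append({
            "accounts": members,
            "operators": sorted({operator[m] for m in members}),
            # Which shared attribute justifies each link (the audit trail).
            "evidence": {e: sorted(edges[e]) for e in linked},
            # Illustrative density: observed links / possible links (assumption).
            "density": round(len(linked) / (n * (n - 1) / 2), 2),
        })
    return sorted(out, key=lambda c: c["accounts"])


if __name__ == "__main__":
    for cluster in clusters(REGISTRATIONS):
        print(cluster)
```

No single attribute connects all four linked accounts in the sample; the cluster only appears when device, fingerprint, and email links from both operators are combined.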
Subscriptions deliver webhook updates as intelligence evolves. When a user account's risk profile changes — because a linked IP is later flagged, or a connected device surfaces elsewhere — your platform is notified immediately.
Session binding mismatches return HTTP 200 with a directive: continue response — indistinguishable from success. Attackers cannot probe the system to discover detection thresholds.
Obsidian signals map directly to the regulatory requirements your compliance, risk, and AML teams are accountable for — across the major licensing and regulatory frameworks applicable to your sector.
Credential stuffing, phishing, and social engineering to access legitimate accounts. Detected via impossible travel, new device or IP for a known account, JA4+ fingerprint changes, and automation signals.
Fabricated or manipulated identities combining real and false data to open accounts. Flagged via email breach correlations, temporary domain patterns, and cross-entity registration anomalies.
Using stolen or fabricated identity to open accounts or apply for credit. Cross-entity device and email signals surface repeated application patterns across institutions using different identities.
Recruited or compromised accounts used to receive and move illicit funds. IP intelligence, device sharing across accounts, and unusual behaviour patterns identify mule infrastructure before funds move.
Automated use of stolen username/password pairs to compromise accounts. JA4+ TLS fingerprinting, typing cadence anomalies, and browser automation signals detect bot-driven credential attacks.
Legitimate customers misrepresenting circumstances or disputing genuine transactions. Behaviour anomalies, cross-entity history, and device linkage across disputes surface deliberate misrepresentation.
Multiple accounts created to claim promotions repeatedly. Detected via device sharing across registrations, browser fingerprint reuse, and email address patterns.
Same individual operating multiple accounts, including peer-game collusion. Cross-entity graph linkage surfaces shared devices, browser fingerprints, and email relationships across accounts.
Credential stuffing, phishing, or brute force against established accounts. Detected via impossible travel, new device/IP for a known account, JA4+ fingerprint mismatch, and automation signals.
Fabricated or manipulated identities used to open accounts. Flagged via email breach correlations, likely-temporary email domain patterns, and cross-entity registration anomalies.
Accounts used to receive and move illicit funds through gaming activity. IP intelligence (TOR, VPN, datacenter), cross-operator identity linkage, and behavioural anomalies surface layering patterns.
Scripts and AI-driven bots simulating human play for exploitation. JA4+ TLS fingerprinting, automation detection, suspicious typing cadence, and browser anomaly signals fire in combination.
Customers deceived into authorising transfers to fraudster-controlled accounts. Behaviour anomalies, device changes during high-value sessions, and known fraudulent IP ranges signal APP fraud in progress.
Credential stuffing, SIM-swap, and social engineering to access legitimate accounts. New device or IP for a known customer, impossible travel, and JA4+ fingerprint mismatches are primary detection signals.
AI-generated identities combining real and fabricated data to pass KYC at onboarding. Cross-entity signals surface inconsistencies across multiple application attempts using the same underlying infrastructure.
Recruited or compromised accounts used to receive and layer illicit funds. Device and IP sharing across multiple accounts, unusual onboarding patterns, and cross-institution identity signals identify mule infrastructure.
Stolen or fabricated identity used to apply for credit, loans, or accounts. Cross-entity graph signals surface repeated application attempts across institutions using the same device or email infrastructure.
Legitimate customers misrepresenting circumstances or disputing genuine transactions. Behaviour anomalies and cross-entity account history flag deliberate misrepresentation patterns.
False or stolen identity used at point of quote to obtain policies or reduce premiums. Device and email cross-entity signals detect fabricated or reused application infrastructure before policies are issued.
Deliberately inflated or fabricated claims submitted after a policy is taken out. Cross-entity claimant history, device linkage across multiple claims, and submission behaviour anomalies surface both opportunistic and organised fraud.
Deliberately staged or induced road traffic incidents for financial gain. Cross-insurer identity signals identify individuals and networks with prior staged incident history invisible to single-insurer view.
Criminal intermediaries using false or stolen identities to obtain and resell manipulated policies. The same device, email domain, or IP range across multiple policy applications is the defining signal.
Misrepresenting the main driver or policyholder to reduce premiums. Cross-entity account and device linkage surfaces the relationships between the named proposer and the actual primary user that manual checks miss.
Coordinated criminal networks submitting claims across multiple insurers simultaneously. Cross-operator intelligence exposes the network — shared devices, IP ranges, and identity clusters — enabling action on the ring, not just the claim.
Suspicious Activity Reporting. The Proceeds of Crime Act requires reporting of suspected money laundering. Obsidian's real-time signals and audit trail create the evidence base needed for timely, legally defensible SAR filing.
Legitimate Interest Processing. Cross-entity fraud prevention data sharing is processed under Art. 6(1)(f) UK GDPR — consistent with ICO guidance and analogous to the legal basis used by CIFAS and credit reference agencies. A Legitimate Interest Assessment (LIA) is available on request.
Extended Predicate Offences. Obsidian's network intelligence — linking accounts, devices, and IPs across operators — supports fraud and money laundering detection obligations under the Sixth Anti-Money Laundering Directive.
Failure to Prevent Fraud (in force Sep 2025). Large organisations must demonstrate "reasonable procedures" to prevent fraud. Obsidian's real-time signals, audit trail, and cross-entity intelligence form part of a defensible fraud prevention framework.
SR Code 3.4.1 — Safer Gambling. Identification of customers displaying indicators of harm. Obsidian's behavioural, automation, and impossible travel signals provide data points for at-risk player identification obligations.
LC 12.1.1 — AML & KYC. Customer due diligence triggers and source of funds checks. IP intelligence, cross-entity account linking, and email breach data support enhanced due diligence decisions and ongoing monitoring obligations.
AML/CFT Implementing Procedures. The MGA's player due diligence and transaction monitoring requirements are addressed by Obsidian's cross-entity graph, IP risk classification, and real-time behavioural signals.
Extended Predicate Offences. Obsidian's network intelligence — linking accounts, devices, and IPs across operators — supports the fraud and money laundering detection obligations under the Sixth Anti-Money Laundering Directive.
Financial Crime Systems & Controls. FCA-regulated firms must maintain adequate systems to detect and prevent financial crime. Obsidian's entity graph and real-time signals form part of a defensible financial crime control framework consistent with FCA expectations.
APP Fraud Mandatory Reimbursement (in force Oct 2024). The PSR's reimbursement rules require firms to demonstrate fraud detection capability. Obsidian's real-time signals and audit trail support both detection obligations and the evidence required for reimbursement decisions.
Suspicious Activity Reporting. SAR obligations under the Proceeds of Crime Act require timely reporting and defensible reasoning. Obsidian's full audit log of signals raised against a customer record supports both the SAR and any subsequent investigation.
FRAML Convergence. Fraud and AML typologies increasingly overlap. Obsidian's unified entity intelligence addresses both disciplines — cross-entity account linkage surfaces mule networks for both fraud and AML purposes simultaneously.
Insurance Conduct of Business — Customer Due Diligence. FCA ICOBS 2.5 requires firms to take reasonable care regarding the identity of customers. Obsidian's signals support identity verification at point of quote, inception, and claim.
Duty of Fair Presentation. Insurers must understand the risk being underwritten. Obsidian's application fraud signals — detecting false identity and misrepresentation at point of quote — directly support the underwriting due diligence required under the Act.
Proceeds of Crime Reporting. Insurance fraud proceeds are frequently laundered through legitimate claims. SAR obligations apply and Obsidian's cross-entity intelligence and audit trail support both detection and reporting obligations.
Industry Intelligence Sharing. The Insurance Fraud Bureau and IFED expect insurers to actively detect and share intelligence on organised fraud rings. Obsidian's cross-operator graph provides the network-level intelligence that individual insurer systems cannot produce alone.
These are not projections. iGaming fraud is accelerating, regulators are enforcing, and operators without intelligence infrastructure are exposed.
Fraud now represents a systemic risk to UK financial services. Regulators are actively enforcing, and the burden of proof has shifted to firms.
Fraudulent claims exceed £1 billion for the second consecutive year. Detection remains the industry's primary challenge — and cross-operator intelligence the primary gap.
Obsidian collects hundreds of data points per session — browser telemetry, device characteristics, network metadata, TLS handshake data, and behavioural signals — then distils them into 32 enriched, high-confidence intelligence signals. Every signal is graph-derived or threat-feed-enriched, carries a confidence level, and is immediately actionable. No manual triage. No alert fatigue. Two categories: graph traversal signals that surface entity association anomalies, and enrichment signals from open-source threat intelligence and behavioural analysis.
Signal coverage is continually expanding. Disposable mobile number detection is in development and will be added to the platform shortly.
Every architectural decision is made to maximise detection capability and minimise attacker feedback.
Obsidian captures raw, unproxied TLS ClientHello data to compute a true JA4+ fingerprint — a next-generation TLS fingerprinting method that identifies clients by their TLS handshake characteristics, resistant to the spoofing techniques that defeat legacy fingerprinting approaches.
JA4+ · TLS handshake · spoof-resistant
Obsidian’s intelligence is graph-native, not bolt-on. Every signal is derived from explicit entity relationships — not black-box ML scoring. This means every signal is fully explainable: your compliance team can trace exactly why a confidence level was assigned, which entities contributed, and what changed. Deterministic, auditable intelligence that regulators can interrogate.
explainable · auditable · graph-native
Intelligence enrichment is driven by an event streaming pipeline. Two trigger patterns — new session events and user account link events — power all 32 intelligence signals. New sessions trigger immediate enrichment; new user account associations trigger cross-entity re-evaluation. The pipeline operates continuously, not in batch.
event-driven · continuous · 2 trigger patterns
L3 firewall, TLS 1.3 minimum, JWT with asymmetric signing and short-lived tokens, IP-based sliding window rate limiting, and an API key to access token flow. The operator API key never reaches the browser.
JWT · TLS 1.3 · rate limiting
A dedicated ingestion service continuously sources and maintains threat intelligence from open-source feeds, breach databases, and specialist threat intelligence providers — covering bad IPs, VPN IPs, TOR exit nodes, datacentre IP ranges, and bad ASNs. Multiple independent ingestion rules run continuously, each updating its own feed automatically.
OSINT + proprietary · continuously updated
Intelligence updates are delivered to your registered endpoint within 30 seconds of enrichment completion over TLS 1.3. Failed deliveries trigger automatic retry with three attempts and exponential backoff, with dead-letter logging for manual review. Subscription durations of 1, 30, 180, and 365 days are supported.
Webhook · 3× retry · exponential backoff
Obsidian’s deterministic graph intelligence provides the auditable foundation. The next phase layers machine learning on top — pattern detection across the cross-operator graph, anomaly scoring that improves with network scale, and predictive risk signals that surface emerging fraud typologies before they materialise. Graph-first, then AI-enhanced: explainability is never sacrificed for automation.
ML roadmap · graph + AI · explainable
Obsidian is a third-party platform processing your customer data. We expect to be scrutinised. Here is what you need to know before your security and legal teams ask.
Firesand holds ISO 27001 certification, extending to cover the Obsidian platform and its data processing operations. Independently audited annually.
Cyber Essentials Plus certification extends to Obsidian, demonstrating verified technical controls against common cyber attack vectors.
The Obsidian platform undergoes independent penetration testing on a defined schedule. Test reports are available to enterprise clients under NDA.
Built on serverless cloud infrastructure with multi-availability-zone deployment. No single point of failure in the critical enrichment path.
Operators are notified within 30 minutes of a confirmed platform incident, with status updates throughout resolution.
Legitimate Interest (Art. 6(1)(f) UK GDPR). The processing of customer data for cross-operator fraud prevention is analogous to the legal basis used by established financial-sector fraud consortia and credit reference agencies. A Legitimate Interest Assessment (LIA) has been conducted and is available to operators on request.
All data processed and stored in UK data centres by default. US operators may request US-region deployment. Session data is retained for 13 months. Intelligence graph data uses a rolling 5-year window. Encrypted at rest; TLS 1.3 in transit.
A Data Processing Agreement (DPA) is in place with all operators prior to go-live. Operators remain the data controller. Right to erasure requests are processed within 30 days. Full audit log of all signals raised against a customer record is available on request for regulatory or legal purposes.
Obsidian is designed to complement your existing fraud, KYC, and AML stack — not replace it. It provides the cross-operator intelligence layer that single-operator tools cannot offer. Integration is minimal friction, and a full sandbox environment is available from day one.
Add the Firesand script to your front-end. It fires on page load, collects browser and device telemetry, and establishes a session — either binding to your own session identifier or generating one automatically.
On account creation or onboarding, register the user account via the REST API with their email and/or username. You receive a User Account URI for all subsequent calls.
Associate the current session with the user account via a single API call. This triggers cross-entity enrichment across the intelligence graph.
Register your webhook endpoint to subscribe for intelligence updates. Initial intelligence is returned immediately; ongoing updates are pushed automatically as risk profiles evolve.
Full-featured test environment with sandbox API keys and synthetic data available to all clients from the start of integration.
OpenAPI specification and integration guide provided to all clients. Dedicated integration support available throughout onboarding.
Whether you need continuous monitoring for your full customer base or on-demand intelligence for specific investigations, Obsidian has a model that fits.
Continuous, real-time intelligence monitoring for your customer base. Includes webhook delivery, live graph enrichment, and ongoing signal updates for the subscription duration.
On-demand intelligence queries for specific user accounts or sessions. Ideal for investigations, onboarding checks, or supplementing an existing fraud stack with enriched graph intelligence.
Talk to the Firesand team. We'll walk you through a live demo using your environment, and answer your compliance and security questions directly.