Welcome to Sentinel

Sentinel protects program integrity by identifying fraudulent submissions while maintaining low false-positive rates for legitimate applicants. Define fraud vectors, run batch analysis, and ensure benefits reach the people who need them.
As generative AI makes fake documents increasingly realistic, benefit programs need sophisticated fraud detection that goes beyond document verification. Sentinel analyzes patterns across 450,000+ applications to identify coordinated fraud attempts, synthetic identities, and suspicious behaviors—without creating barriers for legitimate applicants from marginalized communities.

What Sentinel Does

Sentinel is a fraud analysis platform with four core capabilities:

Batch Upload

Upload submission data from Airtable, Terra, or other sources. Process thousands of applications in a single batch.

Fraud Vectors

Define heuristics and detection rules. Geographic clustering, IP analysis, bank verification, duplicate detection, and more.

Automated Workflows

Turn fraud vectors into automated pipelines that run on every batch. Flag suspicious submissions for human review.

Results Export

Export flagged submissions to Airtable for case management review. Sync fraud findings back to Hub.

Who Uses Sentinel

Primary Users: Fraud Analysis Team
  • David (CEO): Defines fraud vectors, reviews patterns
  • Brian (Director of Systems Integration): Builds automated workflows
  • May (Engineer): Implements detection algorithms
Workflow:
  1. Upload batch of submissions (from Airtable or Terra)
  2. Run fraud vector analysis
  3. Review flagged submissions
  4. Export results to new Airtable base
  5. Case managers review and make final decisions

Fraud Vectors

Sentinel supports multiple types of fraud detection:

Geographic Analysis

| Vector | Description | Example |
| --- | --- | --- |
| Geo Clustering | Multiple applications from same location | 50 applications from single IP address |
| Address Verification | Address doesn’t match other data | Rental assistance for non-existent address |
| Distance Analysis | Employer/bank far from residence | Bank in different state than home address |
| Jurisdiction Mismatch | Applicant outside program area | Seattle program, Portland address |

Identity Analysis

| Vector | Description | Example |
| --- | --- | --- |
| Duplicate Detection | Same person, multiple applications | SSN used across 3 programs |
| Synthetic Identity | Fabricated identity markers | SSN/DOB combination doesn’t exist |
| Identity Velocity | New identity, high activity | SSN first seen, 10 applications in 1 week |
| Name Variations | Suspicious name changes | “John Smith” → “Jon Smyth” → “Jonathan Smith” |

Document Analysis

| Vector | Description | Example |
| --- | --- | --- |
| Template Detection | Documents from same template | 20 paystubs with identical formatting |
| Metadata Analysis | Document creation patterns | PDF created 5 minutes before submission |
| Inconsistency Flags | Data doesn’t match across documents | Paystub income ≠ tax return income |
| Known Fraudulent | Previously flagged documents | Document hash matches known fraud |

Behavioral Analysis

| Vector | Description | Example |
| --- | --- | --- |
| Submission Velocity | Rapid-fire applications | 10 applications in 5 minutes |
| Time Patterns | Unusual submission times | All applications at 3am |
| Device Fingerprint | Same device, multiple identities | One browser, 50 different people |
| Referral Patterns | Coordinated referral abuse | All applications from same referrer |

Financial Analysis

| Vector | Description | Example |
| --- | --- | --- |
| Bank Verification | Bank account doesn’t verify | Account closed or doesn’t exist |
| Fraudulent Banks | Known problematic institutions | Banks frequently used in fraud rings |
| Income Inconsistency | Claimed income vs. verified | Claims $2k/month, deposits show $500 |
| Payment Velocity | Multiple payments to same account | 5 different applicants, same bank account |

Workflow Architecture


Risk Scoring Model

Each submission receives a risk score (0-100) based on weighted fraud vectors:
interface RiskAssessment {
  submissionId: string;
  overallScore: number; // 0-100

  vectorScores: {
    geographic: number;
    identity: number;
    document: number;
    behavioral: number;
    financial: number;
  };

  flags: FraudFlag[];
  confidence: number;
  reviewRequired: boolean;
}

interface FraudFlag {
  vector: string;
  severity: 'low' | 'medium' | 'high' | 'critical';
  description: string;
  evidence: any;
  falsePositiveLikelihood: number;
}

Scoring Thresholds

| Score Range | Action | False Positive Target |
| --- | --- | --- |
| 0-30 | Auto-approve (no fraud indicators) | N/A |
| 31-50 | Low priority review | <5% |
| 51-70 | Standard review required | <10% |
| 71-85 | High priority review | <15% |
| 86-100 | Critical review + escalation | <20% |
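
The score bands above, combined with per-category weights, as an added example (not Sentinel's own code). The weighted-average formula, the function names and the handling of fractional scores are assumptions; the page only states that scores are weighted and range from 0 to 100.

```typescript
// Added example: category names and score bands come from the page;
// the weighted-average formula and any weights passed in are assumptions.
type Category = "geographic" | "identity" | "document" | "behavioral" | "financial";
type VectorScores = Record<Category, number>;
type Action = "auto-approve" | "low" | "standard" | "high" | "critical";

// Inclusive upper bound of each band in the Scoring Thresholds table.
const BANDS: Array<[number, Action]> = [
  [30, "auto-approve"],
  [50, "low"],
  [70, "standard"],
  [85, "high"],
  [100, "critical"],
];

function overallScore(scores: VectorScores, weights: VectorScores): number {
  let weighted = 0;
  let totalWeight = 0;
  for (const c of Object.keys(scores) as Category[]) {
    const s = scores[c];
    const w = weights[c];
    if (!Number.isFinite(s) || s < 0 || s > 100) throw new RangeError(`${c} score out of range`);
    if (!Number.isFinite(w) || w < 0) throw new RangeError(`${c} weight invalid`);
    weighted += s * w;
    totalWeight += w;
  }
  if (totalWeight === 0) throw new RangeError("all weights are zero");
  return Math.round((weighted / totalWeight) * 100) / 100; // two decimals, like DECIMAL(5,2)
}

// overall_score is stored with two decimals, so 30.5 can occur and falls between
// the table's integer bands. Comparing against upper bounds routes it to review.
function actionFor(score: number): Action {
  if (!Number.isFinite(score) || score < 0 || score > 100) throw new RangeError("score out of range");
  for (const [upper, action] of BANDS) {
    if (score <= upper) return action;
  }
  return "critical"; // not reached: 100 is the last upper bound
}

// Every band above auto-approve ends in a human review, never an automatic denial.
function reviewRequired(score: number): boolean {
  return actionFor(score) !== "auto-approve";
}
```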

Human in the Loop

Sentinel flags submissions for review—it does not auto-deny. Every high-stakes decision requires human review.

Path to Redemption

Someone flagged for fraud should not be permanently barred:
  1. Program-Specific Flags: Fraud flags are scoped to the program where detected
  2. Time-Limited: Flags expire after configurable period (default: 1 year)
  3. Appeal Process: Applicants can submit additional documentation
  4. Human Override: Case managers can clear flags with justification
  5. Cross-Program: Only confirmed fraud (human-verified) affects other programs

Bias Mitigation

Legitimate applicants from marginalized communities may exhibit patterns that models incorrectly flag:

| Pattern | Why It Happens | Mitigation |
| --- | --- | --- |
| Frequent address changes | Housing instability | Weight address history less for housing programs |
| Non-standard employment | Gig economy, seasonal work | Accept alternative income documentation |
| Shared bank accounts | Multi-generational households | Allow multiple applicants per account |
| No traditional ID | Undocumented, homeless | Accept alternative identity verification |

Regular audits analyze false-positive rates by demographic group to identify and correct bias.

Data Model

Core Tables

-- Batch uploads for analysis
CREATE TABLE sentinel_batches (
  id UUID PRIMARY KEY,
  name TEXT NOT NULL,
  source TEXT NOT NULL, -- 'airtable', 'terra', 'csv'
  source_config JSONB,
  status TEXT DEFAULT 'pending', -- pending, processing, complete, failed
  record_count INTEGER,
  flagged_count INTEGER,
  created_by UUID REFERENCES users,
  created_at TIMESTAMPTZ DEFAULT NOW(),
  completed_at TIMESTAMPTZ
);

-- Individual records in a batch
CREATE TABLE sentinel_records (
  id UUID PRIMARY KEY,
  batch_id UUID REFERENCES sentinel_batches,
  external_id TEXT, -- Airtable record ID, submission ID, etc.
  submission_id UUID REFERENCES submissions,
  applicant_id UUID REFERENCES applicants,
  raw_data JSONB NOT NULL,
  normalized_data JSONB,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

-- Risk assessments per record
CREATE TABLE sentinel_assessments (
  id UUID PRIMARY KEY,
  record_id UUID REFERENCES sentinel_records,
  overall_score DECIMAL(5,2),
  vector_scores JSONB,
  flags JSONB,
  confidence DECIMAL(3,2),
  review_required BOOLEAN DEFAULT FALSE,
  reviewed_by UUID REFERENCES users,
  reviewed_at TIMESTAMPTZ,
  review_decision TEXT, -- 'cleared', 'confirmed_fraud', 'needs_info'
  review_notes TEXT,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

-- Fraud vector definitions
CREATE TABLE sentinel_vectors (
  id UUID PRIMARY KEY,
  name TEXT NOT NULL,
  category TEXT NOT NULL, -- geographic, identity, document, behavioral, financial
  description TEXT,
  config JSONB NOT NULL, -- Vector-specific configuration
  weight DECIMAL(3,2) DEFAULT 1.0,
  enabled BOOLEAN DEFAULT TRUE,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

-- Automated workflow definitions
CREATE TABLE sentinel_workflows (
  id UUID PRIMARY KEY,
  name TEXT NOT NULL,
  trigger TEXT NOT NULL, -- 'batch_upload', 'scheduled', 'manual'
  vectors UUID[] NOT NULL, -- Array of vector IDs to run
  output_config JSONB, -- Where to send results
  enabled BOOLEAN DEFAULT TRUE,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

-- Known fraudulent data points
CREATE TABLE sentinel_blocklist (
  id UUID PRIMARY KEY,
  type TEXT NOT NULL, -- 'ssn', 'bank_account', 'address', 'ip', 'device_id', 'document_hash'
  value_hash TEXT NOT NULL, -- Hashed for privacy
  reason TEXT,
  confirmed_by UUID REFERENCES users,
  expires_at TIMESTAMPTZ,
  created_at TIMESTAMPTZ DEFAULT NOW()
);
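
How a `value_hash` lookup against `sentinel_blocklist` could work, including the `expires_at` check that backs time-limited flags, as an added example (not Sentinel's own code). The HMAC construction, the normalization rules, the function names and the key handling are assumptions; the schema only says the value is hashed for privacy.

```typescript
import { createHmac } from "crypto";

// Added example: type names follow the sentinel_blocklist comment; the HMAC
// construction, normalization rules and key handling are assumptions.
type BlockType = "ssn" | "bank_account" | "address" | "ip" | "device_id" | "document_hash";

interface BlocklistRow {
  type: BlockType;
  valueHash: string;
  expiresAt: Date | null; // null = no expiry set
}

// Canonicalize before hashing so "123-45-6789" and "123 45 6789" produce one hash.
function normalize(type: BlockType, raw: string): string {
  const v = raw.trim().toLowerCase();
  if (type === "ssn" || type === "bank_account") return v.replace(/[^0-9]/g, "");
  return v.replace(/\s+/g, " ");
}

// An SSN has only 10^9 possible values, so an unkeyed SHA-256 of it can be
// reversed by enumeration. HMAC with a secret key stored outside the database
// keeps a leaked table from being mapped back to identifiers.
function valueHash(key: string, type: BlockType, raw: string): string {
  // Binding the type into the MAC input stops a hash from matching across types.
  return createHmac("sha256", key).update(`${type}:${normalize(type, raw)}`).digest("hex");
}

function isBlocked(rows: BlocklistRow[], key: string, type: BlockType, raw: string, now: Date): boolean {
  const h = valueHash(key, type, raw);
  return rows.some(
    (r) => r.type === type && r.valueHash === h && (r.expiresAt === null || r.expiresAt.getTime() > now.getTime())
  );
}

// Constructed data: a demo key and an SSN from the never-issued 000 area range.
const DEMO_KEY = "constructed-demo-key-not-a-real-secret";
const DEMO_ROWS: BlocklistRow[] = [
  { type: "ssn", valueHash: valueHash(DEMO_KEY, "ssn", "000-12-3456"), expiresAt: new Date("2025-12-01T00:00:00Z") },
];
```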

UI Wireframe

Batch Analysis Dashboard

┌─────────────────────────────────────────────────────────────────┐
│  Sentinel                                 [User] [Settings]     │
├──────────────┬──────────────────────────────────────────────────┤
│              │                                                  │
│  Batches     │  ERA December 2024                              │
│  ──────────  │  ═══════════════════                            │
│              │                                                  │
│  > Dec 2024  │  Records: 2,847    Flagged: 127 (4.5%)          │
│    Nov 2024  │  Status: Complete  Reviewed: 89/127             │
│    Oct 2024  │                                                  │
│              │  ┌────────────────────────────────────────┐     │
│  ──────────  │  │  Risk Distribution                     │     │
│  Vectors     │  │  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░  0-30: 2,450    │     │
│  Workflows   │  │  ▓▓▓░░░░░░░░░░░░░░░░░  31-50: 180     │     │
│  Blocklist   │  │  ▓▓░░░░░░░░░░░░░░░░░░  51-70: 127     │     │
│              │  │  ▓░░░░░░░░░░░░░░░░░░░  71-85: 67      │     │
│  ──────────  │  │  ░░░░░░░░░░░░░░░░░░░░  86+: 23        │     │
│  + Upload    │  └────────────────────────────────────────┘     │
│              │                                                  │
│              │  Flagged Records (Pending Review)               │
│              │  ─────────────────────────────                  │
│              │  ┌──────────────────────────────────────────┐  │
│              │  │ [!] Score: 87  John D*** - IP cluster     │  │
│              │  │ [!] Score: 82  Maria S*** - Doc template  │  │
│              │  │ [!] Score: 79  Robert J*** - Bank verify  │  │
│              │  └──────────────────────────────────────────┘  │
│              │                                                  │
│              │  [Export to Airtable]  [Generate Report]        │
└──────────────┴──────────────────────────────────────────────────┘

Vector Configuration

┌─────────────────────────────────────────────────────────────────┐
│  Fraud Vectors                            [+ New Vector]        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  Geographic Vectors                                             │
│  ══════════════════                                            │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │  [✓] IP Clustering                          Weight: 1.2  │   │
│  │      Flag when >5 submissions from same IP in 24hr      │   │
│  │      Threshold: 5 | Window: 24hr | Severity: High       │   │
│  │                                           [Edit] [Test]  │   │
│  ├─────────────────────────────────────────────────────────┤   │
│  │  [✓] Address Verification                   Weight: 1.0  │   │
│  │      Verify address exists via SmartyStreets            │   │
│  │      Fail action: Flag | Severity: Medium               │   │
│  │                                           [Edit] [Test]  │   │
│  ├─────────────────────────────────────────────────────────┤   │
│  │  [ ] Distance Analysis                      Weight: 0.8  │   │
│  │      Flag when employer >100mi from residence           │   │
│  │      Threshold: 100mi | Severity: Low                   │   │
│  │                                           [Edit] [Test]  │   │
│  └─────────────────────────────────────────────────────────┘   │
│                                                                 │
│  Identity Vectors                                               │
│  ════════════════                                              │
│  ...                                                           │
└─────────────────────────────────────────────────────────────────┘
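
The IP Clustering rule from the wireframe above (flag when more than 5 submissions share an IP within 24 hours), written as a sliding-window check over a batch. This is an added example, not Sentinel's implementation; the record field names, function name and sample data are assumptions.

```typescript
// Added example: threshold and window mirror the "IP Clustering" card above;
// field names are assumptions, not Sentinel's schema.
interface Submission {
  id: string;
  ip: string;
  submittedAt: string; // ISO 8601 timestamp
}

interface ClusterFlag {
  ip: string;
  submissionIds: string[];
}

function findIpClusters(records: Submission[], threshold = 5, windowHours = 24): ClusterFlag[] {
  const windowMs = windowHours * 60 * 60 * 1000;
  const byIp = new Map<string, { id: string; t: number }[]>();
  for (const r of records) {
    const t = Date.parse(r.submittedAt);
    if (Number.isNaN(t)) continue; // unparseable timestamp: a data-quality issue, not a fraud signal
    const list = byIp.get(r.ip) ?? [];
    list.push({ id: r.id, t });
    byIp.set(r.ip, list);
  }
  const flags: ClusterFlag[] = [];
  byIp.forEach((list, ip) => {
    list.sort((a, b) => a.t - b.t);
    const hit = new Set<string>();
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      // Advance the left edge until the window spans at most windowMs.
      while (list[end].t - list[start].t > windowMs) start++;
      if (end - start + 1 > threshold) {
        for (let i = start; i <= end; i++) hit.add(list[i].id);
      }
    }
    if (hit.size > 0) flags.push({ ip, submissionIds: Array.from(hit) });
  });
  return flags;
}

// Constructed sample: six submissions from 203.0.113.7 inside one day,
// six from 198.51.100.9 spread over six days, and one unrelated record.
const SAMPLE: Submission[] = [
  ...[0, 1, 2, 3, 4, 5].map((h) => ({ id: `a${h}`, ip: "203.0.113.7", submittedAt: `2024-12-01T0${h}:00:00Z` })),
  ...[1, 2, 3, 4, 5, 6].map((d) => ({ id: `b${d}`, ip: "198.51.100.9", submittedAt: `2024-12-0${d}T12:00:00Z` })),
  { id: "c0", ip: "192.0.2.44", submittedAt: "2024-12-01T09:30:00Z" },
];
```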

Integration Points

Airtable Integration

Input: Export CSV from Airtable → Upload to Sentinel
Output: Export flagged records → New Airtable base for review
// Export format for Airtable
interface AirtableExport {
  recordId: string;
  submissionId: string;
  applicantName: string; // Redacted
  riskScore: number;
  flags: string[]; // Human-readable flag descriptions
  reviewPriority: 'low' | 'standard' | 'high' | 'critical';
  reviewLink: string; // Link back to Sentinel for details
}

Hub Integration

Fraud assessments sync to Hub for unified applicant view:
// Sync to Hub
await syncFraudAssessment({
  applicantId: assessment.applicantId,
  programId: batch.programId,
  riskScore: assessment.overallScore,
  flags: assessment.flags,
  status: assessment.reviewDecision,
});

Terra Integration

Read submissions directly from Terra for analysis:
// Query Terra submissions
const submissions = await getSubmissions({
  formId: 'era-2024',
  dateRange: { start: '2024-12-01', end: '2024-12-31' },
  status: ['submitted', 'under_review'],
});

// Create batch for analysis
const batch = await createBatch({
  name: 'ERA December 2024',
  source: 'terra',
  submissions,
});

Implementation Phases

Phase 1: Batch Upload + Basic Vectors

  • CSV upload from Airtable
  • Data normalization pipeline
  • IP clustering detection
  • Duplicate detection (SSN, email)
  • Basic risk scoring
  • Export to Airtable

Phase 2: Advanced Vectors

  • Document analysis (template detection, metadata)
  • Bank verification integration
  • Geographic analysis
  • Behavioral patterns

Phase 3: Automated Workflows

  • Scheduled batch processing
  • Terra direct integration
  • Hub sync
  • Configurable alert thresholds
