OPENID SSF · CAEP · RISC
Coming soon

Detect once. Protect everywhere. In milliseconds.

Sovio Sanket exchanges identity threat signals across organisational boundaries in real time. When one entity detects an account takeover, every other entity in the network acts on it automatically — using the OpenID Shared Signals Framework.

Console preview (sanket.sovio.id / stream, v1.2): active stream consortium.fraud.v1 (live); SECURE_EVENT_TOKEN evt-xyz789; event type account-takeover; delivered to 12 / 12 subscribers; SET signature ECDSA-P256, valid; jti urn:uuid:abc-123-def, tamper-evident.

Built on open standards — not proprietary protocols.

SSF defines the framework. CAEP covers access events. RISC covers risk events. SECURE_EVENT_TOKEN secures every signal. No vendor lock-in.

OpenID Shared Signals (SSF), CAEP · Continuous Access, RISC · Risk & Incident Sharing, SECURE_EVENT_TOKEN (SET), JWT · RFC 7519, Webhook Delivery, OAuth 2.0, ISO 27001, ISACs & Consortia

01 · The problem

The attacker is shared. The defence is not.

01
The silo problem
6–48 h average detection lag at the next organisation

Identity threats cross organisational boundaries. Defences do not.

When an attacker compromises an account at one bank, the same credential is immediately tested across every other bank, fintech and platform the user touches. The attack is cross-organisational by nature — but defences are siloed. Each org detects the same attacker independently, hours or days apart, while the attacker moves freely between targets.

02
Threat intel is wrong-shaped
0 IAM systems can automate on a static IOC feed

Existing threat intelligence was not designed for identity signals.

Traditional feeds share IPs, domains and file hashes — not identity events. They do not carry subjects, sessions or token references. They are built for SOC analysts, not for IAM systems that must block a login in real time. Identity threat signals need a different architecture: event-driven, subject-centric, machine-actionable.

How Sanket Works

An organisation detects an identity threat

Bank A's fraud system flags an account takeover — unusual login, new device, hostile IP. The signal is real, the subject is known.

Detection happens inside the publisher; Sanket starts at the next millisecond.

04 · End-to-end flow

One detection. Six seconds. Whole ecosystem protected.

  1. 00:00
    Bank A detects ATO
    Unusual login from new device and hostile IP. Fraud engine confirms account compromise.
  2. 00:01
    SET minted
    Event wrapped as SECURE_EVENT_TOKEN — subject, event type, timestamp, signed by Bank A.
  3. 00:02
    Published to stream
    POST /rest/events hands the SET to consortium.fraud.v1.
  4. 00:03
    Subscribers notified
    Bank B, Bank C and Fintech X receive the SET on authenticated webhook endpoints.
  5. 00:04
    Signature verified
    Each receiver verifies ECDSA-P256 against Bank A's public key. Freshness and subject confirmed.
  6. 00:05
    Automated response
    Sessions revoked, tokens invalidated, accounts challenged across the ecosystem.
  7. 00:06
    Attacker blocked everywhere
    Audit trail closed. Tamper-evident. Regulator-ready.
05 · Why this works at ecosystem scale

Six guarantees. Not policy — properties.

  1. Every signal is a signed SECURE_EVENT_TOKEN — verifiable by any subscriber.
  2. Streams support subject-level filtering and per-subscriber authorisation.
  3. Delivery is sub-second, authenticated and retried on failure.
  4. Response is automated — sessions, tokens and accounts act on signals natively.
  5. Built on open standards: OpenID SSF, CAEP, RISC. No proprietary lock-in.
  6. Issuance, delivery, verification and response are logged to an immutable audit trail.
06 · Standards & protocols

Built on open identity standards — end to end.

| Framework | Title | How Sanket applies it |
| --- | --- | --- |
| OpenID SSF | Shared Signals Framework | The publish/subscribe substrate for cross-organisational signal exchange. |
| CAEP | Continuous Access Evaluation | Session revocation, token invalidation, device change and other access events. |
| RISC | Risk & Incident Sharing | Account takeover, credential compromise and suspicious activity events. |
| SECURE_EVENT_TOKEN | Signed JWT envelope | Every signal is a signed SET — verifiable by any subscriber, no central authority. |
| Webhook Delivery | HTTPS · authenticated | Authenticated callbacks with guaranteed delivery and retries. |
| Audit & Reporting | Immutable ledger | Publish, deliver, verify and respond events logged for regulator reconciliation. |
| Extension Events | Ecosystem-defined | Custom events on top of CAEP/RISC for sector-specific signals. |

Threat signal exchange engineered for every regulated ecosystem.

08 · Technical depth

For security architects, IAM engineers and integration leads.

sanket · secure_event_token.json · CAEP · RISC
{
  "iss":  "https://bank-a.example",
  "jti":  "urn:uuid:abc-123-def",
  "iat":  1758103800,
  "events": {
    "https://schemas.openid.net/secevent/risc/event/type/account-takeover": {
      "subject": {
        "subject_type": "email",
        "email": "user@example.com"
      },
      "reported_timestamp": "2025-09-17T10:30:00Z"
    }
  }
}
// publish · POST /rest/events
stream = "consortium.fraud.v1";
ok = verify_set(token, issuer_pubkey);
if (ok && fresh(token)) → REVOKE sessions · CHALLENGE account
else → DROP (audit logged)
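
The receiver-side check sketched in the pseudocode above, as an added Node.js example (not Sovio's code): it pins ES256, verifies the signature before trusting any claim, then checks issuer, freshness, `jti` replay and the RISC event subject. The function names, the 300-second freshness window and the in-memory `jti` set are assumptions; the key pair is generated locally as constructed sample data.

```javascript
const crypto = require('node:crypto');

const ATO = 'https://schemas.openid.net/secevent/risc/event/type/account-takeover';
const b64u = (s) => Buffer.from(s).toString('base64url');

// Publisher side (constructed helper): sign header.payload as a compact ES256 JWS.
function mintSet(claims, privateKey, header = { alg: 'ES256', typ: 'secevent+jwt' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Receiver side: every failure path is a DROP with a reason for the audit log.
function handleSet(token, { issuer, publicKey, seenJti, now, maxAgeSec = 300 }) {
  const drop = (reason) => ({ action: 'DROP', reason });
  const [h, p, s, extra] = String(token).split('.');
  if (!h || !p || !s || extra !== undefined) return drop('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch (e) {
    return drop('malformed');
  }
  if (!header || typeof header !== 'object' || !claims || typeof claims !== 'object') return drop('malformed');
  // Pin the algorithm: never let the token choose how it is verified.
  if (header.alg !== 'ES256') return drop('alg');
  const sig = Buffer.from(s, 'base64url');
  const ok = sig.length === 64 && crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) return drop('signature');
  // Claims are trusted only after the signature check.
  if (claims.iss !== issuer) return drop('issuer');
  if (typeof claims.iat !== 'number' || Math.abs(now - claims.iat) > maxAgeSec) return drop('stale');
  if (typeof claims.jti !== 'string' || seenJti.has(claims.jti)) return drop('replay');
  const subject = claims.events && claims.events[ATO] && claims.events[ATO].subject;
  if (!subject) return drop('event');
  seenJti.add(claims.jti);
  return { action: 'REVOKE_AND_CHALLENGE', subject };
}

// Constructed sample: a locally generated "Bank A" key pair and the SET payload shown on this page.
const bankA = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleClaims = { iss: 'https://bank-a.example', jti: 'urn:uuid:abc-123-def', iat: 1758103800,
  events: { [ATO]: { subject: { subject_type: 'email', email: 'user@example.com' },
    reported_timestamp: '2025-09-17T10:30:00Z' } } };
const sampleToken = mintSet(sampleClaims, bankA.privateKey);
```

In production the `jti` cache needs to be shared across webhook workers and to expire entries no sooner than the freshness window, otherwise a replay can land on a worker that has not seen the token.
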

Delivery: < 1 s (sub-second to subscribers)
SET size: ≈ 1 KB (self-contained JWT)
Publishers: Any RE (bank · fintech · telco)
Events: CAEP · RISC (+ extension taxonomy)

Automated response orchestration

Configure downstream actions — session termination, token revocation, step-up auth, transaction blocking — per signal type, severity and organisational policy.

Sub-second delivery · Cryptographic SET verification · Consortium-governed · Interoperable by spec

DETECT · SHARE · RESPOND
Coming soon

See Sovio Sanket in your ecosystem.

Sovio Sanket is launching soon. Join the waitlist to get early access, launch updates and a direct line to our team for design-partner conversations.