Pillar 1 — Protect

Security Alerts.

Alerts are the fast-twitch nervous system of SHIELD. When something out of pattern happens — an unfamiliar login, a Trust Score drop, a KYB sanctions hit in monitoring, a consent revocation, a counterparty you have an open deal with losing verified status — an alert fires with full audit context and routes to whoever can act on it. Nothing is silently dismissed; every alert is resolved explicitly, and every resolution is retained.

Design principle
SHIELD alerts are audit-first. Every alert has a sender (the subsystem that raised it), a receiver (the user or role it was routed to), a severity, an evidence blob, and a resolution trail. You can always answer "who knew what, when, and what did they do about it?" — the question every post-incident review starts with.

The six alert categories

1. Access anomaly

Login from a country your org has never logged in from, login at an unusual hour for your session baseline, too many failed authentication attempts (≥5 in 10 minutes), or a session fingerprint change mid-session. Evidence blob includes source IP, ASN, geolocation, user-agent, and the baseline the anomaly was measured against.
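The four access-anomaly checks above, written out as detection logic over a constructed event stream. This is an added example for this page, not SHIELD's own code: the failed-authentication threshold (five in ten minutes) comes from the text, while the baseline shape (a set of known countries plus a set of normal login hours in UTC), the event fields, the alert record layout and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_AUTH_THRESHOLD = 5                 # from the page: >=5 failures ...
FAILED_AUTH_WINDOW = timedelta(minutes=10)  # ... within 10 minutes

# Constructed org baseline (assumed shape): countries the org has logged in
# from before, and the UTC hours at which its sessions normally start.
BASELINE = {"countries": {"US", "GB"}, "login_hours": set(range(7, 20))}


def _alert(kind, event, baseline, **extra):
    """Build an alert record carrying the evidence blob the page describes."""
    return {
        "category": "access_anomaly",
        "kind": kind,
        "user": event["user"],
        "raised_at": event["ts"].isoformat(),
        "evidence": {
            "source_ip": event["ip"],
            "asn": event["asn"],
            "geo": event["country"],
            "user_agent": event["user_agent"],
            "baseline": {"countries": sorted(baseline["countries"]),
                         "login_hours": sorted(baseline["login_hours"])},
            **extra,
        },
    }


def detect_access_anomalies(events, baseline=BASELINE):
    """Run the access-anomaly checks over auth events (any order; sorted here).

    Each event is a dict with: ts (datetime), event ("auth_failure", "login"
    or "request"), user, session, ip, asn, country, user_agent.
    """
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    session_fp = {}                 # session id -> user-agent seen at login

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = ev["ts"]
        if ev["event"] == "auth_failure":
            window = failures[ev["user"]]
            window.append(ts)
            while ts - window[0] > FAILED_AUTH_WINDOW:   # slide the 10-minute window
                window.popleft()
            if len(window) >= FAILED_AUTH_THRESHOLD:
                alerts.append(_alert("failed_auth_burst", ev, baseline,
                                     failures_in_window=len(window), window_minutes=10))
                window.clear()      # one alert per burst, not one per extra failure
        elif ev["event"] == "login":
            # The baseline is deliberately not extended here: a new country only
            # joins it once an admin resolves the alert as benign.
            if ev["country"] not in baseline["countries"]:
                alerts.append(_alert("new_country", ev, baseline))
            if ts.hour not in baseline["login_hours"]:
                alerts.append(_alert("unusual_hour", ev, baseline, login_hour_utc=ts.hour))
            session_fp[ev["session"]] = ev["user_agent"]
        elif ev["event"] == "request":
            seen = session_fp.get(ev["session"])
            if seen is not None and seen != ev["user_agent"]:
                alerts.append(_alert("session_fingerprint_change", ev, baseline,
                                     fingerprint_at_login=seen))
    return alerts


def _ev(minutes, event, **fields):
    """Constructed sample event, offset in minutes from 03:00 UTC on 2024-05-03."""
    base = {"user": "alice", "session": "s-1", "ip": "203.0.113.7", "asn": "AS64496",
            "country": "RO", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    base.update(fields)
    base.update(ts=datetime(2024, 5, 3, 3, 0) + timedelta(minutes=minutes), event=event)
    return base


# Constructed sample stream: one benign login the previous afternoon, then five
# failures in eight minutes, a 03:00 login from a never-seen country, and a
# request in that session whose user-agent no longer matches the login.
SAMPLE_EVENTS = [
    _ev(-780, "login", session="s-0", ip="198.51.100.4", asn="AS64500", country="US"),
    *[_ev(m, "auth_failure") for m in (0, 2, 4, 6, 8)],
    _ev(9, "login"),
    _ev(12, "request", user_agent="curl/8.4.0"),
]

if __name__ == "__main__":
    for a in detect_access_anomalies(SAMPLE_EVENTS):
        print(a["kind"], a["evidence"]["source_ip"], a["evidence"]["geo"])
```

The deque is cleared after a burst fires so that the sixth, seventh and eighth failures extend the incident rather than producing three more alerts; the baseline in every evidence blob is the one the anomaly was measured against, which is what a reviewer needs to judge whether the baseline itself was wrong.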

2. Trust Score drop

A 10+ point drop in a single day, any transition across a band boundary (e.g., 72 → 68 crosses from Trusted to Monitoring), or sustained downward drift of 20+ points over 30 days. Evidence includes the full sub-score decomposition before and after — so the recipient sees exactly which dimension moved.
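The three drop rules above, applied to a history of daily score snapshots with the sub-score decomposition carried into the evidence. This is an added example, not SHIELD's scoring code. The thresholds (10 points in a day, a band crossing, 20 points over 30 days) are the page's; the band table is an assumption (the page only shows that 72 to 68 crosses from Trusted into Monitoring, so a single boundary at 70 is modelled), "sustained" is read as "no recovery above the starting score inside the window", and the dimension names and snapshot values are constructed.

```python
from datetime import date, timedelta

DAILY_DROP_POINTS = 10             # 10+ points lost between consecutive daily snapshots
DRIFT_POINTS = 20                  # 20+ points lost across a 30-day window
DRIFT_WINDOW = timedelta(days=30)

# Band table (assumption): the page shows only that 72 -> 68 crosses from
# Trusted into Monitoring, so one boundary at 70 is modelled here.
# Entries are (inclusive lower bound, band name), highest first.
BANDS = [(70, "Trusted"), (0, "Monitoring")]


def band_for(score):
    for lower, name in BANDS:
        if score >= lower:
            return name
    raise ValueError(f"score {score} is below the lowest band")


def decompose(before, after):
    """Per-dimension before/after/delta, so the recipient sees which sub-score moved."""
    return {
        dim: {"before": before["sub_scores"][dim],
              "after": after["sub_scores"][dim],
              "delta": after["sub_scores"][dim] - before["sub_scores"][dim]}
        for dim in after["sub_scores"]
    }


def evaluate_trust_score(history):
    """Apply the three drop rules to snapshots {"date", "total", "sub_scores"}."""
    alerts = []
    snaps = sorted(history, key=lambda s: s["date"])
    for i in range(1, len(snaps)):
        prev, cur = snaps[i - 1], snaps[i]
        drop = prev["total"] - cur["total"]
        pair = {"before": prev["total"], "after": cur["total"],
                "decomposition": decompose(prev, cur)}

        # Rule 1: 10+ points lost between one day's snapshot and the next.
        if (cur["date"] - prev["date"]).days == 1 and drop >= DAILY_DROP_POINTS:
            alerts.append({"kind": "daily_drop", "date": cur["date"],
                           "evidence": {**pair, "drop": drop}})

        # Rule 2: any band boundary crossed, however small the move.
        from_band, to_band = band_for(prev["total"]), band_for(cur["total"])
        if from_band != to_band:
            alerts.append({"kind": "band_crossing", "date": cur["date"],
                           "evidence": {**pair, "from_band": from_band, "to_band": to_band}})

        # Rule 3: sustained drift. Compare with the most recent snapshot at least
        # 30 days old and require no recovery above that start in between
        # (the "no recovery" reading of "sustained" is an assumption).
        start = next((s for s in reversed(snaps[:i])
                      if cur["date"] - s["date"] >= DRIFT_WINDOW), None)
        if start is not None:
            window = [s for s in snaps if start["date"] <= s["date"] <= cur["date"]]
            drift = start["total"] - cur["total"]
            if drift >= DRIFT_POINTS and all(s["total"] <= start["total"] for s in window):
                alerts.append({"kind": "sustained_drift", "date": cur["date"],
                               "evidence": {"before": start["total"], "after": cur["total"],
                                            "since": start["date"], "drift": drift,
                                            "decomposition": decompose(start, cur)}})
    return alerts


def snapshot(y, m, d, kyb, payments, conduct):
    """Constructed snapshot; the three dimensions are made up for the example."""
    subs = {"kyb": kyb, "payments": payments, "conduct": conduct}
    return {"date": date(y, m, d), "total": sum(subs.values()), "sub_scores": subs}


SAMPLE_HISTORY = [
    snapshot(2024, 4, 1, 35, 30, 20),   # 85
    snapshot(2024, 4, 15, 35, 27, 18),  # 80
    snapshot(2024, 4, 30, 33, 22, 17),  # 72  still Trusted
    snapshot(2024, 5, 1, 33, 18, 17),   # 68  crosses into Monitoring on a 4-point move
    snapshot(2024, 5, 2, 33, 10, 13),   # 56  12 points in one day, 29 below 1 April
]

if __name__ == "__main__":
    for a in evaluate_trust_score(SAMPLE_HISTORY):
        print(a["date"], a["kind"], a["evidence"]["before"], "->", a["evidence"]["after"])
```

Note that the 72 to 68 move fires only the band rule (it is under ten points), while the next day's 12-point fall fires the daily rule and, measured against the 1 April snapshot, the drift rule as well; each alert's decomposition shows that it was the payments dimension that moved.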

3. KYB event

Sanctions hit found in nightly monitoring, PEP match, adverse media flag above severity threshold, or KYB expiring within 30 days. Sanctions hits at Critical severity automatically freeze the org pending review — the alert notifies admins but the platform has already acted.

4. Compliance gap

A mandatory consent revoked (which freezes the user's account), 2FA disabled on an admin account, retention policy left unset for more than 30 days post-onboarding, or the compliance export endpoint failing a scheduled health check. These are preventable misconfigurations; the alert text always includes the remediation action.

5. Partner signal

A counterparty you have an active pipeline deal with experiences a material event: their Trust Score drops, their KYB expires, they appear in an adverse Market Signal, or a key contact goes through a leadership transition. Partner alerts are routed to both the deal owner and the admin who approved the partnership.

6. Data export

Any bulk data export — compliance zip, messages archive, CCPA data export, directory CSV — triggers an informational alert for audit transparency. The actor is identified; if the export is unexpected relative to their role, escalation to admins happens automatically.

Severity levels and SLAs

Every alert has a severity. Severity drives routing and expected resolution time:

Critical
Immediate action required. Blocks related platform actions (matches, messaging) until resolved. Notifies all admins + (for partner signals) the counterparty admin. Banner on every app screen.
High
Resolve within 24 hours. Banner at top of SHIELD dashboard. Email to primary admin.
Medium
Resolve within 7 days. Listed in SHIELD alerts inbox.
Low / informational
Log-only. Visible when "all alerts" filter is active.

Resolution workflow

Every alert has a three-state lifecycle:

  1. Raised — the alert exists, unacknowledged. Counts against your SLA clock.
  2. Acknowledged — an admin has seen it and taken ownership. Acknowledgement stops the time-to-acknowledge clock; the resolution deadline set by the severity keeps running from the time the alert was raised.
  3. Resolved — the admin has documented what happened in a resolution note (minimum 20 characters). The alert is archived.

Resolutions are immutable: once an alert is marked resolved, its note cannot be edited. If a follow-up action shows the original resolution was wrong, do not try to reopen it. Resolve the original with a note that records what was known at the time (and says so, if the finding was provisional), then raise a new alert for the follow-up that references the original. This keeps the audit trail linear and honest.
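The lifecycle above as a small state machine: raise, acknowledge, resolve with a note of at least 20 characters, an append-only trail, a receipt clock that stops at acknowledgement, a resolution deadline that keeps running, and the follow-up pattern for correcting a resolution without editing it. This is an added example, not SHIELD's implementation. The deadlines come from the severity table (Critical is "immediate", modelled here as one hour, which is an assumption; Low is log-only and has none); requiring acknowledgement before resolution is also an assumption.

```python
from datetime import datetime, timedelta

MIN_NOTE_LEN = 20   # the page's minimum resolution-note length

# Resolution deadlines from the severity table. The one-hour figure for
# Critical ("immediate") is an assumption; Low is log-only, so no deadline.
RESOLUTION_SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=24),
    "medium": timedelta(days=7),
    "low": None,
}


class InvalidTransition(Exception):
    """A lifecycle step attempted out of order."""


class ResolutionIsImmutable(Exception):
    """Any attempt to change an alert that is already resolved."""


class Alert:
    """One alert: sender, receiver, severity, evidence and an append-only trail."""

    _next_id = 1

    def __init__(self, sender, receiver, severity, evidence, raised_at, follow_up_of=None):
        self.id, Alert._next_id = Alert._next_id, Alert._next_id + 1
        self.sender, self.receiver, self.severity = sender, receiver, severity
        self.evidence = evidence
        self.raised_at = raised_at
        self.follow_up_of = follow_up_of        # id of the alert this one corrects, if any
        self.state = "raised"
        self.acknowledged_at = self.resolved_at = self.resolution_note = None
        self.trail = [("raised", raised_at, sender)]   # (event, when, actor)

    @property
    def resolution_deadline(self):
        sla = RESOLUTION_SLA[self.severity]
        return None if sla is None else self.raised_at + sla

    def acknowledge(self, actor, at):
        if self.state != "raised":
            raise InvalidTransition(f"cannot acknowledge an alert in state {self.state}")
        self.state, self.acknowledged_at = "acknowledged", at
        self.trail.append(("acknowledged", at, actor))

    def resolve(self, actor, at, note):
        if self.state == "resolved":
            raise ResolutionIsImmutable(f"alert {self.id} is already resolved")
        if self.state != "acknowledged":        # ownership before resolution (assumed)
            raise InvalidTransition("acknowledge the alert before resolving it")
        if len(note.strip()) < MIN_NOTE_LEN:
            raise ValueError(f"resolution note must be at least {MIN_NOTE_LEN} characters")
        self.state, self.resolved_at, self.resolution_note = "resolved", at, note
        self.trail.append(("resolved", at, actor))

    def time_to_acknowledge(self):
        """Receipt latency; this clock stops at acknowledgement."""
        return None if self.acknowledged_at is None else self.acknowledged_at - self.raised_at

    def sla_breached(self, now):
        """The resolution clock runs from raise until resolution, ack or not."""
        deadline = self.resolution_deadline
        if deadline is None:
            return False
        return (self.resolved_at or now) > deadline


def follow_up(original, sender, receiver, severity, evidence, at):
    """Correct a wrong resolution without editing it: the original stays
    resolved as written and a new alert, linked to it, carries the follow-up."""
    if original.state != "resolved":
        raise InvalidTransition("resolve the original before raising a follow-up")
    return Alert(sender, receiver, severity, evidence, at, follow_up_of=original.id)


if __name__ == "__main__":
    a = Alert("trust_score", "admin", "high", {"before": 72, "after": 68},
              datetime(2024, 5, 1, 8, 0))
    a.acknowledge("alice", datetime(2024, 5, 1, 9, 30))
    a.resolve("alice", datetime(2024, 5, 1, 10, 0),
              "Payments sub-score fell after a disputed invoice; vendor confirmed.")
    f = follow_up(a, "trust_score", "admin", "medium",
                  {"note": "invoice dispute reopened"}, datetime(2024, 5, 2, 8, 0))
    print(a.trail, f.follow_up_of, a.sla_breached(datetime(2024, 5, 3)))
```

The two clocks are kept separate on purpose: time_to_acknowledge answers "how quickly did someone see it", while sla_breached answers "was it resolved inside the severity's window", and an acknowledged-but-forgotten High alert still breaches at 24 hours.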

Notification surfaces

Retention

Alerts are retained for seven years from resolution date for Enterprise plans and six years for Professional and Starter — long enough to cover FINRA Rule 4511 retention and BSA recordkeeping requirements. The alert inbox UI defaults to the last 90 days; older records are available through the compliance export.

Compliance
Alert raise, acknowledgement, investigation notes, and resolution are all logged with timestamp, actor, and IP under ComplianceLog. FINRA-, SEC-, and CCPA-relevant alerts additionally emit archival records to the SHIELD audit trail and appear in the compliance export.

API surface

GET /shield/alerts/
    Paginated active alerts with severity filter
GET /shield/alerts/stats/
    Counts by severity + status + time-to-resolve
POST /shield/alerts/<id>/resolve/
    Mark resolved with a required note (≥20 chars)

Inbox Zero for risk

Open SHIELD and clear your alerts queue.

The alerts inbox is the second screen in SHIELD. Start with Critical and work down — most queues clear in under 10 minutes per week once the baseline settles.
