Session anomaly detection — Haversine distance + credential-stuffing density
Two signals do most of the work for detecting compromised sessions: impossible travel between consecutive logins, and credential-stuffing density across an IP range. The Go implementation.