Bayesian Changepoint Detection

Category: Modules
Last Updated: Apr 14, 2026

Overview

Intelligence analysis depends on spotting when an entity's behaviour fundamentally shifts. Traditional threshold alerting flags individual events but misses the underlying pattern change that makes a sequence of events significant. A person of interest who gradually increases contact frequency, an organisation that abruptly changes communication patterns, or a network node that shifts from passive to active at a specific moment in time -- these transitions are the signals that matter. Detecting them reliably, with quantified uncertainty, is what separates operational intelligence from noise.

The Bayesian Changepoint Detection module uses the BEAST algorithm (Bayesian Estimator of Abrupt change, Seasonality, and Trend) to analyse entity event time series and return full posterior probability distributions over changepoint timing and count. Unlike point-estimate methods that return a single candidate date, BEAST returns the probability that a structural break occurred at each point in time, along with credible intervals around each estimate. Analysts see not just where a change likely occurred, but how confident the model is and how wide the uncertainty band is.

Last Reviewed: 2026-04-14 Last Updated: 2026-04-14

Key Features

  • Full Posterior Distributions: Rather than a single changepoint date, BEAST returns a probability value for every point in the time series, showing the complete distribution of plausible changepoint locations. Analysts can see not just where the most probable change occurred but how sharp or diffuse the evidence is across the surrounding period.

  • Credible Interval Reporting: Each detected changepoint includes a credible interval in days, giving analysts a quantified range of uncertainty around the estimated change date. A narrow credible interval reflects high confidence in the timing; a wide interval indicates the model sees a gradual transition rather than an abrupt one.

  • Trend Direction Classification: In addition to changepoint detection, BEAST estimates the posterior trend slope, allowing the module to classify the entity's activity trajectory as INCREASING, DECREASING, or STABLE. This supports both point-in-time change detection and longer-horizon trajectory analysis.

  • Seasonality-Aware Modelling: The algorithm supports harmonic and dummy seasonality modes in addition to no seasonality, allowing the model to account for weekly or other cyclical patterns in event data before estimating structural breaks. This prevents seasonal fluctuations from being misclassified as behavioural changepoints.

  • HITL Integration: Changepoints with posterior probability above 0.7 are automatically routed to the human-in-the-loop review queue before being used to update an entity's behavioural profile. Changepoints with confidence above 90 percent are auto-approved. This threshold-based routing ensures high-confidence changes are actioned quickly while lower-confidence detections receive analyst verification.

  • Batch Analysis: The batch detection endpoint runs parallel analysis across multiple entity identifiers in a single request, supporting bulk re-evaluation of entity populations when new event data arrives.
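The posterior, credible interval and routing ideas above can be seen in a much simpler model than BEAST. The following is an added example, not the module's code: it assumes daily Poisson event counts with at most one changepoint and a Gamma(1, 1) rate prior, and it reads the 0.7 and 0.9 thresholds as "send to review" and "auto-approve" respectively. All function names and sample series are hypothetical.

```python
import math
from itertools import accumulate

# Simplified stand-in for BEAST: at most one changepoint, Poisson counts.
REVIEW_THRESHOLD = 0.7   # from the page: above this goes to HITL review
AUTO_APPROVE = 0.9       # from the page: above this is auto-approved (assumed reading)

def _seg(total, length, a=1.0, b=1.0):
    """Log evidence of a Poisson segment under a Gamma(a, b) rate prior
    (the sum of log y! terms is dropped: it is identical for every model)."""
    return (a * math.log(b) - math.lgamma(a) + math.lgamma(a + total)
            - (a + total) * math.log(b + length))

def changepoint_posterior(counts, ci=0.95):
    n, prefix = len(counts), [0] + list(accumulate(counts))
    # Log evidence for "rate changes after day tau", tau = 1 .. n-1.
    logs = [_seg(prefix[t], t) + _seg(prefix[n] - prefix[t], n - t)
            for t in range(1, n)]
    peak = max(logs)
    weights = [math.exp(v - peak) for v in logs]
    z = sum(weights)
    post = [w / z for w in weights]                 # P(tau | data, change exists)
    log_m1 = peak + math.log(z) - math.log(n - 1)   # uniform prior over tau
    log_m0 = _seg(prefix[n], n)                     # no-change model
    p_change = 1.0 / (1.0 + math.exp(log_m0 - log_m1))  # prior odds 1:1
    cdf = list(accumulate(post))
    lo = next(i for i, c in enumerate(cdf) if c >= (1 - ci) / 2) + 1
    hi = next(i for i, c in enumerate(cdf) if c >= (1 + ci) / 2) + 1
    tau = post.index(max(post)) + 1
    return {"p_change": p_change, "map_day": tau, "posterior": post,
            "ci_days": (lo, hi), "ci_width": hi - lo}

def route(p_change):
    if p_change > AUTO_APPROVE:
        return "auto_approved"
    if p_change > REVIEW_THRESHOLD:
        return "hitl_review"
    return "no_action"

# Constructed daily event counts: 20 quiet days, then 20 busier days.
SHIFTED = [2, 1, 3, 2, 2, 1, 2, 3, 1, 2, 2, 3, 1, 2, 2, 1, 3, 2, 2, 1,
           8, 7, 9, 6, 8, 10, 7, 8, 9, 7, 8, 6, 9, 8, 7, 10, 8, 7, 9, 8]
FLAT = [2, 1, 3, 2, 2, 1, 2, 3, 1, 2] * 4

if __name__ == "__main__":
    for name, series in (("shifted", SHIFTED), ("flat", FLAT)):
        r = changepoint_posterior(series)
        print(name, round(r["p_change"], 3), r["map_day"], r["ci_days"],
              route(r["p_change"]))
```

The flat series matters as much as the shifted one: the no-change model has to win there, otherwise ordinary day-to-day variation would flood the review queue.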

Use Cases

  • Behavioural Shift Detection: Identify when a monitored person or organisation abruptly changes the frequency, type, or pattern of their recorded events, indicating a possible change in intent or circumstance.
  • Threat Trajectory Assessment: Classify whether a target's activity level is increasing, decreasing, or stable over the analysis window, supporting early warning and prioritisation decisions.
  • Campaign Boundary Detection: Identify the start and end of operational periods in event data, demarcating when a coordinated activity pattern began and when it subsided.
  • Baseline Drift Monitoring: Detect gradual baseline shifts in communication or activity metrics that accumulate over weeks or months, which threshold-based alerting would miss entirely.

Integration

  • Entity Intelligence: Changepoint results feed directly into entity behavioural profiles, providing a temporal structure layer on top of event counts and relationship maps.
  • HITL Review Queue: High-confidence changepoints enter the human review queue for analyst confirmation before profile updates are applied.
  • Investigation Timeline: Detected changepoints surface as annotated markers on investigation timelines, providing structural anchors for analyst narratives.
  • Temporal Decay Scoring: The EWMA and Hawkes Process temporal decay module uses the BEAST-detected trend direction to calibrate decay rates for entities showing sustained activity changes.

Open Standards

  • ISO 8601: Defines date and time representations used for all event timestamps and changepoint interval reporting in the module's outputs.
  • STIX 2.1 (OASIS): Structured threat intelligence format used to serialise behavioural indicators and changepoint-derived threat signals for downstream intelligence consumers.
  • TAXII 2.1 (OASIS): Transport protocol for exchanging STIX bundles, enabling changepoint-derived intelligence to be shared across federated platforms.
  • OpenAPI 3.x: Industry-standard specification for the module's REST endpoints, covering both single-entity and batch detection interfaces.
  • W3C PROV-DM: Provenance data model standard used to record the analytical lineage of changepoint decisions, including human-in-the-loop review actions and profile update events.
