Suspicious Activity & Server Health

The console continuously watches your telemetry for two kinds of trouble: players behaving impossibly (cheat detection) and servers behaving abnormally (health anomalies). Both surface in the Live Ops Console and can push you a notification — see On-call & Push. This is a Citadel Cloud feature.

Suspicious Activity (cheat detection)

Citadel scores players on humanly-impossible patterns over a rolling window and surfaces a ranked feed. Today's rules:

| Rule | Fires when |
| --- | --- |
| Impossible accuracy | Shot accuracy ≥ 80% over 100+ shots — not achievable without an aimbot. |
| High headshot ratio | Headshot ratio ≥ 60% over 50+ kills. |
| Long-range consistency | Mean kill distance ≥ 600m over 20+ kills. |

Each rule contributes to a 0–100 suspicion score. Thresholds are tuned to flag the impossible, not the merely skilled — and every flag is reviewed by you, never auto-actioned.

The review loop

For each flagged player you can:

  • Watch — keep an eye on them; they stay in the feed.
  • Dismiss — you've judged them clean; they won't be re-flagged.
  • Act — click through to kick or ban via the player action menu.

Your decisions are sticky — a dismissed player isn't re-flagged on the next scan — which also means they become labels that improve detection over time. A scan runs automatically every few minutes on connected servers, and you can trigger one on demand with Scan now.
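The sketch below is an added example, not Citadel's own code. It applies the three rules from the table with their minimum sample sizes, skips dismissed players, and ranks the rest. The per-rule weights, the `WindowStats` fields, the function names, and the reading of headshot ratio as headshots divided by kills are assumptions; the thresholds come from the table above.

```python
from dataclasses import dataclass

# Weights are an assumption; the page only says each rule feeds a 0-100 score.
WEIGHTS = {"impossible_accuracy": 40, "high_headshot_ratio": 30,
           "long_range_consistency": 30}

@dataclass
class WindowStats:  # hypothetical per-player totals for one rolling window
    player: str
    shots: int
    hits: int
    kills: int
    headshots: int  # assumed: kills that were headshots
    kill_distance_m: float  # sum of kill distances in metres

def fired_rules(s):
    """Apply the table's thresholds; a rule needs its minimum sample size."""
    fired = []
    # Multiplied-out comparisons avoid float rounding exactly at a threshold.
    if s.shots >= 100 and s.hits * 100 >= 80 * s.shots:
        fired.append("impossible_accuracy")
    if s.kills >= 50 and s.headshots * 100 >= 60 * s.kills:
        fired.append("high_headshot_ratio")
    if s.kills >= 20 and s.kill_distance_m >= 600 * s.kills:
        fired.append("long_range_consistency")
    return fired

def scan(window, dismissed):
    """Return the ranked feed; dismissed players are never re-flagged."""
    feed = []
    for s in window:
        if s.player in dismissed:
            continue
        rules = fired_rules(s)
        if rules:
            feed.append((s.player, sum(WEIGHTS[r] for r in rules), rules))
    return sorted(feed, key=lambda row: row[1], reverse=True)

# Constructed sample data, not real telemetry.
SAMPLE = [
    WindowStats("p_sniper", 300, 120, 25, 10, 16250.0),   # mean 650 m
    WindowStats("p_aim", 240, 204, 60, 40, 7200.0),       # 85% acc, 67% HS
    WindowStats("p_hot_streak", 90, 80, 30, 20, 4500.0),  # too few samples
    WindowStats("p_cleared", 240, 204, 60, 40, 7200.0),   # dismissed earlier
]

if __name__ == "__main__":
    for player, score, rules in scan(SAMPLE, dismissed={"p_cleared"}):
        print(f"{player:12} {score:3d}  {', '.join(rules)}")
```

`p_hot_streak` shows why the sample-size gates matter: 89% accuracy over 90 shots fires nothing, which keeps a short lucky run out of the feed.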

Line-of-sight / wall-bang detection is on the roadmap; it needs map elevation data Citadel doesn't yet collect.

Server Health (metric anomalies)

Citadel learns each server's baseline (mean ± standard deviation over the last 7 days) and flags statistically-significant deviations in the harmful direction:

  • Low FPS — recent FPS well below the 7-day norm (e.g. "20% below baseline").
  • AI / entity spikes — counts far above baseline, which often precede a crash.
  • Player drop — a sharp drop below baseline.
  • Restart loop — repeated uptime resets in a short window.

These appear as the Server Health panel in the console, and a critical anomaly can push the server owner a notification. Detection needs a few samples of history before it has a baseline to judge against.