This section outlines how Bayesian Networks (BNs) are constructed for each alert typology (e.g., Insider Dealing, Spoofing) in Kor.ai. It includes network principles, file structure, node connections, CPT design, and test harnesses.

• Use causal reasoning from root causes → behaviors → risk outcome

• Reuse modular components across models via shared node library

• Ensure each model is explainable, testable, and API-compatible

• Support partial evidence input, non-linear propagation, and latent variables

Access to Info + Role Sensitivity + Negative News
→ Intent to Trade
→ Price Spike + High PnL
→ RiskNode (Insider Risk)

Algo Use + Desk Type
→ Quote Behavior + Cancel Rate
→ Price Move Before Fill
→ RiskNode (Spoofing Risk)

Each model is:

• Checked in Agena UI for CPT logic

• Validated via /validation/ test cases

• Compared against known case patterns

python run_test.py --model models/SpoofingModel.json --input payloads/spoofing_case_high.json

• Contributors to RiskNode are returned per inference

• Contributors are mapped (Qx → Label) in UI

• Each alert logs risk score, evidence, contributors, and rationale

1. Draft causal graph with input from SMEs

2. Identify nodes to reuse from components/

3. Define any new CPTs (manual or flat)

4. Save JSON to /models/

5. Create test payloads in /payloads/

6. Validate model via CLI or Agena

7. Attach to alerting pipeline with evidence map

• CPT templates for common logic (e.g., 2-of-3 cause effect)

• Graphical UI builder for SMEs

• Auto-learning from reviewed alerts (Phase 3)