RaidPulse — Real-Time Raid Detection for Reddit

RaidPulse detects coordinated raids before moderators notice — then protects your community automatically. Real-time threat intelligence with a live pulse on every attack, built natively on Devvit.

Comment

Inspiration

Large Reddit communities do not usually collapse all at once.

It starts with something small.

A normal thread becomes unusually aggressive. The same phrase begins appearing across unrelated comments. Accounts that have never interacted with the community suddenly arrive together. Reports accelerate faster than moderators can review them. By the time the moderation team realizes the subreddit is being targeted, the attack has already shaped the discussion.

That delay is the real failure point.

Most moderation systems on Reddit operate after damage has already happened. AutoModerator reacts to individual posts. Report queues grow only after users begin flagging content. Moderators are forced into cleanup mode while the attack is already spreading through the community.

What was missing was not another keyword filter.

What was missing was infrastructure capable of recognizing coordinated behavior while it was still forming.

RaidPulse started from a simple question:

What would moderation look like if subreddits were defended more like live systems under attack instead of forums waiting to be cleaned up afterward?

The project focuses on detecting behavioral coordination early enough that moderators can respond before communities become overwhelmed.

What It Does

RaidPulse is a real-time raid detection and automated protection system built entirely on Devvit.

Instead of evaluating isolated rule violations, the system continuously analyzes how activity patterns evolve across a subreddit in real time.

The detection engine monitors signals including:

  • sudden posting velocity changes relative to normal subreddit behavior
  • repeated hostile phrase patterns across unrelated accounts
  • abnormal surges of newly created accounts
  • concentrated first-time poster activity
  • clustered toxicity patterns
  • report spikes occurring faster than moderators can process them

No single signal is treated as evidence of a raid on its own.

That distinction became important very early in development. Viral posts, breaking news, or rapidly trending discussions can produce large traffic spikes naturally. Treating high activity alone as malicious would create constant false positives in active communities.

RaidPulse only escalates risk when multiple suspicious behaviors begin correlating within compressed time windows.

Each signal contributes to a live Community Health Score ranging from 0–100.

When the score falls below a configurable threshold, the system activates Protection Mode automatically.

Depending on moderator settings, that response can include:

  • temporarily restricting participation from newly created accounts
  • alerting moderators through ModMail
  • pinning a community warning thread
  • persisting a complete incident state for later review
  • increasing monitoring sensitivity during active attacks

One design decision mattered throughout the project:

The system explains why it believes a raid is happening.

Moderators operating under pressure should not have to reverse-engineer invisible scoring systems during an incident. Every escalation includes contextual reasoning tied directly to observed behavior.

For example:

“50 accounts under 30 days old became active within minutes while repeated hostile phrases appeared across unrelated threads.”

The goal is not replacing moderators.

The goal is surfacing coordinated threats early enough that moderators can regain control before communities destabilize.

What RaidPulse Pays Attention To

Detecting coordinated attacks is not as straightforward as identifying “bad” content.

Some of the hardest problems in moderation involve distinguishing malicious coordination from legitimate community activity.

A large gaming subreddit reacting to breaking news may suddenly receive thousands of comments from first-time users. Political communities often experience intense reporting spikes during controversial events. Meme phrases naturally repeat during viral moments.

Those patterns can resemble raids even when they are completely organic.

RaidPulse tries not to collapse those situations into the same category.

The system does not treat toxicity alone as sufficient evidence. It does not lock communities because of isolated spikes. It does not assume all new accounts are malicious.

Instead, it evaluates whether multiple independent behaviors begin escalating together in ways that resemble coordinated disruption rather than normal community growth.

The project also intentionally stops at defensive moderation infrastructure rather than autonomous enforcement.

RaidPulse can:

  • surface suspicious coordination
  • activate temporary protections
  • preserve incident evidence
  • reduce moderator response time

It does not:

  • permanently ban users autonomously
  • replace moderator judgment
  • decide community policy
  • classify intent with certainty

That boundary mattered architecturally.

A moderation system aggressive enough to stop every possible raid would also harm legitimate participation. The project tries to reduce operational pressure on moderators without removing human control from the moderation process itself.

How We Built It

RaidPulse is built with:

  • Devvit
  • TypeScript
  • Hono
  • Redis-backed KV storage
  • React-based WebView UI

The architecture is fully event-driven.

Every PostSubmit, CommentSubmit, PostReport, CommentReport, PostDelete, and moderation event feeds directly into the detection pipeline in real time.

One of the largest engineering constraints was maintaining stable trigger performance during high-volume attack bursts.

Early versions performed synchronous metadata enrichment during ingestion. Under simulated raid conditions, hundreds of events arriving simultaneously created execution bottlenecks that risked slowing trigger processing itself.

The final pipeline was split into two phases:

  1. immediate lightweight event ingestion
  2. asynchronous metadata enrichment and correlation

That separation allowed ingestion to remain stable even during rapid attack simulations.

The detection engine uses rolling adaptive baselines rather than fixed moderation thresholds.

This became necessary because subreddit behavior varies dramatically across Reddit. A posting spike that is normal inside a massive sports community may indicate severe disruption inside a smaller niche subreddit.

Static thresholds consistently failed across different traffic scales.

The frontend was designed specifically around operational clarity during stressful moderation events.

The dashboard includes:

  • live threat-state visualization
  • incident replay timelines
  • phrase repetition tracking
  • account-age distribution analysis
  • moderator response guidance
  • persistent incident history
  • configurable protection sensitivity controls

The interface also changes state visually during escalation.

Healthy communities remain visually neutral. Active attacks shift the dashboard into alert mode. Once automated protection activates, the system transitions again into containment state so moderators can understand subreddit status immediately without needing to interpret raw metrics first.

Challenges We Ran Into

Distinguishing raids from legitimate viral activity

This became the hardest problem in the project.

Large traffic spikes are not inherently malicious. Viral content can produce many of the same surface-level behaviors as coordinated attacks.

Early versions produced far too many false positives because activity volume alone was weighted too heavily.

The solution was moving toward correlated behavioral escalation rather than isolated thresholds. Risk only rises meaningfully when multiple independent signals begin aligning within short time windows.

That dramatically improved detection reliability during testing.

Real-time performance under burst load

Raid behavior is extremely bursty.

Hundreds of comments, reports, and moderation events can arrive within seconds during coordinated attacks. Synchronous enrichment pipelines quickly became unstable under stress.

Separating ingestion from enrichment turned the detection system into a non-blocking pipeline and significantly improved operational stability.

Designing for moderators under pressure

Moderation dashboards become unusable surprisingly quickly once too much information appears simultaneously.

Several interface iterations failed because they optimized for data density rather than fast comprehension.

The final design prioritizes immediate situational awareness first and deep inspection second.

Moderators should understand the state of the community within seconds of opening the dashboard.

Accomplishments We’re Proud Of

Detection before manual intervention

During raid simulations, RaidPulse consistently detected coordinated attack patterns and activated protection workflows before moderators manually intervened.

One stress test included:

  • 230+ coordinated posts and comments
  • 50 attacking accounts
  • simultaneous report spikes
  • repeated hostile phrase propagation

The system detected, classified, explained, and responded to the incident in under 30 seconds.

Adaptive detection instead of hardcoded rules

One of the strongest parts of the project became the adaptive baseline system.

Instead of requiring moderators to tune dozens of static thresholds manually, RaidPulse continuously learns what “normal” activity looks like for each individual community.

That reduced configuration complexity substantially.

Explainable escalation

Moderation systems become difficult to trust when they behave like black boxes.

The explanation layer ended up mattering as much as the detection itself. Moderators consistently responded better to alerts that included operational reasoning instead of opaque risk scores.

Reliability-focused architecture

A large amount of engineering time went into operational stability rather than visible features.

That included:

  • non-blocking ingestion
  • Redis recovery handling
  • typed API contracts
  • fetch deduplication
  • incident persistence
  • state-safe dashboard synchronization

The goal was building something capable of surviving sustained attack bursts without manual babysitting.

What We Learned

Building RaidPulse changed how we thought about moderation systems entirely.

At scale, coordinated disruption behaves much closer to security engineering than traditional content moderation.

The difficult part is not identifying individual bad comments.

The difficult part is recognizing coordinated behavioral shifts early enough that moderators still have time to respond before communities lose control of the conversation.

We also learned that explainability matters just as much as detection accuracy.

Moderators are unlikely to trust systems that silently intervene without context, especially during stressful incidents. Clear operational reasoning became essential to making automated protection feel usable rather than intrusive.

Perhaps the biggest lesson was realizing how much moderation tooling still operates reactively.

Most systems clean up damage after communities have already absorbed it.

RaidPulse explores what moderation infrastructure looks like when the priority shifts toward early detection and containment instead.

What’s Next

The current version focuses on detecting coordinated attacks inside individual subreddits.

The next step is identifying where those attacks originate before they fully arrive.

Future work includes:

  • cross-community behavioral correlation
  • configurable automated response playbooks
  • long-term threat trend analysis
  • expanded incident replay tooling
  • cross-subreddit threat intelligence systems

Long term, the goal is not building another moderation bot.

The goal is building defensive infrastructure that helps communities remain stable during coordinated disruption events without forcing moderators into permanent reactive cleanup.

Built With

Share this project:

Updates