Veriloop scores every login, API call, payment, and admin action against a behavioral model that is private to your workspace — and gets sharper every time your team labels an event. No external AI APIs, no shared models, no data leaving your tenant boundary.
{
"userId": "u_8821",
"ip": "185.220.101.7",
"deviceId": "d_a1f0",
"action": "login"
}{
"riskScore": 78,
"decision": "STEP_UP_AUTH",
"confidence": 88,
"reasonSignals": [
"tor_suspected",
"new_device",
"off_hours_user",
"sequence_anomaly"
]
}Every response carries the signals that fired — and feedback flows straight back into them.
Most security tools are rule engines wearing AI hats. Veriloop is the opposite: a small, transparent core whose weights are mutated only by events that actually happened inside your environment. Nothing is hardcoded as intelligence.
Read the full model →One IP, many usernames, all login. We count distinct identities per IP in a 10-minute window and surface credential_stuffing.
Same user, two countries, ninety seconds apart. Profile remembers the last IP prefix and timestamp per user.
Known exit-node prefix lists, separated so Tor weighs heavier than consumer VPNs. Tunable per workspace.
Same device, same action, sub-second apart. Caught before they hit your DB.
A first-time payment from an account that has never done anything but login? The per-user Markov table notices.
Three devices in an hour, four IPs, a bot-like User-Agent — all stacked into a single high-confidence score.
A single HTTPS POST is enough. Block on BLOCK, challenge on STEP_UP_AUTH, queue on REVIEW, pass on ALLOW.
app.use(async (req, res, next) => {
const r = await fetch("https://YOUR-APP/api/public/v1/evaluate", {
method: "POST",
headers: {
Authorization: `Bearer ${process.env.VERILOOP_KEY}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
userId: req.user?.id,
ip: req.ip,
deviceId: req.headers["x-device-id"],
action: "api_call",
userAgent: req.headers["user-agent"],
}),
}).then(r => r.json());
if (r.decision === "BLOCK") return res.status(403).end();
if (r.decision === "STEP_UP_AUTH") return res.redirect("/verify-2fa");
next();
});Every workspace has its own weight vector and behavior profiles. Your labels never train someone else's model.
Every decision returns the signals that fired and their intensities. No black box, no vendor mystique.
The model version auto-bumps as feedback accumulates. Your detection accuracy compounds with usage.
| Generic WAF | CAPTCHA vendor | Veriloop | |
|---|---|---|---|
| Learns from your traffic | Static rules | Global model | Per-workspace |
| Blocks credential stuffing | IP rate limits | Prompt user | Signal + feedback loop |
| Bot proof without UX friction | — | Puzzles / audio | Invisible PoW |
| Explains every decision | Rule id | Score only | Signals + contributions |
| Model updates without redeploy | No | Vendor-owned | Auto per workspace |
| Data leaves your tenant | Depends | Yes | No |
No. Every signal, weight, and decision is computed in your workspace. There is no third-party inference in the request path.
Under 40ms p95 in production. All work is in-process — one Supabase RPC + local scoring.
Hit 'False positive' in Events. The engine decays the exact signals that fired on that request, tuned to your workspace.
It ships a tiny script that solves a proof-of-work in a background thread. Users see nothing. Bots have to spend CPU to submit.
The engine is open source in your codebase. The desktop agent and hosted SaaS are optional.