Adaptive trust engine · v1

A security layer that learns from every action.

Veriloop scores every login, API call, payment, and admin action against a behavioral model that is private to your workspace — and gets sharper every time your team labels an event. No external AI APIs, no shared models, no data leaving your tenant boundary.

23
behavioral signals
<40ms
p95 decision
0
external AI calls
POST /v1/evaluateworkspace-v14
request200 OK
{
  "userId": "u_8821",
  "ip": "185.220.101.7",
  "deviceId": "d_a1f0",
  "action": "login"
}
evaluate
response200 OK
{
  "riskScore": 78,
  "decision": "STEP_UP_AUTH",
  "confidence": 88,
  "reasonSignals": [
    "tor_suspected",
    "new_device",
    "off_hours_user",
    "sequence_anomaly"
  ]
}

Every response carries the signals that fired — and feedback flows straight back into them.

The loop

Four steps.
Closed by design.

Most security tools are rule engines wearing AI hats. Veriloop is the opposite: a small, transparent core whose weights are mutated only by events that actually happened inside your environment. Nothing is hardcoded as intelligence.

Read the full model →
Eventrequest arrivesScoresignals + weightsDecisionallow / review / blockFeedbackteam labels outcomeupdates weights
What it catches

Concrete attacks, concrete responses.

credential_stuffing
Credential stuffing

One IP, many usernames, all login. We count distinct identities per IP in a 10-minute window and surface credential_stuffing.

impossible_travel
Impossible travel

Same user, two countries, ninety seconds apart. Profile remembers the last IP prefix and timestamp per user.

tor_suspected
Tor / commercial VPN

Known exit-node prefix lists, separated so Tor weighs heavier than consumer VPNs. Tunable per workspace.

replay_burst
Replay & burst

Same device, same action, sub-second apart. Caught before they hit your DB.

sequence_anomaly
Sequence anomaly

A first-time payment from an account that has never done anything but login? The per-user Markov table notices.

device_churn
Device & UA churn

Three devices in an hour, four IPs, a bot-like User-Agent — all stacked into a single high-confidence score.

Integrate

One call. Any stack.

A single HTTPS POST is enough. Block on BLOCK, challenge on STEP_UP_AUTH, queue on REVIEW, pass on ALLOW.

· Express, Next.js, Cloudflare, Hono
· Python, PHP, Go via raw HTTP
· Browser test page included
Recipes →
express middleware200 OK
app.use(async (req, res, next) => {
  const r = await fetch("https://YOUR-APP/api/public/v1/evaluate", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${process.env.VERILOOP_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      userId:   req.user?.id,
      ip:       req.ip,
      deviceId: req.headers["x-device-id"],
      action:   "api_call",
      userAgent: req.headers["user-agent"],
    }),
  }).then(r => r.json());

  if (r.decision === "BLOCK")        return res.status(403).end();
  if (r.decision === "STEP_UP_AUTH") return res.redirect("/verify-2fa");
  next();
});
Principles

Built for teams that take security seriously.

Tenant-isolated learning

Every workspace has its own weight vector and behavior profiles. Your labels never train someone else's model.

Transparent by default

Every decision returns the signals that fired and their intensities. No black box, no vendor mystique.

Self-improving

The model version auto-bumps as feedback accumulates. Your detection accuracy compounds with usage.

Why Veriloop

Not a WAF. Not a CAPTCHA. Something new.

Generic WAFCAPTCHA vendorVeriloop
Learns from your trafficStatic rulesGlobal modelPer-workspace
Blocks credential stuffingIP rate limitsPrompt userSignal + feedback loop
Bot proof without UX frictionPuzzles / audioInvisible PoW
Explains every decisionRule idScore onlySignals + contributions
Model updates without redeployNoVendor-ownedAuto per workspace
Data leaves your tenantDependsYesNo
FAQ

Answers, up front.

Still curious? Read the docs.

+Does Veriloop call any external AI service?

No. Every signal, weight, and decision is computed in your workspace. There is no third-party inference in the request path.

+How fast is the decision?

Under 40ms p95 in production. All work is in-process — one Supabase RPC + local scoring.

+What if the model over-blocks?

Hit 'False positive' in Events. The engine decays the exact signals that fired on that request, tuned to your workspace.

+How is Bot Shield different from a CAPTCHA?

It ships a tiny script that solves a proof-of-work in a background thread. Users see nothing. Bots have to spend CPU to submit.

+Can I self-host?

The engine is open source in your codebase. The desktop agent and hosted SaaS are optional.

Ship a smarter perimeter this afternoon.

Create a workspace, mint a key, paste five lines. The loop closes itself from there.