The closed loop

A security layer that learns from every action — without external AI.

Veriloop is not a static rules engine. Every workspace gets its own adaptive model. Signal weights, behavior clusters, and per-user trust priors all evolve from the events flowing through your account and the labels your team applies.

The five-step loop

  1. 01
    Event arrives
    Your backend calls POST /v1/evaluate with the user, IP, device, and action.
  2. 02
    Signals extracted
    Velocity, geo jump, device churn, off-hours-for-this-user, action entropy, novelty, sensitive-action combos.
  3. 03
    Weighted score
    A logistic combination of per-workspace weights × signal intensity, minus the user's trust prior.
  4. 04
    Decision returned
    ALLOW · REVIEW · STEP_UP_AUTH · BLOCK with a confidence score.
  5. 05
    Feedback loop
    Your team labels events. Weights of contributing signals move up or down by intensity.

Signals we extract

Each signal is observed from event history — never hardcoded. Weights start at sensible defaults and drift to match your traffic.

new_device / new_ip
First time we see this device or IP in your workspace.
new_ip_prefix
Per-user — a /24 we have never seen this user from before.
geo_jump
IP prefix changed for a user within an impossible time window.
velocity_burst
Request rate is multiple standard deviations above the workspace baseline.
device_churn
Same user, three or more distinct devices in the last hour.
off_hours_user
The user historically never acts at this hour of day.
vpn_suspected / tor_suspected
Seed prefix match — weights evolve with your labels.
bot_like_ua
User-agent matches automation tooling.
new_user_combo
Unknown device + unknown IP + sensitive action (payment / admin).
repeat_threat_user
This user already has labeled true-threat events.
action_entropy_spike
Recent action mix is sharply different from the workspace baseline.

The math (plain English)

Scoring

For each fired signal we take its current workspace weight, multiply by how strongly the signal fired (its intensity, between 0 and 1), and add it to a logit. The user's trust prior is subtracted. The logit is squashed through a sigmoid so the final 0–100 score saturates cleanly — five medium signals can't be quietly out-weighed by one extreme signal, and vice versa.

Feedback

When you label an event as TRUE_THREAT, only the signals that fired on that event move — proportional to how much they contributed. FALSE_POSITIVE decays them. This prevents the model from punishing signals that had nothing to do with the call.

Trust priors

Every per-user profile tracks an hour-of-day histogram, common IP prefixes, devices seen, and a (safe vs threat) counter. Long safe history pulls the score down. Repeat threats pull it up.

Model versioning

Every 5 feedback events your workspace's model version increments. Every scored event records the version it was scored under, so you can audit how a decision was made even after the model has evolved.

See it on your own data

Create a workspace, generate an API key, send a few events from the API Playground or your app, and watch weights drift in the Learning view as you label.