Veriloop is not a static rules engine. Every workspace gets its own adaptive model. Signal weights, behavior clusters, and per-user trust priors all evolve from the events flowing through your account and the labels your team applies.
Each signal is observed from event history — never hardcoded. Weights start at sensible defaults and drift to match your traffic.
For each fired signal we take its current workspace weight, multiply by how strongly the signal fired (its intensity, between 0 and 1), and add it to a logit. The user's trust prior is subtracted. The logit is squashed through a sigmoid so the final 0–100 score saturates cleanly — five medium signals can't be quietly out-weighed by one extreme signal, and vice versa.
When you label an event as TRUE_THREAT, only the signals that fired on that event move — proportional to how much they contributed. FALSE_POSITIVE decays them. This prevents the model from punishing signals that had nothing to do with the call.
Every per-user profile tracks an hour-of-day histogram, common IP prefixes, devices seen, and a (safe vs threat) counter. Long safe history pulls the score down. Repeat threats pull it up.
Every 5 feedback events your workspace's model version increments. Every scored event records the version it was scored under, so you can audit how a decision was made even after the model has evolved.