The Platform
The complete checkpoint layer for your platform.
Anti Social Engine is not a single feature — it's a complete risk interception infrastructure. Every component is production-ready, fully audited, and designed to stop manipulation before the action completes.
Real-time risk scoring on every event.
Every inbound event is scored against a configurable risk model. Signals include event type, account age, device fingerprint, behavioral patterns, and historical context. The engine returns one of three outcomes: allow, delay_verify, or block_escalate — within milliseconds.
Capabilities
- Per-event risk score (0–100)
- Configurable threshold policies
- Signal-based scoring model
- Outcome: allow / delay_verify / block_escalate
- Zero latency on the critical path
Universal backend. Any platform. One schema.
The Checkpoint API is the core of Anti Social Engine. Platforms send normalized events via a thin connector. The backend handles risk scoring, challenge issuance, intent verification, OTP delivery, response validation, decision token issuance, and audit logging — without any platform-specific logic in the core engine.
Capabilities
- POST /events/ingest — normalize, score, and create session
- /challenge/[sessionId] — hosted challenge page (redirect or SDK embed)
- POST /checkpoint/intent — independent intent check
- POST /checkpoint/respond — validate OTP
- POST /decisions/verify — server-side decision token verification
- Stateless, idempotent, horizontally scalable
One question that breaks a social engineer's script.
At the moment of the sensitive action, users answer a single direct question: is anyone on a call, chat, or screen share guiding you to do this? A legitimate user confirms in one click and proceeds. A social-engineered user cannot honestly answer no — triggering the Break Contact flow, which warns them, blocks the action, and routes them to official support. The company's policy statement is displayed before the question, reinforcing that no real support agent would instruct them here.
Capabilities
- Single binary question — confirmed or guided
- Break Contact flow on "yes / not sure"
- Company policy statement on challenge page
- Official support routing in break contact state
- Optional scam report capture for incident intelligence
- Fully audited — intent response logged per session
Cryptographic proof of every outcome.
When a challenge session resolves, Anti Social Engine issues a signed decision token — a short-lived HMAC-SHA256 JWT containing the session ID, outcome, and expiry. Your backend calls /decisions/verify with the token before completing the protected action. No polling. No trust on the frontend. The token proves the outcome was issued by ASE for your org.
Capabilities
- Signed HMAC-SHA256 token on every resolution
- POST /decisions/verify — server-side verification
- Token contains: session_id, outcome, org_id, expires_at
- 10-minute expiry enforced server-side
- used_at recorded on verification (replay enforcement planned)
- Org-scoped — cross-org use rejected
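The checks behind verifying such a token, as an added example (not Anti Social Engine's code; the page's supported path is POST /decisions/verify). It assumes a compact HS256 JWT, `expires_at` in Unix seconds, `allow` as the success outcome, and a caller-side single-use set, since the page lists replay enforcement as planned; `sign_token` and `check_decision` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims, key):
    """Issuer stand-in: builds a constructed HS256 token for the demo."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def check_decision(token, key, org_id, session_id, used, now=None):
    """Return (ok, reason). `used` is the caller's own set of spent session IDs."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(_b64d(head)), _b64d(sig)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm instead of trusting whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad_alg"
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):      # constant-time comparison
        return False, "bad_signature"
    claims = json.loads(_b64d(body))              # read claims only after the MAC checks out
    if claims.get("org_id") != org_id:
        return False, "wrong_org"                 # org-scoped: reject cross-org tokens
    if claims.get("session_id") != session_id:
        return False, "wrong_session"             # bind token to the action being completed
    if now >= claims.get("expires_at", 0):
        return False, "expired"
    if claims.get("outcome") != "allow":
        return False, "not_allowed"
    if session_id in used:
        return False, "replayed"                  # caller-side single-use guard
    used.add(session_id)
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed, not a real secret
    tok = sign_token({"session_id": "sess_1", "outcome": "allow",
                      "org_id": "org_a", "expires_at": time.time() + 600}, key)
    spent = set()
    print(check_decision(tok, key, "org_a", "sess_1", spent))
    print(check_decision(tok, key, "org_a", "sess_1", spent))
```

In a multi-instance backend the `used` set would need to be shared storage with an atomic insert, otherwise two workers can both accept the same token.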
Identity confirmation. Not just presence.
For risk levels that warrant it, users who confirm independent intent are issued a one-time code delivered to their registered contact. Attempts are tracked per session. Failures are logged. Maximum attempts are enforced. The final response triggers an allow or block decision that is immediately persisted.
Capabilities
- 6-digit OTP via email (SMS ready)
- Attempt tracking and throttling
- Per-session expiry enforcement
- Remaining attempts surfaced in UI
- Every attempt logged to audit_logs
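A sketch of the per-session OTP handling described above, as an added example rather than the product's implementation. The `OtpSession` class, the attempt limit of 5, the 300-second lifetime and the audit event names are assumptions; the page states only that a 6-digit code is used, attempts are tracked, a maximum is enforced and the final decision is persisted.

```python
import hashlib, hmac, secrets, time

MAX_ATTEMPTS = 5      # assumed limit; the page does not state one
TTL_SECONDS = 300     # assumed per-session OTP lifetime

class OtpSession:
    """One challenge session's OTP state (hypothetical class, in-memory only)."""

    def __init__(self, now=None):
        self._key = secrets.token_bytes(32)       # per-session key; code is never stored in clear
        self._mac = None
        self.expires_at = (time.time() if now is None else now) + TTL_SECONDS
        self.attempts = 0
        self.decision = None                      # "allow" or "block" once final
        self.audit = []                           # stands in for the audit_logs table

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
        self._mac = self._digest(code)
        self.audit.append("otp_issued")
        return code                               # handed to the delivery channel only

    def respond(self, code, now=None):
        """Return (outcome, remaining_attempts); outcome is allow, retry or block."""
        now = time.time() if now is None else now
        if self.decision:                         # a final decision is never reopened
            return self.decision, 0
        if self._mac is None or now >= self.expires_at:
            self.decision = "block"
            self.audit.append("otp_expired")
            return "block", 0
        self.attempts += 1                        # count the attempt before comparing
        if hmac.compare_digest(self._mac, self._digest(code)):
            self.decision = "allow"
            self.audit.append("otp_accepted")
            return "allow", 0
        remaining = MAX_ATTEMPTS - self.attempts
        self.audit.append("otp_rejected")
        if remaining <= 0:
            self.decision = "block"
            return "block", 0
        return "retry", remaining
```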
Every decision. Immutably recorded.
Anti Social Engine logs every action taken in a session — checkpoint creation, intent check submission, OTP issuance, email delivery, response acceptance or rejection, and final resolution. Each entry includes actor, timestamp, and full metadata. SOC-ready, compliance-friendly.
Capabilities
- Chronological timeline per session
- Actor and actor_type on every entry
- Full metadata on each log event
- Supabase/PostgreSQL persistence
- Accessible via dashboard and API
Thin connectors. Universal backend. No lock-in.
Platform-specific code lives only in connectors. Each connector does three things: ingest platform events, normalize them into the shared schema, and trigger the Checkpoint API. The core engine never sees Shopify-specific or Stripe-specific logic. This means new connectors can be added without touching the engine.
Capabilities
- Shopify connector (orders, accounts)
- Stripe connector (payments, disputes)
- Generic webhook connector
- Embedded Web SDK (popup mode, no redirect)
- Zero core engine contamination
Tamper-proof verification. No frontend changes required.
The challenge page is fully hosted by Anti Social Engine. Your platform redirects the user — no JavaScript required. The page handles the full intent check + optional OTP flow, manages state, and issues a signed decision token on resolution. Works as a full-page redirect or in an embedded popup via the Web SDK.
Capabilities
- Hosted at /challenge/[sessionId]
- No frontend dependency on your stack
- Full intent check + optional OTP in one page
- Signed decision token returned on resolution
- Branded, mobile-responsive
- Tamper-resistant: server-validated at every step
Full visibility over every security decision.
The operations dashboard gives security teams real-time visibility into events, sessions, risk scores, and outcomes. Drill into any session to see the full audit timeline — from event ingest to final resolution. Built for SOC analysts and operations teams.
Capabilities
- Live event and session overview
- Per-session audit timeline
- Risk score visualization
- Intent check and OTP response breakdown
- Scam report list and incident review
- Outcome analytics