Fair play, verified by cryptography. No kernel drivers. No surveillance. Just proof.
We've all been in that F2P FPS lobby. Someone's snapping through walls, pre-firing every angle, and the report button does nothing. You close the game frustrated. Nothing changes.
The systems built to stop this are either easy to bypass or require installing software on your PC that has no business being there. Riot's Vanguard runs at ring-0, the deepest privilege level on your operating system, before Windows even fully loads. BattlEye and Easy Anti-Cheat do the same. Security researchers have called these tools rootkits. Vanguard was banned in China over national security concerns. GDPR complaints have been filed in the EU. Hardware has been bricked by driver conflicts. The deal offered to every player is trust us or don't play.
It still doesn't work. Kernel-level cheats exist specifically to beat kernel-level anti-cheats. The arms race has been running fifteen years and the cheaters are winning.
We asked a different question: what if the detector lived somewhere the cheater can never reach, not on their machine at all? Aegis is fully server-side. No driver. No process scanner. Nothing installed on the player's PC. Two custom AI models, a Midnight zero-knowledge proof layer, and a cryptographic guarantee of clean play that any tournament or game server can verify in one function call, without seeing a byte of raw telemetry.
What it does
Game developers drop Aegis into their game server in under 10 lines of code via REST or WebSocket. Their server sends us lightweight tick data, aim angles, positions, input events, and our pipeline does the rest. The player installs nothing.
The Behavioral Mesh
Most anti-cheats watch one player at a time. We watch the whole match.
Every player in a match becomes a node in a live graph. We connect those nodes based on distance and line-of-sight calculations, updated every server tick. We call this the Behavioral Mesh. Our Graph Attention Network (GAT, ~2M parameters) then analyzes how those relationships shift over time, looking for patterns no single-player view would catch.
Wallhacking is a relational behavior, not an individual one. The cheat isn't in how you aim, it's in what you know. A wallhacker's crosshair tracks an enemy through solid geometry for 18 consecutive ticks, correlating with positions they have no legitimate way of seeing. That signature is invisible if you're only watching one player. The Behavioral Mesh catches it because we're watching the whole graph.
Sequential Aim Analysis
A separate Transformer model (~5M parameters) processes each player's input stream as a sequence over time. Human aim has noise, hesitation, overshoot, natural variance. Aimbot aim is smooth in exactly the moments that matter, then snaps with micro-corrections no human wrist produces. The model was trained on a fully synthetic dataset built from physics simulations covering the full range of cheat configurations: reaction time, smoothing curves, FOV lock range, triggerbot thresholds. No real cheat software. No scraped footage. Physics simulations of human motor control and cheat mechanics, built from scratch.
Both models produce confidence scores. A fusion layer combines them into a single isHuman verdict per session.
Zero-Knowledge Verification on Midnight
The verdict is private. Raw telemetry, positional data, and model confidence scores never leave our pipeline. What gets submitted to the Midnight network is a ZK proof generated by our Compact smart contract, a cryptographic receipt that the player passed, revealing nothing about how or why. In plain terms: a tournament or game server can confirm a player is clean without us ever handing over the underlying data. Midnight makes that possible because it lets you prove something is true without showing the evidence that proves it.
The Midnight ledger mints a VerificationRecord for each verified session. Tournament organizers and game servers call one function:
isVerified(sessionId) → bool
Boolean back. Nothing else.
The Overlay
Players get a frameless Electron app floating over their game. Translucent dark panel, live graphs of cursor acceleration, aim smoothness, wall raycast counts, input latency. Collapses into a floating pill when not in focus. When the AI flags someone in the match, their node in the Behavioral Mesh lights up in the overlay in real time.
Game Server (Valorant / Apex / R6 / OW2)
│
└── Tick Telemetry (REST / WebSocket)
│
▼
FastAPI Backend
│
┌─────────┴──────────┐
│ │
Transformer (~5M) GAT (~2M)
Aim sequences Behavioral Mesh
Aimbot / triggerbot Wallhack detection
│ │
└─────────┬──────────┘
│
Fusion Layer
│
isHuman (bool)
│
▼
Compact Smart Contract
(Midnight DSL)
│
ZK Proof: isHuman == true
bound to sessionId
│
▼
VerificationRecord
(Midnight ledger)
│
▼
isVerified(sessionId) → bool
← Tournament / Game Server
How we built it
AI pipeline — Python 3.11 + FastAPI handles telemetry ingestion. The Transformer and GAT run in PyTorch, trained from scratch on synthetic data. We had no access to real cheat software and no clean labeled dataset, so we built one by simulating human motor behavior and cheat mechanics from physics first principles.
Smart contracts — Written in Compact, Midnight's DSL for ZK circuits. isHuman goes in as a private input. sessionId goes in as public. The proof comes out. The VerificationRecord gets minted. Writing in Compact means thinking constantly about what the verifier knows versus what the prover knows, which is a fundamentally different mental model than standard smart contract development.
Overlay — React 18 + Vite + TypeScript inside Electron, frameless and always-on-top. A local WebSocket server streams model output to the UI live. For the demo, a match simulation script feeds both clean and hacked mock telemetry into the pipeline so we can show detection clearly without needing a live game server running.
Current game targets: Valorant, Apex Legends, Rainbow Six Siege, Overwatch 2.
Challenges we ran into
Dynamic graph topology. Player counts change mid-match constantly. People disconnect, die, spectate, reconnect. A GAT trained on a fixed-size graph breaks immediately when match size changes mid-session. We built a dynamic node-masking scheme to handle variable player counts so the model doesn't mistake topology changes for behavioral signals.
Making synthetic data actually generalize. The real risk with physics-simulated training data is the model learns surface patterns instead of genuine ones. Getting the human motor noise simulation realistic enough that the model couldn't just learn smooth equals bot, noisy equals human required a lot of iteration on how we modeled natural human variance. That was most of the training time.
Compact's proof architecture. ZK circuit logic in Midnight's DSL requires thinking about information boundaries at every step. What's private, what's public, what leaks through the proof structure itself. We redesigned the contract twice after realizing that confidence score metadata could potentially be inferred as a side channel from the proof output.
Overlay vs. fullscreen games. Exclusive fullscreen mode on Windows actively blocks floating overlay windows. Getting consistent rendering across all four titles meant per-game launch configuration and Electron window compositor tuning for each one separately.
Accomplishments that we're proud of
The GAT detecting wallhacks from coordinate data alone is the one we'll remember. No memory reads, no packet inspection, nothing on the client. Six hours in we genuinely didn't know if it would work. When the simulated wallhacker lit up from spatial correlation alone, the whole team went quiet for a second. That was the moment the project felt real.
The Midnight integration landing as a clean single boolean query from a tournament operator's backend, backed by a ZK proof that requires zero trust in us, is exactly what we set out to build. That combination, technically hard and a genuinely different take on what anti-cheat verification can be, is what we think makes this project hit the judging criteria on technology and originality at the same time.
The overlay looks like something you'd actually pay for. Polished UI at demo time means judges can see the product, not just the concept.
What we learned
Server-side detection changes the dynamic completely. When the detector runs on infrastructure the cheater can't touch, the bypass cycle breaks down. There's no client-side binary to reverse engineer and patch around. The model just gets better over time.
Synthetic data generation has a ceiling you have to engineer around. The dataset gave us breadth across the full cheat parameter space. Making it give us depth, models that generalize instead of memorize, came down entirely to how realistically we modeled human variance. Not how many cheat configurations we covered.
ZK proofs change what you build, not just how you build it. We didn't add Midnight at the end for a privacy angle. The proof architecture determined what data the pipeline even needed to store. That changed the design from the beginning.
What's next for Aegis
- Native SDK for Unity and Unreal Engine so integration is one import and a callback, not a REST endpoint wired manually
- Live retraining pipeline on flagged sessions with a human review step in the loop
- Expanding to CS2 and Fortnite, the two largest remaining competitive player bases we aren't covering yet
- Tournament operator dashboard for querying and auditing VerificationRecord at scale, the infrastructure layer competitive integrity has needed for a while
Log in or sign up for Devpost to join the conversation.