About Verus

Inspiration

Verus began with a problem that affected our own school community. Our school faced a sophisticated phishing attack that impersonated our superintendent using convincing language and identity cues. Two members of our team were successfully phished, showing us that even technically aware students can be manipulated when a message appears urgent, familiar, and authoritative.

That experience exposed a major weakness in existing cybersecurity tools. Most scam detectors simply label content as “safe” or “suspicious,” but modern attackers can spoof phone numbers, imitate writing styles, clone voices, and use publicly available information to appear legitimate. We realized that detecting suspicious content was not enough. A system also needed to independently verify the person behind a high-risk request before the victim acted.

What Verus Does

Verus is a risk-adaptive verification platform designed to stop impersonation scams before money, credentials, or sensitive information are shared. When a suspicious request is submitted, Verus extracts five explainable threat signals:

$$ \mathbf{r} = [u,s,p,c,n] $$

Here, $u$ represents urgency, $s$ represents secrecy, $p$ represents payment demands, $c$ represents credential requests, and $n$ represents changed contact information or identity inconsistencies.

The system highlights the exact phrases that triggered each signal and passes the structured evidence into a deterministic policy engine. Low-risk requests receive an explanation, while high-risk combinations—such as payment plus urgency or secrecy—require independent confirmation through a pre-enrolled trusted contact. The AI can explain the threat, but it can never declare an identity verified.

How We Built It

We built the frontend using React, TypeScript, Tailwind CSS, and Vercel, creating an accessible interface that works across laptops, tablets, and mobile browsers. The analysis layer uses an LLM to convert unstructured messages into a strict JSON schema containing risk signals, confidence values, and supporting text spans. Zod validates the output, while deterministic keyword rules provide a fallback for phrases involving gift cards, passwords, verification codes, secrecy, and changed phone numbers.

For dual-model analysis, Verus conservatively combines outputs using:

$$ \tilde{r}_j = \max\left(r_j^{(1)}, r_j^{(2)}\right) $$

This ensures that a critical signal detected by either model cannot be averaged away. The resulting evidence is processed by deterministic TypeScript rules that assign a verification level from L0 to L3.

Supabase powers our PostgreSQL database, Row Level Security, Edge Functions, and live status updates. High-risk requests follow a controlled state machine:

$$ \text{RECEIVED} \rightarrow \text{PAUSED} \rightarrow \text{PENDING} \rightarrow \left{ \text{VERIFIED}, \text{DENIED}, \text{EXPIRED} \right} $$

Verification links use cryptographically secure, single-use tokens. Only the SHA-256 hash of each token is stored, and atomic database operations prevent replay attacks or conflicting responses. We also integrated Twilio to support users without smartphones through a signed, press-one landline workflow.

Challenges We Faced

Our largest challenge was separating threat detection from identity verification. It was tempting to let the AI produce a final “safe” or “scam” verdict, but model confidence is not proof of identity. We redesigned the system so that AI only extracts evidence, deterministic code determines the required friction, and only a pre-enrolled trusted channel can verify the requester.

We also faced platform and accessibility constraints. Continuous monitoring is limited by operating-system permissions, and not every user owns a smartphone. Instead of pretending the prototype could silently monitor every application, we built permissioned message submission, supported browser-based workflows, and added a real landline pathway.

Another challenge was handling system failure safely. Invalid model output, low confidence, expired tokens, and network failures can never reduce protection. Verus therefore fails closed: uncertainty increases verification requirements, and no response is ever treated as approval.

What We Learned

We learned that the strongest security systems do not depend on a single classifier. Effective protection requires explainable AI, deterministic rules, secure backend infrastructure, accessible interfaces, and human trust relationships working together.

Most importantly, we learned that cybersecurity is not only about identifying malicious content. It is about changing what happens next. Verus interrupts the moment between receiving a convincing request and making an irreversible decision.

Detection warns. Verus verifies.