Vitreous

Inspiration:

cmd-f's theme this year was Wonderland, a place where we don't know what is "behind the looking glass", full of wacky things we don't understand. We realized that sometimes our app connections can look like this, with unclear connections and data links. We wanted to tackle the issue of cybersecurity at the awareness level, showing every user where they've given their data and giving them the appropriate recommendations.

What it does:

Vitreous is a web application that gives you clarity over your own cybersecurity through your different accounts.

  • Login with OAuth
  • Display connected accounts and services that have your email and possible personal data
  • Identify data breaches
  • Identify dormant accounts that may still have personal data
  • Accessible design
  • Gives personalized security recommendations for every user using our risk-assessment algorithm

How we built it:

We designed Vitreous in Figma, then built the frontend with React, TypeScript, and Tailwind CSS. The backend runs on Python with FastAPI, deployed on Railway. Vitreous connects to your Gmail via OAuth and scans your inbox metadata, never actual email bodies, only sender and subject lines, searching for every service that has ever contacted you. Six parallel queries run simultaneously, and the raw results are sent through Gemini 2.5 Flash, which extracts structured data from the email headers, identifying service names, domains, and account types. A second Gemini call performs risk analysis with a scoring algorithm based on three factors multiplied together: data sensitivity, company reliability, and account recency. A HaveIBeenPwned API call identifies every breach associated with your email. We cross-reference breach domains with your discovered service list to find exactly which of your accounts were exposed and what data was possibly compromised. Dormant accounts, such as services with no contact in over a year, are flagged separately as ghost accounts, since forgotten credentials are vulnerable too.
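The cross-referencing, ghost-account and scoring step described above, as an added example that is not code from the Vitreous repository. The service fields (`sensitivity`, `reliability_risk`, `last_contact`), the 0 to 1 factor scales and the recency weights are assumptions; `Domain` and `DataClasses` follow the HaveIBeenPwned breach model, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DORMANT_AFTER = timedelta(days=365)  # "no contact in over a year"

def domain_matches(sender_domain, breach_domain):
    """True only for the breach domain itself or a subdomain of it."""
    s = sender_domain.lower().rstrip(".")
    b = breach_domain.lower().rstrip(".")
    # An empty breach domain must match nothing, and the "." guard keeps
    # notshopco.example from matching shopco.example.
    return bool(b) and (s == b or s.endswith("." + b))

def audit(services, breaches, now):
    """Cross-reference services with breaches, flag ghosts, score risk."""
    report = []
    for svc in services:
        hits = [b for b in breaches if domain_matches(svc["domain"], b["Domain"])]
        exposed = sorted({c for b in hits for c in b["DataClasses"]})
        ghost = now - svc["last_contact"] > DORMANT_AFTER
        recency = 1.0 if ghost else 0.5  # assumed weights: dormant is riskier
        # Three factors multiplied together, each assumed to lie in (0, 1].
        score = round(svc["sensitivity"] * svc["reliability_risk"] * recency, 3)
        report.append({"name": svc["name"], "breached": bool(hits),
                       "exposed": exposed, "ghost": ghost, "score": score})
    return sorted(report, key=lambda r: r["score"], reverse=True)

# Constructed sample data (hypothetical services and breaches).
NOW = datetime(2025, 3, 1, tzinfo=UTC)
SERVICES = [
    {"name": "NotShopCo", "domain": "notshopco.example", "sensitivity": 0.4,
     "reliability_risk": 0.5, "last_contact": datetime(2025, 2, 20, tzinfo=UTC)},
    {"name": "ShopCo", "domain": "mail.shopco.example", "sensitivity": 0.9,
     "reliability_risk": 0.8, "last_contact": datetime(2023, 1, 10, tzinfo=UTC)},
]
BREACHES = [
    {"Name": "ShopCo", "Domain": "shopco.example",
     "DataClasses": ["Passwords", "Email addresses"]},
    {"Name": "ComboList", "Domain": "", "DataClasses": ["Email addresses"]},
]

if __name__ == "__main__":
    for row in audit(SERVICES, BREACHES, NOW):
        print(row)
```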

Challenges we ran into:

  • Gmail's privacy model blocks direct access to account connections, so we had to reverse engineer a user's digital footprint through inbox metadata instead
  • Sequential Gmail fetches initially took 60+ seconds
  • Gemini's free tier rate limits
  • Risk scoring went through multiple broken iterations before reaching a data sensitivity × company reliability × recency model
  • Time pressure forcing hard tradeoffs between polish and functionality as there were features we built fully on the backend that never made it into the frontend demo

Accomplishments that we're proud of:

We built a fully functional end-to-end pipeline that takes a real Gmail account and produces a real, personalized security audit in under 30 seconds from the actual inbox. We are especially proud to have solved a hard privacy constraint creatively, finding a way to map a user's digital footprint using only email metadata without ever reading a single email body. We also built a risk scoring model that gives specific, contextual recommendations based on what each service actually holds and how likely they are to protect it, making it a simple, intuitive and helpful service.

What we learned:

Real user data is quite messy, and building for clean test cases and building for actual Gmail inboxes are completely different problems. Also, AI output needs to be constrained with explicit details; only with a clear framework did it become genuinely useful.

What's next for Vitreous:

We hope to create clarity and awareness of data connections so that we can match cybersecurity needs to every user. While we have a consumer app at the moment, we could implement additional features for households and organizations to view shared information risks. The immediate next step is continuous monitoring, running scans in the background (browser extension is a possibility) and alerting users when new services appear or when a known service gets breached. We also want to add simple one-click account revocation so users can directly and immediately act on what they find. It would also be best to expand beyond Gmail to cover all major inbox providers, adding real OAuth grant scanning for GitHub and Google accounts, and possibly a browser extension that scores a service's risk before you sign up. We also want to fully build out the transparency log, giving users a complete, exportable record of every API call Vitreous has made on their behalf, as transparency is a key in cybersecurity.

Check out our pitch and demo video!

Note: some loading was cut for video conciseness; come see our live demo :)

Why is your team interested in the incubation program and further developing your idea?

Vitreous is strongly aligned with the mission of CS Project Hub, because we believe that cybersecurity is one of the most important disciplines of our time. As AI continues to advance at an unprecedented pace, the lack of transparency in cybersecurity becomes not just obvious, but inexcusable. The development of accessible and transparent services demands attention, because their absence has real consequences for people. Cybersecurity is a human right. Our data is the most fundamental part of our digital identity, and yet most people don't have any visibility into how it's collected, shared, or exposed. With its simple idea, Vitreous aims to grow into an infrastructure that protects users' data and privacy at every level.

What are you interested in learning through the CS Project Hub?

The incubation program offers valuable resources and mentorship opportunities that have the ability to scale Vitreous from a hackathon project to a product with meaningful, real-world impact. Armed with the experience and guidance of industry professionals, we aim to improve our algorithm and develop a deeper, more practical understanding of cybersecurity. So far we've only explored the potential of Vitreous in a controlled environment, so having access to expert knowledge would allow us to build with more confidence and ambition. Most importantly, our team seeks to learn and challenge ourselves to take Vitreous to the next level.

github repo: https://github.com/ada1027/vitreous.git
