9 layers protect every request.

Password check, brute force, MFA, token signing, SDK verification, eBPF enforcement, cloud conditions, AI detection, audit trail. Every request. Every time.

Every request passes through 9 checks · <200ms total

  1. Password: checked against the HIBP breached-password database on register + reset
  2. Brute force: 5 failed attempts → 30min lockout. Configurable per tenant.
  3. MFA: TOTP / passkey challenge. Enforced per tenant, org, or route.
  4. Token signing: per-tenant RSA keypair. Not shared. Not reused.
  5. Token rotation: every refresh issues a new token. Family detection blocks reuse.
  6. SDK verification: JWKS cached. Signature verified on every API call.
  7. eBPF enforcement: kernel validates the JWT before the request reaches the app. ~45μs.
  8. Cloud conditions: MFA + IP + time checked before issuing cloud credentials.
  9. Audit trail: who, what, when, from where, allow/deny. Every decision.
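Layers 2 and 9 above (lockout after repeated failures, and an audit entry for every decision) can be shown together in a few dozen lines. The following is an added example, not AuthFi's code: a per-tenant lockout guard whose defaults match the page's "5 failed attempts → 30min lockout", with a simulation of the 47-attempt scenario from further down the page. The tenant name, user, IP and timestamps are constructed for the demonstration.

```python
# Added example (not AuthFi's code): a per-tenant failed-login counter that
# locks an account after a configurable number of failures for a configurable
# window, and appends every decision to an audit list. The tenant, user and IP
# values below are constructed for the demonstration.
import time
from dataclasses import dataclass, field


@dataclass
class TenantPolicy:
    """Lockout policy; the defaults mirror the page's '5 failed attempts -> 30min'."""
    max_failures: int = 5
    lockout_seconds: int = 30 * 60


@dataclass
class LockoutGuard:
    policy: TenantPolicy
    # (tenant, user) -> [consecutive_failures, locked_until_epoch_seconds]
    state: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _entry(self, tenant, user):
        return self.state.setdefault((tenant, user), [0, 0.0])

    def is_locked(self, tenant, user, now=None):
        now = time.time() if now is None else now
        return now < self._entry(tenant, user)[1]

    def attempt(self, tenant, user, ip, password_ok, now=None):
        """Evaluate one login attempt and return 'ALLOW', 'FAIL' or 'LOCKED'.

        The lockout check runs first, so a correct password presented during
        the window is still refused.
        """
        now = time.time() if now is None else now
        entry = self._entry(tenant, user)
        if now < entry[1]:
            decision = "LOCKED"
        elif password_ok:
            entry[0] = 0
            decision = "ALLOW"
        else:
            entry[0] += 1
            if entry[0] >= self.policy.max_failures:
                entry[0] = 0
                entry[1] = now + self.policy.lockout_seconds
                decision = "LOCKED"
            else:
                decision = "FAIL"
        # Every attempt is logged, allowed or not (the page's audit-trail layer).
        self.audit.append({"tenant": tenant, "user": user, "ip": ip,
                           "ts": now, "decision": decision})
        return decision


def simulate_brute_force(attempts=47, start=1_700_000_000.0):
    """Replay the page's '47 attempts' scenario one second apart; returns
    the guard (for its audit log) and the list of per-attempt decisions."""
    guard = LockoutGuard(TenantPolicy())
    decisions = [
        guard.attempt("acme", "alice", "198.51.100.7", password_ok=False, now=start + i)
        for i in range(attempts)
    ]
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = simulate_brute_force()
    print(decisions[:6], "... total logged:", len(guard.audit))
```

The fifth failure flips the account into the lockout window; every later attempt, including one with the correct password, returns LOCKED without touching the counter, and all 47 attempts land in the audit list.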
Real attacks

What happens when they try.

Stolen password, MFA on (3:02 AM · Brazil)
  1. Password: correct — real stolen credential → PASS
  2. Brute force: first attempt from this IP → PASS
  3. MFA: TOTP required — no device → BLOCKED
  4. AI: anomaly 0.92 — flagged → FLAGGED
  Stopped at MFA. Attacker never gets in.

Stolen password, MFA off (3:02 AM · Brazil)
  1. Password: correct credential → PASS
  2. MFA: not enabled → SKIP
  3. AI: anomaly 0.92 — step-up → STEP-UP
  4. OTP: phone + email. Fails both. → BLOCKED
  AI forced OTP + email verification. Blocked.

Brute force attack (47 attempts · Tor exit node)
  1. Password: wrong #1...#5 → FAIL x5
  2. Lockout: 30min lockout triggered → LOCKED
  3. AI: Tor + automation pattern → IP BLOCKED
  4. Audit: all 47 attempts logged → LOGGED
  Locked after 5. AI blocked the IP entirely.

Ex-employee, 2 days later (Offboarded · all access)
  1. Login: account disabled → DENIED
  2. AWS/GCP: no token → federation rejected → DENIED
  3. SSH: PAM → account disabled → DENIED
  4. eBPF: no valid JWT → all denied → DENIED
  One disable → locked out of everything.
Built-in

Every tenant gets these. Zero config.

Per-tenant RSA keys
Every tenant gets its own RSA keypair for JWT signing. One compromise doesn't affect others.
Breached passwords
Every password checked against HIBP on register and reset. Compromised passwords blocked.
Brute force protection
5 failed attempts → 30min lockout. Configurable per tenant. Every attempt logged.
Token rotation
Every refresh issues new token. Family tracking detects reuse — revokes the chain.
PKCE (S256)
All SPA and mobile flows require PKCE. No implicit flow — ever.
Rate limiting
Per-tenant and per-endpoint. Applied at API gateway. No config needed.
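The "Token rotation" item above (every refresh issues a new token; family tracking detects reuse and revokes the chain) is the one built-in that is easiest to misread, so here is an added example, not AuthFi's code, of the mechanism it describes. Token values, the in-memory store and the user names are assumptions made for the demonstration.

```python
# Added example (not AuthFi's code): refresh-token rotation with family
# tracking. Each login starts a token family; every refresh retires the
# presented token and issues a successor in the same family. Presenting an
# already-retired token means two parties hold the chain, so the whole
# family is revoked. Token values are random here; a real service would
# persist this state server-side.
import secrets
from dataclasses import dataclass, field


@dataclass
class RefreshTokenStore:
    tokens: dict = field(default_factory=dict)       # token -> record
    revoked_families: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def issue(self, user):
        """Start a new family at login and return its first refresh token."""
        family = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "family": family, "active": True}
        self.audit.append(("ISSUE", user, family))
        return token

    def refresh(self, presented):
        """Rotate: return (new_token, outcome). new_token is None on any refusal."""
        rec = self.tokens.get(presented)
        if rec is None:
            self.audit.append(("REFUSE", None, "UNKNOWN"))
            return None, "UNKNOWN"
        family = rec["family"]
        if family in self.revoked_families:
            self.audit.append(("REFUSE", rec["user"], family))
            return None, "FAMILY_REVOKED"
        if not rec["active"]:
            # A retired token came back: reuse. Revoke every token in the chain,
            # including the one the legitimate client still holds.
            self.revoked_families.add(family)
            self.audit.append(("REUSE", rec["user"], family))
            return None, "REUSE_DETECTED"
        rec["active"] = False
        new = secrets.token_urlsafe(32)
        self.tokens[new] = {"user": rec["user"], "family": family, "active": True}
        self.audit.append(("ROTATE", rec["user"], family))
        return new, "ROTATED"


def theft_scenario():
    """Legitimate client refreshes, then a copied earlier token is replayed."""
    store = RefreshTokenStore()
    t1 = store.issue("bob@acme.com")
    stolen_copy = t1
    t2, first = store.refresh(t1)           # normal rotation: t1 retired, t2 live
    _, replay = store.refresh(stolen_copy)  # t1 presented again: reuse detected
    _, after = store.refresh(t2)            # even the live t2 is now refused
    return first, replay, after


def honest_scenario(rounds=3):
    """Back-to-back refreshes by one client rotate cleanly every time."""
    store = RefreshTokenStore()
    token = store.issue("carol@acme.com")
    outcomes = []
    for _ in range(rounds):
        token, outcome = store.refresh(token)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    print("theft:", theft_scenario())
    print("honest:", honest_scenario())
```

The point of revoking the whole family rather than just the replayed token is that the server cannot tell which of the two holders is the legitimate one; forcing both to log in again is the only safe resolution, and the audit tuples show exactly where the chain was cut.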

Encrypted in transit

  • TLS 1.3 everywhere
  • HTTPS enforced on custom domains
  • Secure cookies (SameSite, HttpOnly)
  • HSTS on all responses

Encrypted at rest

  • Passwords: bcrypt (cost 12)
  • Client secrets: hashed, never plaintext
  • API keys: SHA-256 with prefix
  • Database: AES-256 at rest
Zero-Trust Kernel

Every request validated at the kernel.

The eBPF agent checks JWTs at the Linux kernel — before your app sees the request. No VPN. No reverse proxy. ~45μs.

  • L7 HTTP: JWT verified in kernel. Method + path + roles checked.
  • L4 TCP: unauthorized database/cache connections dropped before SYN.
  • API discovery: agent learns your APIs from live traffic. Suggests policies.
  • Every decision logged: allow/deny with user, IP, method, path, latency.
Dashboard mockup (manage.authfi.app/access): 3 nodes, 12 services, 47 routes. Services — production: api-gateway :8080 (protected), user-service :8081 (protected), order-service :8082 (protected), legacy-erp :3000 (monitor). Live log at 2,847 req/s: GET /api/users alice@acme.com · DELETE /api/admin agent-ml-01 · POST /api/orders bob@acme.com.

Dashboard mockup (manage.authfi.app/security): 284K requests, 1,247 blocked, 23 alerts, score 94. Alerts: HIGH Impossible travel (India → Brazil in 2h, 3m ago) · MED Brute force on staging (47 failed in 10min, 12m ago) · LOW Dormant admin account (no login in 90 days, 1h ago).
AI Detection

Three layers of AI. Always on.

Rules catch known threats instantly. ML catches unknown patterns by learning your data. LLM explains findings and suggests next steps.

  • Rules Engine (All plans): credential stuffing, brute force, dormant accounts, infrastructure risks
  • ML Models (Pro+): impossible travel, login anomaly, behavior clustering, risk scoring
  • LLM Intelligence (Pro+): natural language policies, explain findings, auto-suggest, weekly digest
Compliance

Audit everything. Prove everything.

Audit trail

  • Every auth decision — who, what, when, where, allow/deny
  • Cloud access — who opened which console, when
  • eBPF — every service request logged at kernel level
  • SSH sessions — every command captured, replayable
  • Export to Splunk, Datadog, Elastic, any SIEM
  • Multi-tenant isolation — zero data leakage

Frameworks

  • SOC 2 Type II — audit trail, access controls, encryption
  • HIPAA — SMART on FHIR, consent management, PHI audit
  • GDPR — data residency, right to deletion, consent
  • ISO 27001 — information security management
  • PCI DSS — token security, encryption, access logging

Security you don't configure.

All 9 layers. Every plan. Start free.