DEV Community

Cover image for Building a Local-First ATO Risk Scorer: Looking for Security-Minded Feedback
Refilwe Ledwaba
Refilwe Ledwaba

Posted on

Building a Local-First ATO Risk Scorer: Looking for Security-Minded Feedback

I’ve been working on a lightweight, zero-dependency middleware for Node.js (Express, Next.js, Fastify) designed to solve a specific pain point: the trade-off between securing login flows and maintaining low-latency infrastructure.

Instead of relying on heavy, third-party fraud APIs that introduce latency and require sending sensitive user telemetry off-server, I’ve built a local, tunable rules engine to handle ATO (Account Takeover) and SIM-swap detection natively.

The Architecture:

  • Zero-Latency: The logic runs entirely within the local request/response cycle.
  • Privacy-First: All data stays within your private network.
  • Fail-Open Design: Your authentication flow remains uninterrupted, even if the scorer encounters a logic exception.

Why I’m opening this up:
I’ve reached a point where I want to pressure-test the rules engine against real-world scenarios. I’ve just open-sourced the project under the DevGuard Labs banner and am currently looking for developers to help beta-test the logic.

How you can help:
If you're building auth-heavy applications, I’d love for you to take a look at the repo, see how the sliding-window velocity checks are handled, and let me know if you spot any edge cases.

Check out the repo here:
https://github.com/blacksanddesignsandbranding-dot/account-takeover-risk-scorer
Any feedback—or even a Star if you find the approach useful for your own stack—would be greatly appreciated as I work on the next phase of the rules engine!

Top comments (0)