AdaptiveSec
AdaptiveSec is a cybersecurity awareness and behavioral risk analysis platform delivered through a Chrome Extension and a web-based dashboard. The system periodically deploys controlled phishing simulations designed around well-known psychological manipulation triggers, including urgency, authority, scarcity, and social proof. These simulations help organizations evaluate user susceptibility to social engineering tactics while providing insights that support targeted security awareness training and improved human risk management.
Most successful cyberattacks exploit human behavior rather than technical vulnerabilities. Despite this reality, most enterprise cybersecurity awareness programs remain static, compliance-driven, and one-size-fits-all. Training is typically delivered annually or after a user has already made a risky decision, which breaks the connection between the user's action and the lesson intended to prevent it. As a result, retention is low and the same mistakes continue to occur. Traditional awareness platforms also focus primarily on blocking threats silently at the system level, missing the opportunity to explain to users why an action was risky and how similar attacks operate. Without real-time feedback or behavioral insight, users are unable to build practical intuition against modern phishing and social engineering tactics. This creates a significant disconnect between rapidly evolving social engineering attacks and outdated awareness models that do not adapt to individual behavior, cognitive biases, or emerging threat patterns.
Cognitive Vulnerability Profiling
We model each user's susceptibility across four dimensions — Urgency Bias, Authority Bias, Social Proof, and Scarcity — and build a personalized vulnerability profile.
Adaptive Just-in-Time Training
Training nudges fire at the moment of risky behavior (e.g., clicking an unverified link), delivering context-aware lessons matched to the user's active vulnerability profile.
Live Security Dashboard
Users see their risk score, 30, 90, or all-time trend, score change explanations, and training progress in one unified dashboard.
Requirements & UX (PRD)
Who: Organizations and universities responsible for managing cybersecurity awareness and reducing human-related security risks across employees, staff, and students.
Goal: Implement an adaptive security awareness program that continuously evaluates human risk, strengthens user decision-making, and improves overall organizational security posture.
Pain Point: Traditional security awareness programs are static, compliance-driven, and provide limited insight into real user behavior or evolving social engineering threats.
Key Vulnerability: Limited visibility into behavioral risk patterns, making it difficult to identify high-risk users or tailor training to emerging phishing and social engineering tactics.
| Priority | As a… | I want to… | So that… |
|---|---|---|---|
| P0 | User | The Chrome Extension to analyze my browser interactions in the background | My risk profile is built on my actual daily habits without interrupting my workflow. |
| P0 | User | To see my Risk Score (0-100) update on my dashboard shortly after if I make a risky decision | I can understand the impact of my actions. |
| P0 | User | If my score drops, I want to see a plain-English explanation generated by the system | I understand exactly why I am considered high risk and how to change my behavior. |
| P1 | User | Receive training modules that specifically target my detected weaknesses | My training feels relevant and respects my time. |
| P1 | User | View my historical event history and score trends on my dashboard | I can visualize my risk level and track my improvement over time. |
| P1 | User | The system to automatically categorize my score into Vulnerability Profiles | I can understand the specific types of risks prevalent across the organization. |
| P2 | User | My risk score to immediately improve upon the successful completion of an assigned training module | I feel tangibly rewarded for actively participating in my cybersecurity education. |
| P2 | User | Receive a short, localized training nudge shortly after clicking a risky link or failing a simulation | I can learn from my mistake while the context is still fresh in my mind. |
| P2 | User | Access a unified dashboard view that consolidates my Risk Score, training progress, alerts, and explanations | I can instantly understand my overall security posture without clicking through multiple pages. |
Architecture & High-Level Design
| Layer | Technology | Why We Chose It |
|---|---|---|
| Frontend | React + TypeScript | Component-based UI, strong typing for risk data models, rich dashboard component ecosystem |
| Backend API | FastAPI (Python) | High-performance async endpoints, native Pydantic validation, seamless ML model integration |
| Risk Engine | XGBoost | Gradient-boosted decision trees optimized for high-accuracy behavioral risk scoring with built-in feature importance for explainability. |
| Database | Neo4j | Graph databases excel at querying patterns like 'which users are vulnerable to authority-based attacks who haven't completed related training' |
| Auth | JWT + OAuth2 | Stateless auth for API, SSO integration for enterprise IdP environments |
| Browser Layer | Chrome Extension (MV3) | Passive behavioral signal collection without proxying all traffic |
All API endpoints require JWT bearer tokens. RBAC enforces separation between Employee, Manager, and Admin views. OAuth2 PKCE flow for SSO.
User behavioral data stored encrypted at rest (AES-256). Risk scores are user-owned; org-level aggregation is opt-in. GDPR & CCPA data deletion supported.
Browser extension events are HMAC-signed to prevent spoofing. Rate limiting prevents score manipulation. All audit events are append-only logs.
TLS 1.3 enforced throughout. HSTS headers set. Content-Security-Policy prevents XSS. Pydantic schema validation on all API inputs before processing.
Detailed Component Design
org_id
baseline_risk_score
baseline_caution
fatigue_factor
created_at
trigger_type
template
phishing_link
delivery_schedule
FK user_id
FK simulation_id
url_hash
page_context
timestamp
risk_delta
threat_score
FK user_id
dominant_trait
urgency_score
authority_score
social_proof_score
scarcity_score
updated_at
title
bias_target
content_url
estimated_duration
FK user_id
FK module_id
progress
due_date
completed
completed_at
FK event_id
cognitive_bias_tag
plain_english_text
generated_at
USER ||--o{ CLICK_EVENT · USER ||--|| VULNERABILITY_PROFILE · USER ||--o{ TRAINING_ASSIGNMENT
SIMULATION ||--o{ CLICK_EVENT · TRAINING_MODULE ||--o{ TRAINING_ASSIGNMENT · CLICK_EVENT ||--|| EXPLANATION
Triggered by the Chrome Extension when a risky link is clicked. Drops the event payload into a RabbitMQ message queue for background processing. Returns 202 immediately to prevent browser lag.
{
"user_id": "uuid-1234",
"url": "https://update-payroll-now.com",
"page_context": "URGENT: Verify your credentials",
"timestamp": "2026-03-10T14:00:00Z"
}{ "status": 202, "message": "Event queued for background processing" }| Code | Meaning |
|---|---|
| 400 | Missing required fields |
| 401 | Missing or expired JWT token |
| 500 | RabbitMQ queue unavailable |
# Step 1 — Sanitize PII from payload
DataPreprocessor.sanitize(payload)
→ Strips PII from URL, hashes user_id → Output: sanitized dict
# Step 2 — Build feature vector
FeatureVectorBuilder.extract(sanitized_data)
→ Output: [URL_length: 25, Domain_age: 2, prior_click_count: 0, ...]
# Step 3 — XGBoost risk scoring
RiskScoringEngine.predict(feature_vector)
→ Output: { threat_score: 92, risk_delta: +15 }
# Step 4 — NLP cognitive trigger classification
CognitiveModel.tag_trigger(page_context)
→ Output: { cognitive_trigger: "Urgency_Bias" }
# Step 5 — MAB training assignment
RecommendationEngine.assign_training(user_id, cognitive_trigger)
→ Output: { assigned_module: "TM-URG-01" }
# Step 6 — Neo4j graph update
Neo4jClient.update_graph(user_id, trigger, module_id)
→ Writes [VULNERABLE_TO] and [ASSIGNED_TRAINING] edges
# Step 7 — Counterfactual explanation (Gemini API)
ExplanationGenerator.generate(event_context)
→ Publishes alert to Redis Pub/Sub → pushed via WebSocket to user# Click probability (Protection Motivation Theory)
click_probability = (
trigger_susceptibility
× (1 − baseline_caution)
× fatigue_multiplier
+ noise # ±0.05
)
# Susceptibility reduction after training completion
new_susceptibility = current_susceptibility × (1 − learning_rate)
# Final risk score clamped to 0–100
return clamp(ema_update(raw_score), 0, 100)Testing & Validation
| Test Case | Method / Endpoint | Input | Expected Output |
|---|---|---|---|
| Risk score calculation | RiskScoringEngine.predict() | [URL_length: 25, Domain_age: 2] | { threat_score: 45, risk_delta: +15 } |
| Cognitive trigger tagging | CognitiveModel.tag_trigger() | 'URGENT: Verify your credentials' | { cognitive_trigger: 'Urgency_Bias' } |
| Training assignment (Urgency) | RecommendationEngine.assign_training() | user_id, 'Urgency_Bias' | { assigned_module: 'TM-URG-01' } |
| Training assignment (Authority) | RecommendationEngine.assign_training() | user_id, 'Authority_Bias' | { assigned_module: 'TM-AUT-01' } |
| Data sanitization (PII removal) | DataPreprocessor.sanitize() | Raw click event payload | Sanitized dict, user_id hashed |
| Feature vector extraction | FeatureVectorBuilder.extract() | Sanitized URL and context | Array of floats [F1…F8] |
| Module completion scoring | POST /api/v1/users/{id}/training/{id}/complete | userId, moduleId | UpdatedRiskScore, ScoreImprovement |
Note: Because developers possess prior knowledge of the system, unbiased testing uses synthetic user agents that emulate realistic behavioral patterns. Each agent is initialized with a persona profile defining its susceptibility across all four trigger types.
| Persona | Urgency | Authority | Social Proof | Scarcity | Caution | Purpose |
|---|---|---|---|---|---|---|
| The Rushed Employee | 0.85 | 0.40 | 0.30 | 0.60 | 0.20 | Validates urgency-trigger detection and TM-URG-01 assignment |
| The Rule Follower | 0.30 | 0.80 | 0.35 | 0.25 | 0.40 | Validates authority-trigger detection and IT/management spoofing scenarios |
| The Social User | 0.25 | 0.30 | 0.85 | 0.45 | 0.30 | Validates social proof detection and peer influence scenarios |
| The Cautious User | 0.15 | 0.20 | 0.15 | 0.20 | 0.85 | Validates false-positive rate — must NOT be over-assigned training |
| The Vulnerable User | 0.85 | 0.80 | 0.85 | 0.80 | 0.10 | Validates multi-dimensional vulnerability detection and critical-risk flagging |
Management & Ethics
AdaptiveSec operates exclusively on organization-owned platforms and systems. Organizations are legally permitted to monitor their own infrastructure, including email and web activity, for activity that may jeopardize their cybersecurity posture.
No human reviewer will access the contents of monitored interactions under normal operation. Manual review is reserved strictly for critical escalation scenarios, such as detecting an active threat actor or a confirmed security breach.