hoaxeyehoaxeyedocs
Detection

Detection families

hoaxeye groups detections into families. Each family decides when to run, which verdicts it can emit, and how the operator can configure its mode. The card grid below links to the per-family page.

Live

Anti-VPNlive
Network-side identification of VPN, proxy, datacenter and Tor traffic at connect time. Residential-VPN endpoints are scored separately so legitimate consumer-privacy users aren't bucketed with commercial VPNs.
Backdoor scannerlive
Scheduled audits of every started resource against a curated whitelist. The current version is whitelist-driven after the first iteration produced too many false positives on framework internals.
Discord verifylive
Hardcoded Discord-membership gate at connect time. Includes an audited emergency bypass for the case where Discord itself is down or the bot got removed.

Roadmap

NUI / trigger / native abuseroadmap
Client-UI injection, server-event hijacking and entity-rate abuse families. Threat-modelled in detail, not yet shipped. Coming online in phases — the first card lights up here when the first family ships.

How to read each family page

Every live family page is structured the same way:

  • What it protects against. One paragraph, generic — no signal internals.
  • Modes. What observe / score / enforce mean for this family.
  • Verdicts. The verdict strings you'll see in dashboard logs.
  • Latency / cadence. Measured numbers with the methodology footnote.
  • False-positive history. What used to misfire, how we fixed it, why it's better now.
  • Operator recommendation. Which mode to start in for typical server types.