HCAD Early Threat Detection
HCAD (Host & Context Anomaly Detection) collects behavioural signals from authenticated HTTP requests, scores them, and starts the asynchronous AI analysis pipeline before the request ever reaches a protected resource (@Protectable). HCAD itself never blocks or challenges — it only decides whether the LLM pipeline should start analysing early.
Overview
HCAD early threat detection runs before controllers or @Protectable methods are reached by having HCADFilterConfigurer insert HCADFilter before Spring Security's AuthorizationFilter. The current configurer order is SecurityConfigurer.HIGHEST_PRECEDENCE + 115, followed by AuthenticatedPendingAnomalyTriggerFilter at HIGHEST_PRECEDENCE + 116. HCAD is not a final risk decision engine. It is an early gate that decides whether an authenticated request is worth sending to the LLM analysis path before a protected resource is reached.
SHADOW: a candidate can start LLM analysis, but runtime side effects are suppressed at the event boundary. Enforced actions are still owned by the normal Zero Trust decision path.
From request arrival to decision
When analysis begins
Without HCAD early detection, AI analysis begins only when a protected resource is reached. With HCAD enabled, requests that already carry strong anomaly signals get their analysis scheduled at the filter stage — before any controller code runs.
Trusted fast context projection
HCAD scoring is now based on TrustedHcadContextProjection, created by TrustedHcadContextProjectionFactory. Only fields with TRUSTED_SERVER, BRIDGE_VERIFIED, or STORE_DERIVED provenance can influence pre-trigger scoring. Client-provided simulation headers, official-inspection override slots, RAG/vector/MCP data, and external threat-pack inputs are excluded from the hot-path decision.
- userId · sessionId
- requestPath · httpMethod
- remoteIp
- clientIp
- impossibleTravel
- trusted server time
- contextBindingHash
- tenantId
- organizationId
- authenticationMethod
- failedLoginAttempts
- hasValidMFA
- requestBurst
- rapidSequence
- previousPath
- baselineConfidence
- baselineEstablished
- STORE_DERIVED source
- normalizedPath
- httpMethod
- verificationRequired
- authorizationPolicyId
- authorizationPrivileged
- recentPermissionChanges
- RAG / vector / MCP
- simulation headers
- client risk overrides
Signal weight model
Signals fall into two classes. Anchor signals are heavy enough that a single anchor can push the request into the early-analysis path. Corroborating signals carry meaning only when several accumulate. The final rule is "at least one anchor AND total ≥ 70".
Anchor signals
Corroborating signals
Risk score bands
The aggregated score on a 0–100 scale is classified into four bands. Early analysis kicks in once the request enters the RED band and an anchor signal is present.
| Band | Score range | Meaning | Triggers early analysis |
|---|---|---|---|
| LOW | 0 – 29 | Normal | No |
| MEDIUM | 30 – 49 | Mild anomaly | No |
| HIGH | 50 – 69 | Worth watching | No (existing path handles it) |
| REDLINE | 70 – 100 | Inspect now | Yes, provided an anchor signal is present |
contexa.hcad.high-risk-score = 50, contexa.hcad.medium-risk-score = 30, contexa.hcad.low-baseline-confidence-threshold = 0.35. When a user's normal-behaviour baseline confidence is below 0.35, the corroborating signal BASELINE_UNCERTAIN is added automatically.
Assessment record structure
The scorer output is stored in an immutable record — HcadPreProtectablePromotionAssessment — and attached to HTTP request attributes for the pending-anomaly trigger chain. Candidate, trigger, duplicate, and LLM-outcome state is persisted separately in hcad_detection_evaluation. The runtime audit log keeps only summary trace data; monitoring statistics are computed from the dedicated evaluation table.
Trusted projection assessment and evaluation persistence
Example code illustrating the current hot-path shape before a request reaches the protected controller:
// Simplified from HCADFilter.
// 1. Build a canonical fast projection from trusted sources only
TrustedHcadContextProjection projection =
trustedProjectionFactory.project(request, authentication);
// 2. Score only trusted fields; ignoredInputs are kept for explanation, not scoring
HcadPreProtectablePromotionAssessment assessment =
hcadPreProtectablePromotionScorer.score(projection);
// 3. Attach the assessment to request attributes for the trigger chain
HcadPreProtectablePromotionRequestProjector.project(
request,
assessment,
hcadProperties.getPreTrigger().effectiveMode());
// 4. The orchestrator persists hcad_detection_evaluation and coordinates LLM dedup
if (assessment.eligible()) {
pendingAnomalyTriggerOrchestrator.maybeTrigger(request, authentication);
}
Early-analysis trigger chain
Placed right after the HCAD filter, AuthenticatedPendingAnomalyTriggerFilter publishes an event only when a request passes the sequential gates below. Any gate can stop the flow independently — the original request path is never affected. HCAD and @Protectable triggers share an idempotency key so the same request does not produce duplicate LLM analysis.
PendingAnomalyEligibilityGate (1), PendingAnomalyEvidenceCheckService (2), HcadLlmTriggerCoordinator and AnalysisTriggerStateRepository (3 & 4), PendingAnomalyEventTriggerService (5). Requests passing all gates are forwarded to ZeroTrustEventPublisher.publishPreProtectableThreat().
Normal-behaviour baseline learning
Before HCAD can decide what is abnormal for a user, it has to learn what is normal. BaselineLearningService observes high-trust requests and incrementally updates two baselines — one per user, one per cohort — across IP ranges, access hours, paths, User-Agents, operating systems, and authentication methods.
Learning mechanics
Exponential Moving Average (EMA)
- newTrust = α·current + (1-α)·old
- Weights recent observations more
- Absorbs gradual drift naturally
Least-Frequently-Used eviction
- IP · path · UA · OS sets
- Drops the least-frequent element first
- Keeps set sizes bounded
Personal baseline
- Activates after 10+ samples
- Confidence tier rises gradually
- Stored per user
Organisational baseline
- Fallback when personal data is absent
- Cohort-level statistics
- Protects brand-new users
Event payload fields
Requests that clear all five gates are published as PRE_PROTECTABLE_REDLINE events and then consumed by the existing asynchronous LLM pipeline and audit system. The payload contract carries every judgement input, so the same structure can later be reused by external verifier scenarios.
| Field | Type | Description |
|---|---|---|
hcadEvaluationId |
string | Primary evaluation identifier persisted in hcad_detection_evaluation |
hcadMode |
enum | OBSERVE, SHADOW, or ENFORCE; default is SHADOW |
decisionBoundaryMode |
enum | Set to SHADOW for HCAD shadow candidates so enforcement side effects are skipped |
hcadEscalationScore |
integer | Risk score between 0 and 100 |
hcadEscalationBand |
enum | LOW · MEDIUM · HIGH · REDLINE |
hcadEscalationEligible |
boolean | Whether early analysis fired |
hcadEscalationReasons |
string[] | Reason codes for each detected signal |
hcadEscalationSummary |
string | One-line summary for operator alerts |
hcadEscalationVersion |
string | Scorer version — ensures reproducibility |
rawSignalSnapshot |
object | Raw signal values for verifier replay |
duplicateSuppressed |
boolean | True when the coordinator suppresses a duplicate HCAD/@Protectable trigger |
action |
enum | Always PENDING_ANALYSIS. Enforcement action is decided by the LLM pipeline later |
Infrastructure modes & wiring
HCAD's session metadata, request counters, and device records live in a storage layer that swaps implementations based on the infrastructure mode. Both implementations satisfy the same HCADDataStore contract, so application code is unaffected.
STANDALONE
Default mode for development and testing. All state lives in-process.
InMemoryHCADDataStore
- Backed by
ConcurrentHashMap TreeMap5-minute request window- Zero external dependencies
DISTRIBUTED
Multi-instance deployments. State is shared through Redis.
RedisHCADDataStore
- Hash · Set · Sorted Set structures
- Session TTL 24 h · device TTL 30 d
- Consistent judgement across all instances
Wiring points
HCADFilter before Spring Security's AuthorizationFilter (configurer order=HIGHEST_PRECEDENCE + 115)Shadow monitoring and qualification
HCAD pre-trigger evaluation is observable through the IAM admin page /contexa/admin/security-monitor/hcad. The page reads from hcad_detection_evaluation and provides day, week, month, and year windows for candidate count, LLM trigger count, precision, false positives, observable false negatives, unknown ratio, average LLM latency, duplicate suppression, signal performance, resource performance, user/session repeats, and estimated wasted cost.
| Qualification setting | Default | Meaning |
|---|---|---|
contexa.hcad.pre-trigger.qualification.shadow-min-precision | 0.80 | Minimum precision for considering shadow data meaningful |
contexa.hcad.pre-trigger.qualification.limited-enforce-min-precision | 0.90 | Minimum precision before limited enforce is recommended |
contexa.hcad.pre-trigger.qualification.default-enforce-min-precision | 0.95 | Minimum precision before default enforce is recommended |
contexa.hcad.pre-trigger.qualification.minimum-sample-size | 100 | Minimum sample count for evaluating promotion readiness |