Conviction Engine

The Conviction Engine is VouchCore's primary intelligence layer — a Gemini-powered analysis system that enriches raw DNS and threat feed signals with trust context, generates composite scores, and surfaces plain-language findings.

What the Conviction Engine Does

Raw signals from passive DNS — SPF records, DMARC policies, IP addresses, mail server configurations — are data points without context. The Conviction Engine turns them into intelligence:

• Intent Analysis — Classifies whether observed signals indicate legitimate configuration, misconfiguration, or malicious intent
• Trust Enrichment — Correlates DNS signals with threat intelligence feeds (AbuseIPDB, ThreatFox) to identify known-bad infrastructure
• Vendor Resolution — Identifies sending infrastructure by vendor (Microsoft 365, Google Workspace, Proofpoint, Mimecast) from IP ranges
• Composite Scoring — Produces a 0–100 Conviction Score representing the inverse of malicious confidence

Signal Sources

The Conviction Engine ingests signals from multiple sources on each enrichment request:

• Passive DNS (dnspython) — SPF, DMARC, DKIM, MX, A/AAAA records
• AbuseIPDB — IP reputation and abuse history
• ThreatFox — Malware C2 and IOC correlation
• DMARC RUA reports — Authoritative mail-flow data (when enrolled)
• Certificate Transparency — SSL issuance for brand surface monitoring

Caching and Performance

The Conviction Engine caches enrichment results in Redis/Memorystore to minimize redundant DNS queries and provide sub-second response times for dashboard loads. Cache TTL is calibrated to balance freshness with query efficiency.