๐Ÿ“„ Security Whitepaper โ€” v2.1

Attest Security Whitepaper

A technical overview of the Attest architecture, threat model, cryptographic protocols, and privacy guarantees.

Version 2.1.0ยทPublished May 2026ยทAttest Security Ltd.

1. Executive Summary

Business Email Compromise (BEC) caused over $2.9 billion in losses in 2023 (FBI IC3). The root cause is not weak passwords โ€” it is the absence of verification that a real human sent the email. Attest introduces a mandatory out-of-band verification step that proves a real human sent the email, using frictionless behavioral dynamics (mouse movement patterns), without ever accessing email content.

2. Threat Model

Attest is designed to defend against:

Session Hijacking

Attacker steals browser session cookie and sends emails from victim's account. Attest blocks this โ€” the attacker cannot mimic the victim's physical human interaction dynamics.

AI-Generated Phishing

AI writes convincing emails from compromised accounts. Attest ensures every sent email has cryptographic proof of being sent by a real human.

Malware-Driven Sending

Malware on the victim's machine attempts to send emails silently. The extension intercepts all send actions, including programmatic ones.

Insider Threats

An employee sends unauthorized emails. The audit log provides a timestamped, cryptographically signed record of every verified send action.

3. Cryptographic Protocol

The verification flow uses standard, auditable cryptographic primitives:

Hash Function

SHA-256 (NIST FIPS 180-4)

Behavioral Dynamics

Local mouse movement & click vector analysis

Verification Log

Secure backend verification & Trust Record

Transport

TLS 1.3

Storage Encryption

AES-256-GCM

Key Exchange

ECDH P-256

4. Privacy Architecture

Attest is designed with a zero-knowledge architecture. The extension has no Gmail API permissions and cannot read email content. The server receives only a cryptographic hash โ€” never the email itself. This is enforced at the protocol level, not just by policy.

Data Minimization Principle

We collect the minimum data required to prove a real human sent the email. The four stored fields (hash, timestamp, name, result) are the irreducible minimum for a verifiable audit trail. No additional data is collected, inferred, or retained.

For security disclosures, contact security@attest.com. For the full technical specification, see the Documentation.