ZeroTrust IAM monitors how your users behave — not just what credentials they provide. Every login is scored against the user's unique behavioural fingerprint, and anomalies are blocked in real time.
A three-step pipeline from behavioural data collection to intelligent access control — all happening transparently during the standard login flow.
When a user logs in, ZeroTrust IAM silently captures 8 behavioural signals using a lightweight JavaScript collector embedded in the login page. These signals — keystroke dwell time, flight time, typing rhythm, mouse speed, acceleration, path deviation, click patterns, and movement jitter — form a rich multi-dimensional profile of how the real user interacts with their device. No hardware. No friction. No visible change to the login experience.
The collected behavioural data is sent to ZeroTrust IAM's Python ML API, where an Isolation Forest algorithm compares it against the user's established behavioural baseline. The Isolation Forest is an unsupervised model — it learns what normal looks like for each individual user without requiring any labelled attack data. When a session's behavioural profile deviates significantly from baseline, it receives an anomaly score flagging it as a potential threat.
ZeroTrust IAM's custom Java authenticator plugin intercepts the Keycloak login flow via the Service Provider Interface (SPI) and queries the ML API before granting access. If the behavioural score is anomalous, the login is blocked — automatically, instantly, and without requiring manual security team intervention. Legitimate users experience no friction. Impostors never get in.
JavaScript collector captures 8 behavioural signals silently during login
Isolation Forest model scores behavioural data against user baseline
Java SPI plugin blocks anomalous logins before access is granted
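The scoring step described above, as an added example that is not ZeroTrust IAM's own code: a pure-Python Isolation Forest fitted on one user's baseline sessions and used to score two new sessions. The three features (out of the 8 signals), the constructed baseline and session values, and the 0.55 threshold are assumptions; the page does not state the product's threshold or parameters.

```python
import math
import random
EULER = 0.5772156649
THRESHOLD = 0.55  # assumed cut-off; the page does not state one

def c(n):
    """Expected path length of an unsuccessful BST search over n points."""
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + EULER) - 2.0 * (n - 1) / n

def build(rows, depth, limit, rng):
    """Grow one isolation tree using random axis-aligned splits."""
    if depth >= limit or len(rows) <= 1:
        return len(rows)                  # leaf: points left unseparated
    f = rng.randrange(len(rows[0]))       # random feature
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return len(rows)
    s = rng.uniform(lo, hi)               # random split value
    left = [r for r in rows if r[f] < s]
    right = [r for r in rows if r[f] >= s]
    return (f, s, build(left, depth + 1, limit, rng), build(right, depth + 1, limit, rng))

def path(tree, x, depth=0):
    if isinstance(tree, int):             # leaf: add the expected remaining depth
        return depth + c(tree)
    f, s, left, right = tree
    return path(left if x[f] < s else right, x, depth + 1)

def fit(baseline, n_trees=100, psi=32, seed=7):
    """Train on one user's historical sessions only (no labelled attacks)."""
    rng = random.Random(seed)
    psi = min(psi, len(baseline))
    limit = math.ceil(math.log2(psi))
    return [build(rng.sample(baseline, psi), 0, limit, rng) for _ in range(n_trees)], psi

def score(model, x):
    """Anomaly score in (0, 1]; sessions that isolate quickly score near 1."""
    trees, psi = model
    mean = sum(path(t, x) for t in trees) / len(trees)
    return 2.0 ** (-mean / c(psi))

# Constructed baseline: 200 sessions of (dwell ms, flight ms, mouse px/s).
_rng = random.Random(1)
BASELINE = [(_rng.gauss(95, 8), _rng.gauss(140, 15), _rng.gauss(420, 40)) for _ in range(200)]
MODEL = fit(BASELINE)
SESSIONS = {"typical": (95, 140, 420), "unfamiliar": (250, 40, 1500)}  # constructed
VERDICTS = {k: score(MODEL, v) > THRESHOLD for k, v in SESSIONS.items()}
```

`VERDICTS` maps each session name to `True` when its score exceeds the threshold, which is the value an authenticator would act on to block the login.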
| Component | Technology |
|---|---|
| Behavioural Data Collection | JavaScript (vanilla, no dependencies) |
| ML Anomaly Detection API | Python · Flask · scikit-learn |
| ML Algorithm | Isolation Forest (unsupervised) |
| Identity Provider Integration | Keycloak (open-source IAM platform) |
| Custom Auth Plugin | Java (Keycloak Service Provider Interface) |
In a Zero-Trust model, no user, device, or session is trusted by default — not even inside your own network. Every access request must be continuously earned, not just granted once at login and forgotten.
This is the standard that modern enterprise security demands. Published guidance, including NIST SP 800-207 and the UK NCSC's Zero Trust guidance, now explicitly recommends continuous verification as best practice for protecting sensitive systems.
ZeroTrust IAM makes this achievable for any organisation running Keycloak-based IAM infrastructure — without ripping out existing systems or introducing user friction.
The US National Institute of Standards & Technology defines Zero-Trust as a security model that assumes no implicit trust — requiring verification of every access request regardless of network location.
The UK National Cyber Security Centre recommends continuous verification and least-privilege access as foundational pillars of modern enterprise security architecture.
ZeroTrust IAM achieves 90% anomaly detection accuracy in formal testing — validating the Isolation Forest approach as enterprise-viable for continuous identity verification.
Watch ZeroTrust IAM intercept an anomalous login attempt in real time. No slides. No theory. Just the system working.