Flash Alerts
When a sender is flagged by 3 or more AgentProof users, a Flash Alert is issued network-wide. Every user who receives an email from that sender sees an immediate warning — before any local signals fire. Alerts escalate from Watch → Warn → Block as the reporter count rises.
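The escalation ladder can be pictured as a simple threshold lookup. This is a sketch only: the issuance threshold of 3 reporters comes from the note above, while the Warn and Block thresholds and the function name `alert_level` are hypothetical placeholders, not AgentProof's actual values.

```python
from typing import Optional

# Only WATCH_MIN (3 reporters) is stated in the release notes.
# WARN_MIN and BLOCK_MIN are assumed values for illustration.
WATCH_MIN = 3
WARN_MIN = 6
BLOCK_MIN = 10


def alert_level(reporter_count: int) -> Optional[str]:
    """Map a distinct-reporter count to a Flash Alert level, or None if no alert."""
    if reporter_count >= BLOCK_MIN:
        return "block"
    if reporter_count >= WARN_MIN:
        return "warn"
    if reporter_count >= WATCH_MIN:
        return "watch"
    return None
```

Checking the highest threshold first keeps the function correct if the thresholds are later tuned, as long as they stay in ascending order.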
Coordinated campaigns — multiple agent identities sharing platform infrastructure or sending patterns — are automatically detected and their constituent senders promoted to Flash Alert status. A campaign that targets 10 users simultaneously is exposed as a campaign, not 10 individual nuisances.
Flash Alerts expire after 7 days unless new evidence arrives. If the sender goes quiet, the alert clears automatically. If they keep sending, the window extends. Alerts are never permanent — the system self-cleans.
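One way to model the sliding expiry window is to store only the timestamp of the most recent evidence and compare it against a 7-day lifetime. The function names below are hypothetical, and treating an alert as expired at exactly 7 days is an assumption; the notes do not say whether the boundary is inclusive.

```python
from datetime import datetime, timedelta

ALERT_TTL = timedelta(days=7)  # lifetime stated in the release notes


def alert_is_active(last_evidence_at: datetime, now: datetime) -> bool:
    """An alert stays active while the latest evidence is under 7 days old."""
    return now - last_evidence_at < ALERT_TTL


def record_evidence(last_evidence_at: datetime, seen_at: datetime) -> datetime:
    """New evidence moves the window forward; older evidence never shrinks it."""
    return max(last_evidence_at, seen_at)
```

Because nothing but the latest timestamp is kept, an alert clears by itself once the sender goes quiet, with no cleanup job required in this sketch.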
Honeypot Network Propagation
When a Pro user's honeypot probe fires (meaning an AI agent retrieved the hidden probe URL embedded in a sent email), that event is instantly shared across the network. Other users who receive email from the same agent identity see an immediate Flash Alert. A trap set by one user protects everyone.
Each honeypot fire is attributed to the automation platform that triggered it, identified from 25+ known signatures of agent platforms, orchestration frameworks, and sending infrastructure, including Outreach, SalesLoft, Apollo, Instantly, and LangChain. You see which platform the agent came from, not just that it was caught.
Pro users can now view their complete probe fire history: which probes fired, when, from what platform, and whether the triggering sender has been seen by other users on the network.
Deep Analysis upgrade
The Claude deep analysis engine now scores eight independent signals — linguistic perplexity, vocabulary contamination, personalization authenticity, thread coherence, structural artifacts, intent clarity, authorship consistency, and response pressure — and returns a structured breakdown of what was found, not just a number. The verdict now includes specific indicator phrases and a confidence rating.
When a sender has previously triggered a honeypot probe, that information is surfaced to the deep analysis engine as a strong prior. Prior-confirmed agents receive an elevated score floor regardless of how well the email is written.
When deep analysis returns a score of 60 or above, the sender's infrastructure fingerprint is automatically contributed to the network intelligence layer. High-confidence detections by one Pro user immediately enrich the reputation data available to all users.
Network API
Pro users gain access to a real-time feed of what's being detected network-wide: which platforms have been most active in the last 48 hours, new Flash Alert issuances, and honeypot fire activity by platform. Situational awareness for your inbox.
The cross-user reputation endpoint now returns a richer picture: honeypot fire count (weighted heavily), active flash alert level, platform attribution, and distinct reporter counts from fingerprinting — alongside the existing confirmation signals. The score formula now elevates honeypot-confirmed senders to 95.
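The honeypot elevation can be read as a score floor. The sketch below assumes that interpretation: a sender with at least one honeypot fire never scores below 95, while a higher base score is left alone. The function name and the 0 to 100 clamp are illustrative assumptions; the rest of the formula is not described in these notes.

```python
HONEYPOT_FLOOR = 95  # value stated in the release notes


def reputation_score(base_score: int, honeypot_fire_count: int) -> int:
    """Clamp the base score to 0..100, then apply the honeypot floor if confirmed."""
    score = max(0, min(100, base_score))
    if honeypot_fire_count > 0:
        score = max(score, HONEYPOT_FLOOR)
    return score
```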
New signals
Detects the research-hook → pivot → CTA formula that Clay, Apollo, and Instantly generate for every cold email. "I noticed your company recently... I'd love to connect... Would you be open to a 15-minute call?" Fires when 3+ of 5 formula components are present in the opening paragraph.
The Reply-To header routes to a different domain than the From address. Outreach platforms (Outreach.io, SalesLoft, Apollo) funnel replies into a CRM while the email appears to come from the rep personally. Confidence 80 for known CRM Reply-To domains, 65 for any mismatch.
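A minimal sketch of the Reply-To check, using the two confidence values given above. The CRM domain set holds a made-up placeholder, since the real list is not published here, and the function names are hypothetical.

```python
from email.utils import parseaddr
from typing import Optional

# Placeholder entry only; the actual list of known CRM Reply-To domains is not given.
KNOWN_CRM_REPLY_DOMAINS = {"replies.crm-vendor.example"}


def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from a From or Reply-To header value."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch_confidence(from_header: str, reply_to_header: Optional[str]) -> Optional[int]:
    """Return 80 for a known CRM Reply-To domain, 65 for any other mismatch, else None."""
    if not reply_to_header:
        return None
    from_domain = domain_of(from_header)
    reply_domain = domain_of(reply_to_header)
    if not from_domain or not reply_domain or from_domain == reply_domain:
        return None
    if reply_domain in KNOWN_CRM_REPLY_DOMAINS:
        return 80
    return 65
```

This version compares full domains exactly, so `mail.acme.com` and `acme.com` would count as a mismatch. Whether the real signal compares registrable domains instead is not stated.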
"Hope this email finds you well." "Looking forward to hearing from you." "Please don't hesitate to reach out." Phrases real people stopped using. LLMs never stopped. Fires when 2+ patterns are found across greeting and closing.
Detects 1×1 tracking pixels, UTM-tagged links, and known outreach tracker domains (track.instantly.ai, trk.klenty.com, trk.lemlist.com, and 7 others). Fires on 2+ tracking indicators — legitimate personal emails don't have open-tracking infrastructure.
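As a rough illustration, the three indicator types can be pulled out of the HTML body with regular expressions. The sketch assumes that "2+ tracking indicators" means two or more distinct indicator types. It lists only the three tracker domains named above, and the function names are hypothetical.

```python
import re
from typing import Set
from urllib.parse import parse_qs, urlparse

# Only the three domains named in the notes; the other seven are not listed there.
TRACKER_DOMAINS = {"track.instantly.ai", "trk.klenty.com", "trk.lemlist.com"}

IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
URL_ATTR = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)
ONE_PX = r"""\b{}\s*=\s*["']?1["'\s/>]"""


def is_one_by_one(img_tag: str) -> bool:
    """True when both width and height attributes of the tag equal 1."""
    return all(re.search(ONE_PX.format(attr), img_tag, re.I) for attr in ("width", "height"))


def tracking_indicators(html: str) -> Set[str]:
    """Collect the distinct tracking indicator types present in an HTML body."""
    found: Set[str] = set()
    if any(is_one_by_one(tag) for tag in IMG_TAG.findall(html)):
        found.add("pixel")
    for url in URL_ATTR.findall(html):
        parsed = urlparse(url)
        if (parsed.hostname or "") in TRACKER_DOMAINS:
            found.add("tracker_domain")
        if any(key.lower().startswith("utm_") for key in parse_qs(parsed.query)):
            found.add("utm")
    return found


def tracking_signal(html: str) -> bool:
    """Fire when at least two distinct indicator types are present."""
    return len(tracking_indicators(html)) >= 2
```

A production detector would more likely use a real HTML parser; regular expressions keep the sketch short.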
Sophisticated HTML formatting (table layouts, custom fonts, background colors, high HTML-to-text ratio) in an email from a free provider address. Real personal emails are almost always plain text.
AI SDR subject line formulas: "Quick question", all-lowercase subjects, fake Re: on cold emails, numeric value props ("3 ways to..."), first-name-comma-hook patterns. Fires on 2+ patterns — these formulas are statistically uncommon in genuine personal email.
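The five subject patterns could be checked along these lines. The regular expressions, the keyword list for numeric value props, and the `is_reply_in_thread` and `recipient_first_name` inputs are all assumptions made for the sketch; the actual matching rules are not described in these notes.

```python
import re
from typing import List


def subject_pattern_hits(subject: str, is_reply_in_thread: bool, recipient_first_name: str) -> List[str]:
    """Return the names of the subject-line formulas that match."""
    s = subject.strip()
    hits: List[str] = []
    if re.search(r"\bquick question\b", s, re.I):
        hits.append("quick_question")
    if any(c.isalpha() for c in s) and s == s.lower():
        hits.append("all_lowercase")
    # "Re:" on a message that is not part of an existing thread
    if re.match(r"re:", s, re.I) and not is_reply_in_thread:
        hits.append("fake_re")
    if re.match(r"(re:\s*)?\d+\s+(ways|tips|ideas|reasons)\b", s, re.I):
        hits.append("numeric_value_prop")
    if recipient_first_name and re.match(
        rf"(re:\s*)?{re.escape(recipient_first_name)},\s+\S", s, re.I
    ):
        hits.append("first_name_hook")
    return hits


def subject_signal(subject: str, is_reply_in_thread: bool, recipient_first_name: str) -> bool:
    """Fire on 2+ matching patterns, as stated in the notes."""
    return len(subject_pattern_hits(subject, is_reply_in_thread, recipient_first_name)) >= 2
```

Requiring two hits means a lone "Dana, saw your post" or a genuine lowercase subject from a friend does not fire on its own.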
Systematic point-by-point response to every item in the previous message, in order, with no tangents or new topics introduced. A behavioral pattern of LLM inference — humans don't respond this consistently.
UX improvements
Confirm Human / Confirm Agent / Block Sender buttons now show a visual feedback state before closing. Previously they closed silently — you had no way to know if the action registered.
Header now shows the sender email and signal count ("3 signals fired") so you know who you're acting on and how much evidence there is.
On install, AgentProof scans your last 30 inbox emails in the background so the popup shows data immediately. The activity feed in the popup shows the last 10 scored emails with tier, score, and time.
Bug fixes
CONFIRM_HUMAN, CONFIRM_AGENT, and BLOCK_SENDER messages were sending empty strings as the sender email due to a fragile rawData lookup. Fixed — actions now correctly identify the sender.
New signals
Detects the classic AI cold email formula: personalization opener → value proposition → CTA, 80–250 words, no casual language. Every AI SDR tool uses this structure. Now we recognize it.
Humans write with high sentence-length variance: short punchy sentences mixed with longer ones. LLMs cluster tightly around 15–20 words per sentence. We now measure the coefficient of variation (standard deviation divided by mean) of sentence length to catch this. The signal fires when CV < 0.25 across 6+ sentences.
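A minimal sketch of the sentence-uniformity check, using the thresholds given above. The sentence splitter is deliberately naive, and the choice of population standard deviation over sample standard deviation is an assumption; the notes do not specify either.

```python
import re
import statistics
from typing import List


def sentence_lengths(text: str) -> List[int]:
    """Split on sentence-ending punctuation and count the words in each sentence."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    return [len(s.split()) for s in sentences]


def sentence_uniformity_signal(text: str, max_cv: float = 0.25, min_sentences: int = 6) -> bool:
    """Fire when sentence lengths are unusually uniform (CV below the threshold)."""
    lengths = sentence_lengths(text)
    if len(lengths) < min_sentences:
        return False
    mean = statistics.fmean(lengths)
    if mean == 0:
        return False
    cv = statistics.pstdev(lengths) / mean
    return cv < max_cv
```

The minimum of six sentences matters because the coefficient of variation is unstable on very short emails, where two or three sentences of similar length are unremarkable.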
Detection improvements
Klaviyo, Mailchimp, ActiveCampaign, ConvertKit, Customer.io, Drip, and Brevo/Sendinblue are now detected and classified as Sequence (human-initiated automation) rather than falling through unidentified.
Role Disclosure: embeds a hidden system note instructing autonomous agents to include a canary word to "confirm receipt." Agents following their coordination instructions comply; humans never see it.
Context Bait: exploits LLMs' compulsion to answer questions they weren't explicitly asked, using an invisible logic puzzle that only gets solved if the reader is an LLM.
A fully autonomous system sent this with no human involvement per-send. This is the signal that matters — the one worth acting on.
A real person configured a sales sequence (Apollo, Outreach.io, SalesLoft, Klaviyo). Automated delivery, but deliberate human intent behind it. Not the same as an agent — and we won't tell you it is.
Receipts, login alerts, shipping notifications. No human was involved and none intended to reach you personally.
Precision improvements
Outreach.io, SalesLoft, and Apollo are used by human sales reps every day. These platforms were incorrectly classified as zero-FP (auto-flag at 90% confidence). Fixed: they are now low-FP and require corroboration from other signals before flagging. Only agent-specific platforms (Instantly.ai, Smartlead, Lemlist, GMass) remain zero-FP.
"John Smith <john.smith@gmail.com>" was triggering as a ghost-sender indicator. Common names now only count when the email local part is also algorithmically generated — e.g. jsmith7749x@gmail.com. A real person with a common name using Gmail is not suspicious.
"I'd be happy to help" and "here's a draft" were incorrectly in the zero-FP tier (auto-flag). Humans write these phrases. Both moved to LLM vocabulary markers (medium-FP, score booster only). Zero-FP prompt leakage now only triggers on things humans cannot write: unfilled template placeholders {{company_name}}, AI self-identification, and the LLM-distinctive opener "Certainly! Here..."
Early access signups captured on the landing page, stored with deduplication.
Technical deep-dive explaining every signal, the four-phase detection architecture, and how we protect privacy. Written for the curious user who wants to understand what's happening under the hood.
Upgrade from the welcome screen was silently failing — the Stripe session request was missing its request body. Fixed.
Zero-FP: ESP fingerprint, prompt leakage, honeypot, agent metadata
Low-FP: superhuman speed, heartbeat cadence, cross-user pattern, send-time anomaly, API fingerprint, ghost sender, follow-up cadence
Medium-FP: LLM vocabulary, personalization ratio, structural template, sentence uniformity, no-human-artifacts
Whitelist: prior conversation, Google Contacts, user-confirmed senders, calendar correlation (Pro), reply-chain human markers. Whitelists always reduce the score; they never increase it.
Free: unlimited local scans, all signals, Gmail badges. Pro ($7/mo or $59/yr): Claude Haiku deep analysis, honeypot, auto-archive, auto-label, cross-user network intelligence.