Dyno | Devpost

Dashboard
Agent Customization
AI Agent Pipeline
Mitigation Detection

Inspiration

APIs are the backbone of every modern app — yet they’re also one of the easiest attack surfaces to exploit. From brute-force login attempts to automated scraping and credential stuffing, most API defenses are still static: rate-limiters and blacklists that can’t adapt. Even larger companies, such as Discord, are not immune to these attacks - recently, over 8 million tickets full of private information were scraped through a compromised admin account.

We wanted to build a self-learning layer of defense — something that doesn’t just detect suspicious traffic, but understands why it’s suspicious, adapts in real-time, and learns from every incident. That’s how Dyno was born.

What it does

Dyno is an AI-powered security middleware that sits in front of any FastAPI-based backend and continuously monitors API traffic for threats. It logs all incoming API requests and detects anomalies like brute-force logins, web scraping, and excessive query behavior — and reacts intelligently using a progressive mitigation system:

Adds small request delays for mild anomalies
Challenges users with CAPTCHAs for moderate suspicion
Temporarily blocks
Fully bans repeated offenders

How we built it

Dyno is built on a sophisticated multi-layered architecture that combines three specialized databases, an intelligent AI agent pipeline, and a self-learning RAG system.

Backend Architecture & Middleware

The core of Dyno is a FastAPI middleware that intercepts every API request before it reaches the application layer. The middleware follows a three-step process:

Redis Check: First, it performs a lightning-fast lookup in Redis to check if there's an active mitigation for the incoming IP or user. If found, it immediately applies the mitigation (delay, CAPTCHA, or block) without processing the request further.
Request Processing: If no mitigation exists, the request is allowed to proceed normally to the API endpoint.
Asynchronous Logging: After the request completes, the middleware non-blockingly adds the request details to both an internal queue and Elasticsearch. This ensures zero performance impact on legitimate traffic.

The internal queue batches requests and triggers the AI agent pipeline either every 5 seconds or when 100 requests accumulate — whichever comes first.

Three-Database Architecture

We engineered Dyno to leverage three different databases, each optimized for its specific role:

1. Redis – The first line of defense. Redis stores active mitigations with sub-millisecond lookup times, enabling us to block attacks instantly without consulting slower databases. Every mitigation decision made by the AI agents is written here with TTLs for automatic expiration.

2. Elasticsearch – The comprehensive audit log. Every single API request (with metadata like IP, user, endpoint, headers, response time, status code) is indexed in Elasticsearch. This provides:

Full-text search across all historical traffic
Complex aggregation queries for pattern detection
Time-series analysis of attack trends
The data source for our AI agents to investigate suspicious behavior

3. ChromaDB – The memory layer. ChromaDB is a vector database that powers our RAG (Retrieval-Augmented Generation) system. It stores semantic embeddings of past mitigation decisions along with their outcomes and human feedback. When the Calibration Agent needs to make a decision, it queries ChromaDB to find similar historical cases and learns from them.

AI Agent System

We built a multi-agent system using Fetch.AI's uAgents framework, where specialized agents collaborate to detect threats:

Orchestrator Agent – The traffic controller. It receives batches of API requests from the middleware queue and intelligently routes them to the appropriate specialist agent based on endpoint type (e.g., /auth/* → Auth Agent, /search → Search Agent).

Specialized Detection Agents – We created three specialist agents, each with domain-specific knowledge:

Auth Agent: Detects brute-force login attempts, credential stuffing, account enumeration
Search Agent: Identifies scraping behavior, excessive queries, suspicious search patterns
General Agent: Catches anomalies in all other endpoints

Each specialist agent receives custom rules (loaded from agent_rules/ directory) that define what patterns to look for. The agents use Groq's LLM API (specifically Llama models) to analyze batches of requests and use tool calling to query Elasticsearch for historical context about IPs or users. After analysis, they suggest a mitigation level for suspicious actors.

Calibration Agent – The learning layer. This agent takes the raw mitigation suggestions from specialists and refines them using historical knowledge:

Queries ChromaDB using RAG to find semantically similar past incidents
Amplifies or downgrades the mitigation based on what worked before
Saves the final decision back to ChromaDB with reasoning for future reference
Incorporates human feedback from the dashboard to continuously improve

The calibrated mitigation is then written to Redis, completing the loop.

RAG + Feedback System

The RAG (Retrieval-Augmented Generation) system is what makes Dyno adaptive:

Historical Storage: Every mitigation decision is embedded and stored in ChromaDB along with:
- The request patterns that triggered it
- The mitigation level applied
- Whether it was effective
- Any human feedback (thumbs up/down from the dashboard)
Semantic Retrieval: When the Calibration Agent evaluates a new threat, it performs a semantic search in ChromaDB to find similar past cases — not just exact matches, but situations with similar characteristics.
Context-Aware Decisions: The agent uses retrieved examples as context in its LLM prompt, asking: "Given these similar past cases, should I increase or decrease the suggested mitigation?"
Human-in-the-Loop: Security engineers can mark mitigations as correct or incorrect through the dashboard. This feedback is immediately incorporated into ChromaDB, so the system learns from mistakes in real-time.
Rule Customization: The dashboard also allows live editing of agent rules, which are hot-reloaded into the agents without requiring restarts.

Frontend & Real-Time Communication

The dashboard is built with React + TypeScript using shadcn/ui components and TailwindCSS for styling. It connects to the backend via WebSocket for real-time streaming of:

Live API request logs
Threat detection alerts
Mitigation applications
Agent decision explanations

We also implemented a security chatbot agent that lets users query the system in natural language (e.g., "Show me all blocked IPs from the last hour") by translating queries to Elasticsearch DSL.

Infrastructure

Everything is containerized with Docker and orchestrated via docker-compose, making deployment a single command. The entire stack — FastAPI backend, 6 AI agents, Redis, ChromaDB, and the React frontend — spins up together with automatic service discovery.

Accomplishments that we're proud of

Fully automating BOTH detection AND acting on malicious API requests
Using the Fetch.ai ecosystem for fast, asynchronous communication between agents in real-time
Implementing ChromaDB for calibration through human-in-the-loop and agentic memory of previous decisions
Using Groq to get < 5 second full end-to-end pipeline speed

What we learned

Multi-agent orchestration introduces both incredible flexibility and complex failure modes — message passing and trust boundaries matter.

RAG-based calibration can make AI decisions more explainable and consistent when paired with structured reasoning logs.

Human-in-the-loop feedback isn’t just a bonus — it’s essential for avoiding over-blocking legitimate users.

Security visibility is just as important as security action: clear dashboards empower developers to intervene intelligently.

What's next

Multi-Framework Support: Extend beyond FastAPI to support Express.js, Django, Rails, and other popular web frameworks
Behavioral Fingerprinting: Build user behavior profiles over time to detect subtle account takeovers and anomalous sessions
Edge Deployment: Deploy lightweight detection agents at CDN edge locations for sub-10ms global mitigation response times
Threat Intelligence Integration: Automatically incorporate external threat feeds (malicious IPs, compromised credentials) into agent decisions
Enterprise Multi-Tenancy: Enable multiple organizations to use shared Dyno infrastructure with isolated data and configurations