Inside Glance's 4-Tier Detection Engine: How 99.8% of Threats Are Caught

Most email security tools run a single check: does this sender match a blocklist? If yes, block. If no, deliver. That binary model worked well enough when threats were bulk spam from known bad actors. It does not work well against targeted phishing from fresh domains, AI-generated content, and attacker infrastructure that has never been seen before. Glance runs four sequential tiers of analysis — each one catching what the previous one cannot.

Why One Layer Is Not Enough

A blocklist alone fails against unknown threats. An attacker who registers a fresh domain, sends from clean cloud infrastructure, and has never targeted any Glance user before will score zero hits on any blocklist. They do not exist in any threat database yet.

AI analysis alone is too slow and too expensive to run on every email. The average protected inbox sees 80–120 emails per day. Running a full AI semantic scan on every one would cost more than the subscription and add latency that makes the product unusable. The vast majority of those emails — newsletters, receipts, messages from known contacts — are obviously safe or obviously dangerous within milliseconds using cheaper signals.

The answer is a pipeline: run the cheapest, fastest checks first, escalate only the cases that need deeper analysis. Each tier exists to handle a specific class of threat at the right cost.

Tier 1: Deterministic (0ms, $0)

Before any analysis runs, every incoming email is checked against two lists: your personal allowlist and the global blocklist. These checks take zero milliseconds because they are pure lookups — no computation, no network call.

If the sender is on your allowlist — a contact you or your gatekeeper have previously approved — the email is delivered instantly. No further processing. If the sender appears on the global blocklist — a continuously updated database of confirmed malicious senders, domains, and infrastructure — the email is blocked instantly. No further processing.

Tier 1 handles roughly 40–45% of all incoming email. For that fraction, the cost and latency are zero. Every email that reaches Tier 2 is genuinely ambiguous.

Tier 2: Heuristic Analysis (<100ms, $0)

Tier 2 is where most threats are actually caught. This tier runs six independent checks against the email's technical metadata — signals that attackers cannot easily forge, no matter how convincing their message content is.

• SPF / DKIM / DMARC validation: Email authentication protocols verify that the sending server is authorized to send on behalf of the claimed domain. A failure here is a strong indicator of spoofing or impersonation.
• Domain age analysis: Fresh domains — registered within the last 30 days — are a hallmark of phishing campaigns. Attackers provision new domains per campaign to avoid reputation blocklists. Glance checks domain registration date on every unknown sender.
• Brand lookalike detection: Jaro-Winkler string similarity and homoglyph substitution checks catch paypa1.com, arnazon.com, and micosoft.com — visually indistinguishable variants that human eyes miss but algorithms catch in microseconds.
• Reply-to vs. from domain mismatch: A common business email compromise (BEC) signal: the from address looks legitimate, but replies go to an attacker-controlled address. This mismatch is invisible in most email clients but trivially detectable at the header level.
• Redirect chain analysis: Embedded links are followed through their redirect chains before delivery. Legitimate services use clean, direct URLs. Credential-harvesting pages are almost always reached through multi-hop redirectors.
• Urgency language patterns: Phrase-level pattern matching on urgency triggers: "act within 24 hours," "your account will be suspended," "verify immediately." These patterns correlate strongly with social engineering attempts.

Tier 2 catches approximately 95% of the threats that reach it. The remaining emails — those that pass all six heuristic checks despite being unknown senders — proceed to Tier 3.

Tier 3: Reputation and Intel Feeds (<200ms)

Tier 3 cross-references the sender and any embedded links against eight external threat intelligence feeds, all checked in parallel to keep total latency under 200ms:

In addition to external feeds, Tier 3 draws on Glance's community-sourced sender reputation network. Every time a Glance user marks a sender as a threat, that signal contributes to a cross-user reputation score. A sender who has never appeared in any external threat database but has triggered blocks across fifteen Glance accounts will have a degraded reputation score — and will be flagged on Tier 3 before they ever reach a new target.

This network effect is the structural advantage of a shared-reputation platform: the first victim's signal protects the next 10,000.

Tier 4: AI Deep Scan (2–5s, Grey Zone Only)

Tier 4 activates only for emails with a threat score between 21 and 79 — the grey zone where the evidence is ambiguous. These are the emails that pass technical authentication, come from domains with some age, are not in any external feed, and have no community reputation signal — but still feel wrong in ways that are difficult to quantify mechanically.

For these cases, Glance sends a redacted version of the email to Claude AI for semantic analysis. Before the API call, all personally identifiable information is stripped from the body. The AI does not receive your name, contact details, or any information that could identify you. It receives an anonymized text and returns an intent classification: URGENT, SCAM, PHISHING, WORK, or PERSONAL — along with a confidence score and a plain-language explanation of its reasoning.

The explanation matters. Glance never just says “blocked.” Every AI decision comes with a reason — the specific signals that caused concern. This is what the gatekeeper sees when reviewing a grey-zone email, and it is what allows a non-technical family member to make a confident decision in seconds.

Frequently Asked Questions