Challenge by Veraproof
Step-Up Identity Verification to Challenge Users and Capture Verified Context
Challenge users through IdP SSO step-up authentication and gather context such as the reason for an event, with assurance it's really them. When a challenge fails or a user reports an incident, SOAR playbooks can automatically revoke SaaS app sessions and contain devices via Challenge's webhook API or MCP. The same capability defends against impersonation and deepfake attacks when identity is in doubt.
Secure Verification
IdP SSO-based identity verification with device fingerprinting & geolocation
Security ChatOps
Challenge a user in Slack with step-up auth and justification capture when SOAR or your team needs verified context from them
Response
Automatically revoke SaaS app sessions and contain or lock devices when challenges fail or users report security incidents
Pricing
Starter
- All integrations
- SSO authentication
- Audit logs
- RBAC
- Email support
Growth
- All integrations
- SSO authentication
- Audit logs
- RBAC
- Email support
Scale
- All integrations
- SSO authentication
- Audit logs
- RBAC
- Email support
Unlimited
- All integrations
- SSO authentication
- Audit logs
- RBAC
- Email support
Monthly metered usage with graduated tiers
Need enterprise billing or a multi-year subscription?
Contact Sales
Challenge Blog
Latest insights on security ChatOps, identity verification, impersonation detection, and incident response workflows.
Frequently Asked Questions
1. How does Challenge work?
Challenge provides identity verification and user-facing ChatOps through multiple integration methods:
- Slack ChatOps: Use the /challenge slash command or programmatic API to reach a user with interactive challenge cards that combine IdP step-up authentication and optional justification capture.
- Webhook API: Create challenges and trigger response actions programmatically from your SIEM, ITSM system, SOAR playbooks, or automation tools.
- IdP SSO: Users verify identity through SAML 2.0 or OIDC authentication with your identity provider.
- Response Actions: Revoke SaaS app sessions and contain devices automatically via webhook API or MCP when a challenge fails, a user reports an incident, or other signals in your security workflow indicate risk.
2. What integrations are supported?
Challenge supports multiple integration methods:
- Slack Integration - Use slash commands, challenge cards, incident reporting, and configurable justification capture in ChatOps
- SAML 2.0 - Full SAML support for identity provider authentication
- OIDC - OpenID Connect support for broader IdP compatibility
- Session Revocation - Revoke sessions across SaaS apps like Okta, Entra, Google Workspace, Slack Enterprise, and Miro
- Device Containment - Trigger endpoint containment (EDR) or lock (MDM) actions as part of incident response
- Webhook API - REST API for creating challenges and running response actions programmatically
- MCP (Model Context Protocol) - AI agents and MCP clients can create challenges, check status, and trigger response workflows via OAuth 2.1
3. What are common use cases?
Challenge is designed for security operations and business workflows:
- Verified context from a user: When a SOAR playbook or analyst needs to challenge someone and gather justification or reason for an event, Challenge posts an interactive Slack card with IdP step-up authentication so you know it's really them
- Automated containment: SOAR playbooks call the webhook API or MCP to revoke SaaS sessions (Okta, Entra, Google Workspace, Slack Enterprise, Miro) and contain devices when a challenge fails, a user reports an incident, or other workflow signals are met
- ITSM Workflows: Verify user identity before granting access to sensitive systems or processing high-risk requests
- Impersonation & deepfake defense: Detect and prevent impersonation attacks and account takeovers by challenging users who show suspicious behavior, with device fingerprinting and IdP authentication
- Financial Transactions: Require identity verification for large money transfers or payment approvals and prevent fraud
- Access Requests: Verify identity before granting elevated permissions or access to critical resources and prevent lateral movement
4. How does pricing work?
Challenge uses metered usage with graduated tiers:
- Each tier includes a flat monthly fee covering a base number of usage events
- Usage events include identity verification challenges and completed response actions (including session revocation and device containment)
- Overage charges apply per usage event beyond the included amount
- The Unlimited tier includes a fair use policy of 20,000 usage events per month
- Customers exceeding fair use limits can discuss custom enterprise pricing with our sales team
To upgrade your pricing tier, contact support, as subscription changes must be processed manually for metered usage products.
5. What security features are included?
Challenge includes comprehensive security features:
- Device Fingerprinting: Collects browser, OS, screen resolution, timezone, geolocation, and IP address metadata
- IdP SSO Authentication: Users authenticate through your existing identity provider (SAML or OIDC)
- Incident Reporting: Slack users can report suspicious activity directly from challenge cards
- Justification Capture: Optional context fields capture why users selected verify or incident report
- Response Actions: Automate SaaS session revocation and device containment via webhook API or MCP when challenges fail, users report incidents, or your workflow detects other risk signals
- Challenge Expiration: Verification links expire after 15 minutes for security
- Audit Logging: All challenge events are logged for security and compliance
- Webhook Signatures: Optional HMAC SHA256 signatures for webhook callbacks
6. How does the webhook API work?
The webhook API allows you to create challenges, run response actions programmatically, and receive callbacks when actions complete:
- Create challenges via REST API with API key authentication
- Receive webhook callbacks when challenges complete (verified, failed, expired, or incident reported) and chain response actions based on the outcome
- Trigger SaaS session revocation and device containment automatically when challenges fail or other workflow signals are met
- Check challenge and response-action status via API at any time
- Support for both standard URL-based challenges and Slack-based challenges via API
See the Webhook Integration Guide for complete API documentation and examples.
7. What data does Challenge store?
Challenge stores minimal data required for identity verification:
- Challenge metadata (challenge ID, status, timestamps)
- Target user email and identifier
- Device fingerprinting data (browser, OS, IP address, etc.)
- Integration configuration (Slack tokens, IdP settings, webhook secrets - all encrypted)
We never store passwords, and all sensitive data is encrypted at rest and in transit. See our Privacy Policy for details.
8. Can I customize success and error pages?
Yes. Challenge provides customizable success and error pages that display support contact information configured in your admin console. See the Success and Error Pages guide for details.
9. Does Challenge support MCP for AI agents?
Yes. Challenge exposes a Model Context Protocol (MCP) server so AI-powered tools, SOAR playbooks, and MCP clients (for example Cursor and n8n) can create identity verification challenges, check status, and trigger response actions—including SaaS session revocation and device containment—using OAuth 2.1. Your workflow can automate containment when a challenge fails or other signals are met. See the MCP Integration guide for setup, OAuth flows, and security practices.
Challenge Documentation
Access integration guides, configuration instructions, and API reference for Challenge.