TAP Verifies Who.
We Analyze What They're Doing.
Google's Universal Commerce Protocol opens your checkout to AI agents. Identity verification tells you it's Gemini. It doesn't tell you Gemini is enumerating your catalog.
The Three-Layer Security Stack
UCP isn't a standalone security solution. It's one layer of a complete protection stack.
Layer 1
UCP Protocol
The Handshake
Standardizes how agents and merchants communicate. Checkout sessions, OAuth identity linking, embedded checkout.
Provided by: Google, Shopify
Layer 2
TAP Identity
The ID Card
Cryptographic agent verification. Proves Gemini is actually Gemini. Edge-based behavioral intelligence.
Provided by: Visa, Akamai
Layer 3
Intent Analysis
The Behavior Layer
Session-level intent scoring. Cross-session pattern detection. Agent reputation over time.
Provided by: WebDecoy
Verified Agents Can Still Attack
TAP proves identity. It doesn't monitor intent. A verified Gemini agent can still:
Enumerate your catalog
Create sessions for every SKU to extract real-time pricing and availability
Hold your inventory
500 verified sessions during a limited drop = effective DoS
Test stolen cards
Identity verification doesn't prevent payment fraud attempts
Harvest shipping rates
41,000 zip codes x 50,000 SKUs = 2 billion data points
# Verified agent, malicious intent
pricing = {}
for product_id in catalog:
    session = create_checkout_session({
        "line_items": [{
            "item": {"id": product_id},
            "quantity": 1
        }]
    })
    # Extract pricing data
    pricing[product_id] = {
        "price": session["totals"]["subtotal"],
        "available": session["status"] != "unavailable"
    }
    # Never complete - just harvest

# TAP sees: "Verified Gemini agent"
# WebDecoy sees: "Enumeration pattern"

What WebDecoy Provides
The intent layer that TAP doesn't include. Behavioral analysis purpose-built for UCP traffic.
Intent Classification
Session-level scoring distinguishes shopping from reconnaissance. Detect enumeration, inventory holding, and card testing in real-time.
Agent Reputation
Track agent profiles over time, not just per-request. Build reputation scores based on historical behavior across your merchant network.
API Honeypots
Fake product IDs, honeypot pricing, decoy endpoints. Catch reconnaissance before it touches your real catalog.
Fraud Platform Bridge
Connect UCP signals to Sift, Signifyd, Forter, and Riskified. Native integrations that normalize agent profiles, risk scores, and JA4 fingerprints.
JA4+ Fingerprinting
Server-side TLS fingerprints reveal the true client behind UCP requests. Catch Python scripts claiming to be Gemini.
Escalation Triggers
Automatically trigger requires_escalation based on behavioral signals. Force suspicious agents to human-in-the-loop.
{
  "agent_profile": "https://gemini.google.com/agent",
  "session_id": "chk_1234567890",
  "intent_score": {
    "classification": "reconnaissance",
    "confidence": 0.94,
    "signals": {
      "completion_rate_24h": 0.02,
      "product_access_entropy": 0.12,
      "geographic_spread": 847,
      "avg_session_duration_sec": 3.2
    }
  },
  "reputation": {
    "score": 23,
    "first_seen": "2026-01-10T14:32:00Z",
    "total_sessions": 12453,
    "flags": ["rapid_enumeration", "no_completions"]
  },
  "recommendation": "requires_escalation"
}

Real-Time Intent Scoring
Every UCP session gets an intent score. Know what the agent is doing, not just who they claim to be.
Session-level classification
Shopping, browsing, reconnaissance, or fraud attempt
Behavioral signals
Completion rate, access patterns, geographic consistency
Actionable recommendations
Allow, challenge, escalate, or block
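An added example, not WebDecoy's code or scoring model: a minimal per-agent scorer that derives signals like those in the sample response above from checkout session records and maps them to a recommendation. The record layout, the sku_coverage and decoy_hits signals, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records:
# (agent_profile, product_id, postal_code, duration_sec, completed)
SESSIONS = (
    [("https://agent.example/shopper", "sku-1", "94107", 95.0, True),
     ("https://agent.example/shopper", "sku-2", "94107", 140.0, True),
     ("https://agent.example/shopper", "sku-2", "94107", 60.0, False)]
    + [("https://agent.example/crawler", f"sku-{i}", str(10000 + i), 3.0, False)
       for i in range(1, 41)]
)
CATALOG_SIZE = 50         # constructed
DECOY_IDS = {"sku-9999"}  # hypothetical honeypot IDs never shown to real shoppers


def score_agents(sessions, catalog_size, decoy_ids=frozenset()):
    """Group sessions by agent and classify each agent's behavior."""
    by_agent = defaultdict(list)
    for rec in sessions:
        by_agent[rec[0]].append(rec)

    report = {}
    for agent, recs in by_agent.items():
        n = len(recs)
        products = {r[1] for r in recs}
        signals = {
            "completion_rate": sum(r[4] for r in recs) / n,
            "sku_coverage": len(products - decoy_ids) / catalog_size,
            "geographic_spread": len({r[2] for r in recs}),
            "avg_session_duration_sec": sum(r[3] for r in recs) / n,
            "decoy_hits": len(products & decoy_ids),
        }
        # Illustrative thresholds (assumptions); tune against real traffic.
        enumerating = (n >= 20
                       and signals["completion_rate"] < 0.05
                       and signals["sku_coverage"] > 0.5
                       and signals["avg_session_duration_sec"] < 10)
        # Any touch on a decoy ID is treated as reconnaissance on its own.
        if signals["decoy_hits"] or enumerating:
            label, action = "reconnaissance", "requires_escalation"
        else:
            label, action = "shopping", "allow"
        report[agent] = {"signals": signals,
                         "classification": label,
                         "recommendation": action}
    return report


REPORT = score_agents(SESSIONS, CATALOG_SIZE, DECOY_IDS)
```

Both constructed agents would pass identity verification equally; only the aggregated signals separate them.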
Works With Your Existing Stack
WebDecoy integrates with your current fraud tools and security infrastructure.
- Sift: Fraud Platform
- Signifyd: Fraud Platform
- Forter: Fraud Platform
- Riskified: Fraud Platform
- Stripe Radar: Payment Fraud
- Adyen: Payment Fraud
- Shopify: Platform
- BigCommerce: Platform
- Cloudflare: Edge/CDN
- Akamai: Edge/CDN
- Datadog: Observability
- Splunk: SIEM
Built for UCP-Native Merchants
Whether you're on Shopify, building custom, or migrating to UCP, we've got you covered.
Shopify Plus
Native integration with Shopify's UCP implementation. Drop-in protection for agentic checkout.
- Shopify Flow integration
- Automatic requires_escalation
- Checkout UI Extensions
Custom Implementation
REST API and webhooks for custom UCP implementations. Full control over scoring and response.
- Synchronous scoring API
- Async webhooks
- Custom rule engine
Enterprise
Dedicated infrastructure, custom models, and white-glove onboarding for high-volume merchants.
- Dedicated reputation network
- Custom ML models
- SLA guarantees
Ready for Agentic Commerce?
Talk to us about protecting your UCP endpoints with intent classification and behavioral analysis.
Get in Touch
UCP Opens the Door. We Watch Who Walks Through.
The shift to agentic commerce is happening. Make sure you're protected from day one.