Root & jailbreak
The TillPulse mobile SDKs report device-integrity failures at runtime — a rooted Android or jailbroken iOS device is a compromised trust boundary, and TillShield treats it as one.
Device integrity, TLS pinning, overlay abuse, web + desktop tamper — collected by the SDKs, scored by severity and confidence.
› Read the docsWatch security signals; when a trigger crosses its threshold, take one action — automatically. Test-mode and cooldowns included.
› Read the docsA real triage workflow — status, severity, an assignee, and an append-only timeline of every note, change, and action taken.
› Read the docsPrivacy-preserving sha256 indicators shared across every org. A binary caught attacking others surfaces for you first.
› Read the docsTillShield doesn’t ask you to instrument anything new. It reads the security telemetry your TillPulse SDKs already send, scores it, and puts it in front of a rule.
The TillPulse mobile SDKs report device-integrity failures at runtime — a rooted Android or jailbroken iOS device is a compromised trust boundary, and TillShield treats it as one.
A pinned connection that doesn’t match its expected certificate is a man-in-the-middle in progress. The failure the SDK reports becomes a signal you can act on before the session continues.
Foreign windows drawn on top of your app are the classic tap-jacking and credential-capture vector. TillShield flags overlay abuse the moment the SDK detects it over a sensitive screen.
Web and desktop runtimes report their own tamper indicators. Same pipeline, same scoring, same rules — so a single policy can span every surface you ship on.
Every detection carries privacy-preserving sha256 indicators. A package, certificate, or binary caught attacking another TillDev customer surfaces for you before it reaches you.
Every signal lands with a security type, a severity, and a confidence score. Rules trigger on those numbers — so you decide how sure and how serious a threat has to be before anything happens.
A rule watches a set of security types and fires when they cross a threshold — a minimum severity, a minimum confidence, and a count within a time window. When it does, it takes exactly one action.
Run a new rule in test-mode first — it logs what it would have done without doing it. A per-rule cooldown keeps one bad actor from firing the same action a hundred times a minute.
Writing rules →raise_incidentOpen a triage record with the triggering events attached.
quarantine_sessionCut off the offending session without touching the rest of the account.
revoke_sessionsKill every auth session for the user — TillShield asks TillAuth to do it.
alertNotify the channel you already route TillPulse alerts to.
When a rule raises an incident, you get a record you can actually work — a status, a severity, an assignee, and an append-only timeline that captures every note, every status change, and every action TillShield took automatically.
Every incident has an owner. Assign it to a teammate and it shows up on their plate — no separate ticketing tool to reconcile.
The timeline is append-only. Notes, status changes, and the actions a rule already took are all one ordered record — nothing gets quietly edited away.
Move it open → investigating → contained → resolved. The severity and the triggering events stay attached the whole way through.
When a malicious package, certificate, or binary is seen attacking one TillDev customer, its indicator is shared across every org — so it can surface for you before it ever reaches your users.
The catch is that we never share the thing itself. Indicators are sha256 hashes only — a fingerprint you can match against, carrying no raw identifier, no user data, and nothing that ties a threat back to the org that first saw it.
Indicators are sha256 digests — one-way, no reversible payload.
No org name travels with an indicator. You see the threat, not the victim.
Contribution is on by default and can be turned off; you still consume the shared feed.
A shared indicator is just another signal — the same rules and actions apply.
TillShield isn’t a separate product to integrate — it’s the security layer of the TillDev workspace you already have. It reads what TillPulse collects and acts on what TillAuth controls, and every move lands in the one audit log.
The device-integrity, pinning, and overlay signals TillShield reacts to are the ones your TillPulse SDKs already send. Nothing new to install.
revoke_sessions and quarantine work because TillShield can reach into TillAuth and end a session — the same sessions your users authenticate against.
Every rule fire, incident change, and automated action writes to the shared TillDev audit log, next to your Pulse and Auth events — one history, not three.
TillShield reacts to signals after they’re reported. It does not sit in the request path today. Two things are coming — and we’ll say so plainly until they ship.
A request-time worker that blocks or challenges traffic on the hot path — turning a detection into a decision before the request is served, not after. In design.
Dedicated packages — @tilldev/shield-node and @tilldev/shield-cloudflare — to enforce rules at your own edge and origin. Not published yet.
If TillPulse is already watching your projects, TillShield is one workspace away from watching for the attacks.
You don't have to use the rest. But they fit together — same workspace, same audit log, same shortcut to switch between them. Add what you need when you need it.