Human-in-the-Loop Configuration
The HumanInTheLoop section controls when and how Vectra intercepts requests for manual operator review.
Class: Vectra.BuildingBlocks.Configuration.HumanInTheLoop.HumanInTheLoopConfiguration
Properties
| Property | Type | Default | Description |
|---|---|---|---|
| Enabled | bool? | true | Enable / disable the HITL interception system |
| Threshold | double? | 0.8 | Risk score threshold (0–1). Requests with a score above this are intercepted |
| TimeoutSeconds | int | 3600 | How long (in seconds) a suspended request remains reviewable before auto-expiry |
| NotificationWebhookUrl | string? | null | Optional webhook URL — Vectra will POST a payload when a new HITL request is created |
| MaxPendingRequests | int | 100 | Maximum number of concurrently pending HITL requests. 0 = unlimited |
Example
```json
"HumanInTheLoop": {
  "Enabled": true,
  "Threshold": 0.75,
  "TimeoutSeconds": 7200,
  "NotificationWebhookUrl": "https://hooks.example.com/vectra-hitl",
  "MaxPendingRequests": 50
}
```
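A lint pass over the properties documented above, added here as an example and not part of Vectra: it applies the defaults from the table and flags values that the documented types accept but that weaken operator review. The name `lint_hitl`, the section sitting at the top level of the settings document, and null falling back to the default are assumptions.

```python
import json
from urllib.parse import urlsplit

# Defaults copied from the Properties table on this page.
DEFAULTS = {"Enabled": True, "Threshold": 0.8, "TimeoutSeconds": 3600,
            "NotificationWebhookUrl": None, "MaxPendingRequests": 100}

def lint_hitl(settings_json):
    """Return a list of findings for the HumanInTheLoop section (hypothetical helper)."""
    section = json.loads(settings_json).get("HumanInTheLoop") or {}
    # Assumption: a missing or null property falls back to its documented default.
    cfg = {**DEFAULTS, **{k: v for k, v in section.items() if v is not None}}
    findings = []
    if cfg["Enabled"] is not True:
        findings.append("Enabled: HITL interception is switched off")
    t = cfg["Threshold"]
    if isinstance(t, bool) or not isinstance(t, (int, float)) or not 0 <= t <= 1:
        findings.append("Threshold: outside the documented 0-1 range")
    elif t == 1:
        # Only scores above the threshold are intercepted; assumes scores share the 0-1 range.
        findings.append("Threshold: 1 can never be exceeded, so nothing is intercepted")
    if cfg["TimeoutSeconds"] <= 0:
        findings.append("TimeoutSeconds: review window is not positive")
    if cfg["MaxPendingRequests"] == 0:
        findings.append("MaxPendingRequests: 0 is unlimited, so the cache of suspended requests is unbounded")
    url = cfg["NotificationWebhookUrl"]
    if url is not None:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append("NotificationWebhookUrl: not an absolute https URL")
    return findings

# The Example section from this page, wrapped in braces to form a complete document.
PAGE_EXAMPLE = """{"HumanInTheLoop": {"Enabled": true, "Threshold": 0.75,
  "TimeoutSeconds": 7200,
  "NotificationWebhookUrl": "https://hooks.example.com/vectra-hitl",
  "MaxPendingRequests": 50}}"""

# Constructed sample: each value fits the documented type yet weakens review.
WEAK = """{"HumanInTheLoop": {"Threshold": 1.0, "MaxPendingRequests": 0,
  "NotificationWebhookUrl": "http://hooks.example.com/vectra-hitl"}}"""

if __name__ == "__main__":
    for name, doc in (("page example", PAGE_EXAMPLE), ("weak sample", WEAK)):
        print(name, "->", lint_hitl(doc) or "no findings")
```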
How It Works
- The DecisionEngine computes a risk score for every proxied request.
- If the score exceeds Threshold, the engine returns a DecisionResult.Hitl(...).
- HitlService.SuspendRequestAsync() stores the full request in the cache with a TTL of TimeoutSeconds.
- The gateway responds with 202 Accepted and a Location header pointing to /hitl/status/{id}.
- An operator polls /hitl/{id} or is notified via the webhook.
- The operator calls POST /hitl/{id}/approve or POST /hitl/{id}/deny.
- On approval, HitlService.ReplayAsync() re-executes the original request against the upstream.
See Human-in-the-Loop for the full operator workflow.
Webhook Payload
When NotificationWebhookUrl is configured, Vectra sends a POST request with a JSON body:
```json
{
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "agentId": "...",
  "method": "DELETE",
  "url": "https://api.example.com/users/all",
  "reason": "High risk score: 0.92",
  "timestamp": "2025-01-01T12:00:00Z",
  "expiresAt": "2025-01-01T14:00:00Z"
}
```