We had a working Python script. Here is why we rewrote it as a native sf plugin, and the design decisions that made 22 parallel security checks practical.
TL;DR: A layered architecture, a cache dependency system to avoid redundant API calls, and a configurable scoring model.