Light WAF inspects every request, scores it against your rules, and blocks when the score crosses the line — with a control panel that shows you exactly why.
Every module that matches contributes points by severity. When the cumulative anomaly score crosses your block threshold, the request is denied. Tuning the WAF is tuning that one relationship — not editing rules by hand.
Connection, headers, body — native detectors and CRS rules examine each request as it's read, in order.
A critical adds 6, a warning 3, a notice 2. Two weak signals together weigh as much as one strong one.
At the threshold the verdict flips to blocked — and the full breakdown is stored for the drill-down.
Everything below the core is opt-in and default-off — turn it all off and you have exactly the standalone OPEN WAF.
SQLi, XSS, RCE, path traversal, SSRF, LDAP/NoSQL/SSTI and more — plus the CRS rule engine — score every request cooperatively.
One token-bucket budget shared across every node via Redis, with atomic server-side accounting. No node over-allows.
Score client IPs from your blocklists; a single-writer feed keeps the shared reputation fresh and self-expiring.
Hitless ACME certificates (TLS-ALPN-01 or DNS-01 wildcards), plus mutual-TLS client auth. Fail-closed, never a silent downgrade.
Validate every GraphQL and gRPC operation against your app's real schema — a field the real client never sends is a probing signal.
Extend detection with your own WASM modules, gated by a detached minisign signature. A plugin that fails verification never loads.
A single pane over the whole cluster: block rate, traffic disposition, denied-event volume and per-node latency.
Open any blocked request and see the accumulated score broken down per rule and severity — exactly why it was stopped.
Fire on per-IP or per-rule bursts within a window, with cooldowns, and push to a webhook. Attack signatures surface themselves.
Publish and roll back ruleset versions from the dashboard; a per-node agent validates and hot-reloads, and you watch convergence.
Viewer / operator / admin roles, local accounts, and OpenID Connect single sign-on backed by HttpOnly session cookies.
Every action is written to a hash-chained, Ed25519-signed log — tamper-evident and verifiable on demand.
Generate a signed SOC2 / PCI evidence bundle for any period — access control, audit integrity, WAF effectiveness, incidents.
Push denied verdicts, audit records and alerts to your SIEM as versioned ECS-like NDJSON, at-least-once, with visible lag.
A React dashboard over the whole cluster: monitor traffic, drill into any blocked request, manage rules, and produce compliance evidence.



The enterprise tier plugs into the core's extension seams through the builder — the same physical shape as a separate repository.
A complete, standalone WAF — on GitHub and crates.io.
At-scale and governed capabilities on top — available commercially.
The open core is on GitHub and crates.io. The enterprise tier — control panel, governance, compliance, SIEM — is available commercially.