A European Cloudflare alternative — honest about the gaps
Why people search for an alternative at all
Most “Cloudflare alternative” searches come down to two motivations: data residency — keeping traffic and metadata inside the EU, outside US jurisdiction — and wanting a WAF without the overhead and lock-in of an all-in-one global platform. Smart WAF is built for the first motivation and sized for the second. It is not an attempt to out-feature a hyperscaler.
Where Smart WAF fits
We are a EU-based managed web application firewall. Your DNS points at our edge nodes in the EU (Hetzner, OVH, Scaleway); requests are filtered and forwarded to your origin. The filtering is real engineering you can name:
- Dual Coraza engines (proxy-wasm 0.5.0 and libcoraza FFI) running OWASP CRS 4.26 — the same open rule-set lineage a serious WAF should stand on.
- A challenge ladder — proof-of-work, then CAPTCHA, then Web Bot Auth (RFC 9421, Ed25519) — instead of an all-or-nothing block.
- ML entity-scoring that graduates through detection → verify → enforce, so a new signal proves itself before it is ever allowed to block a request.
- Per-tenant Let’s Encrypt certificates issued automatically, and EU data residency as an architectural default rather than a paid add-on.
Where it deliberately does not compete
An alternative that pretends to match every incumbent feature is not credible. So, plainly:
- No global CDN. We are not selling hundreds of edge points of presence or a content cache. If your primary need is worldwide static delivery, a CDN is the right tool and we are not it.
- No free self-serve tier. Our model is managed onboarding — we bring domains under the edge by hand. That is a fit for teams who want a person accountable for the config, not a fit for spin-up-and-forget.
- No fabricated trust signals. We do not display compliance badges we have not earned or customer counts we cannot verify. For a security vendor, an empty wall beats a fake one. What we can show is the architecture, the audit log, and this very site running behind the product.
The honest comparison
The incumbents describe latency as “virtually zero” with no number behind it. We hold to a ≤5 ms added-latency design budget and label any measured figure as staging-measured until production hardware proves otherwise. That restraint is the differentiator — a EU WAF that tells you exactly what it is.
If that trade is the one you want, tell us your domain.