What a managed WAF actually does — and what "managed" should mean

The term “managed WAF” hides a lot

Search for managed WAF and you land mostly on managed-security-service pages: a provider runs a firewall in front of your site and tunes it so you do not have to. That framing is right, but it is vague about the part that matters — what is actually running, and who keeps it correct. This is our answer to both.

What runs in front of your site

Smart WAF is a cloud web application firewall. You point your domain’s DNS at our EU edge nodes, and every request passes through a filtering pipeline before it reaches your origin server. That pipeline is not a black box:

  • Dual Coraza engines. We ship two Coraza builds in one dataplane image — proxy-wasm 0.5.0 and a libcoraza FFI engine — and select per route. The wasm engine is sandbox-isolated for tenant-authored rules; the FFI engine gives a richer audit trail for ops-trusted routes.
  • OWASP Core Rule Set 4.26. Both engines run the pinned community rule set, so you inherit the maintained baseline for SQL injection, cross-site scripting, and remote code execution without hand-writing signatures.
  • A graduated challenge ladder. Suspicious clients escalate through proof-of-work, then a CAPTCHA, then Web Bot Auth (RFC 9421 / Ed25519). Real humans and verified bots pass; automated abuse stalls. Nothing gets a blanket block on a hunch.
  • Kernel-level early-drop. Traffic confirmed malicious is dropped in the kernel via nftables before it ever reaches the WAF, so volumetric floods are shed cheaply.

What “managed” means here

The managed part is the sales model, not a mystery. We onboard early partners by hand: you tell us the domain, we bring it under the edge, verify certificates issue, and watch the first traffic together. Certificates are per-tenant Let’s Encrypt, issued automatically from the first DNS change through the nginx-acme module — no shared-cert blast radius, no manual PEM juggling.

Configuration changes propagate from our control plane to the edge in under a second via an etcd watch, so a policy change is live almost immediately rather than on a deploy cycle. Every write is recorded in an immutable, append-only audit log — you can see what changed, when, and by whom.

What we do not pretend to be

Honesty is the point of this page. Smart WAF is not a global CDN with hundreds of points of presence, and there is no free self-serve tier. Our edge runs in the EU (Hetzner, OVH, Scaleway) with GDPR-native data residency — that regional focus is deliberate, not a limitation we are hiding. Our added-latency target is a ≤5 ms design budget; we do not quote production-fleet numbers we have not earned on production hardware.

If a managed WAF for a EU-hosted site is what you need, tell us your domain and we take it from there.

See it running on your own domain

We onboard early partners by hand. Tell us your domain and we take it from there.

Apply for Early Access