Dual Coraza WAF engines
Two Coraza engines — proxy-wasm 0.5.0 and libcoraza FFI — ship in one dataplane image and are selectable per route.
Sandbox-isolated wasm for tenant-authored rules, richer FFI audit for ops-trusted routes — you are not locked into one trade-off.
OWASP CRS 4.26
Both engines run the pinned OWASP Core Rule Set 4.26 against every request.
You inherit the community-maintained baseline for SQLi, XSS, and RCE without hand-writing signatures.
PoW → CAPTCHA → Web Bot Auth ladder
Suspicious clients escalate through proof-of-work, then CAPTCHA, then Web Bot Auth (RFC 9421 / Ed25519).
Graduated friction stalls automated abuse while letting real humans and verified bots through — no blanket block.
ML entity-scoring
Per-entity risk scoring graduates through detection → verify → enforce before it is ever allowed to block.
A new signal observes and proves itself first, so scoring tightens without false-positive blocking on day one.
L3/L4 edge early-drop
Confirmed-malice traffic is dropped in the kernel via nftables/netdev before it reaches the WAF.
Volumetric floods are shed cheaply at the edge, keeping the request pipeline free for legitimate traffic.
Per-tenant Let's Encrypt
The nginx-acme module issues and renews a dedicated Let's Encrypt certificate for each tenant domain.
TLS is automatic from the first DNS change — no manual certs, no shared-cert blast radius.
EU data residency
Edge nodes run in the EU (Hetzner, OVH, Scaleway) with GDPR-native residency, configurable retention, and right-to-deletion.
Your traffic metadata stays in-region by architecture — not as an add-on you have to configure around.