Every capability, traceable to running code

No superlatives, no invented benchmarks — one honest sentence per capability, each mapped to code that runs at the edge today.

Dual Coraza WAF engines

Two Coraza engines — proxy-wasm 0.5.0 and libcoraza FFI — ship in one dataplane image and are selectable per route.

Sandbox-isolated wasm for tenant-authored rules, richer FFI audit for ops-trusted routes — you are not locked into one trade-off.

OWASP CRS 4.26

Both engines run the pinned OWASP Core Rule Set 4.26 against every request.

You inherit the community-maintained baseline for SQLi, XSS, and RCE without hand-writing signatures.

PoW → CAPTCHA → Web Bot Auth ladder

Suspicious clients escalate through proof-of-work, then CAPTCHA, then Web Bot Auth (RFC 9421 / Ed25519).

Graduated friction stalls automated abuse while letting real humans and verified bots through — no blanket block.

ML entity-scoring

Per-entity risk scoring graduates through detection → verify → enforce before it is ever allowed to block.

A new signal observes and proves itself first, so scoring tightens without false-positive blocking on day one.

L3/L4 edge early-drop

Confirmed-malice traffic is dropped in the kernel via nftables/netdev before it reaches the WAF.

Volumetric floods are shed cheaply at the edge, keeping the request pipeline free for legitimate traffic.

Per-tenant Let's Encrypt

The nginx-acme module issues and renews a dedicated Let's Encrypt certificate for each tenant domain.

TLS is automatic from the first DNS change — no manual certs, no shared-cert blast radius.

EU data residency

Edge nodes run in the EU (Hetzner, OVH, Scaleway) with GDPR-native residency, configurable retention, and right-to-deletion.

Your traffic metadata stays in-region by architecture — not as an add-on you have to configure around.

See it running on your own domain

We onboard early partners by hand. Tell us your domain and we take it from there.

Apply for Early Access