An open-core product raises a fair question: what's free, what's paid, and is the open part real? Here's the honest map — and the rules that keep the line from moving.
The core is the security datapath. It must be fully useful on a single node, and it must be inspectable — in security, trust requires open code.
The enterprise sells scale, governance, and team operability — never baseline detection.
Understanding and inspecting a protocol is core. Managing it at scale, with governance, is enterprise.
Every detection module is open, including gRPC and GraphQL inspection — precisely so the core is never a gutted demo. A single node runs standalone: proxy, phased pipeline, normalization, anomaly scoring, TLS from file, single-node rate limiting, config and hot reload.
Every paid capability plugs into a public trait through the embedding builder. The open core is used unmodified, as a published crate — no fork, no patched core. Turn every enterprise seam off and you have exactly the open proxy.
Read it as: the open core gives you the whole datapath; the enterprise adds scale, governance and evidence around it.
| Area | Open core · Apache-2.0 | Enterprise adds · BSL 1.1 |
|---|---|---|
| Detection & inspection | Every module — SQLi, XSS, RCE, SSRF, … — plus gRPC & GraphQL inspection and the CRS engine. | Curated premium rules, managed schema-enforcement, premium native & bot-detection modules. |
| Rate limiting & state | Single-node L7 token bucket (the StateStore trait + in-memory impl). | One budget shared across the fleet via Redis, plus IP reputation. |
| TLS | Termination from file (rustls, HTTP/1.1 + HTTP/2 via ALPN). | ACME issuance & hitless rotation, mTLS with managed PKI, multi-node certs. |
| Rules | seclang / ModSecurity parser + evaluation engine. | Curated premium content, and governed publish / rollback with a per-node agent. |
| Observability | Prometheus /metrics + a structured JSON decision log. | Dashboards, long-term retention, blocked-request drill-down, alerting. |
| Access control | A single static bearer token. | RBAC, SSO (OIDC), server-side sessions, revocable service tokens. |
| Audit & compliance | — | A signed, hash-chained audit log and on-demand SOC2 / PCI evidence bundles. |
| SIEM | Raw logs (your own shipper). | A push forwarder — normalized, at-least-once, with visible lag. |
| WASM plugins | The runtime (Proxy-Wasm on wasmi). | Signature verification & marketplace. |
For every enterprise feature, the core defines a public trait; the enterprise provides an at-scale implementation and injects it through the builder. Nothing is patched into the core.
// build against the published core as a library — no fork let proxy = Proxy::builder(&config) .state_store(Arc::new(RedisStore::connect(&url)?)) // impl of a public trait .cert_source(Arc::new(AcmeCertSource::new(..))) // impl of a public trait .module_factory(move || Ok(build_premium_modules())) // extra modules, survive reload .build().await?; // every seam has a default → an empty builder equals the plain proxy.
StateStore, TlsCertSource and WafModule are public, SemVer-frozen traits. The enterprise implements them — and so can you.
The boundary is a written, normative policy — these are the parts that protect you.
The control plane reads telemetry off to the side. It never sits between clients and your backend — it cannot add latency or fail a request.
The enterprise builds against the published open core, unmodified, by version. An empty builder equals the plain proxy.
A capability shipped in the open core can never be moved to the paid tier later. The only permitted move is enterprise → open.
The extension traits are SemVer-frozen and evolve only additively (new defaulted methods), so external implementations never break.
One memory-safe foundation across both tiers — no C libraries dragged into a security trust boundary.
Everything runs on your infrastructure. Nothing phones home; your traffic and your telemetry stay with you.
Permissive, with an explicit patent grant.
Source-available to customers; commercial.
Run the open core today; add scale and governance when a fleet and an audit ask for it.