A control plane, governed rule management, compliance evidence and SIEM export — layered on the open core through its extension seams, without forking it. Self-hosted, off the request path.

Three things change when you move from a standalone WAF to a governed deployment across many nodes.
The core protects one node; the enterprise data-path modules coordinate across the whole cluster — one rate-limit budget, shared reputation, managed certificates.
A control plane collects every node's telemetry, shows what's blocked and why, alerts on attack signatures, and manages rules with per-node convergence.
RBAC and SSO, a signed tamper-evident audit log, on-demand SOC2/PCI evidence, and a SIEM feed — the paperwork a security program needs.
Enterprise detection modules plug into the core's seams, survive reloads, and act across the whole cluster — never a fork.
One token-bucket budget shared across every node via Redis, accounted atomically server-side. No node over-allows.
Score client IPs from your blocklists; a single-writer feed keeps the shared, self-expiring reputation fresh across the fleet.
Hitless certificate issuance and rotation (TLS-ALPN-01 or DNS-01 wildcards), coordinated across nodes so one issues for the cluster.
A maintained pack of high-signal content — Log4Shell, Spring4Shell, cloud-metadata SSRF, CISA-KEV CVEs — on top of the CRS engine.
Validate every GraphQL and gRPC operation against your app's real schema; a field the real client never sends is a probing signal.
Extend detection with your own WASM modules, gated by a detached signature. A plugin that fails verification never loads.
A separate service, off the request path, that turns every node's telemetry into one operational picture.



Who can do what, a record that can't be quietly altered, and the reports your auditors ask for.
Viewer / operator / admin roles, local accounts, and OpenID Connect single sign-on behind HttpOnly session cookies.
Every action hash-chained and Ed25519-signed — tamper-evident, and verifiable on demand from the dashboard.
Generate a signed SOC2 / PCI evidence bundle for any period: access control, audit integrity, WAF effectiveness, incidents.
Push denied verdicts, audit records and alerts to your SIEM as versioned ECS-like NDJSON — at-least-once, with visible lag.

The properties that matter when you put a vendor in front of your traffic.
The control plane never sits between clients and your backend. It reads telemetry — it cannot add latency or fail a request.
Every capability plugs into the core's typed extension seams through the builder. The open core is used unmodified, by version.
The same memory-safe, dependency-light foundation as the core — no C libraries dragged into the trust boundary.
Runs on your infrastructure — your Postgres, your Redis, your network. Nothing phones home; your traffic stays with you.
The enterprise tier is commercial, source-available to customers under BSL 1.1. Tell us about your deployment and we'll get you set up.
0x00spor3@gmail.com