Enterprise tier · BSL 1.1 · commercial

From a firewall to a security program.

A control plane, governed rule management, compliance evidence and SIEM export — layered on the open core through its extension seams, without forking it. Self-hosted, off the request path.

Self-hosted · your infrastructureZero-datapath control plane
control plane · overview
Light WAF control plane — overview dashboard
What the tier adds

The core protects a node. This runs the fleet.

Three things change when you move from a standalone WAF to a governed deployment across many nodes.

SCALE

Protection across a fleet

The core protects one node; the enterprise data-path modules coordinate across the whole cluster — one rate-limit budget, shared reputation, managed certificates.

OPERATE

One console over everything

A control plane collects every node's telemetry, shows what's blocked and why, alerts on attack signatures, and manages rules with per-node convergence.

GOVERN

Access, audit, evidence

RBAC and SSO, a signed tamper-evident audit log, on-demand SOC2/PCI evidence, and a SIEM feed — the paperwork a security program needs.

At-scale protection

Coordinated defense on the data path.

Enterprise detection modules plug into the core's seams, survive reloads, and act across the whole cluster — never a fork.

Cluster-wide rate limiting

One token-bucket budget shared across every node via Redis, accounted atomically server-side. No node over-allows.

IP reputation & threat feeds

Score client IPs from your blocklists; a single-writer feed keeps the shared, self-expiring reputation fresh across the fleet.

Managed ACME TLS

Hitless certificate issuance and rotation (TLS-ALPN-01 or DNS-01 wildcards), coordinated across nodes so one issues for the cluster.

Curated premium rules

A maintained pack of high-signal content — Log4Shell, Spring4Shell, cloud-metadata SSRF, CISA-KEV CVEs — on top of the CRS engine.

Schema enforcement

Validate every GraphQL and gRPC operation against your app's real schema; a field the real client never sends is a probing signal.

Signed WASM plugins

Extend detection with your own WASM modules, gated by a detached signature. A plugin that fails verification never loads.

The control plane

See what your fleet is doing — and why.

A separate service, off the request path, that turns every node's telemetry into one operational picture.

overview
Overview — block rate, traffic disposition, latency
Monitor. Block rate, traffic disposition, denied-event volume and per-node latency across the cluster.
event drill-down
Event drill-down — the Verdict Meter and score breakdown
Explain. Open any blocked request and see the score, broken down per rule and severity.
rules
Rule management — versions, rollback, per-node convergence
Manage. Publish and roll back ruleset versions; an agent validates and hot-reloads, and you watch convergence.
Govern & prove

Access control, and the evidence to back it.

Who can do what, a record that can't be quietly altered, and the reports your auditors ask for.

RBAC & SSO

Viewer / operator / admin roles, local accounts, and OpenID Connect single sign-on behind HttpOnly session cookies.

Signed audit log

Every action hash-chained and Ed25519-signed — tamper-evident, and verifiable on demand from the dashboard.

Compliance evidence

Generate a signed SOC2 / PCI evidence bundle for any period: access control, audit integrity, WAF effectiveness, incidents.

SIEM export

Push denied verdicts, audit records and alerts to your SIEM as versioned ECS-like NDJSON — at-least-once, with visible lag.

compliance
Compliance report — a signed SOC2/PCI evidence bundle
Compliance. A signed SOC2 / PCI evidence bundle, generated for any period and verifiable independently.
Architecture & trust

Built to sit in a security boundary.

The properties that matter when you put a vendor in front of your traffic.

Zero-datapath control plane

The control plane never sits between clients and your backend. It reads telemetry — it cannot add latency or fail a request.

Zero-core, zero-fork

Every capability plugs into the core's typed extension seams through the builder. The open core is used unmodified, by version.

Pure-Rust, no C

The same memory-safe, dependency-light foundation as the core — no C libraries dragged into the trust boundary.

Self-hosted

Runs on your infrastructure — your Postgres, your Redis, your network. Nothing phones home; your traffic stays with you.

Get access

Bring it to your infrastructure.

The enterprise tier is commercial, source-available to customers under BSL 1.1. Tell us about your deployment and we'll get you set up.

0x00spor3@gmail.com