ABOUT WAFIO

Security That Lives On Your Infrastructure.

We are a small independent engineering team. Not a unicorn startup, not an enterprise appliance vendor. We build self-hosted security because web protection should not require a cloud subscription or an enterprise budget.

Founded: 2024
Funding: self-funded, no VC
Semantic engines: 14
Protection layers: 3

Our Story

Built from direct operating experience.

WAFio started in 2024 after seeing the same problem repeatedly: teams operating on real budgets, facing real attacks, with no practical middle ground between ModSecurity's configuration complexity and SaaS WAF pricing that starts at hundreds of dollars per month.

Commercial security tools were too expensive to justify for most client projects. The alternative was ModSecurity with the OWASP CRS: free, battle-tested, widely deployed. But in practice, every new deployment came with the same problem: false positives. Legitimate traffic blocked. Applications breaking. Hours spent tuning rules, writing exclusions, and adjusting paranoia levels just to stop a WAF that was supposed to protect the application from breaking it. Every environment needed its own adjustments, and that tuning cost was never zero.

In its early form, WAFio had no dashboard, no portal, and no installer. It was deployed directly on client infrastructure — configured via files, managed over SSH, monitored through raw logs. The detection engine and eBPF subsystem were already production-grade; the operator experience was not. That version protected real traffic for real clients before a single line of frontend code was written.

The threat landscape was clear. SQL injection, XSS, and command injection remain the most common attack vectors against web applications. Web shells deployed after a successful breach go undetected for weeks. Bots exhaust backend capacity before rate limiting kicks in. These problems are solved, but the solutions were either inaccessible or ran on infrastructure the operator does not control.

WAFio is the answer we built for ourselves and then opened to everyone.

The breach didn't come through the WAF. It came through a web shell the WAF couldn't see — because web shells don't send HTTP requests. They execute syscalls.

— The gap WAFio was built to close

How We Sustain This

WAFio software is permanently free. We sustain development through paid professional services: installation, configuration review, hardening audits, and SLA-backed support contracts for teams that need hands-on help.

The software is not a lead magnet. The services are not a paywall. Both exist independently.

Technical Architecture

From kernel to HTTP. Every layer defended.

WAFio combines three independent protection subsystems that operate simultaneously and reinforce each other.

14 Semantic Engines in Parallel

Each engine decodes, normalizes, and structurally analyzes a specific attack category. SQL, XSS, CMD, LFI, SSRF, PHP, Python, Java, NoSQL, SSTI, XXE, Deserialization, LDAP, Prototype Pollution — all running simultaneously on every request.

eBPF at the Kernel Level

XDP and TC hooks intercept and drop packets before the Linux network stack processes them. No iptables overhead, no userspace bounce. Effective against SYN floods, port scans, and volumetric attacks at wire speed.

Runtime Security via kprobes

eBPF kprobes and tracepoints observe live syscalls: process execution, file operations, outbound connections, privilege changes. A web shell on a compromised server spawning /bin/bash is visible within milliseconds, not discovered days later.
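As an added example (not WAFio's own code), this is the kind of detection logic the kprobe/tracepoint layer makes possible: execve events, here constructed by hand in the shape a tracepoint handler reports them, are walked up the process ancestry to flag a shell launched under a web-server worker. The worker and shell lists are this example's assumptions, not WAFio's configuration.

```python
import os
from dataclasses import dataclass

# Hypothetical lists: this example's own assumptions, not WAFio's settings.
WEB_WORKERS = {"nginx", "php-fpm", "apache2", "httpd", "gunicorn", "node"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


@dataclass(frozen=True)
class ExecEvent:
    """One execve observation as a tracepoint/kprobe handler would report it."""
    ts_ms: int
    pid: int
    ppid: int
    comm: str      # task comm *before* exec: inherited from the parent at fork()
    filename: str  # path handed to execve()


def _comm(path):
    # The kernel truncates comm to 15 characters (TASK_COMM_LEN - 1).
    return os.path.basename(path)[:15]


def detect_web_shells(events, max_depth=4):
    """Return (ts_ms, pid, worker_comm, filename) for every shell exec whose
    process ancestry, within max_depth hops, contains a web-server worker."""
    parents, names, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.ts_ms):
        # php-fpm/nginx workers are fork()ed without exec, so they never emit an
        # exec event of their own; the child's pre-exec comm tells us who forked it.
        names.setdefault(ev.ppid, ev.comm)
        parents[ev.pid] = ev.ppid
        names[ev.pid] = _comm(ev.filename)
        if ev.filename not in SHELLS:
            continue
        pid = ev.ppid
        for _ in range(max_depth):
            if names.get(pid) in WEB_WORKERS:
                alerts.append((ev.ts_ms, ev.pid, names[pid], ev.filename))
                break
            pid = parents.get(pid)
            if pid is None:
                break
    return alerts


# Constructed sample events (not real captures): cron legitimately running sh,
# then a web shell under php-fpm worker 1200 spawning sh -> bash -> id.
SAMPLE_EVENTS = [
    ExecEvent(1010, 3000, 900, "cron", "/bin/sh"),
    ExecEvent(1020, 4321, 1200, "php-fpm", "/bin/sh"),
    ExecEvent(1021, 4322, 4321, "sh", "/bin/bash"),
    ExecEvent(1022, 4323, 4322, "bash", "/usr/bin/id"),
]

if __name__ == "__main__":
    for ts, pid, worker, shell in detect_web_shells(SAMPLE_EVENTS):
        print(f"[{ts}ms] pid {pid}: {shell} spawned under {worker}")
```

The cron-launched shell is not flagged, while both shells descending from the php-fpm worker are, the second one via a two-hop ancestry walk.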

Detection latency: <5ms p99 per request. Semantic engines run in parallel, not sequentially. OWASP CRS v4 (3,500+ rules), evaluated by the Coraza engine, runs alongside semantic analysis; its matches are scored and filtered by the Decision Engine, so Coraza never blocks directly.

What We Believe

Principles that shape every product decision.

Free software, sustained by services.

WAFio software is free — every feature, permanently, no conversion funnel. Development is sustained through professional services: installation, SLA support, and security audits for teams that need hands-on help.

Self-hosted is a design choice, not a fallback.

Your traffic never leaves your server. Not because we lack cloud infrastructure, but because data sovereignty is the right default for a security tool.

What it does is documented.

We do not hide detection logic behind a "proprietary intelligence" label. You can read the source, understand the scoring, and tune every parameter.

Operational simplicity is a security feature.

A WAF that requires a dedicated team to operate is not accessible security. We optimize for operators who run lean — one binary, clear config, one dashboard.

Roadmap

Where we are and where we're going.

No artificial deadlines, no vaporware. This reflects actual development status.

Shipped: L7 WAF with 14 semantic engines
Shipped: eBPF XDP/TC network firewall
Shipped: Runtime Security via kprobes/tracepoints
Shipped: Control Plane + dashboard
Shipped: GeoIP blocking + bot protection
Shipped: Real-time event streaming + analytics
In Progress: Malware scanner

Get In Touch

We respond to real questions.

Bug Reports

Found a bug or have a feature request? Send a detailed report and we'll investigate.
