Overview


This is a beta test.

Bulwark is being released in an early public beta test state. It is not yet ready for production usage, but you can experiment with it and see the Roadmap to understand where the project is headed.

What is Bulwark?

Bulwark is a fast, modern, open-source web application firewall (WAF) and API security gateway. It simplifies the implementation of detective security controls while offering comprehensive visibility into your web services. Bulwark's detection-as-code approach to rule definition offers security teams higher confidence in their response to persistent and adaptive threats. Bulwark plugins offer a wide range of capabilities, enabling security teams to define and evolve detections rapidly, without making changes to the underlying application.

Detection-as-Code

With Bulwark, every detection is written in a general-purpose programming language and executed within a secure sandbox. Detections are expressive and can be customized to meet domain-specific needs. They can be tested, their behavior verified, and then easily combined to form comprehensive detection suites.

Detections can be checked into source control and versioned like any other codebase. This makes reviewing changes straightforward and can help organizations meet their compliance obligations.

Security Detections

Bulwark is designed to address a wide range of security challenges. Detections may target unwanted scans, exploits, credential stuffing, password spraying, brute-forcing, session hijacking, and many other security use cases. Bulwark's APIs enable a wide range of capabilities while giving plugin authors all of the tools needed to ensure decision results are accurate.

Anti-Fraud Detections

In addition to security, Bulwark can host anti-fraud functionality. Bulwark's API provides mechanisms that enable detections to operate on information that would normally only be accessible to application logic. Bulwark plugins can read encrypted cookies, make calls to internal authentication and authorization services, and even interact with third-party APIs, if granted the appropriate permissions. Permission grants provide a transparent account of exactly what plugins may do while the sandbox ensures they do not exceed their authority.

These ingredients make Bulwark very effective for hosting anti-fraud and business logic security functions. Because Bulwark can be deployed at a network ingress, interior services can be protected from high-volume fraud activity that might otherwise overwhelm anti-fraud systems embedded within an application itself.
