MULTI-LAYER APPLICATION SECURITY

Stop Attacks Before
They Reach Your App.

WAFio deploys three independent security layers — L7 Web Application Firewall, L3/L4 eBPF Network Firewall, and kernel-level Runtime Security — in a single on-premise agent. Block attacks at every layer of your stack. Fully self-hosted. Your data never leaves your infrastructure.

Get Started Read the Docs
No cloud dependency 5-minute deployment Linux & Docker ready
3 Security Layers
<5ms WAF Latency
3,500+ CRS Rules
100% On-Premise
THREE LAYERS OF DEFENSE

Complete security coverage,
kernel to application

WAFio deploys three independent security subsystems — each purpose-built for its layer of your stack. No single point of failure. No blind spots.

L7

Web Application Firewall

Every inbound HTTP request is parsed by 8 AST-based semantic engines in parallel — SQL, XSS, command injection, LFI, SSRF, Java, PHP, and Python. OWASP CRS v4 adds signature coverage on top.

  • 8 parallel AST-based semantic analyzers
  • OWASP CRS v4 — 3,500+ detection rules
  • Configurable sensitivity & score thresholds
  • GeoIP country blocking + bot protection
  • Sub-5ms p99 detection latency
L3/L4

eBPF Network Firewall

XDP and TC hooks run eBPF programs at the kernel driver level — packets are inspected and dropped before a single byte reaches userspace. Zero copy. Zero application overhead.

  • XDP/TC hooks — kernel-native, pre-userspace
  • IP, CIDR, and ASN block & allow lists
  • Protocol and port-level enforcement
  • Per-source rate limiting in BPF maps
  • Real-time rule push from control plane via gRPC
Runtime

Runtime Security

eBPF kprobes and tracepoints attach to the live kernel — no sampling, no polling. Detect code execution, privilege escalation, and data exfiltration that bypass the network layer entirely.

  • Syscall monitoring via eBPF kprobes/tracepoints
  • Process execution & binary integrity tracking
  • File system event tracing (open, write, unlink)
  • Outbound connection anomaly detection
  • Container and host runtime visibility
HOW IT WORKS

Three layers of defense,
working as one.

eBPF drops malicious packets at the kernel before they reach userspace. The WAF inspects every HTTP request with semantic analysis. Runtime monitoring catches what bypasses the network entirely.

L3/L4 eBPF Network Firewall
01

Packet Arrives at NIC

Every inbound packet triggers the XDP hook attached directly at the network driver level — before the kernel network stack allocates an sk_buff, before any socket is involved, and before any userspace process has a chance to see it. This is the earliest possible interception point in Linux.

02

BPF Map Rule Lookup

The XDP program performs a constant-time lookup against BPF hash maps holding block rules: individual IPs, CIDR ranges, Autonomous System Numbers (ASNs), and port/protocol combinations. Rules are pushed live from the WAFio control plane via gRPC — no agent restart, no rule reload delay.

03

Kernel Drop or Pass

Packets matching a block rule are returned XDP_DROP — discarded at the driver level in under 1 microsecond, never consuming kernel TCP stack resources or userspace CPU. Clean packets receive XDP_PASS and continue up the network stack as normal, with zero added latency.

L3/L4 eBPF — Firewall Pipeline
INBOUND PACKET TCP SYN 185.220.101.45:4422
XDP HOOK — KERNEL DRIVER
IP MATCH 185.220.0.0/16 rule: Tor exit block
BPF MAP LOOKUP
ActionXDP_DROP
sk_buff allocatedNO
⛔ DROPPED Packet discarded at NIC driver
Kernel drop time: <1μs
L7 Web Application Firewall
01

HTTP Request Intercepted

Packets that pass the eBPF firewall reach the WAFio WAF agent — a reverse proxy sidecar alongside your application. Every inbound HTTP request is intercepted before it reaches your app code. No code changes, no SDK, no library required. Works with any language or framework.

02

Semantic + CRS Analysis

8 AST-based semantic engines parse SQL, XSS, CMD injection, LFI, SSRF, Java deserialization, PHP, and Python payloads simultaneously. OWASP CRS v4 then adds 3,500+ signature rules on top — two independent detection layers running in parallel on every request.

03

Score & Decision Engine

The Decision Engine maps matched rules to threat categories, applies confidence weights, and sums scores. Requests above your configured block threshold are blocked instantly with HTTP 403. Below the threshold — logged with full context or allowed through silently.

L7 WAF — Detection Pipeline
INBOUND REQUEST GET /search?q=' OR 1=1--
SEMANTIC SCAN
SQLi ✓ MATCH XSS clean CMD clean LFI clean
DECISION ENGINE
Score8.5 / 10
Threshold5.0
⛔ BLOCKED HTTP 403 — Forbidden
Total decision time: 3.2ms
Runtime Runtime Security
01

Syscall Invoked

Even if an attacker bypasses the network — Runtime Security watches inside the host. Every call to execve, openat, connect, bind, and 40+ other syscalls triggers an eBPF kprobe or tracepoint on the live kernel. No kernel module, no sampling, no polling.

02

Event Enriched & Analyzed

Each kprobe capture includes: PID, parent process tree, full binary path and SHA-256 hash, effective user and group IDs, cgroup, and Linux namespace identifiers. Events are evaluated against process baseline profiles and behavioral rules — detecting anomalies like a web server spawning a shell.

03

Alert or Enforce

Anomalous events stream in real-time to the WAFio dashboard with full forensic context: process tree, binary fingerprint, syscall arguments, and container attribution. Optionally enforce via seccomp-style response — the syscall is blocked before it completes, stopping the threat at the kernel boundary.

Runtime — Security Monitor
SYSCALL INVOKED execve("/bin/bash", ["-i"])
KPROBE FIRES — sys_execve
parent: apache2 binary: /bin/bash uid: www-data
POLICY CHECK
Parent whitelistFAIL
Binary baselineUNKNOWN
⚠ ALERT Event streamed to dashboard
Detection latency: real-time
KERNEL-LEVEL PROTECTION

Beyond the WAF: eBPF-powered defense

While competitors stop at L7, WAFio reaches into the kernel. Two independent eBPF subsystems watch what the network layer can't see.

L3/L4

eBPF Network Firewall

XDP programs attach to the NIC driver — packets are inspected and dropped before the kernel network stack processes them. Sub-microsecond per-packet overhead.

XDP Hook (eXpress Data Path) Runs at driver level, before sk_buff allocation. Fastest possible packet drop path in Linux.
BPF Map Rule Store Block rules live in kernel BPF hash maps. The control plane pushes updates in real-time via gRPC — no packet processing interruption.
IP / CIDR / ASN Filtering Block individual IPs, entire CIDR ranges, or autonomous system numbers. GeoIP-aware with per-source rate limiting in kernel space.
TC Hooks for Egress Control Traffic Control hooks intercept outbound traffic — detect and block C2 beaconing, data exfiltration, and unexpected outbound connections.
Runtime

Runtime Security

eBPF kprobes and tracepoints hook directly into live kernel functions — monitoring process execution, file access, and syscalls in real-time with zero sampling overhead.

Syscall Tracing via kprobes Hooks on execve, openat, connect, and 40+ syscalls. Detects privilege escalation, container escapes, and binary substitution in real-time.
File System Event Tracing Every open, write, unlink, and chmod on sensitive paths — /etc, /bin, /usr. Catch web shells, config tampering, and log deletion.
Process Execution Tracking Every fork and exec is traced: binary hash, parent PID, user, capabilities. Identify unexpected process trees and living-off-the-land attacks.
Container & Host Visibility Namespace and cgroup-aware event attribution. Events tagged to container ID and image — works with Docker, Podman, and Kubernetes.
ON-PREMISE BY DESIGN

Your data. Your infrastructure.
Your control.

Unlike SaaS WAFs that route your traffic through their cloud, WAFio runs entirely within your network. Your request payloads, application data, and security logs never leave your servers. Full compliance. Zero trust issues.

GDPR & SOC 2 compliant deployments
Air-gapped network support
No outbound connections required
Multi-tenant: one control plane, many apps
YOUR INFRASTRUCTURE
Control Plane
↕ gRPC mTLS
WAF Agent
Host Agent
100% On-Premise
PRICING

Start with
Free Forever

WAFio is free for small infrastructure: 1 control plane, 1 WAF agent, and 1 host agent per license. Built for SMEs, schools, individuals, and software engineers who need self-hosted protection without enterprise pricing.

Free Tier

Free Forever

$0

For small infrastructure that needs real protection without procurement friction.

  • 1 control plane license
  • 1 WAF agent
  • 1 host agent
  • Core WAF features
  • Dashboard & analytics
  • Self-hosted by default
Get Started Free

Transparent licensing, no hidden fees, and no cloud lock-in. Need a larger deployment? Contact us.

GET STARTED TODAY

Deploy WAFio in
under 5 minutes.

Download the binary, configure your license, point your traffic through WAFio.
Your applications are protected before your next coffee.

Get Started Talk to an Engineer
# Quick install
$ curl -sSL https://get.wafio.cloud/install.sh | bash