Sub-millisecond decisions
Rules compile to an immutable, in-memory set that swaps atomically on reload — no database is touched on the request path. The WAF decision is a tiny fraction of total request time.
Every decision streams to a columnar store (ClickHouse) off the hot path — so logging never slows a request.
Ships as native systemd services (no container runtime), cross-compiled for Linux — easy to run alongside existing sites.
Five steps, each reversible. You control when every layer moves from Shadow to Enforce.
1. In parallel on a dedicated IP — zero risk to live traffic.
2. Point a domain through with everything in Shadow; watch would-block events.
3. Promote the rules and allowlists that look clean to Enforce.
4. Migrate traffic by DNS, gradually and reversibly.
5. Add a second node and sync configuration for high availability.

| Term | Meaning |
|---|---|
| Shadow | Logs what would have been blocked, but never blocks. A safe trial. |
| Enforce | Actually blocks matching requests on live traffic. |
| Transparent | The whole policy observes without blocking. |
| Basic / Balanced / Strict | Rules only / + URL allowlist / + URL regex & parameter learning. |
| Off / Shadow / Enforce | No enforcement / log-only / block requests outside the learned model. |
| Learning | StarkGate logs legitimate traffic to build allowlists. Observation only. |
| Auto-learn | Scheduled passes that mature and promote learned URLs/parameters automatically. |