One pipeline that terminates TLS, routes to any origin, and inspects every request — negative and positive security, traffic policy, AI, full visibility and high availability.
The first hop; forwards clean traffic to your origins.
Serves the right certificate per hostname.
Let's Encrypt issuance & renewal, or upload your own.
Per-domain routing and load balancing across backends.
Live up/down status per origin in the console.
Run in parallel on a dedicated IP; migrate by DNS.
Trusted-proxy aware — sees the true visitor, not the edge.
example.com and www.example.com treated as one site.
SQLi, XSS, traversal, command injection, SSRF, scanners and framework exposures.
Trial any rule on live traffic at zero risk, then promote in one click.
Start from a sensible bundle (e.g. WordPress) instead of a blank slate.
All patterns compile to a linear-time engine — no catastrophic backtracking.
Per-domain or account-wide (global).
Source IP/CIDR, country (GeoIP), and string matchers on path, URL, host or extension.
Route to a WAF policy, block (403), drop, switch backend, or rate-limit.
For allow-by-exception patterns, with AND/OR grouping between matchers.
Basic (rules) · Balanced (+URL allowlist) · Strict (+URL regex & params).
Aggregates the paths your real visitors hit and proposes an allowlist.
Records each parameter's name, type and size — never the values.
A path is trusted only after enough sightings across enough distinct hours.
Scheduled passes that mature and promote candidates — or approve them yourself.
Off / Shadow / Enforce for URLs and params. An empty model never blocks.
AI proposes new rules from a structural-only summary of suspicious traffic.
Every proposal is validated and RE2-safe; approving adds it in Shadow.
Anthropic, Groq (cloud), or Ollama (local — free and private).
Fingerprints your stack and suggests matching rule packs.
Traffic, blocks and trends at a glance.
Search by ID, decision, IP, host, policy, path, rule and time window.
Re-run any logged request through the live pipeline, stage by stage.
See the worst offenders and block an IP instantly, in real time.
Jump straight from a policy to its own traffic.
Operator actions are recorded.
On attack spikes, unhealthy backends, or failed cert issuance.
Sent via SMTP or the PingMail HTTPS API — no mail server required.
F5-style node pairing; push, pull, or auto-accept for continuous sync.
Automatic daily backups with retention, restore, download and upload.
A down backend disables only its features; the gate keeps serving.
Waits for datastores after a reboot instead of latching into a degraded state.
Disable enforcement or apply config changes without dropping traffic.
Super-admin and tenant-admin roles.
Protect many customers' sites from one console.
Works with any authenticator app.
Account lockout on login after failed attempts.