rules
Negative security
A curated catalog of attack-detection rules — SQLi, XSS, path traversal, command injection, SSRF, scanners and sensitive-file probes. Always on, instantly tunable.
per-rule · Shadow or Enforce
StarkGate is a self-learning Web Application Firewall and reverse proxy at the edge of your sites. It terminates TLS, inspects every request in under a millisecond, and — with AI-assisted rules — flags every anomaly while it learns what your normal traffic looks like.
Negative + positive security · AI-assisted rules · full traffic visibility · high availability
every request · four layers · one explainable decision
StarkGate combines three complementary models in a single pipeline. Every layer can run in Shadow before you flip it to Enforce.
A curated catalog of attack-detection rules — SQLi, XSS, path traversal, command injection, SSRF, scanners and sensitive-file probes. Always on, instantly tunable.
StarkGate watches your legitimate traffic and gradually learns the URLs and parameters your site actually uses — then enforces that allowlist, catching novel attacks no signature knows.
Ordered, first-match rules — per-domain or account-wide — on IP, country and path that route, rate-limit, switch backends or block.
Every layer runs in Shadow first — it logs what would have been blocked, but never blocks — before you flip it to Enforce. We treat a false positive as a product failure.
flip to Enforce — same traffic, now actually blocked
From a sanitized summary of your recent suspicious traffic — structural signal only, never raw payloads. Every proposal is a candidate you review; approving adds it in Shadow first.
Run the AI in the cloud — or fully local. Nothing leaves your network.
Automatic technology detection fingerprints your stack — WordPress, PHP, nginx, IIS — and suggests the matching rule packs.
Protect many customer domains from one control plane — multi-tenant, multi-domain.
Real WAF coverage without touching the app — start from a ready template.
Every protection can run observe-only first — measure before you block.
Every decision the engine made is searchable and replayable — no black box.
The edge, the data and the AI stay on your own infrastructure — and every decision stays explainable and replayable.
| Capability | StarkGate | Cloudflare WAF | F5 BIG-IP |
|---|---|---|---|
| Deployment | Self-hosted · native | Cloud | Self-hosted · appliance |
| Traffic & data stay | On your infrastructure | On the provider's network | On your infrastructure |
| Negative security (signatures) | |||
| Self-learning positive security | URL + parameters | ~partial | ~manual policy |
| Shadow on every layer, then Enforce | ~partial | ~partial | |
| Decision Replay — re-run any request | |||
| Private, on-prem AI rule-assist | Ollama — nothing leaves | ||
| Config sync + daily DR backups | ~vendor-managed | ~HA; backups vary | |
| Starting point | Free tier (soon) | Usage / subscription | Enterprise license |
Comparison reflects StarkGate's positioning. Cloudflare and F5 BIG-IP are trademarks of their respective owners; their capabilities vary by plan and configuration.