9 weapons in one stack. Each module is a game-changer. Together, they're an impenetrable fortress built in Rust.
01 ⚡ Kernel Power · Linux Only eBPF / XDP Kernel-Level Blocking Shibuya drops an XDP hook directly in the Linux kernel. Packets from known-malicious IPs get killed before they ever reach your application or even the WAF itself. IP blacklists stored in eBPF maps for O(1) lookup on millions of IPs. SYN flood protection included. Toggle on/off at runtime via Admin API — no restart needed. XDP hook eBPF maps SYN flood O(1) lookup runtime toggle ⚡ Blocking latency: ~1 microsecond — faster than any userspace WAF possible
02 🧠 AI Security · Explainable Dual ML Engine with SHAP Explainability Two independent ML models run in parallel: an IsolationForest (via ONNX runtime) detects anomalies, and a Random Forest classifies attacks across 10 classes: SQLi, XSS, RCE, SSRF, XXE, SSTI, NoSQLi, Path Traversal, Command Injection, Benign. SHAP-like explainability shows exactly which top-5 features triggered the alert. Human-in-the-loop feedback loop. A/B model testing. Data drift detection. IsolationForest Random Forest ONNX runtime SHAP explain A/B testing drift detection 🧠 ML inference <5ms · 10 attack classes · full confidence scoring
03 🛡️ OWASP Standard · ModSec Compatible 615+ CRS Rules — Full ModSecurity-Compatible Engine Native SecRule parser with the full OWASP Core Rule Set — the enterprise-standard ruleset used worldwide. Every operator: @rx @pm @detectSQLi @detectXSS @ipMatch @validateByteRange . Anomaly scoring with 4 paranoia levels. ReDoS protection built-in. Rules hot-reload without downtime. Custom rule creation via Admin API or CLI. 942xxx SQLi 941xxx XSS 932xxx RCE 930xxx LFI 920xxx Protocol ReDoS guard hot-reload 🛡️ 615 rule files · 4 paranoia levels · hot-reload in production
04 🧩 Extensibility · Any Language WASM Plugin System — Extend in Any Language Extend Shibuya with WebAssembly plugins written in any language — Rust, Go, C, AssemblyScript, anything that compiles to WASM. Each plugin runs in a fully sandboxed environment with configurable memory limits, execution time caps, and fuel budgets. A host API lets plugins inspect and modify requests in real-time. No other open-source WAF has this. any language sandboxed memory limits time limits fuel budget host API 🧩 Any language → WASM → instant Shibuya plugin, zero core changes
05 🎭 Zero-Risk · Test in Prod Shadow Mode + Traffic Replay Engine Deploy new rules to production without any risk. Shadow mode logs what would have been blocked — without blocking anything. Configurable per-route, per-percentage (0–100%). Request replay engine captures real traffic to PostgreSQL and replays it against new policy versions, generating a full diff report: "old policy vs new policy" — with zero production impact. per-route shadow 0–100% capture PostgreSQL store replay engine diff reports 🎭 Test policy changes on real traffic — zero risk, full insight
06 📐 API-First · Schema-Driven Native GraphQL + OpenAPI Protection Import your OpenAPI 3.x spec and Shibuya auto-generates positive security rules — only documented endpoints, methods, and schemas are allowed. GraphQL gets: depth analysis, complexity scoring, alias count validation, batch size limits, and introspection blocking. JWT validation and OAuth 2.0 for API auth. Response validation to catch data leakage on the way out. OpenAPI 3.x positive security GraphQL depth complexity limit JWT/OAuth response validation 📐 Import spec → instant API protection with zero rules written manually
07 🔥 Included · Unique in the Market Ashigaru Lab — A Complete Vulnerable Attack Environment, Shipped With Shibuya No other WAF on the market ships with a built-in attack lab. Ashigaru is a full Docker-based environment with 6 deliberately vulnerable services — real exploitable vulnerabilities — so you can validate the WAF against actual attacks, not synthetic benchmarks. A Red Team Bot automates attacks. The War Room provides a full test suite dashboard. Test everything before you go live. Express REST (5 vulns) React SSR (XSS+RCE) Flask AI (Prompt Injection) Apollo GraphQL PHP Legacy (SQLi+LFI) Red Team Bot 🔥 Real vulnerabilities · Real attacks · Real WAF validation — included, free ASHIGARU — 6 VULNERABLE SERVICES SQLi × 5 Express Gateway
REST API XSS + RCE React Frontend
SSR attacks Prompt Injection Flask AI Search
... continue reading