Skip to content


This is a Beta Test

Bulwark is being released in an early public beta test state. It is not quite ready for production usage, but you can experiment with it and see the Roadmap to understand where the project is headed.

What is Bulwark?

Bulwark is a fast, modern, open-source web application and API protection (WAAP) tool. It can be used anywhere you might deploy a web application firewall (WAF) or API security gateway. It simplifies the implementation of detective and preventive security controls while offering comprehensive visibility into your web application. Bulwark’s detection-as-code approach to rule definition offers security teams higher confidence in their response to persistent and adaptive threats. Bulwark plugins offer a wide range of capabilities, enabling security teams to define and evolve detections rapidly, without making changes to the underlying application or slowing down product teams.


With Bulwark, every detection is written in a general-purpose programming language and executed within a secure sandbox. Detections are expressive and can be customized to meet domain-specific needs. They can be tested, their behavior verified, and then easily combined to form comprehensive detection suites.

Detections can be checked into source-control and versioned like any other codebase. This makes reviewing changes straightforward and can help organizations meet their compliance obligations.

Security Detections

Bulwark is designed to address a wide range of security challenges. Detections may address unwanted scans, exploits, credential stuffing, password spraying, brute-forcing, session hijacking, and many other threats. Bulwark’s APIs enable a wide range of capabilities while giving plugin authors all of the tools needed to ensure decision results are accurate.

Business Logic Attacks

In addition to exploit detection, Bulwark can host detections for business logic attacks and fraud. Bulwark’s API provides mechanisms that enable detections to operate on information that would normally only be accessible to application logic. Bulwark plugins can read encrypted cookies, session state, and JWTs, make calls to internal authentication and authorization services, and even interact with third-party APIs, if granted the appropriate permissions. Permission grants provide a transparent account of exactly what plugins may do, while the sandbox ensures they do not exceed their authority.

These ingredients make Bulwark very effective for hosting anti-fraud and business logic security functions. Because Bulwark can be deployed at network ingress, interior services can be protected from high-volume malicious activity that might otherwise overwhelm detection systems embedded within an application itself.