Web Application Firewall Platform
Enterprise WAF built on ModSecurity + OWASP CRS — Layer-7 protection, bot mitigation, virtual patching, and per-tenant rule sets in one console.
Web Application Firewall (WAF) Platform
Threatstealth WAF is an enterprise-grade Web Application Firewall built on ModSecurity and the OWASP Core Rule Set (CRS). It provides Layer-7 protection, bot mitigation, and virtual patching across all tenants from a single multi-tenant console.
- ModSecurity + OWASP CRS — industry-standard ruleset covering OWASP Top 10 threats including SQLi, XSS, RCE, and LFI
- Per-tenant rule isolation — custom rule sets, exclusions, and tuning per organization without cross-tenant bleed
- Virtual patching — deploy protective rules for known CVEs before upstream patches are available
- Bot mitigation — detect and block credential stuffing, scraping, and automated abuse in real time
- Layer-7 DDoS protection — request-rate limiting, geo-blocking, and IP reputation enforcement
- Real-time WAF dashboard — live traffic, blocked requests, top attack types, and alert triage
ModSecurity and OWASP CRS: How the WAF Engine Works
Threatstealth WAF is built on ModSecurity, the most widely deployed open-source WAF engine, paired with the OWASP Core Rule Set, which provides over 900 detection rules covering the OWASP Top 10 and a wide range of application attack patterns. The ModSecurity rule engine inspects all HTTP/HTTPS request and response data (URI, query parameters, request body, headers, cookies, and response body) and applies detection rules at a configurable paranoia level that balances detection coverage against false-positive rate. CRS runs in anomaly-scoring mode: each matching rule adds its severity score to the transaction, and the request is blocked only when the total crosses the inbound anomaly threshold, so a single low-severity match does not block on its own. CRS paranoia levels range from PL1 (the conservative default for high-traffic production environments prioritising availability) through PL4 (maximum detection for high-security applications that tolerate more false positives); each level above PL1 enables additional, stricter rules on top of the lower levels.
- CRS paranoia levels 1–4 — configurable detection sensitivity from a conservative production baseline to maximum detection
- SQL injection coverage — multi-dialect detection across MySQL, PostgreSQL, MSSQL, Oracle, and NoSQL injection patterns
- XSS detection — reflected, stored, and DOM-based cross-site scripting detection with encoding bypass handling
- RCE and path traversal — remote code execution and directory traversal detection across multiple encoding variants
- HTTP protocol validation — malformed request, HTTP smuggling, and header injection detection rules
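The paranoia-level and anomaly-scoring settings described above, as an added configuration example in ModSecurity directive syntax with OWASP CRS 4.x variable names. This is not Threatstealth's own configuration; the file paths, the rule-load order, and the choice of PL1 blocking with PL2 in detection-only mode are assumptions for a new deployment.

```apacheconf
# ---- main ModSecurity configuration (engine directives) ----
# Switch to "DetectionOnly" to run the whole ruleset in log-only mode
# fleet-wide; the per-level detection mode below is finer-grained.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsecurity/audit.log

# ---- crs-setup.conf (uncomment or adjust the stock SecActions; these
#      three lines belong in that file, not in the main file above) ----
# Blocking paranoia level: rules at PL1 contribute to the anomaly score
# that can deny the request. PL1 is the production default.
SecAction "id:900000,phase:1,pass,t:none,nolog,\
    setvar:tx.blocking_paranoia_level=1"

# Detection paranoia level: PL2 rules also run, but they only add to the
# score reported in the logs, never to blocking. Use this to measure the
# false positives PL2 would introduce before raising blocking_paranoia_level.
SecAction "id:900001,phase:1,pass,t:none,nolog,\
    setvar:tx.detection_paranoia_level=2"

# Anomaly thresholds. CRS scores CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2,
# so an inbound threshold of 5 blocks on one critical match (e.g. an SQLi
# rule) while two NOTICE-level matches (total 4) are logged but pass.
SecAction "id:900110,phase:1,pass,t:none,nolog,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# ---- rule load order in the main file (paths assumed) ----
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

With this in place a request such as `curl -i 'https://host/?q=1%27%20OR%201%3D1'` is denied by the PL1 SQLi rules (one CRITICAL match reaches the threshold of 5), while any PL2-only matches for the same request appear in the audit log with a detection score but do not affect the blocking decision.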
Virtual Patching: Zero-Day Coverage Without Code Deployment
Virtual patching allows security teams to neutralise specific vulnerabilities at the WAF layer before the vulnerable application is patched, a capability that is critical for managing the exposure window between vulnerability disclosure and patch deployment. Threatstealth maintains a curated virtual patch library covering CVEs affecting common web frameworks and applications, with new patches published within 24 hours of CISA KEV entries affecting web-accessible software. Each virtual patch is a targeted rule that matches only the request pattern required to exploit a particular vulnerability (typically a specific endpoint, parameter, and payload shape), so it blocks the attack without changing how legitimate traffic to the same endpoint is handled. A virtual patch narrows the exposure window rather than closing it, which is why the retirement workflow below tracks each patch until the vendor fix is confirmed deployed.
- CISA KEV virtual patches — targeted WAF rules for every KEV-flagged web vulnerability within 24 hours of publication
- Framework-specific coverage — patches for CVEs in WordPress, Drupal, Strapi, Spring, Apache, and Nginx
- Staging test mode — deploy virtual patches in detection-only mode to validate rule accuracy before blocking
- Patch retirement tracking — workflow for retiring virtual patches when official vendor patches are confirmed deployed
- Zero-day interim coverage — emergency patches deployed within hours of active exploitation disclosure
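A virtual patch in the staged form described above (detection-only first, then blocking), written as an added example in ModSecurity rule syntax. It is not a rule from the Threatstealth patch library. The vulnerable endpoint (`/api/export`), its `path` parameter, the expected filename shape, and the rule IDs in the 1000100 range are all assumptions for illustration, not a real CVE.

```apacheconf
# Stage 1: detection-only. 'pass' never blocks; every match is logged with
# the offending value so the hit list can be reviewed against legitimate
# traffic before blocking is enabled. The patch is positive-security: rather
# than enumerating every traversal encoding, it flags any value of 'path'
# that is not a plain CSV filename (assumed to be the only legitimate shape).
SecRule REQUEST_URI "@beginsWith /api/export" \
    "id:1000101,phase:2,pass,t:none,log,\
    msg:'vpatch export-path: candidate exploit (detection only)',\
    logdata:'path=%{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'virtual-patch',tag:'vpatch/export-path',\
    ver:'vpatch-export-path/1',\
    chain"
    SecRule ARGS:path "!@rx ^[a-z0-9_-]{1,64}\.csv$" \
        "t:none,t:urlDecodeUni,t:lowercase"

# Stage 2: blocking. Identical match logic; only the disruptive action
# changes. Enable this rule and remove 1000101 once the review window is
# clean. The shared tag and 'ver' metadata let the retirement workflow find
# and remove the patch once the vendor fix is confirmed deployed.
SecRule REQUEST_URI "@beginsWith /api/export" \
    "id:1000102,phase:2,deny,status:403,t:none,log,\
    msg:'vpatch export-path: exploit attempt blocked',\
    logdata:'path=%{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'virtual-patch',tag:'vpatch/export-path',\
    ver:'vpatch-export-path/1',\
    chain"
    SecRule ARGS:path "!@rx ^[a-z0-9_-]{1,64}\.csv$" \
        "t:none,t:urlDecodeUni,t:lowercase"
```

With only 1000101 active, `curl -i 'https://host/api/export?path=..%2F..%2Fetc%2Fpasswd'` is served normally but produces an audit-log entry carrying the `vpatch/export-path` tag; with 1000102 active the same request receives a 403, while `?path=report_2024.csv` is untouched by either rule. Phase 2 is used so that `path` is matched whether it arrives in the query string or the request body, and `t:urlDecodeUni` catches double-encoded values that the engine's own decoding leaves behind.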
Bot Mitigation, Rate Limiting, and DDoS Protection
The Threatstealth WAF bot mitigation module distinguishes between beneficial bots (search engine crawlers, uptime monitors, legitimate API clients) and malicious automation (credential stuffing tools, vulnerability scanners, content scrapers, and DDoS botnets) using a combination of behavioural analysis, fingerprinting, challenge mechanisms, and IP reputation data. Rate limiting can be configured per endpoint, per tenant, per IP, or per user session to contain API abuse, brute-force attacks, and application-layer (Layer-7) request floods; volumetric network-layer attacks must be absorbed upstream and are outside what a Layer-7 WAF can mitigate. Geo-blocking and IP reputation enforcement integrate with the live threat intelligence feed to block known-malicious IP ranges in real time.
- Credential stuffing detection — velocity-based and fingerprint-based detection of automated credential testing attacks
- Scraper identification — behavioural analysis distinguishing legitimate crawlers from competitive intelligence scrapers
- Per-endpoint rate limiting — configurable request-per-second limits with burst allowances per API endpoint
- Geo-blocking — country-level traffic blocking with real-time updates from authoritative IP geolocation data
- IP reputation integration — automatic blocking of IPs in the live threat intelligence malicious IP feed
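Per-endpoint, per-IP rate limiting and country blocking as described above, written as an added example in ModSecurity 2.x rule syntax (persistent collections via initcol and expirevar; libmodsecurity v3 handles collections differently). This is not Threatstealth's own configuration; the `/login` endpoint, the thresholds, the data directory, the GeoIP database path, and the placeholder country codes `XX` and `YY` are assumptions.

```apacheconf
SecDataDir /var/cache/modsecurity

# Per-client state keyed on the source address. Behind a trusted reverse
# proxy, key on the validated client address instead (e.g. a header the proxy
# sets); otherwise every client shares the proxy's IP and a single counter.
SecAction "id:1000201,phase:1,pass,nolog,t:none,initcol:ip=%{REMOTE_ADDR}"

# A client already in cooldown is rejected before any further rule work.
SecRule IP:LOGIN_BLOCK "@eq 1" \
    "id:1000202,phase:1,deny,status:429,log,\
    msg:'login rate limit: client in cooldown',tag:'rate-limit'"

# Count POSTs to /login. The counter expires 60 s after its last increment,
# so a client that keeps hammering never sees it reset.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:1000203,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,setvar:ip.login_reqs=+1,expirevar:ip.login_reqs=60"

# More than 20 POSTs in the window: reject and put the client in a 300 s
# cooldown. A credential-stuffing run trips this on its 21st attempt; a user
# mistyping a password a few times never does.
SecRule IP:LOGIN_REQS "@gt 20" \
    "id:1000204,phase:1,deny,status:429,log,\
    msg:'login rate limit exceeded: %{IP.LOGIN_REQS} POSTs in 60s',\
    setvar:ip.login_block=1,expirevar:ip.login_block=300,tag:'rate-limit'"

# Country blocking. The database path is assumed; XX and YY are placeholders
# for the ISO country codes the tenant chooses to block.
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "id:1000205,phase:1,pass,nolog,t:none"
SecRule GEO:COUNTRY_CODE "@pm XX YY" \
    "id:1000206,phase:1,deny,status:403,log,\
    msg:'geo-block: %{GEO.COUNTRY_CODE}',tag:'geo-block'"
```

Rule order matters: 1000202 runs before the counter is incremented so a blocked client costs no further processing, and 1000204 runs after 1000203 in the same phase so it sees the updated count. Responding with 429 rather than 403 tells well-behaved API clients to back off, and the `rate-limit` tag lets the dashboard separate these denials from rule-engine attack detections.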
Multi-Tenant WAF Management and Per-Tenant Rule Isolation
For MSSPs and enterprises with multiple application teams, the Threatstealth WAF provides strict per-tenant rule isolation — each tenant has its own rule set, exclusion list, and tuning configuration that cannot be affected by changes in other tenants. Super-administrators can deploy platform-wide rules (such as new virtual patches) while tenant-specific exclusions remain intact. The WAF dashboard provides per-tenant traffic analytics, blocked request breakdowns, top attack source analysis, and false-positive review queues — allowing each tenant's security team to manage their own WAF operations within the guardrails set by the platform administrator.
- Per-tenant rule isolation — independent rule sets, exclusions, and paranoia levels per organization with no cross-bleed
- Super-admin policy deployment — platform-wide virtual patches deployed to all tenants with per-tenant override capability
- False-positive review queue — per-tenant reviewer interface for identifying and allowlisting legitimate blocked traffic
- WAF audit trail — complete log of rule changes, exclusion additions, and admin actions per tenant
- Compliance reporting — WAF event logs exported for PCI DSS Requirement 6.4 and SOC 2 CC7.2 evidence
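The per-tenant isolation described above, expressed as an added example in ModSecurity rule syntax for a single instance fronting two tenants. This is not Threatstealth's own configuration; the tenant hostnames (`tenant-a.example.com`, `tenant-b.example.com`), the rule IDs, the excluded parameters, and the platform-wide virtual patch ID 1000102 are assumptions.

```apacheconf
# Every exclusion below is a phase-1 rule selected by Host header that uses
# ctl: to alter rule processing for the current transaction only, so nothing
# a tenant adds changes what another tenant's requests are evaluated against.
# These rules load after crs-setup.conf and before the CRS rule files, which
# is where CRS's REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf already sits.

# Tenant A opts into PL2 blocking; every other Host keeps the platform
# default. This works because CRS initialisation (rules 901xxx) only sets
# the paranoia level if it is still unset when it runs.
SecRule REQUEST_HEADERS:Host "@streq tenant-a.example.com" \
    "id:1000301,phase:1,pass,nolog,t:none,t:lowercase,\
    setvar:tx.blocking_paranoia_level=2"

# Tenant A's CMS legitimately submits HTML in the 'body' field. Remove only
# that argument from the XSS rule family (CRS tag attack-xss) rather than
# disabling the rules, so 'body' is still checked for SQLi, RCE, and the rest.
SecRule REQUEST_HEADERS:Host "@streq tenant-a.example.com" \
    "id:1000302,phase:1,pass,nolog,t:none,t:lowercase,\
    ctl:ruleRemoveTargetByTag=attack-xss;ARGS:body"

# Tenant B: one legacy search endpoint trips SQLi rule 942100 on 'q'.
# Scope the exclusion to that path, not to the whole tenant.
SecRule REQUEST_HEADERS:Host "@streq tenant-b.example.com" \
    "id:1000303,phase:1,pass,nolog,t:none,t:lowercase,chain"
    SecRule REQUEST_URI "@beginsWith /legacy/search" \
        "t:none,ctl:ruleRemoveTargetById=942100;ARGS:q"

# Per-tenant override of a platform-wide rule: tenant B has confirmed the
# vendor fix, so the super-admin's virtual patch (ID 1000102 assumed) is
# switched off for its Host only. Tenant A still gets the patch. The override
# is itself a rule change and belongs in the tenant's audit trail.
SecRule REQUEST_HEADERS:Host "@streq tenant-b.example.com" \
    "id:1000304,phase:1,pass,nolog,t:none,t:lowercase,\
    ctl:ruleRemoveById=1000102"
```

Because `ctl:` actions are transaction-scoped, a request to tenant-b.example.com carrying an XSS payload in `body` is still scored by the 941xxx rules even though tenant A has excluded that argument, and a request to tenant-a.example.com still hits the platform virtual patch that tenant B has overridden. The false-positive review queue maps naturally onto this model: each allowlisting decision becomes one Host-scoped `ctl:` rule like 1000302 or 1000303, which is what the audit trail records.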