IO River Uses Wasm to Run Check Point WAF Across Any CDN
IO River leverages WebAssembly to decouple WAF engines from CDN providers, starting with Check Point on Akamai. The goal: run your preferred WAF everywhere without vendor lock-in.
IO River announced a new security solution that uses WebAssembly (Wasm) to run Check Point's WAF natively across multiple CDN providers. The first integration runs on Akamai, with more CDNs to follow. The idea is straightforward: decouple the WAF engine from the CDN, so security teams can enforce one set of policies everywhere traffic lands.
The multi-CDN security gap
Organizations running multi-CDN setups for resilience have dealt with a long-standing tradeoff. Each CDN provider runs its own WAF engine with its own rule format and management console. That means fragmented visibility, inconsistent policies, and no single pane of glass for security teams.
The alternatives are not great either. Backhauling traffic to a centralized security tier adds latency and creates a single point of failure. IO River's approach sidesteps this by executing the WAF logic at the edge, right where traffic terminates, using Wasm as the portability layer.
How Wasm makes it work
Wasm was originally built for browsers, but it has evolved into a general-purpose portable binary format. IO River compiles Check Point's WAF engine into Wasm modules that can execute on any CDN edge node that supports a Wasm runtime. Rules, policies, and configurations travel with the module. No rewriting rules per provider, no vendor-specific translations.
IO River CTO Michael Hakimi put it bluntly: running the same security engine consistently across multiple edge providers was simply not possible before. Edge environments were never designed for vendor-neutral security at this level.
WAFplanet take
This is one of the more interesting architectural moves in the WAF space this year. The idea of a portable WAF engine is not new in theory, but actually shipping it via Wasm on production CDN infrastructure is a first. If IO River can expand beyond Check Point and Akamai to support more WAF engines and CDN providers, it could fundamentally change how enterprises approach multi-CDN security.
The challenge is adoption. CDN providers have no incentive to make their WAF layer replaceable. And enterprises already deep into a single-vendor stack may not feel the pain enough to switch. But for organizations running two or three CDNs for availability, and struggling with inconsistent WAF policies across them, this is a compelling solution. Watch this space.