Overview
open-appsec is an open source web application firewall and API security solution that takes a fundamentally different approach to threat detection. Instead of relying on signatures, rules, or regex patterns, it uses a machine learning engine that learns application behavior and detects attacks based on context and intent.
The project originated from Check Point's application security technology and was open-sourced to provide the community with ML-based protection that previously required enterprise licensing. The ML model is pre-trained and continues to learn in production, adapting to each application's specific traffic patterns.
open-appsec integrates natively with NGINX, Kong Gateway, and Envoy proxy as a module or plugin, and works as a Kubernetes Ingress Controller with built-in WAF. This makes it particularly suited for cloud-native environments where teams want security integrated into their existing proxy infrastructure rather than deployed as a separate appliance.
Key Features
ML-Based Detection
Pre-trained machine learning engine detects threats based on context and intent, not signatures. No rule tuning required.
Automatic Learning
Continuously learns application-specific traffic patterns in production, reducing false positives over time without manual intervention.
Native Proxy Integration
Runs as a module inside NGINX, Kong, or Envoy rather than as a separate proxy, eliminating additional network hops and latency.
Kubernetes Ingress
Functions as a Kubernetes Ingress Controller with built-in WAF, providing security at the ingress layer without sidecars or service mesh.
API Protection
Protects REST APIs against OWASP API Top 10 threats using the same ML engine, with automatic API discovery and schema enforcement.
Anti-Bot
Detects and mitigates automated attacks, credential stuffing, and web scraping using behavioral analysis.
Pros & Cons
Pros
- No rule management: ML-based detection means no signature updates, rule tuning, or regex maintenance. Protection works out of the box.
- Native proxy integration: Runs inside NGINX, Kong, or Envoy as a module, not as a separate proxy. No additional network hops or infrastructure.
- Zero-day protection: ML engine detects attacks by intent rather than known patterns, providing protection against novel and zero-day threats.
- K8s native: Purpose-built Kubernetes Ingress Controller with WAF included. No separate WAF deployment needed in K8s environments.
- Check Point backing: ML technology originated from Check Point, providing enterprise-grade detection quality in an open source package.
Cons
- ML model opacity: ML-based decisions are harder to debug than rule-based WAFs. Understanding why a specific request was blocked requires more investigation.
- Newer project: Open-sourced in 2022, so less production track record than ModSecurity or established commercial WAFs.
- Limited proxy support: Native integration only for NGINX, Kong, and Envoy. Other proxies like HAProxy, Caddy, or Traefik are not supported.
- Learning period: The ML model needs time to learn application-specific patterns. Initial deployment may have higher false positive rates until learning completes.
Pricing
Pricing model: Free open source, managed cloud SaaS available
Open Source
Full ML-based WAF, self-managed
- ML-based threat detection
- NGINX, Kong, Envoy integration
- Kubernetes Ingress Controller
- API protection
- Anti-bot protection
- Community support
SaaS Management
Cloud-managed console with centralized policy management
- All open source features
- Cloud management dashboard
- Centralized policy management
- Enhanced analytics
- Threat intelligence updates
- SLA-backed support on paid tiers
Our Verdict
open-appsec represents the next generation of WAF technology: machine learning instead of signatures, embedded in your existing proxy instead of deployed as a separate appliance, and automatic learning instead of manual rule tuning. For teams tired of managing ModSecurity rules or paying enterprise WAF pricing, it is a compelling alternative.
The main considerations are the ML model's opacity (harder to debug than rules) and the limited set of supported proxies. If you are running NGINX or Kong in Kubernetes, open-appsec is one of the most elegant WAF solutions available.
Our verdict: The best ML-based open source WAF. Ideal for Kubernetes and cloud-native environments where teams want strong protection without WAF rule expertise.
CVE Coverage
open-appsec can detect and block attacks matching 87K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-4510 | MEDIUM |
| CVE-2026-4161 | MEDIUM |
| CVE-2026-4087 | MEDIUM |
| CVE-2026-4086 | MEDIUM |
| CVE-2026-4084 | MEDIUM |
| CVE-2026-4077 | MEDIUM |
| CVE-2026-4072 | MEDIUM |
| CVE-2026-4069 | MEDIUM |
| CVE-2026-4067 | MEDIUM |
| CVE-2026-4022 | MEDIUM |
Frequently Asked Questions
How does open-appsec detect threats without signatures?
open-appsec uses a pre-trained machine learning model that understands the structure and context of HTTP requests. Instead of matching patterns, it analyzes whether a request's intent is malicious. The model was trained on millions of attack and legitimate request samples and continues to learn from each application's specific traffic in production.
Is open-appsec related to Check Point?
Yes. The ML engine behind open-appsec originated from Check Point's CloudGuard application security technology. Check Point open-sourced it to provide the community with ML-based protection. The project maintains its own governance and community, but benefits from Check Point's research and threat intelligence.
Can I use open-appsec with Traefik or Caddy?
Not currently. open-appsec has native integration with NGINX, Kong Gateway, and Envoy only. For Traefik or Caddy, consider Coraza WAF which has official plugins for both. You could also run open-appsec on NGINX as a reverse proxy in front of Traefik or Caddy, though this adds complexity.