How it works.

Real-time protection

Unique hybrid architecture is ideal for modern tech stacks and cloud deployments. The solution scales horizontally across multiple nodes while enabling customers to retain control of their sensitive data.

Platform consists of two components

Wallarm Nodes

are deployed locally. They inspect traffic and block malicious requests

Wallarm Cloud

is powered by AI. It creates customized security rules for the applications/APIs

Wallarm Nodes inspect traffic

Nodes use DPI approach to decode and analyze even the more complex nested formats such as JSON inside XML field. Traffic metrics that characterize the application are calculated locally using statistical algorithms based on character distribution functions instead of regexp. These metrics are sent to Wallarm Cloud and fed into Wallarm AI.

No personally identifiable information or application specific data leave customer premises.

Wallarm Cloud updates security rules

The cloud-based platform runs a three-layered machine learning engine to reconstruct applications' business-logic, identify their endpoints, data boundaries and normal user behaviors; all based on the data collected from Wallarm Nodes. Customized security rules are then deployed to Wallarm Nodes.

Security rules are automatically updated

Wallarm Nodes continuously generate application metrics. These metrics change with every new application release or update. Only the updated metrics and not sensitive or PII information is sent to Wallarm Cloud. Wallarm Cloud in turn continuously adjusts and refines the application profile and corresponding security rules and deploys the new set of updated rules to Wallarm Nodes every 15 minutes.

Active threat verification

Wallarm Cloud Scanner replays hacker attacks in a safe way to see if any of them could have resulted in a security incident.

Wallarm extracts payloads from attacks

For every malicious request, Wallarm extracts a payload, combines it with the information about which part of the application it was targeting and creates a job for the cloud-based scanner.

Scanner checks every payload for threats

The scanner sends out a series of requests against the application (or staging copy of it) to see if it's vulnerable to this kind of attack.

Reporting an incident

If the scanner identifies security issues, a ready-to-use ticket is created and the team is notified about the security incidents.

Three layers of machine learning

Machine learning is conducted continuously, thus Wallarm adapts to any application changes with no manual reconfiguration

Reconstructing the App business logic

What is the structure of the application? Does it have /login, /checkout, /search functions? Wallarm reconstructs business functions based on the live traffic.

Learning the data formats in parameters

What type of data is entered into a form? What parameter is passed in the API — Multipart, Base64, or just text? Wallarm supplements the application data derived from live traffic with the knowledge base of data formats and encodings.

Learning the behavior patterns

How do the users typically use the application? How frequently they access different functions? Wallarm creates a profile to detect deviations and to protect against behavior-based attacks.

How nodes are deployed

Dynamic module

NGINX / NGINX Plus

Apache (soon)

HAProxy (soon)

IIS (soon)

Reverse proxy

Linux package Docker image

IaaS/PaaS

Kubernetes Amazon Web Services (AWS)Heroku Google Cloud Engine (GCE)