How it works
Real-time protection, threat verification and AI behavioral analytics working together for continuous application security.

Real-time protection

The unique hybrid architecture is ideal for modern tech stacks and cloud deployments. The solution scales horizontally across multiple nodes while enabling customers to retain control of their sensitive data.

The platform consists of two components:

Wallarm Nodes are deployed locally. They inspect traffic and block malicious requests.
Wallarm Cloud is powered by AI. It creates customized security rules for the applications/APIs.

Wallarm Nodes inspect traffic

Nodes use a deep packet inspection (DPI) approach to decode and analyze even complex nested formats, such as JSON inside an XML field. Traffic metrics that characterize the application are calculated locally using statistical algorithms based on character distribution functions instead of regular expressions. These metrics are sent to Wallarm Cloud and fed into Wallarm AI.
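The node-side idea described above (decode nested formats, then score each field by its character distribution rather than by a regular expression), as an added Python example that is not Wallarm's code. The character classes, the total variation distance, the 0.3 threshold and the sample requests are all assumptions made for illustration.

```python
import json
import string
import xml.etree.ElementTree as ET
from collections import Counter

CLASSES = ("alpha", "digit", "space", "punct", "other")  # assumed buckets

def char_class(c):
    for name, test in (("alpha", str.isalpha), ("digit", str.isdigit), ("space", str.isspace)):
        if test(c):
            return name
    return "punct" if c in string.punctuation else "other"

def distribution(text):  # fraction of characters falling in each class
    counts = Counter(char_class(c) for c in text)
    return {k: counts[k] / max(len(text), 1) for k in CLASSES}

def distance(p, q):  # total variation distance between distributions, 0..1
    return sum(abs(p[k] - q[k]) for k in CLASSES) / 2

def leaves(value, path):
    """Yield (path, text) per leaf, decoding JSON documents found inside strings."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from leaves(v, f"{path}/{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from leaves(v, f"{path}[{i}]")
    elif isinstance(value, str) and value.strip()[:1] in ("{", "["):
        try:
            yield from leaves(json.loads(value), path + "#json")
        except ValueError:  # looked like JSON but is not: keep it as text
            yield path, value
    else:
        yield path, str(value)

def xml_leaves(xml_text):
    # stdlib parser on constructed input; untrusted XML needs a hardened parser
    for el in ET.fromstring(xml_text).iter():
        if el.text and el.text.strip():
            yield from leaves(el.text.strip(), "/" + el.tag)

def outliers(xml_text, baseline, threshold=0.3):  # threshold is an assumed value
    return [p for p, t in xml_leaves(xml_text)
            if p in baseline and distance(distribution(t), baseline[p]) > threshold]

# Constructed samples: one "learned" request and one with an unusual field
NORMAL = '<order><meta>{"user": "alice", "note": "leave at door"}</meta></order>'
ODD = '<order><meta>{"user": "alice", "note": "))((;;--==||"}</meta></order>'
BASELINE = {p: distribution(t) for p, t in xml_leaves(NORMAL)}
```

Only the per-field distributions in BASELINE would need to leave the node in such a design; the field values themselves are never stored.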

No personally identifiable information or application-specific data leaves customer premises.

Wallarm Cloud updates security rules

The cloud-based platform runs a three-layered machine learning engine to reconstruct each application's business logic and identify its endpoints, data boundaries and normal user behaviors, all based on the data collected from Wallarm Nodes. Customized security rules are then deployed to Wallarm Nodes.

Security rules are automatically updated

Wallarm Nodes continuously generate application metrics. These metrics change with every new application release or update. Only the updated metrics, not sensitive data or PII, are sent to Wallarm Cloud. Wallarm Cloud in turn continuously adjusts and refines the application profile and corresponding security rules, and deploys the updated set of rules to Wallarm Nodes every 15 minutes.
Active threat verification
Wallarm Cloud Scanner replays hacker attacks in a safe way to see if any of them could have resulted in a security incident.
Wallarm extracts payloads from attacks
For every malicious request, Wallarm extracts a payload, combines it with the information about which part of the application it was targeting and creates a job for the cloud-based scanner.
Scanner checks every payload for threats
The scanner sends out a series of requests against the application (or staging copy of it) to see if it's vulnerable to this kind of attack.
Reporting an incident
If the scanner identifies security issues, a ready-to-use ticket is created and the team is notified about the security incidents.
Three layers of machine learning
Machine learning is conducted continuously, so Wallarm adapts to any application changes with no manual reconfiguration.
Reconstructing the App business logic
What is the structure of the application? Does it have /login, /checkout, /search functions? Wallarm reconstructs business functions based on the live traffic.
Learning the data formats in parameters
What type of data is entered into a form? What parameter is passed in the API — Multipart, Base64, or just text? Wallarm supplements the application data derived from live traffic with the knowledge base of data formats and encodings.
Learning the behavior patterns
How do users typically use the application? How frequently do they access different functions? Wallarm creates a profile to detect deviations and to protect against behavior-based attacks.

How nodes are deployed

Dynamic module


Apache (soon)

HAProxy (soon)

IIS (soon)
