v Inline anomaly detection · self-hosted

Every request judged. Every verdict explainable.

Monolith Ward inspects live HTTP traffic inline and makes a protective decision on every single request — adaptive, audited, and running entirely inside your own network.

Book a shadow-mode pilot See how it works
Nothing leaves your network by default Reason code on every decision Safe-by-default rollout
allow block rate_limit challenge
live decision feed · tenant-acme live
Evaluated / s
0
Block rate
0
p99 latency
0
0
Terminal actions — allow, block, rate-limit, challenge
0
Discrete permissions gating individual actions
0
Taxonomies mapped live — OWASP, CWE, MITRE
0
Bytes of your traffic sent to the vendor
The problem

Adaptive L7 attacks evade static rules — and teams can't explain what's being attempted

01

Static rules miss adaptive attacksInjection variants, credential abuse, scraping, and automated probing slip past signature-only web firewalls.

02

No real-time, explainable insightApplication teams have little visibility into the attacks being attempted against their own APIs.

03

False positives erode trustBrittle rule sets create operational friction and train teams to ignore alerts.

04

Decisions must be defensibleSecurity and compliance need verdicts that are auditable and explainable after the fact.

05

Data sovereignty pressureSending production traffic to a third-party cloud is increasingly hard to justify under regulation.

06

Someone else's cloud, your accountabilityMost WAFs are operated off-premise — yet your team owns the incident review.

What it is

Every inbound request, evaluated inline — with an explainable verdict

Ward runs as a sidecar beside the reverse proxy you already operate. Each request gets a verdict, a reason code, and one of four terminal actions — written to an audit trail you own.

Inbound HTTP request Inline evaluation allow block rate_limit challenge

Inline & real-time

Deployed as a sidecar alongside your existing reverse proxy. Every request is evaluated in the request path.

Explainable & audited

Each decision carries a reason code and is recorded for investigation — not an opaque score.

Fully self-hosted

Runs entirely inside your infrastructure. The vendor never hosts, operates, or sees a deployment.

The operator console

A real console for analysts — evidence for compliance

A live decision feed, attack-surface view, flow analytics, a policy editor, and investigation views — backed by a tamper-aware audit trail across the datastore you own.

ward · overview / tenant-acme live
Evaluated (24h)
0
Blocked
0
Avg risk
0
p99 latency
0
shadow alert_only strict
Profile · alert_only (default) · 47 routes monitored
Why a CISO cares

Six properties that make it defensible to a board, an auditor, and a reviewer

01

Data sovereignty

By default, no decision data, logs, or telemetry leaves your network, and there is no outbound connection to vendor infrastructure at runtime. Customer-configured integrations (SIEM, IdP) stay under your control.

02

Explainable verdicts

Every decision maps to a reason code and a recognised taxonomy — not an opaque score.

03

Adaptive detection

Behavioural and anomaly analysis catch what static signatures miss.

04

Tested, hardened AI

The detection AI is built with poisoning and evasion controls, the LLM is kept out of the decision path, and autonomous agents red-team it against defined adversarial scenarios.

05

Safe-by-default rollout

A mandatory observe-first progression prevents "turn it on and break production".

06

Tamper-evident policy

Every policy change is cryptographically signed and verified before it can take effect.

Detection pipeline

Four cooperating layers decide one terminal action per request

01Layer 1

Deterministic signatures

Fast, precise matching for the major injection classes.

02Layer 2

Adaptive anomaly scoring

Behavioural and statistical analysis of each request.

03Layer 3

Session & flow analysis

How this request fits the session and the broader traffic shape.

04Layer 4

Decision & enforcement

Policy combines the signals into one action with a reason code.

Threat coverage

Deterministic signatures for injection, adaptive detection for behaviour

Deterministic signatures

Major injection classes, matched precisely.

SQL injection cross-site scripting command injection path traversal LDAP injection template injection

Adaptive behavioural detection

The classes static signatures miss.

access-pattern abuse credential stuffing brute-force automated probing scraping
Taxonomy cross-mapping at decision time OWASPCWEMITRE ATT&CK Plus application-layer DoS mitigation via compound rate limits and a proof-of-work challenge action.
The detection AI

A small, self-contained model ensemble — and a program that attacks it

Drift monitoring

Watches for shifts in traffic behaviour over time.

Session-transition scoring

Flags improbable navigation through your API.

Outlier detection

Spots requests statistically unlike legitimate traffic, across many dimensions.

Payload classifier

Learns from operator feedback to sharpen accuracy over time.

Similarity scoring

Compares payloads against known-good and known-bad exemplars.

Per-route thresholds

Tunes sensitivity per endpoint to suppress false positives.

Statistical drift monitor
EWMA baselines with chi-squared tests across live traffic metrics — detects regime change, not just volume spikes.
Markov session model
Uni-/bi-/tri-gram transition probabilities, Laplace-smoothed, flag improbable navigation through your API.
Online payload classifier
Logistic regression trained by SGD on engineered features; weights are clamped and auto-revert from baseline drift.
Contrastive similarity scorer
k-nearest-neighbour voting against benign and malicious exemplars, with cold-start gating.
Isolation-forest anomaly detection
Unsupervised outlier scoring by expected path length — a proven axis-parallel forest is the default.
Anisotropic Isolation ForestNovel · in evaluation
Covariance-shaped split hyperplanes give a per-feature sensitivity dial axis-parallel forests can't offer. Opt-in, under shadow benchmarking.
Bayesian per-route thresholds
Beta-distribution priors learn each endpoint's false-positive tolerance and tune sensitivity automatically.

Poisoning controls in the learning pipeline

Online training is bounded — drift too far from the shipped baseline and the model auto-reverts; weights are clamped, not unbounded.

Human-in-the-loop, and gated

Only authenticated admins submit labels, each validated against the recorded decision — no forged "block" label on an allowed request.

Designed to raise the cost of evasion

Cold-start gating and fail-safe-to-allow under uncertainty — an uncertain model never auto-escalates to a block.

Signed detection rules

The payload rule set is signed (Ed25519) and verified before load; an unsigned or tampered set is rejected and fails closed.

The LLM is optional, off by default, and never in the enforcement path

Nothing is bundled; a customer-supplied local model only writes after-the-fact incident narratives. Untrusted content is sanitised and size-bounded, with a circuit breaker — so even a successful prompt injection corrupts a narrative, not a verdict.

MYTHOS

We attack our own AI with AI

Autonomous AI agents run a corpus of attack scenarios — injection, initial-access, and LLM-misuse such as prompt injection and jailbreak — against a sandboxed deployment with no production credentials and no outbound network. The engine also understands AI-agent tool-call payloads, including the Model Context Protocol.

Note — MYTHOS is a structured self-assessment, not a third-party certification: continuous adversarial evidence and a coverage map, not a rubber stamp.

Measured against hard gates

  • Time-to-first-block
  • ≥90% correct MITRE ATT&CK labelling
  • Inline latency held low under attack
  • Containment effectiveness
  • Signed incident bundles for EU AI Act (Art. 73)
Safe enforcement & rollout

Enforcement is earned through a mandatory observe-first progression

You don't flip a switch and start blocking production. Ward ships defaulting to the non-blocking alert-only posture.

shadow

Observe only

Evaluate and record verdicts. No traffic is affected.

alert_only

Validate signals

Confirm signal quality with no blocking. The shipped default posture.

strict

Active enforcement

Block, rate-limit, and challenge — rolled out gradually behind canary gates.

Your network
Inline evaluation enginestateless · scalable sidecar
In-memory hot storeephemeral state
Async analyzeroff the request path
Analytics datastoreyou own retention
Operator consolelive feed · policy editor · audit · investigation
no outbound connection to vendor infrastructure
Data handling & sovereignty

Your data stays in your network by default

  • Minimised & redacted by defaultIdentifiers are SHA-256 hashed; raw request content is only briefly retained for live investigation.
  • You own retention end-to-endGoverned entirely by your policy on the analytics datastore you operate.
  • Updates are pulled by youOn your own schedule. We build and sign the software; you decide when it lands.
Deployment & responsibility

The same engine, deployed the way your environment runs

Kubernetes

Horizontal autoscaling

Stateless sidecar scales linearly with traffic across your cluster.

Single host

One container

A single signed container for smaller footprints and edge sites.

Appliance

Signed VM image

A signed appliance for your hypervisor — including fully air-gapped environments.

Monolith builds

  • The detection & policy engine
  • Signed software releases & provenance
  • Adaptive models & signature rule sets

You run & own

  • The infrastructure it runs on
  • The secrets and the data
  • Retention, policy, and update schedule
Start observe-only

Run Ward against your own traffic — via a low-risk shadow-mode pilot

A scoped shadow-mode pilot on one representative service. Observe-only, nothing blocked, and you'll see real verdicts against your own traffic within days.

Book a shadow-mode pilot Read the white paper