WebWall
Request access
Research previewOnboarding enterprise design partners

The security platform for post-HTTP enterprise apps.

Modern stacks are WebSocket-first, event-bus-driven, and shot through with embedded AI agents. Traditional WAFs watch HTTP requests that no longer carry the decision — and SOCs pay for it at audit time. WebWall is the runtime security platform for the surface your WAF cannot see, with positive-security policy, ML-assisted detection, and signed audit as first-class primitives.

Request enterprise accessRead the technical brief

Deploys inline on MAJA browser isolation · zero-disruption shadow mode · single Rust process · 5 ms p95 per event.

40%
of enterprise traffic now rides WS or event-bus, invisible to HTTP WAFs
99.88%
ADL-WAF-class detection, composable as one rule among many
5 ms
p95 reasoning budget per event, deadline-bounded and in-process
PROV-O
signed audit entry on every verdict — replayable and admissible
Why now

Your WAF was designed for a web that no longer exists.

Three cracks your security programme is already paying for — in incident cost, audit cycles, and engineering time spent writing brittle glue between tools that were never designed to cooperate.

  • 01

    The request perimeter is gone

    Salesforce Lightning, Slack, Teams, Workday, and every trading desk run on long-lived WebSocket sessions and event-bus topics. The HTTP WAF sees the 101 Upgrade, then nothing for the rest of the day.

  • 02

    Agents make policy at runtime

    Embedded LLMs and MCP tool-callers decide which resources to touch based on natural-language intent. Without a semantic notion of authorised action, a single misleading sentence becomes an exfiltration path.

  • 03

    Auditors outpace signatures

    EU AI Act, GDPR, and ISO 27002 demand explainable, replayable, attributable decisions. A blocklist or an SVM margin score cannot answer “why did you allow this?” — which is now the default audit question.

How it works

Meaning, not bytes.
Rules, not signatures.

WebWall lifts every frame into a typed semantic graph, runs human-authored policy rules in a forward-chaining reasoner, and emits verdicts with signed PROV-O evidence. In-process, deadline-bounded, composable with ML assistance.

rules/ws-exfiltration.kyl — excerpt
rule "classified payload to non-consented peer"
  when  /event-kind          /ws-frame-sent
        /payload-categories  contains /pii
        /peer                !in /consented-peers
  then  /verdict             /block
        /explain             "pii → unattested peer"
        /emit-audit
  1. I

    Ingest

    Every WebSocket frame, event-bus message, MCP call, SSE event, and DOM mutation is lifted into a typed event with provenance: peer DID, CSP origin, subprotocol, payload hash, and consent purpose.

  2. II

    Reason

    Events enter a session-scoped fact graph keyed by the kyl vocabulary — actor, intent, channel, topic, message-schema. Signed kyl rules fire in a forward-chaining reasoner with a 5 ms deadline and strictest-wins verdict merging.

  3. III

    Enforce & attest

    Allow · rewrite · block · quarantine, inline on the MAJA transport. Every verdict emits a PROV-O audit entry signed with a post-quantum profile — explainable, replayable, admissible.

Platform

Six primitives. One coherent runtime.

WebWall is not a feature bag. Every primitive is a direct answer to a specific enterprise gap, and every verdict composes through a single strictest-wins pipeline.

01Reasoning

Semantic action sitemap

A signed, per-app manifest of which (channel, topic, message-type) triples are authorised for each user intent. Positive-security by default — anything unlisted is denied, no matter what the signature database says.

02Policy

kyl policy language

Rules are human-authorable, machine-validatable kyl documents. Security engineers review them the way DevOps reviews Terraform, with sitemap-diff workflows and signed rule bundles.

03Compliance

DPV consent governance

Data Privacy Vocabulary classifications on every payload, bound to declared purposes. No classified category crosses a consent boundary without explicit user authorisation — GDPR and EU AI Act, enforced at the byte.

04Audit

Signed PROV-O trail

Every verdict carries a post-quantum-signed PROV-O entry with the fact set, rule DID, and reasoning chain. Replayable for incident review; admissible for regulators and internal SOC forensics.

05Detection

ML-assisted, never terminal

ADL-WAF-class dual-layer anomaly detection (Decision-Tree → SVM) is composable as one rule among many. 99.88% benchmark compatibility without the opacity — explanations survive because ML never owns a verdict.

06Identity

Web Bot Auth & DID

Cryptographic peer identity via IETF Web Bot Auth, DIDs on channels and messages, and actor classification that distinguishes humans from agents, bots, and scrapers at the first frame.

Threat coverage

Eight AI-era threats,
mapped to composable rules.

Each threat is modelled in the WebWall threat ontology and bound to one or more kyl rules. Verdicts merge strictest-wins; every firing is explainable against an external standard.

T1OWASP LLM01 · MITRE ATLAS AML.T0051

Indirect prompt injection

Surface
WS frames, event-bus delivery, SSE
Control
ws-injection rule + isolation fence rewrite
T2W3C PROV-O · schema.org

Semantic poisoning

Surface
JSON-LD / schema.org @id spoof
Control
schema plausibility + DID provenance check
T3OWASP LLM06 · ceLLMate UCSD 2025

Agent scope violation

Surface
Off-manifest tool calls, topic squatting
Control
action-sitemap strictest-wins enforcement
T4OWASP LLM08 · DPV v2

AI-assisted exfiltration

Surface
WS/eventbus outbound with classified payload
Control
DPV payload-class + consent-destination check
T5EU AI Act · GDPR Art 6 · DPV

Consent boundary crossing

Surface
Events whose purpose is not in session consent
Control
consent-boundary rule · DPV purpose matching
T6IETF draft-meunier-web-bot-auth

Semantic bot misuse

Surface
Unattested peers, synthetic input cadences
Control
actor-class inference + Web Bot Auth verify
T7W3C CSP Level 3 · NIST SP 800-53 AC-4

Cross-origin leak

Surface
postMessage bridges, BroadcastChannel
Control
origin provenance + sitemap channel patterns
T8Barth et al. 2008 · CaMeL DeepMind 2025

Confused deputy

Surface
Agent acting on attacker intent as user
Control
flow taint propagation + intent binding
How we compare

A strict superset on the surfaces that matter in 2026.

Positive-security wins adversarial. Negative-security wins benchmarks. WebWall runs both and composes them under a single audit trail.

CapabilityWebWallCloudflare / AkamaiADL-WAF / ML WAFceLLMate
HTTP-request WAF rules
Classic path/method/body regex
WebSocket-frame reasoning
Per-frame decisions after the 101 Upgrade
Event-bus pub/sub enforcement
Topic + message-type semantic sitemap
Indirect prompt-injection defence
In-context detection with classifier fallback
DPV consent & purpose binding
Payload classification against session consent
Signed PROV-O audit trail
Replayable, attributable, admissible verdicts
ML anomaly detection (ADL-WAF class)
Decision-Tree anomaly → SVM classification
Human-authorable policy language
Review-gated, diff-able, signed rules
Browser-isolation integration
In-process with DOM-mirror enforcement points
Web Bot Auth / DID peer identity
IETF draft-meunier, cryptographic peer attestation

Comparison reflects published capabilities as of April 2026. ADL-WAF refers to Nakayiza et al., arXiv:2511.12643, and representative ML-based WAFs. ceLLMate refers to the UCSD semantic action-sitemap research. We track changes and will update.

Integration

Runs inline, where the bytes already flow.

WebWall is AKIRA, a forward-chaining semantic reasoner, running alongside MAJA, a browser-isolation substrate that streams DOM mutations and duplex frames between a server-side Chromium and the client. Reasoning and enforcement sit on the same hot path, so verdicts land before a byte reaches the user.

In-process Rust crate
AKIRA is a Rust library linked into MAJA’s tokio runtime — no extra network hop, no side-car. The reasoner reads from the same FlatBuffers rings MAJA already produces.
Enforcement at existing seams
Verdicts (allow · rewrite · block · quarantine) apply at the mutation filter, input injector, and transport egress — points MAJA already owns. No net-new sockets.
Deadline-bounded reasoning
A 5 ms p95 budget per event batch, with rule-level deadlines and named fallbacks. LLM classifiers are always non-blocking with deterministic defaults.
Operator MCP surface
Explain, replay, validate-rule, sitemap-diff, actor-class, model-registry, flow-explain — all exposed as MCP endpoints for SOC analysts and security engineers.
server host · single processPID 1 · Rust
Chromium (C++)DOM observer · input injectorshared-memory ringFlatBuffers · zero-copy · mmap → tokioMAJA · RUST SERVERsession managertransport demuxAKIRA reasonerkyl rules · deadline 5 ms+adl-anomaly (optional)enforcementmutation-filter · input-injector-gate · transport-egress-gatetransport · WebTransport / WS / HTTP/2Client browserreceives only verdicts-passing bytes
Trust & compliance

Built for auditors,
not just SOC analysts.

Every verdict is signed evidence. Every rule is a reviewable document. Every ML model carries a training-data attestation. That is what modern regulation demands — and the bar the next generation of enterprise security platforms has to meet.

  • Aligned
    EU AI Act
  • Aligned
    ISO 27001
  • Aligned
    GDPR · DPV
  • Aligned
    PROV-O
  • Aligned
    NIST AI RMF
  • Aligned
    OWASP LLM Top 10

EU AI Act — risk categorisation

Every ML decision is tied to a model DID, a training-data attestation, a validation metric set with adversarial-bypass rate, and a permitted-transports manifest. High-risk systems get the paperwork their risk class requires.

Art. 14Art. 15ENISA AI sec

ISO 27001 / 27002

Runtime controls follow the ACO pattern with back-references to ISO 27002 and NIST SP 800-53 control IDs. Your ISMS Statement of Applicability maps one-to-one against WebWall rules.

A.5.15A.5.23A.8.25

GDPR · DPV consent traceability

DPV purposes and data categories on every classified payload. Verdicts explain exactly which consent scope a blocked action would have violated, in the vocabulary your DPO already uses.

Art. 6Art. 32W3C DPV v2

PROV-O · signed provenance

Verdicts are W3C PROV-O activities with agent, entity, and fact references, signed with a post-quantum profile. Replayable against any later rule-set for regression analysis.

W3C PROV-OFIPS 203FIPS 204

NIST AI RMF

Model governance events, adversarial eval harness, and drift detection produce a continuous evidence trail against Govern, Map, Measure, and Manage functions.

GV-4MS-1MG-4

OWASP LLM Top 10

LLM01 prompt injection, LLM06 sensitive-info disclosure, LLM08 excessive agency, LLM09 overreliance — each maps to a named WebWall rule and a named kyl threat DID.

LLM01LLM06LLM08LLM09
Enterprise access

Defend the traffic your WAF cannot see.

Design-partner slots are open for Q3 2026. If your stack includes WebSocket or event-bus apps, embedded AI agents, or regulated data under strict audit — you are who we built this for.

  • In-depth architecture call with our founding team
  • Shadow-mode deployment on one pilot application
  • First action-sitemap authored with our SOC engineers
  • Signed, replayable audit trail from day one of production