FAST ATTACKS. SILENT FRAUD. ONE RESPONSE.

Agentic models and offensive copilots are compressing recon, exploit chaining, credential abuse, and fraud ops into automated workflows that now scale faster than most security teams.

AI Has Made Cybercrime Cheaper.
RWAF Makes Your API Harder to Exploit.

Systems like Claude Mythos raise the ceiling for attackers by accelerating reconnaissance, exploit development, malware iteration, and sophisticated fraud campaigns. RWAF sits in front of your API to block abusive traffic now and build fraud intelligence from every request over time. No SDK. No code changes.

Get Started

Autonomous Attack Chains

Agentic models can scan, probe, chain weak points, and adapt with far less human effort than traditional campaigns required.

Exploit Quality Jumps

Advanced AI systems can reason about vulnerabilities and offensive paths, raising the sophistication of attacks against exposed APIs.

Fraud Ops at Scale

Attackers now automate phishing, account takeover, card testing, and promo abuse across thousands of sessions in parallel.

Recon in Minutes

AI-driven targeting turns leaked data, public endpoints, and weak controls into faster, more precise campaigns against high-value flows.

πŸ›‘οΈ Day 1 β€” The WAF (The Wedge) WIP

Point DNS at RWAF. In under 3 minutes your API is behind a production-grade firewall. Bots get blocked, credential stuffers get dropped, and bad traffic never reaches your origin.

No SDK. No code changes. No config. You're protected before lunch.

// Blocked before it hits your server
HTTP 429 Too Many Requests
X-RWAF-Blocked: rate_limit, datacenter_ip, ja4_mismatch
Retry-After: 60

Your API does not need to look broken to be under attack.

Most abuse starts in the gray zone before it becomes an outage: bots hammer login, fake signups drain promos, scrapers lift pricing, and cheap infrastructure keeps probing for weak routes. Teams usually do not see it until cloud bills spike or conversion drops.

RWAF sits inline from the first request and blocks the obvious garbage immediately. You get rate limits, bot filtering, client fingerprinting, ASN and IP reputation checks, and request validation at the edge. No backlog project. No integration tax. No waiting for fraud data to accumulate before seeing value.

🧠 Week 2+ — The Anti-Fraud Engine (The Moat) Roadmap

As traffic flows through RWAF, the fraud engine learns what's normal for your customers. Risk scores, reason codes, and recommended actions start appearing as headers.

The longer you run, the smarter it gets, backed by cross-customer network intelligence.

// Enriched headers on every request
X-RWAF-Risk-Score: 87
X-RWAF-Decision: manual_review
X-RWAF-Reasons: new_device, ip_country_mismatch
X-RWAF-Action: request_2fa

You don't need to be a bank to get robbed.

Every time someone creates a fake account to abuse your free tier, games your referral program, card-tests against your checkout, or scrapes your pricing API to undercut you — that's fraud. It's just not called fraud in your chargeback dashboard, because it never shows up there.

RWAF's anti-fraud engine sits inline on your API. It scores every request, session, and account event in real time — and gets sharper the longer it runs on your traffic. No model to train. No analyst to hire. No SDK.

Sign up for the WAF because it's instant, zero-effort API protection. The longer you stay, the smarter our anti-fraud engine gets, enriched by cross-network intelligence across all RWAF customers.

Why Sign Up — The Web Application Firewall (WAF)

Instant, tangible wins from day one.

Alpha
🚫
Stop Bots & Scrapers

Block automated abuse, scrapers, and credential stuffers before they touch your API. Protect your infrastructure and data.

Beta
⚡
Rate Limiting & DDoS

Per-IP, per-endpoint, and burst rate limiting with 429 responses and retry-after headers. No more surprise outages.

Roadmap
TLS Fingerprinting

JA3/JA4 fingerprints expose headless browsers, bots, and spoofed clients that pass User-Agent checks.

Alpha
🌐
IP & Geo Intelligence

Reputation scoring, VPN/proxy/Tor detection, ASN classification (data center vs. residential), and geo-fencing — all inline.

WIP
📋
Schema & Header Validation

Reject malformed requests, missing headers, and suspicious payloads at the proxy layer — before they waste your compute.

Backlog
πŸ‘οΈ
Full Visibility Dashboard

Real-time traffic view, bot analysis, shadow-block mode, and attack timelines. Know exactly what's hitting your API.

The 48-hour audit

"Don't change a line of code. Route your staging traffic through RWAF for 48 hours. We'll send you a report of every bot, scraper, and suspicious request we caught."

Why Stay — The Anti-Fraud Engine

"Fraud doesn't just hit banks. It hits your checkout, your free trial, your referral link, and your sign-up form."

Enterprise fraud teams have had inline scoring for years. RWAF gives every API-backed product the same engine — without hiring a data scientist or buying a six-figure contract.

Roadmap
💳
Fewer Chargebacks

Score transactions before they settle. Risk headers let your backend auto-block fraud and reduce processor penalties.

Roadmap
✅
Higher Approval Rates

Precision ML scoring replaces blunt rules. More revenue from legitimate customers who would have been falsely blocked.

Roadmap
🧠
Models Trained on Your Traffic

Supervised + unsupervised models learn what's normal for your customers. Generic rules can't compete with this.

Roadmap
🌐
Cross-Network Intelligence

"This device appeared on 12 bad accounts." Network signals across all RWAF customers while preserving privacy. The true moat.

Roadmap
🤖
Less Promo & Referral Abuse

Device fingerprinting + behavioral signals catch coupon stuffers, trial abusers, and referral loops.

Roadmap
📉
Lower Manual Review Costs

Auto-approve clean traffic, auto-block obvious fraud, and only surface edge cases for human review.

Two Layers. One Proxy.

The WAF gets you in the door. The fraud engine keeps you happy.

THE WEDGE
πŸ›‘οΈ API WAF Layer β€” Instant Protection WIP

Active from the moment DNS resolves. Zero config. Your API is protected before you write a single line of code.

  • Rate limiting & DDoS mitigation (429 + retry-after)
  • Bot detection & credential stuffing blocking
  • TLS/JA3-JA4 client fingerprinting
  • ASN classification (data center vs. residential)
  • Missing or anomalous browser header detection
  • IP reputation, geo-fencing, VPN/proxy/Tor signals
  • Request schema & payload validation
  • Shadow-block mode (observe without enforcing)

THE MOAT
🧠 Anti-Fraud Layer — Learns Over Time Roadmap

Starts scoring as data accumulates. The longer you run, the sharper it gets. This is what competitors can't replicate.

  • Heuristic & Deterministic Rules — known patterns, instant
  • Business Logic Anomalies — unusual order sizes, timing
  • Supervised ML — trained on known fraud patterns
  • Unsupervised Anomaly Detection — finds what doesn't look "normal" for each customer
  • Cross-Network Intelligence — signals across all RWAF customers (the moat)
  • Velocity & Impossible Travel
  • Fraud Reporting API — feed back chargebacks to improve models

How It Works

Example: a user tries to make a purchase on your platform.

1
User initiates a purchase on your app or site.
2
Request hits RWAF transparent proxy before reaching your API.
3
RWAF inspects device fingerprint, IP, geo, TLS, velocity, and behavioral signals in <10ms.
4
Risk headers are injected and the request is forwarded to your origin.
5
Your backend reads the headers and decides: approve, review, or block.
6
Outcomes (chargebacks, fraud reports) feed back into RWAF to improve scoring.

Example Response Headers (score 87/100):

X-RWAF-Risk-Score: 87
X-RWAF-Decision: manual_review
X-RWAF-Reasons: new_device, ip_country_mismatch, high_card_velocity
X-RWAF-Confidence: 0.91
X-RWAF-Action: request_2fa

Fraud Feedback Endpoint:

POST /v1/report-fraud
{
  "transaction_id": "tx_123",
  "outcome": "chargeback",
  "reason": "fraudulent"
}

What RWAF Inspects

Scoring combines signals from the request, the account, the device, and the transaction lifecycle in real time.

  • IP — reputation, geo, ASN type (Alpha)
  • IP — VPN, proxy, Tor (Backlog)
  • TLS — JA3/JA4 fingerprint, cipher anomalies (WIP)
  • Device — fingerprint, emulator, multi-account
  • Device — reputation, rooted or farmed device signals
  • User Agent — browser consistency, automation hints
  • Velocity — N attempts in M minutes, impossible travel
  • Geo — IP-country vs. card-country mismatch
  • Address — billing vs. shipping country mismatch
  • Identity — account age, email domain, phone status
  • Email — disposable inboxes, domain age, reputation
  • Phone — reputation, line type, SIM-swap indicators
  • Payment — BIN country, prepaid card, card velocity (Backlog)
  • Transaction — amount, basket size, merchant-specific thresholds
  • Behavior — typing speed, click patterns, login history
  • Session — cookie continuity, token reuse, hijack patterns
  • History — failed logins, prior chargebacks, refund rate
  • Graph — shared cards, phones, devices, referral links
  • Time — hour-of-day anomalies, burst timing
  • Headers — missing common browser headers
  • IDV — document checks, mismatch indicators (Roadmap)
  • Content — phishing text, scam keywords, unsafe links
  • Media — document, selfie, deepfake analysis (Backlog)
  • Social — profile age, impersonation trails (Backlog)
  • Network — cross-customer device/IP intelligence (Backlog)

The Customer Journey

WAF is the entry point. Anti-fraud is the lock-in.

LOL
Day 1

WAF active. DNS points to RWAF. Bots, scrapers, and brute-force attacks are blocked. Rate limiting enforced. You see traffic in the dashboard.

LOL
Week 1

Observe mode. Fraud score headers appear on every request. Log them, compare to your internal signals, and build confidence in the scoring.

LOL
Month 1

Fine-tune rules. Set risk thresholds for auto-block, review, and approve. Edit rules via the dashboard. Start feeding back chargebacks.

LOL
Month 3+

ML models are trained on your traffic. Cross-network intelligence kicks in. You turn on advanced features and automation.

Use Cases

API Abuse & DDoS, Credential Stuffing, OAuth / Token Abuse, Session Hijack Detection, Spam / Bot Detection, Card Payment Fraud, Account Takeover, Fake Account / Bot Signup, Card Testing, P2P Transfer Fraud, Synthetic Identity, Promo & Coupon Abuse, Trial Abuse, Marketplace Seller/Buyer Fraud, Seller Onboarding Risk, Business Onboarding / KYB, Loan & BNPL Application Fraud, Wire / ACH Fraud, Crypto Withdrawal Risk, Referral Abuse, Refund / Chargeback Abuse, Returns Fraud, Gift Card Fraud, Loyalty / Rewards Abuse, Mule Account Detection, KYC / ID Verification, AML / Sanctions Risk, Phishing / Scam Detection, SIM Swap Detection, Fake Profile / Impersonation, Affiliate / Ad Click Fraud, Investment Fraud, Insurance Claims Fraud, Healthcare Claims Fraud, Government Benefit Fraud

Works for: Merchants, fintechs, marketplaces, SaaS platforms — any business that needs to answer "How risky is this transaction or account?" before making a decision.

Setup

Get WAF protection immediately. Anti-fraud signals appear as traffic flows. Fine-tune blocking when comfortable.

LOL
1
Point Your API Through RWAF

Update your CNAME or load balancer to route traffic through our transparent proxy. Your origin stays the same.

# DNS
CNAME api → proxy.rwaf.com

# Or set origin in dashboard
Origin: https://api.yourdomain.com

LOL
2
Add the Web Script (Optional)

Drop our lightweight collector on your site to capture device fingerprint and behavioral signals. Use it to proxy payment or intent-based links for deeper scoring.

<!-- Add to your site -->
<script src="https://cdn.rwaf.com/collect.js"></script>

You may need to update your CSP or CORS policy to allow content from rwaf.com.

LOL
3
Webhook Receivers (Optional)

Route webhooks from third-party services through RWAF so payment and account events get scored inline. Supports Stripe, PayPal, Adyen, Shopify, Auth0, and any custom webhook source.

# In your Stripe dashboard, set webhook endpoint to:
URL: https://proxy.rwaf.com/webhooks/stripe

# RWAF verifies the signature, scores the event,
# injects risk headers, and forwards to your origin.
Origin: https://api.yourdomain.com/webhooks/stripe

Configure webhook sources and signing secrets in the RWAF dashboard. Events like charge.disputed and payment_intent.succeeded automatically feed the fraud model.

LOL
4
Forward Emails (Optional)

Route transactional and notification emails through RWAF to detect phishing, account takeover attempts, and fraudulent sign-up confirmations before they reach your mail handler.

# MX or inbound relay — point to RWAF
MX inbound → mail.rwaf.com

# Or forward via provider (SendGrid, Mailgun, SES…)
Inbound Parse URL:
https://proxy.rwaf.com/email/inbound

Works with SendGrid, Mailgun, Amazon SES, Postmark, and any SMTP relay. RWAF scores sender reputation, content risk, and links before forwarding to your handler.

LOL
5
Observe, Then Enforce

Start in Observe Mode. Risk headers flow to your backend immediately. Review the dashboard, tune thresholds, then flip to active blocking when you're confident.

// Your backend reads headers (Node lowercases header names;
// values arrive as strings, so convert before comparing):
const score = Number(req.headers['x-rwaf-risk-score']);
if (score > 80) blockOrReview(req);
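The decision step of the flow (steps 4 to 6 under How It Works and the header check in step 5 above) as an added example, not code from RWAF: it parses the X-RWAF-* headers the page shows, maps them to approve / review / block, and builds the body for the /v1/report-fraud feedback call. Header names and sample values are the page's own; the 60/90 thresholds, the `trustedProxy` flag, the `local_rules` fallback and the returned object shapes are assumptions. Because traffic reaches RWAF via DNS and falls through to the origin when the proxy is unreachable, the helper ignores risk headers on any request that did not arrive from the proxy, since a client that reaches the origin directly could set those headers itself.

```javascript
// Added example (not RWAF's code): consume X-RWAF-* headers at the origin and
// turn them into approve / review / block decisions, then build the feedback
// report. Header names and sample values come from the page; thresholds, the
// `trustedProxy` flag and the returned shapes are constructed assumptions.

const THRESHOLDS = { block: 90, review: 60 }; // constructed; the page's snippet uses 80

// Parse the enriched headers. Returns null when the request carries no usable
// score (header absent, empty, or not an integer in 0..100).
function parseRiskHeaders(headers) {
  // Node lowercases incoming header names; accept either spelling.
  const get = (name) => {
    const v = headers[name] ?? headers[name.toLowerCase()];
    return Array.isArray(v) ? v[0] : v;
  };
  const raw = get('X-RWAF-Risk-Score');
  if (raw === undefined || raw === '') return null;
  const score = Number(raw);
  if (!Number.isInteger(score) || score < 0 || score > 100) return null;
  const reasons = (get('X-RWAF-Reasons') ?? '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  const conf = get('X-RWAF-Confidence');
  return {
    score,
    decision: get('X-RWAF-Decision') ?? null,
    action: get('X-RWAF-Action') ?? null,
    reasons,
    confidence: conf === undefined ? null : Number(conf),
  };
}

// Map a parsed score to an action for this request. `trustedProxy` must be
// true only when the connection really came from RWAF (for example, the peer
// address is the proxy's). A client that reaches the origin directly, which
// is possible because the proxy fails through on outage, could forge
// X-RWAF-* headers, so they are ignored unless the path is trusted.
function decide(risk, { trustedProxy = false } = {}) {
  if (!trustedProxy) return { outcome: 'unscored', step: 'local_rules', why: 'untrusted_path' };
  if (risk === null) return { outcome: 'unscored', step: 'local_rules', why: 'no_score' };
  const why = risk.reasons.join(',');
  if (risk.score >= THRESHOLDS.block) return { outcome: 'block', step: 'deny', why };
  if (risk.score >= THRESHOLDS.review) {
    // Honour the proxy's suggested step-up when it gives one (page: request_2fa).
    const step = risk.action === 'request_2fa' ? 'request_2fa' : 'manual_review';
    return { outcome: 'review', step, why };
  }
  return { outcome: 'approve', step: 'none', why };
}

// Step 6 of the flow: build the feedback call that closes the loop. Path and
// body fields are the page's example; the returned shape is an assumption.
function buildFraudReport(transactionId, outcome, reason) {
  if (typeof transactionId !== 'string' || transactionId === '') {
    throw new Error('transaction_id is required');
  }
  return {
    method: 'POST',
    path: '/v1/report-fraud',
    body: JSON.stringify({ transaction_id: transactionId, outcome, reason }),
  };
}

// Constructed sample: the page's example response headers (score 87/100) as
// Node presents them (lowercased names, string values).
const SAMPLE_HEADERS = {
  'x-rwaf-risk-score': '87',
  'x-rwaf-decision': 'manual_review',
  'x-rwaf-reasons': 'new_device, ip_country_mismatch, high_card_velocity',
  'x-rwaf-confidence': '0.91',
  'x-rwaf-action': 'request_2fa',
};

function demo() {
  const risk = parseRiskHeaders(SAMPLE_HEADERS);
  console.log(decide(risk, { trustedProxy: true }));  // review via request_2fa
  console.log(decide(risk, { trustedProxy: false })); // unscored: headers not trusted
  console.log(buildFraudReport('tx_123', 'chargeback', 'fraudulent'));
}
demo();
```

Deriving `trustedProxy` from the peer address, or restricting origin ingress to the proxy's addresses at the firewall, is what makes the headers safe to act on; without that, an attacker who finds the origin's real address can hand your backend a score of 0.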

What Gets Scored

Out-of-the-box heuristics and abuse checks that start scoring from day one.

  • IP-country ≠ card-country
  • Shipping-country ≠ billing-country
  • Account age < 24 hours
  • > N payment attempts in M minutes
  • Disposable email domain
  • High-risk BIN or prepaid card
  • Device seen across many accounts
  • Unusual order size vs. user history
  • Data center IP (ASN classification)
  • Geolocation mismatch / impossible travel
  • Missing common browser headers
  • TLS fingerprint anomaly (JA3/JA4)
  • Phone reputation or SIM-swap anomaly
  • Session reuse or token hijack pattern
  • Graph-linked accounts sharing device or payment rails
  • Prior chargeback, refund, or promo-abuse history
  • Time-of-day anomaly vs. account baseline
  • ID document mismatch or onboarding inconsistency
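To make the heuristics list concrete, an added example (not RWAF's scoring engine) that implements six of the checks above as weighted rules over a constructed checkout event and emits a score, decision and reason codes in the vocabulary of the page's headers. Rule weights, the N=3 / M=10-minute velocity window, the 60/90 thresholds, the disposable-domain list and the event field names are all assumptions.

```javascript
// Added example (not RWAF's code): a small heuristic scorer in the style of the
// "What Gets Scored" list. Rule codes mirror the page's reason codes; weights,
// thresholds, velocity parameters, domain list and event shape are constructed.

const MINUTE = 60 * 1000;
const THRESHOLDS = { block: 90, review: 60 };        // constructed
const VELOCITY = { attempts: 3, windowMinutes: 10 }; // "> N attempts in M minutes", N=3, M=10 constructed
const DISPOSABLE_DOMAINS = new Set(['mailinator.com', 'tempmail.example']); // constructed sample list

// Count timestamps (ms since epoch) inside the trailing window ending at `now`.
function countRecent(timestamps, now, windowMinutes) {
  const cutoff = now - windowMinutes * MINUTE;
  return (timestamps ?? []).filter((t) => t > cutoff && t <= now).length;
}

function emailDomain(email) {
  if (typeof email !== 'string') return '';
  const at = email.lastIndexOf('@');
  return at < 0 ? '' : email.slice(at + 1).toLowerCase();
}

// Each rule yields one reason code and a weight when it fires. Absent inputs
// simply do not fire a rule, so partial events still score.
const RULES = [
  { code: 'ip_country_mismatch', weight: 25,
    test: (e) => Boolean(e.ipCountry && e.cardCountry) && e.ipCountry !== e.cardCountry },
  { code: 'address_country_mismatch', weight: 15,
    test: (e) => Boolean(e.shippingCountry && e.billingCountry) && e.shippingCountry !== e.billingCountry },
  { code: 'new_account', weight: 15,
    test: (e) => typeof e.accountCreatedAt === 'number' && e.now - e.accountCreatedAt < 24 * 60 * MINUTE },
  { code: 'high_card_velocity', weight: 30,
    test: (e) => countRecent(e.cardAttempts, e.now, VELOCITY.windowMinutes) > VELOCITY.attempts },
  { code: 'disposable_email', weight: 20,
    test: (e) => DISPOSABLE_DOMAINS.has(emailDomain(e.email)) },
  { code: 'datacenter_ip', weight: 20,
    test: (e) => e.asnType === 'datacenter' },
];

// Run every rule, sum the weights that fired (capped at 100) and map the total
// onto the decision vocabulary the page's headers use.
function scoreEvent(event) {
  const fired = RULES.filter((r) => r.test(event));
  const score = Math.min(100, fired.reduce((sum, r) => sum + r.weight, 0));
  const decision = score >= THRESHOLDS.block ? 'block'
    : score >= THRESHOLDS.review ? 'manual_review' : 'approve';
  return { score, decision, reasons: fired.map((r) => r.code) };
}

// Constructed sample: a checkout from a 2-hour-old account, card issued in a
// different country than the IP, five card attempts in the last 10 minutes.
const NOW = Date.UTC(2024, 0, 15, 12, 0, 0);
const SUSPICIOUS = {
  now: NOW,
  ipCountry: 'BR', cardCountry: 'US',
  shippingCountry: 'US', billingCountry: 'US',
  accountCreatedAt: NOW - 2 * 60 * MINUTE,
  cardAttempts: [1, 3, 5, 7, 9, 15].map((m) => NOW - m * MINUTE),
  email: 'buyer@example.com',
  asnType: 'residential',
};
const CLEAN = {
  now: NOW,
  ipCountry: 'US', cardCountry: 'US',
  accountCreatedAt: NOW - 400 * 24 * 60 * MINUTE,
  cardAttempts: [NOW - 30 * MINUTE],
  email: 'longtime@example.com',
  asnType: 'residential',
};

console.log(scoreEvent(SUSPICIOUS)); // score 70, manual_review
console.log(scoreEvent(CLEAN));      // score 0, approve
```

Additive weights are the simplest form of the "heuristic and deterministic rules" layer; the point of the reason codes is that the backend, or an analyst in review, can see which signals fired rather than just a number.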

Managed Rule Coverage

When configured, RWAF can also inherit managed rules across the core web exploit families, protocol abuse, and threat-intel signatures.

Injection & App-Layer Attacks

Covers the high-volume exploit classes that hit public APIs first.

  • SQL injection: 40 rules
  • Cross-site scripting: 30 rules
  • PHP and Node.js injection families
Traversal, Inclusion & RCE

Stops common payloads used to turn weak routes into footholds.

  • Local and remote file inclusion
  • Remote command execution: 12 rules
  • Java deserialization and process-spawn signatures
Protocol Enforcement

Rejects malformed or suspicious HTTP before it burns backend compute.

  • Protocol enforcement: 35 rules
  • Header injection and request smuggling checks
  • Method enforcement and malformed body validation
Threat Intel Signatures

Bundles curated detections for active exploit chains and evasions.

  • 18 known CVE exploit signatures
  • Threat-intel SQLi detections
  • Path traversal evasion coverage
Web Shell & Post-Exploitation

Targets payloads commonly used after initial compromise.

  • Web shell upload and interaction attempts
  • Suspicious command wrappers and shell expressions
  • Session fixation and unsafe state handling
API-Safe Default Posture

Useful coverage even before custom fraud policies are tuned.

  • Missing host, accept, user-agent, and content-type checks
  • Illegal charset, encoding, and range-request detection
  • Multipart parse failures and request-body anomalies

Integrations & Feedback Loops

Roadmap
🔗
Webhook Relay

Forward webhooks from payment processors, identity providers, and other services through RWAF for inline scoring.

Backlog
⚠️
Card Network Alerts

Ingest TC40/SAFE early-warning alerts from card networks to update fraud models before chargebacks hit.

Roadmap
📊
Dashboard & Case Review

Real-time traffic feed, shadow-block view, editable rules, alerts, and a case review queue for manual decisions.

Pricing

Simple, predictable pricing. Start free, scale when ready.

Starter

Free
For side projects & evaluation.
  • 1 domain
  • 500K requests/month
  • OWASP managed rules
  • Basic DDoS protection
  • Observe-mode risk headers
  • Community support
Get Started Free

Business

$149/mo
For high-traffic platforms & teams.
  • 10 domains
  • 25M requests/month
  • Advanced WAF + custom rules
  • Full anti-fraud engine (1M events/mo)
  • Cross-network intelligence
  • SIEM integration (webhook)
  • TC40/SAFE chargeback feed
  • Priority support (4h SLA)
Start Business Trial
Enterprise? Unlimited domains, custom SLAs, managed SOC, on-prem agents, and dedicated fraud analyst support. Contact us.
🔥 Limited — ? of 200 remaining

Founding Lifetime Deal

Help us build the next-gen WAF + anti-fraud platform and lock in a deal we'll never offer again. Lifetime access to the Pro tier — one payment, no recurring fees.

Solo
$199 one-time
  • ✅ 2 domains — lifetime
  • ✅ 2M requests/month
  • ✅ Core WAF + bot protection
  • ✅ Anti-fraud: login/ATO (100K sessions/mo)
  • ✅ 12 months email support
  • ✅ Private roadmap & feedback group
  • ✅ 50% off Business upgrade — forever
Claim Solo LTD — $199

Team / Agency
$449 one-time
  • ✅ 5 domains — lifetime
  • ✅ 5M requests/month
  • ✅ Full WAF + advanced bot protection
  • ✅ Anti-fraud: full engine (250K sessions/mo)
  • ✅ 12 months priority support
  • ✅ Private roadmap & feedback group
  • ✅ 50% off Business/Enterprise — forever
Claim Team LTD — $449

⏰ Offer ends when all 200 licenses are sold or after 30 days — whichever comes first. This exact deal will never return.

Frequently Asked Questions

RWAF (REST WAF and Anti-Fraud) is a transparent reverse proxy that sits in front of your API. It combines a web application firewall with an AI-powered fraud scoring engine. You get instant bot blocking, rate limiting, and DDoS protection on day one — and smarter fraud detection as traffic flows through over time.

No. Point your DNS (CNAME) at RWAF and you're protected. There's no SDK, no code changes, and no agent to install. Optionally, you can add a lightweight JavaScript collector for device fingerprinting and behavioral signals.

Under 3 minutes. Update your DNS record, and RWAF starts filtering traffic immediately. WAF rules are active from the first request. Fraud scoring improves as your traffic history builds.

RWAF is designed to inspect and score requests in under 10ms. The proxy runs on edge infrastructure close to your users, so the impact on response times is negligible for most workloads.

RWAF is built with automatic failover. If the proxy is unreachable, traffic falls through to your origin so your API stays available. We also support health checks and status page alerts.

Yes. Shadow-block mode lets you see risk scores and blocked-request reports without actually dropping any traffic. When you're confident in the scoring, flip to active enforcement from the dashboard.

When a device or IP is flagged as fraudulent on one RWAF customer's traffic, that signal is anonymized and shared across the network. This means a bad actor caught on one platform is recognized everywhere — without exposing any customer's private data.

Yes. The Starter plan is free and includes 1 domain, 500K requests/month, OWASP managed rules, basic DDoS protection, and observe-mode risk headers. No credit card required.

RWAF works alongside your existing WAF — you don't have to rip anything out. Most teams run their cloud WAF (AWS WAF, Azure Front Door, Cloudflare) for generic OWASP rules and edge caching, then place RWAF between that layer and your origin. RWAF focuses on what traditional WAFs miss: API-specific abuse, credential stuffing patterns, bot fingerprinting, and inline fraud scoring. Think of it as a specialized second layer that reads the traffic your WAF already passed and adds risk intelligence your backend can act on.

CDNs and RWAF solve different problems and chain together cleanly. Keep your CDN in front for caching, TLS termination, and static asset delivery. Point your CDN's origin (or a separate API subdomain) at RWAF, and RWAF forwards to your real backend. The CDN handles performance; RWAF handles security and fraud scoring on the dynamic API requests that actually reach your server. We've tested this with Cloudflare, Fastly, AWS CloudFront, and Azure Front Door — setup is just updating the origin address.

This page doubles as a public roadmap — every feature is tagged with its current build state so you always know what's live and what's coming.

LOL  Just for Laughs — these will be edited once we have onboarded more than a handful of clients.

WIP  Work In Progress — actively being built right now.

Alpha  Alpha — shipped to early-access users; expect rough edges and breaking changes.

Beta  Beta — available to all users, stabilising; feedback welcome.

Roadmap  Roadmap — committed and prioritised, build not yet started.

Backlog  Backlog — on the list but not yet scheduled.

Tags are updated as features ship. If something you need is in Backlog, join the waitlist and mention it β€” demand moves things up.
I've spent years building and shipping products — for myself, for SMB clients, and as staff at enterprises. Every time I exposed an API, I ended up being the "security team" too — watching logs at 1 a.m., blocking IPs by hand, and duct-taping rules around whatever the latest bot or scraper was doing.

That worked until AI changed the game. Attackers can now chain recon, exploitation, and fraud into automated workflows that run 24/7. There's no way to out-scale that by writing one more rate-limit rule or bolting on yet another SDK.

Cyber attacks hit fast. Fraud bleeds you slowly — and it's everywhere now. Every API endpoint, every checkout flow, every sign-up form is a surface. If you're not scoring risk inline, you're finding out about it in a chargeback email weeks later.

I've been fortunate to work alongside great people with enterprise-grade tools and processes. But at some point, less becomes more — and what founders actually need is one thing that just works.

RWAF is the tool I wanted for my own APIs: one DNS change, real WAF protection in minutes, and an anti-fraud engine that gets smarter the longer it runs. I'm building this so founders like you can keep shipping product while something intelligent sits in front of your API — blocking bots, abuse, and fraud before it ever reaches your app. I'll keep adding signals over time — SLA monitoring, enriched device telemetry — signals that can power your AI agents and workflows too.

What Clients Are Saying

SaaS Founder LOL

"I'm a SaaS founder with a public API and no dedicated security team. I can't spend weeks wiring up another tool or babysitting bot traffic every night. Never trust, always verify."

"I pointed my API to RWAF and got protection the same day. No SDK, no code changes, no long setup. Within minutes, bad traffic was getting filtered before it reached my origin."

"Over time, RWAF started showing me which requests, accounts, and sessions looked risky. That gave me a practical way to spot abuse, protect signup and login flows, and make better decisions without building a fraud system from scratch."

"RWAF gives me breathing room. I can stay focused on shipping and supporting my product."

Your API is unprotected right now.

One DNS change gets you a WAF today. Fraud intelligence grows on autopilot. Route your staging traffic through RWAF and see results in minutes.

Get Started