DEV.co
Open-Source Security · openappsec

openappsec

open-appsec is an open-source machine learning-based Web Application Firewall (WAF) that automatically detects and blocks threats against web apps and APIs. It deploys as an agent on Linux, Docker, or Kubernetes, integrating with NGINX, Kong, APISIX, and Envoy, and uses both pre-trained and environment-specific ML models to identify malicious requests.

Source: GitHub — github.com/openappsec/openappsec
1.6k
GitHub stars
126
Forks
C++
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryopenappsec/openappsec
Owneropenappsec
Primary languageC++
LicenseApache-2.0 — OSI-approved
Stars1.6k
Forks126
Open issues35
Latest release1.1.34 (2026-04-20)
Last updated2026-05-26
Sourcehttps://github.com/openappsec/openappsec

What openappsec is

C++ engine with dual ML approach: supervised model (trained offline on millions of requests) and unsupervised model (learns live from protected environment traffic). Deployed as a sidecar/attachment process; requests decoded for HTTP, JSON, XML analysis with IP-level access control. Manages via config files, Helm, or SaaS Web UI.

Quickstart

Get the openappsec source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/openappsec/openappsec.gitcd openappsec# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Kubernetes-native API & web app protection

Deploy via Helm charts on K8s with NGINX, Kong, or APISIX ingress controllers; leverage annotations for policy management and automatic environment-specific ML model learning.

Zero-day and OWASP Top 10 threat prevention

Continuously learns baseline traffic patterns and flags anomalies; supervised model trained on global attack patterns provides defense against known and unknown threats.

Multi-environment security posture (monitor to enforce)

Start in monitor-only mode in test environments with basic ML model; graduate to production with advanced model and enforcement; unified management across distributed agents.

Implementation considerations

  • Build environment must satisfy C++ compilation requirements (CMake, Boost, OpenSSL, PCRE2, libxml2, GTest, GMock, cURL, Redis, Hiredis, MaxmindDB, yq); pre-built packages simplify but lock to supported NGINX versions.
  • Dual ML model strategy: basic model (repo) adequate for test; advanced model (SaaS portal download) required for production accuracy; requires portal access and email updates for model refreshes.
  • Agent runs as separate process (nano-agent); attachment mechanism (C-based) bridges HTTP sources (NGINX, Kong, etc.) and agent security logic; IPC overhead and persistent volume management needed.
  • Standalone mode (local policy files) vs. managed mode (SaaS portal + token); hybrid modes support token-based registration; state persistence requires dedicated volumes (/etc/cp/conf, /etc/cp/data, /var/log/nano_agent).
  • Learning model built in real-time in protected environment; distributed environments use smartsync service (Golang) to correlate and unify models across multiple agents.

When to avoid it — and what to weigh

  • Require commercial SLA/support out-of-the-box — Apache 2.0 license permits use but does not include warranty, SLA, or vendor support obligations. Community support and paid SaaS management available separately.
  • Cannot compile from source or manage custom NGINX builds — Installation requires either pre-compiled binaries (limited NGINX versions supported) or compilation against external dependencies (Boost, OpenSSL, PCRE2, libxml2, GTest, Redis, MaxmindDB, etc.).
  • Need strict air-gapped or offline-only deployment — Advanced ML model download and updates, SaaS management features, and potential cloud-side learning correlation (smartsync) imply internet connectivity for optimal operation.
  • Heavy reliance on proprietary WAF rules or legacy policy formats — Policy is declarative (YAML) or K8s annotations; no evidence of migration tools from traditional WAF rule syntax (e.g., ModSecurity CRS).

License & commercial use

Apache License 2.0 (Apache-2.0): permissive, copyleft-free open-source license. Allows commercial use, modification, distribution, and private use. No warranty or liability. Attribution required.

Apache 2.0 permits commercial deployment without license restrictions. However, no explicit vendor support, SLA, or indemnification is conveyed by the license itself. Paid SaaS management platform (SaaS Web UI, advanced ML models, email updates) and professional support are available separately via openappsec.io; verify terms directly with vendor. Requires review of commercial support/SLA offerings for production deployments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Dual ML model design (supervised + unsupervised) reduces false positives via environment-specific learning. No details on input validation, buffer overflow mitigations, or process isolation strength provided in README. Requires review of: threat model for ML model poisoning, secure ML model distribution/updates, IPC security between agent and attachment, storage of learned models and logs, and incident response mechanisms. SaaS management portal security (my.openappsec.io) not documented. CII Best Practices badge noted but specific security audit results unknown.

Alternatives to consider

ModSecurity (OWASP CRS)

Open-source, rule-based WAF; mature, widely deployed, no ML dependency; lower operational overhead but requires manual rule tuning and maintenance; reactive rather than preemptive.

Cloudflare WAF or AWS WAF

Managed, cloud-native WAF with extensive ML/threat intelligence, SLA/support included; higher cost and vendor lock-in; suitable for organizations prioritizing managed security over customization.

Modern, actively maintained WAF library (Go/Rust); rule-based; lighter-weight alternative; no ML, but lower operational complexity and good K8s integration.

Software development agency

Build on openappsec with DEV.co software developers

Evaluate open-appsec in a Kubernetes or Linux environment. Start with the basic ML model in monitor mode, then scale to production with the advanced model and SaaS management.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

openappsec FAQ

What is the difference between the basic and advanced ML models?
Basic model (in repo) is trained offline on global attack patterns; recommended for monitor-only and test environments. Advanced model (portal download) is more accurate and recommended for production; available via my.openappsec.io and updates are pushed via email.
Can I deploy open-appsec without the SaaS management portal?
Yes. Standalone mode allows declarative configuration files and policy management without cloud connectivity. However, advanced ML model and real-time learning unification across agents require SaaS access.
What attachment points are supported?
NGINX, Kong, APISIX, Envoy, and Istio. Attachment (C-based process) bridges HTTP data between reverse proxy/ingress and the security agent; custom adapters for other platforms require development.
Does open-appsec support rate limiting and IP-level access control?
Yes. README mentions IP-level access control is applied upon every HTTP request; topics include rate-limiting. Detailed configuration options require consulting official documentation.

Work with a software development agency

Need help beyond evaluating openappsec? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Ready to Deploy ML-Powered App Security?

Evaluate open-appsec in a Kubernetes or Linux environment. Start with the basic ML model in monitor mode, then scale to production with the advanced model and SaaS management.