openappsec
open-appsec is an open-source machine learning-based Web Application Firewall (WAF) that automatically detects and blocks threats against web apps and APIs. It deploys as an agent on Linux, Docker, or Kubernetes, integrating with NGINX, Kong, APISIX, and Envoy, and uses both pre-trained and environment-specific ML models to identify malicious requests.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | openappsec/openappsec |
| Owner | openappsec |
| Primary language | C++ |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.6k |
| Forks | 126 |
| Open issues | 35 |
| Latest release | 1.1.34 (2026-04-20) |
| Last updated | 2026-05-26 |
| Source | https://github.com/openappsec/openappsec |
What openappsec is
C++ engine with dual ML approach: supervised model (trained offline on millions of requests) and unsupervised model (learns live from protected environment traffic). Deployed as a sidecar/attachment process; requests decoded for HTTP, JSON, XML analysis with IP-level access control. Manages via config files, Helm, or SaaS Web UI.
Get the openappsec source
Clone the repository and explore it locally.
git clone https://github.com/openappsec/openappsec.gitcd openappsec# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Build environment must satisfy C++ compilation requirements (CMake, Boost, OpenSSL, PCRE2, libxml2, GTest, GMock, cURL, Redis, Hiredis, MaxmindDB, yq); pre-built packages simplify but lock to supported NGINX versions.
- Dual ML model strategy: basic model (repo) adequate for test; advanced model (SaaS portal download) required for production accuracy; requires portal access and email updates for model refreshes.
- Agent runs as separate process (nano-agent); attachment mechanism (C-based) bridges HTTP sources (NGINX, Kong, etc.) and agent security logic; IPC overhead and persistent volume management needed.
- Standalone mode (local policy files) vs. managed mode (SaaS portal + token); hybrid modes support token-based registration; state persistence requires dedicated volumes (/etc/cp/conf, /etc/cp/data, /var/log/nano_agent).
- Learning model built in real-time in protected environment; distributed environments use smartsync service (Golang) to correlate and unify models across multiple agents.
When to avoid it — and what to weigh
- Require commercial SLA/support out-of-the-box — Apache 2.0 license permits use but does not include warranty, SLA, or vendor support obligations. Community support and paid SaaS management available separately.
- Cannot compile from source or manage custom NGINX builds — Installation requires either pre-compiled binaries (limited NGINX versions supported) or compilation against external dependencies (Boost, OpenSSL, PCRE2, libxml2, GTest, Redis, MaxmindDB, etc.).
- Need strict air-gapped or offline-only deployment — Advanced ML model download and updates, SaaS management features, and potential cloud-side learning correlation (smartsync) imply internet connectivity for optimal operation.
- Heavy reliance on proprietary WAF rules or legacy policy formats — Policy is declarative (YAML) or K8s annotations; no evidence of migration tools from traditional WAF rule syntax (e.g., ModSecurity CRS).
License & commercial use
Apache License 2.0 (Apache-2.0): permissive, copyleft-free open-source license. Allows commercial use, modification, distribution, and private use. No warranty or liability. Attribution required.
Apache 2.0 permits commercial deployment without license restrictions. However, no explicit vendor support, SLA, or indemnification is conveyed by the license itself. Paid SaaS management platform (SaaS Web UI, advanced ML models, email updates) and professional support are available separately via openappsec.io; verify terms directly with vendor. Requires review of commercial support/SLA offerings for production deployments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Dual ML model design (supervised + unsupervised) reduces false positives via environment-specific learning. No details on input validation, buffer overflow mitigations, or process isolation strength provided in README. Requires review of: threat model for ML model poisoning, secure ML model distribution/updates, IPC security between agent and attachment, storage of learned models and logs, and incident response mechanisms. SaaS management portal security (my.openappsec.io) not documented. CII Best Practices badge noted but specific security audit results unknown.
Alternatives to consider
ModSecurity (OWASP CRS)
Open-source, rule-based WAF; mature, widely deployed, no ML dependency; lower operational overhead but requires manual rule tuning and maintenance; reactive rather than preemptive.
Cloudflare WAF or AWS WAF
Managed, cloud-native WAF with extensive ML/threat intelligence, SLA/support included; higher cost and vendor lock-in; suitable for organizations prioritizing managed security over customization.
Modern, actively maintained WAF library (Go/Rust); rule-based; lighter-weight alternative; no ML, but lower operational complexity and good K8s integration.
Build on openappsec with DEV.co software developers
Evaluate open-appsec in a Kubernetes or Linux environment. Start with the basic ML model in monitor mode, then scale to production with the advanced model and SaaS management.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
openappsec FAQ
What is the difference between the basic and advanced ML models?
Can I deploy open-appsec without the SaaS management portal?
What attachment points are supported?
Does open-appsec support rate limiting and IP-level access control?
Work with a software development agency
Need help beyond evaluating openappsec? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Ready to Deploy ML-Powered App Security?
Evaluate open-appsec in a Kubernetes or Linux environment. Start with the basic ML model in monitor mode, then scale to production with the advanced model and SaaS management.