Protect: Security
The Protect stage defends deployed applications and infrastructure with two complementary products:
| Product | Domain | What it protects |
|---|---|---|
| PRX-WAF | Network | HTTP/HTTPS traffic — blocks attacks before they reach your application |
| PRX-SD | Endpoint | Files and processes — detects and removes malware on hosts |
Defense in Depth
Section titled “Defense in Depth”PRX-WAF and PRX-SD cover different layers of the security stack:
Internet traffic │ ▼┌─────────────────────────────┐│ PRX-WAF (Network Layer) ││ 17-phase detection pipeline ││ SQLi · XSS · RCE · DDoS ││ Bot detection · GeoIP │└──────────────┬──────────────┘ │ Clean traffic ▼┌─────────────────────────────┐│ Application Server ││ Files written to disk │└──────────────┬──────────────┘ │ ▼┌─────────────────────────────┐│ PRX-SD (Endpoint Layer) ││ Hash matching · YARA rules ││ Heuristic analysis · ML ││ Real-time file monitoring │└─────────────────────────────┘Automated Response
Section titled “Automated Response”Both products support automated response actions:
| Product | Actions |
|---|---|
| PRX-WAF | Block request, redirect, log-only, rate limit, CrowdSec report |
| PRX-SD | Quarantine file, kill process, clean persistence mechanisms, network isolation |
Notification System
Section titled “Notification System”Both products push alerts through multiple channels:
| Channel | PRX-WAF | PRX-SD |
|---|---|---|
| Webhook (JSON) | Yes | Yes |
| Slack | Yes | Yes |
| Discord | Yes | Yes |
| Telegram | Yes | — |
| Yes | — |
The Vision: Security Feedback Loop
Section titled “The Vision: Security Feedback Loop”In the full OpenPRX pipeline, security events feed back into the development cycle:
- PRX-WAF detects a new attack pattern against your API
- A security event is created as an issue in OpenPR
- An AI agent is dispatched via openpr-webhook to analyze the vulnerability
- The agent patches the code and pushes a fix
- Fenfa distributes the updated build
- PRX-WAF and PRX-SD rules are updated to cover the new pattern
This closes the loop from detection to remediation without manual intervention.
Tech Stack
Section titled “Tech Stack”Both products are built in Rust for performance and memory safety:
| Product | Architecture | Crates |
|---|---|---|
| PRX-WAF | 7-crate workspace on Cloudflare Pingora | Core, rules, detection, admin, notification, cluster, CLI |
| PRX-SD | 11-crate workspace | Core, scanner, signatures, YARA, heuristics, ML, quarantine, sandbox, monitor, CLI, GUI (Tauri) |