Managed Security

Layer 7 WAF and DDoS protection — any cloud, no nameserver changes

Shield WAF sits in front of your origin on any hosting provider — AWS, Azure, GCP, DigitalOcean, on-prem — without requiring DNS nameserver changes. Full Layer 7 WAF with managed rules, geo-blocking, rate limiting, and DDoS protection, plus infrastructure scanning for vulnerability detection.

  • 100% Edge Coverage: every request filtered through CloudFront WAF
  • 24/7 Threat Monitoring: automated alerting and incident response
  • <60min Full Scan Cycle: port + SSL + vulnerability per host
  • 0 Config Required: managed rules, updated by AWS automatically

Shield WAF Gateway

A cloud-agnostic Layer 7 WAF that works with any origin — no nameserver migration required. Just a CNAME change and you're protected.

Any Cloud, No Nameserver Changes

Shield works with any origin — AWS, Azure, GCP, DigitalOcean, or on-prem. A simple CNAME is all it takes. No nameserver migration, no Cloudflare lock-in, no disruption to your existing DNS provider.

Layer 7 WAF + DDoS Protection

AWS WAF v2 with managed rule groups: Core Rule Set (XSS, path traversal), SQL injection, known bad inputs, and IP reputation. CloudFront edge absorbs volumetric DDoS attacks before they reach your origin.

Geo-Blocking

Block traffic by country for compliance requirements. Default block list includes CN, RU, KP, IR, and BY. Configurable per domain through the FCP dashboard.

Rate Limiting

Two tiers of rate limiting: general traffic (10K requests per 5 minutes standard, with strict and relaxed options) and login-specific limiting (100 requests per 5 minutes scoped to authentication paths).

SSL/TLS Automation

Certificate provisioning through AWS Certificate Manager with automatic renewal. Domain onboarding includes DNS validation workflow to verify ownership before activation.

Per-Domain Configuration

Each protected domain gets its own configuration: cache profile, WAF profile, geo-blocking rules, and rate limit thresholds. Managed through the FCP dashboard or API.

Infrastructure Scanning

Automated port scanning, SSL monitoring, and vulnerability detection for your hosts. Scheduled or on-demand.

Port Scanning

Nmap scans against the top 1000 TCP ports with service version detection. Policy enforcement flags unexpected open ports against your defined baseline.

SSL/TLS Monitoring

Certificate validity checks, chain-of-trust verification, protocol version assessment, and cipher strength analysis. Catch expiring certs and weak configurations before they cause outages.

Vulnerability Detection

Nuclei templates targeting network and SSL vulnerabilities at medium severity and above. CVE identification for known issues in detected service versions.

Host Inventory

Track every host by IP address, hostname, provider (AWS, DigitalOcean, GCP), environment (production, staging), and type (load balancer, VM, office). Enable or disable hosts for scanning.

Finding Lifecycle

Every finding moves through a defined lifecycle: active, resolved, false positive, or accepted risk. Track remediation progress and maintain an audit trail of security decisions.

Scan Scheduling

Four scan types at different depths: SSL check (~5 min), port scan (~15 min), vulnerability scan (~30 min), and full sweep (~60 min). Schedule recurring scans via cron or trigger on demand.

Full capability list

Shield WAF

  • Cloud-agnostic: works with any origin, no nameserver changes required
  • Layer 7 WAF with managed rules: SQLi, XSS, bad inputs, IP reputation
  • DDoS protection at the edge via CloudFront
  • Geo-blocking by country (configurable per domain)
  • Rate limiting: general traffic and login-specific thresholds
  • SSL/TLS certificate provisioning via ACM with automatic renewal
  • Per-domain configuration for cache profiles and WAF profiles
  • Zero-downtime domain onboarding with CNAME — no DNS migration
  • Bot detection and control per domain

Infrastructure Scanning

  • Port scanning with nmap (top 1000 TCP ports, policy enforcement)
  • SSL/TLS analysis: certificate validity, chain trust, cipher strength
  • Vulnerability detection via Nuclei templates (medium+ severity)
  • Web application scanning via Nuclei HTTP templates
  • Host inventory tracking by IP, provider, and environment
  • Finding lifecycle management (active, resolved, false positive, accepted risk)
  • Scheduled recurring scans on configurable cron intervals
  • Critical finding alerts and notifications
  • Monthly PDF and HTML security reports
  • Compliance framework mapping (SOC 2 Type II, ISO 27001, NIST)
  • OWASP Top 10 web application testing

Pricing

Straightforward pricing based on what you protect.

Shield WAF

Per domain / month

CloudFront CDN, managed WAF rules, geo-blocking, rate limiting, SSL automation, and FCP dashboard access for one domain.

Managed Security Bundle

WAF + Scanning

Everything in Shield WAF plus scheduled infrastructure scans, finding lifecycle management, and remediation guidance. The complete package.

Scanning Add-on

Per host / month

Port scanning, SSL monitoring, vulnerability detection, host inventory, and scheduled recurring scans for one host or IP range.

Ready to protect your infrastructure?

Talk to our team about Shield WAF onboarding and infrastructure scanning for your domains and hosts.