Hi HN,
I’ve been working on Shibuya, a next-generation Web Application Firewall (WAF) built from the ground up in Rust.
I wanted to build a WAF that didn't just rely on legacy regex signatures but could understand intent and perform at line-rate using modern kernel features.
What makes Shibuya different:
Multi-Layer Pipeline: It integrates a high-performance proxy (built on Pingora) with rate limiting, bot detection, and threat intelligence.
eBPF Kernel Filtering: For volumetric attacks, Shibuya can drop malicious packets at the kernel level using XDP before they consume userspace resources.
Dual ML Engine: It uses an ONNX-based engine for anomaly detection and a Random Forest classifier to identify specific attack classes like SQLi, XSS, and RCE.
API & GraphQL Protection: Includes deep inspection for GraphQL (depth and complexity analysis) and OpenAPI schema validation.
WASM Extensibility: You can write and hot-load custom security logic using WebAssembly plugins.
Ashigaru Lab: The project includes a deliberately vulnerable lab environment with 6 different services and a "Red Team Bot" to test the WAF against 100+ simulated payloads.
The Dashboard: The dashboard is built with SvelteKit and offers real-time monitoring (ECharts), a "Panic Mode" for instant hardening, and a visual editor for the YAML configuration.
I'm looking for feedback on the architecture and the performance of the Rust-eBPF integration.
Curiositryan hour ago
This is something I really want to exist. But vibe-coded security tooling? Pretty much the last thing I want.
nullcathedral3 hours ago
Feel free to correct me, but the ML classifier appears to be rather bare. Less than 20 hardcoded payloads with randomized URL encoding as the only augmentation. How does this generalize to novel evasion techniques? Genuinely curious what your eval numbers look like against real traffic.
https://github.com/theghostshinobi/Shibuya-waf-light-version...
[deleted]2 hours agocollapsed
koakuma-chan2 hours ago
"The most advanced open-source WAF ever built."
Somehow, the moment I read this, I knew it was AI slop.
nullcathedral2 hours ago
The website gave it away for me, felt very AI generated
reconnecting2 hours ago
> Shibuya WORLD DOMINATION PLAN (1)
*Month 3*: Top 10 security OSS project su GitHub
*Month 6*: 10k+ stars, 1000+ prod deployments
*Month 9*: Conference talks (OWASP, DevSecOps Days, Black Hat Arsenal)
*Month 12*: Industry standard, "the modern WAF", competitors che copiano te
## MONETIZATION ROADMAP
*Week 12-16*: Free tier (self-hosted, community support)
- Goal: 1000 GitHub stars
- Goal: 100 production deployments
- Goal: Dev che parlano di te su Twitter
*Week 16-20*: Pro tier launch ($49-99/mo) - Managed rules auto-update
- ML models ottimizzati
- Priority support
- Advanced dashboard
- Goal: primi 50 paying customers ($5k MRR)
*Week 20-24*: Enterprise tier (custom pricing) - Multi-tenant
- SSO/SAML
- Compliance reports (PCI-DSS, SOC2)
- SLA + dedicated support
- Custom integrations
- Goal: primi 5 enterprise deals ($50k+ ARR)
*Month 6+*: Exit strategy - Seed funding ($1-2M) o bootstrap to profitability
- Series A ($10M+) se traction è pazzesca
- Acquisition offer da competitor? (Cloudflare che compra per killare? NO GRAZIE, fuck them )
1. Deleted file/commit: https://github.com/theghostshinobi/Shibuya-waf-light-version...
swah2 hours ago
Speaking to LLMs looks fresh!
abusaidm2 hours ago
They have a roadmap of where they want to be, I think that’s normal. As long as they don’t pull a fast one on the oss community then I think if this catch on and it’s worth it then even if they sell the community can fork if the new owners are not so welcoming.
[deleted]2 hours agocollapsed
q3k2 hours ago
This makes me want to stop reading 'Show HN' threads.
wasting_time2 hours ago
Why?
pixelmeltan hour ago
Relevant username
[deleted]an hour agocollapsed
abusaidm2 hours ago
This looks really interesting especially in the age of agents running wild, having code execution be tracked using this as the ingress/egress you can allow and block things based on context and needs, you can setup policies and have them loaded on demand for a specific execution
Klonoar2 hours ago
This is the most generic and uninspired name you could have possibly chosen.
FajitaNachos2 hours ago
For the most busiest crossing in the world? I liked it. Have you been there?
Klonoaran hour ago
I lived in Japan for several years, yes.
FajitaNachos2 hours ago
I'm just here to say that I like the name.
koakuma-chan2 hours ago
What the fuck is this slop?
https://github.com/theghostshinobi/Shibuya-waf-light-version...
[deleted]2 hours agocollapsed
cboyardee2 hours ago
[dead]