Web applications and APIs are critical parts of your attack surface, but managing WAFs has never been easy. False positives, rule tuning, risks of production outages, and log analysis - all of this work has made WAF historically difficult to operationalize.
Well, that time is over. Meet Impart’s WAF Squad, a five-member squad of AI assistant superheroes connected together through the Impart platform, dedicated to making web application security not just manageable, but downright fun! WAF squad is powered by Impart's AgentOS, a platform that seamlessly connects agents together with shared storage, data pipelines, and compute to deliver the security outcomes that modern security teams need.
In this blog post, you’ll see how WAF squad works, and how they will revolutionize how you protect your apps and data - IN PRODUCTION.
WAF is a hard space to play
WAF has always been a historically challenging space to work in because of the intersection of multiple personas within a organization. Unlike other appsec tools like DAST, which are primarily controlled and managed by the application security team with very few other stakeholders, WAF has many stakeholders with different focus areas and priorities. WAF historically has impacted SRE teams, software engineers, architects, SOC teams, as well as application security teams. One tiny mistake by any of these teams can have a huge impact on all of them, which carries significant risk. That’s why so many organizations get so little value out of their WAF, with most of their rules turned off or in non-blocking mode.
At Impart, we have decades of operational experience working with all of these types of teams across hundreds of customers, along a wide range of production environments. Over the years we’ve been able to identify most of the common operational and implementation pitfalls associated with each persona and have developed playbooks and tactics to still be successful.
A Team of Assistants for a Team Sport
Many companies in the information security space have different types of assistants and chatbots bolted onto their SaaS offerings. These assistants have largely been gimmicks, not trusted enough to do anything in production. The most egregious I’ve encountered are AI chatbots which summarize developer documentation for security teams, which is a solution in search of a problem and doesn’t consider the different personas involved in a typical security team.
Our core insight from working in the WAF space for so long is that security is a team sport. It’s not enough to have a general purpose security assistants working on a security problem - there needs to be multiple security assistants, each with a different focus area and different expertise, which work together seamlessly in the same manner that an effective security team works together with other stakeholders in their organization.
How We Designed Our WAF Assistants
Building out a suite of AI-driven WAF Assistants wasn’t just about slapping some algorithms onto a firewall—it was about solving real-world security problems experienced by the people in the trenches. We started by mapping out the key personas in a typical WAF deployment: the SRE responsible for rolling out and monitoring performance, the AppSec engineer tasked with analyzing behavior and spotting threats, the Detection and Response engineer creating effective security policies, the Product Security specialist ensuring alignment with business goals, and the SOC analyst managing day-to-day operations and investigations.
Once we had these roles pinned down, we identified their most critical “jobs to be done,” such as monitoring resource usage, discovering risky endpoints, crafting targeted detection rules, refining policies to meet product objectives, and triaging potential incidents. By translating each job into a set of repeatable tasks, we saw a clear path for AI assistants that could automate or assist these responsibilities. Together, these tasks make up a WAF app.
Integrated using agentOS
To make our assistants work together as a team, we then integrated them using agentOS. AgentOS is comprised of 3 components that can be easily deployed within any cloud environment:
eBPF Observability
Our eBPF-powered observability layer gives agentOS direct access to runtime data in production—everything from HTTP requests and responses to system calls like file operations. It’s entirely dynamic: any runtime data can be inspected, analyzed, modified, or stored for later. This lets agentOS see anything, anywhere, at runtime.
Runtime Data Fabric
Capturing this data can be expensive (one customer sees over 20K RPS for a single app), so we built the Runtime Data Fabric to handle it. Designed for large-scale storage, analysis, and routing of runtime data, the Runtime Data Fabric offers multiple tiers: decentralized storage for ultra-low latency, mid-term storage in Impart’s Cloud, and long-term archiving in your SIEM or data lake. Data remains secure and accessible to any AI assistant, enabling teams of assistants to collaborate on shared datasets.
WASM Sandbox
The most innovative part of agentOS is our WebAssembly (WASM) sandbox, which securely runs any WASM-compiled program in user space. These programs can execute inline at scale—blocking, rate limiting, redirecting, or rewriting live HTTP traffic—powering Impart’s products and AI assistants behind the scenes.
Using these capabilities, it was simple for us to integrate the WAF assistants together into a single application, or squad. Today, our assistants can seamlessly share findings and data with each other: threat findings from one Assistant inform detection rules in another, and policy changes are instantly visible to the entire stack. The end result is a coordinated security “dream team” that unburdens human experts and ensures your WAF remains agile and effective—no matter how quickly your environment changes.
Meet the Dream Team
- Inspector – The detective who uncovers shadow endpoints, outdated libraries, and all those forgotten subdomains. If there’s a dark corner, Inspector’s flashlight finds it.
- Rule Writer – The coding wizard turning Inspector’s insights into targeted, accurate WAF rules. No more bloated rule sets that miss the mark.
- Architect – The master planner ensuring your security policies scale effortlessly across cloud, hybrid, or on-prem. Whether you’re building a small fortress or a mega-fortified city, Architect has you covered.
- SOC Analyst – The 24/7 sentinel, correlating alerts in real time and triaging incidents before they blow up. Think of it as your trusty night watch.
- Installer – The DevOps whiz who rolls out WAF deployments without the drama. Quick, painless, and no downtime migraines.
Alone, each Assistant shines. Together, they’re an all-star team capable of thwarting zero-day threats, locking down new APIs, and ensuring your security strategy doesn’t crumble under the next wave of attacks.
How They Work Together on Impart
Imagine a platform where all five heroes hang out, share intel, and tackle threats the moment they appear. That’s Impart AgentOS. Instead of bouncing between separate dashboards, you get a single command center. Inspector flags a suspicious endpoint? Great—Rule Writer can generate the necessary protection. Architect tests, approves, and deploys the policy, and SOC Analyst keeps watch for any follow-up threats. It’s the definition of teamwork, only you’re not wrangling five different tools or stakeholders manually to make it happen.
Conclusion & Call to Action
The WAF Assistants represent a new era of web security—smarter, faster, and infinitely more collaborative. By offloading repetitive tasks and maintaining real-time communication across the Impart platform, they free your human experts to focus on strategy, innovation, and high-level risk management.
Ready to see them in action? Click here to sign up for an upcoming deep-dive or book a live demo. Your security posture is about to get a serious upgrade—let the WAF Assistants show you what true teamwork can achieve.