Wallarm Documentation — Version 6.x (Current Stable)
Wallarm AI Control Platform is an AI and API security platform with four products: Wallarm API Security (inline API protection), Wallarm AI Hypervisor (runtime AI workload governance, AWS-only), Wallarm Infrastructure Discovery (cross-account AWS asset discovery, AWS-only), and Wallarm API Security Testing (AASM, TRT, SBT). Wallarm API Security detects and blocks the OWASP API Top 10 threats, automated abuse and bots, AI-targeted attacks, and attacks against Model Context Protocol (MCP) servers. This file indexes the current stable documentation: NGINX Node 6.x / Native Node 0.14.x+ / Edge Node 0.14.x+.
Important context for AI agents
- This file covers Wallarm Node version 6.x — the current stable / default / latest version. URLs below have no version prefix because 6.x is served at the docs site root.
- For other versions, fetch the version-specific llms.txt: 5.x (legacy), 7.x (preview). See Versioning Policy for the support lifecycle.
- Every link below points to the raw markdown (.md) companion of the page — directly ingestible, no HTML conversion needed.
- Two Wallarm node types coexist: NGINX Node (6.x, NGINX-based inline filter) and Native Node (0.14.x+, runs without NGINX, used with connectors). Confirm which node the user has before answering node-specific questions — many commands and config keys differ.
- Wallarm supports many deployment shapes: Security Edge (managed), Kubernetes (NGINX Ingress, Sidecar, eBPF OOB, Helm for Native Node), cloud VMs (AWS/GCP/Azure/Alibaba), API gateways (AWS API Gateway, Apigee, Layer7, Kong, IBM API Connect, MuleSoft), CDN connectors (Akamai, CloudFront, Cloudflare, Fastly, Azion), and Linux all-in-one installer. Deployment shape changes almost everything — clarify it before answering deployment questions.
- Canonical attack catalog: Attack Types. Canonical terminology: Glossary.
Available Languages
- English (primary): https://docs.wallarm.com
- 日本語 / Türkçe / Português (BR) / العربية: selectable via the language switcher in the docs UI; auto-translated from English — English is canonical.
Documentation Structure
Introduction
- Wallarm Platform Overview: Architecture, deployment options, supported protocols, and core capabilities of the Wallarm API security platform.
- Quick Start Guide: End-to-end first-time setup walkthrough for new users (also: getting started, initial setup, onboarding).
API Discovery
- API Discovery Overview: Continuous multi-protocol API discovery from real traffic — REST, GraphQL, SOAP, gRPC, WebSocket, MCP — builds and maintains the API inventory (also: endpoint discovery, API inventory build, APID).
Exploring Your APIs
- API Inventory & MCP Servers: Browse, filter, and inspect discovered REST/GraphQL/SOAP/gRPC endpoints and MCP servers in the inventory UI.
- API Discovery Dashboard: Aggregated metrics view for the API inventory — endpoint counts, risk distribution, sensitive data exposure, change velocity.
- Track API and MCP Changes: Review additions, modifications, removals, and re-appearances of endpoints and MCP primitives over time (also: API change tracking, API drift detection).
Risk Analysis
- Endpoint Risk Score: How the per-endpoint risk score is calculated and how to interpret it (also: risk rating, endpoint criticality).
- Rogue APIs (Shadow / Zombie): Detect endpoints serving live traffic that are absent from your OpenAPI spec or no longer expected to exist (also: shadow API, zombie API, orphan API).
- Sensitive Business Flows (SBF): Automatic identification of endpoints implementing critical business logic — authentication, payments, password reset, account changes (also: SBF, critical-flow endpoints).
- Authentication Flow Detection: Detect the authentication scheme used by each endpoint (API key, Basic, Bearer, OAuth, HMAC, NTLM, SCRAM, etc.) and surface unauthenticated endpoints (also: auth scheme detection, unauthenticated endpoint detection).
- Sensitive Data Detection: Detect and label endpoints that consume or return sensitive data — PII, credentials, financial, health (also: PII detection, data classification, sensitive parameter detection).
- API Discovery Setup & Configuration: Enable API Discovery, set required node version, configure traffic sampling and parameter customization.
API Protection
- API Protection Overview: The advanced (paid) API and AI protection feature set above the basic cloud-native WAAP (also: advanced API security, API runtime protection).
- Attack Prevention Best Practices: Recommended baseline configuration of blocking modes, rules, and thresholds for production traffic.
API Session Security
- API Sessions Overview: Group requests into per-user sessions to analyze behavior across multiple endpoints (also: session reconstruction, user-session visibility).
- API Sessions Setup: Configure session-identifying headers/cookies/JWT claims and session context parameters; requires NGINX Node 5.1.0+ or Native Node 0.8.0+.
- Exploring API Sessions: Filter, inspect, and pivot on reconstructed user sessions in the Console.
- MCP Sessions: Group MCP tool calls, resource reads, and prompt invocations into sessions keyed by MCP-SESSION-ID (also: MCP session reconstruction).
- Session Blocking: Block all requests belonging to a session that exhibited malicious behavior (also: session-level blocking, session ban).
- Business Logic Abuse Detection: LLM-based detection of business-logic abuse (price manipulation, free-tier farming, etc.) within sessions (also: BLA, logic flaw detection).
API-Specific Protection
- BOLA Protection: Detect and block Broken Object Level Authorization on endpoints with identifier variability (also: IDOR, authorization bypass, object-level access).
- Enumeration Attack Protection: Block parameter/identifier enumeration that probes for valid IDs, usernames, or coupon codes (also: ID enumeration, username enumeration, scraping).
- GraphQL Protection: GraphQL-aware request analysis — depth/complexity limits, introspection control, and standard attack detection on GraphQL payloads.
- File Upload Restriction: Restrict allowed file types, size, and upload patterns to prevent OWASP API Top 10 "Unrestricted Resource Consumption" abuse.
AI Agent Protection
- Agentic AI Protection Overview: API-level protection of AI agents, AI proxies, and AI-enabled APIs (also: AI runtime protection, LLM gateway protection).
- AI Payload Inspection: LLM-based detection of prompt injection, system-prompt leakage, and jailbreaks in AI payloads (also: prompt injection detection, LLM input/output inspection).
- MCP Mitigation Controls: MCP-specific policies — ACL by method/primitive/user/role, request verification, tool input schema enforcement (also: MCP ACL, MCP policy).
Bot Management (API Abuse Prevention)
- API Abuse Prevention Overview: Detect and mitigate malicious bots performing scraping, account takeover, scalping, content abuse (also: bot detection, bot management, anti-bot, automated traffic protection).
- API Abuse Prevention Setup: Enable bot detection, choose blocking mode, configure exposed endpoints.
- Exploring Detected Bots: Drill into the 30-day rolling view of detected bot activity by type and target.
- Bot Detection Exceptions: Mark known-legitimate bots (search crawlers, monitoring) and disable detection per endpoint (also: bot allowlist, bot exception rules).
API Specification Enforcement
- API Spec Enforcement Overview: Positive-security enforcement of uploaded OpenAPI / GraphQL specs — block any request that violates the schema (also: schema validation, positive security model, OAS enforcement).
- API Spec Enforcement Setup: Upload the spec, choose enforced endpoints, set blocking behavior.
- API Spec Enforcement Events: View and triage requests blocked or flagged by spec enforcement.
Credential Protection
- Credential Stuffing Detection: Detect login attempts using leaked credential pairs (also: account takeover, ATO detection, password reuse attack).
Threat Protection (WAAP)
- WAAP Overview: The Cloud-Native WAAP layer — web application & API firewall for the OWASP Top 10 (also: WAF, web application firewall, API firewall).
- Attack Detection & Handling: How Wallarm detects malicious traffic in real-time and what actions it takes (block / monitor) under each filtration mode.
- Brute Force Protection: Configure rate-based detection of brute-force attacks on login and similar endpoints (also: credential brute-forcing, password spraying).
- Forced Browsing Protection: Detect attempts to access non-listed or hidden resources by URL guessing (also: directory enumeration, path bruteforce).
- Multi-Attack Thresholds: Block sources sending many malicious requests in a window, even when individual requests would otherwise be allowed.
- DoS Protection: Mitigate application-layer DoS through resource exhaustion (also: layer-7 DoS, API resource exhaustion).
- DDoS Protection: Mitigate distributed volumetric denial-of-service attacks (also: volumetric DDoS, L3/L4 DDoS).
- IP Filtering / IP Lists: Allowlist or denylist IPs, networks, countries, or data centers (also: IP allowlist, IP denylist, IP block).
- Filtration Mode: Per-app or global filtering mode (off / monitoring / safe-blocking / blocking) controlling whether the node blocks or only reports.
Mitigation Controls
- Mitigation Controls Overview: Advanced fine-tuning layer on top of basic attack detection — ACL policies, request verification, schema enforcement (also: advanced policies, advanced rules).
Rules (WAF)
- Rules (WAF) Overview: Custom rules that fine-tune WAF detection per branch/endpoint — exceptions, parser overrides, attack indicators (also: custom rules, WAF tuning, exceptions, rule branches).
- Rate Limiting: Per-endpoint or per-source request rate caps (also: throttling, request limiting, RPS limits).
- Virtual Patching: Block requests matching a specific CVE/vulnerability pattern without changing application code (also: vpatch, hotpatch, runtime patching).
- Custom Regex Rules: Define custom attack indicators using regular expressions on chosen request parts (also: regex rule, custom detector).
- Sensitive Data Masking: Mask sensitive request parts so they are not stored or exported (also: data masking, PII masking, redaction).
- Request Parser Configuration: Override how the node parses specific endpoints/parameters (JSON, XML, etc.).
- Response Header Manipulation: Add, remove, or replace response headers (also: HSTS, CSP injection rule).
- Overlimit Detection Configuration: Tune behavior when request processing exceeds the per-request time budget.
API Security Testing
- Security Testing Overview: The suite of pre-production and runtime test capabilities (Threat Replay, Schema-Based, Postman) (also: DAST, API testing).
Threat Replay Testing
- Threat Replay Testing Overview: Re-run real-world attacks as harmless safety tests to discover vulnerable endpoints (also: replay testing, attack replay).
- Threat Replay Testing Setup: Enable and configure Threat Replay Testing.
- Threat Replay Testing Results: Explore test outcomes and prioritize discovered issues.
Schema-Based Testing
- Schema-Based Testing Overview: Shift-left DAST that probes endpoints listed in an OpenAPI / GraphQL schema (also: schema DAST, OpenAPI testing, shift-left testing).
- Schema-Based Testing Setup: Upload schema, configure auth, schedule runs.
- Schema-Based Testing Results: Browse test runs and reported findings.
API Security Testing via Postman
- Postman Testing Overview: Run passive security tests on Postman collections (also: Postman tests, passive API testing).
- Postman Testing Setup: Connect Postman to Wallarm and authorize collections.
- Postman Testing Results: View results in Postman AI Mode or in Wallarm Console.
API Attack Surface Management (AASM)
- AASM Overview: Agentless external attack surface management for APIs (also: EASM, external attack surface, API ASM).
- AASM Setup: Configure domains, scope, and scan cadence.
- API Surface Discovery (AASD): External enumeration of hosts and API endpoints reachable from the internet (also: subdomain enumeration, exposed API discovery).
- AASM Security Issues: Misconfigurations and risks found on discovered external hosts.
- Detecting Vulnerabilities: How Wallarm passively detects application vulnerabilities from live traffic (also: passive vulnerability detection, vuln detection).
Deployment
- All Deployment Options: Decision matrix of all supported deployment shapes — start here when choosing how to deploy.
Security Edge (Managed)
- Security Edge Overview: Wallarm-managed deployment of nodes in geographically distributed PoPs — no infrastructure to run (also: managed edge, SaaS deployment).
- Security Edge Free Tier: Free Security Edge tier — up to 500,000 requests per month.
Security Edge Inline
- Security Edge Inline Overview: Inline managed Edge Nodes proxying traffic to your origin.
- Security Edge Inline Deployment Guide: Step-by-step onboarding of an inline Edge deployment.
- Edge Inline Access Control Lists: Edge ACLs by IP / network / country / data center.
- Edge Inline Cache Rules: Configure response caching at the Edge.
- Edge Inline Custom Block Page: Customize the HTTP 403 block page served when Edge blocks a request.
- Edge Inline Host Redirection: Redirect requests between hosts at the Edge to unify entry points.
- Edge Inline mTLS Configuration: Mutual TLS between the Edge Node and your origin (client certificate auth).
- Edge Inline Multi-Region Deployment: Deploy Edge Nodes across multiple regions / cloud providers for geo-redundancy.
- Edge Inline NGINX Overrides: Override NGINX directives on Edge at server / location level.
- Edge Inline Upgrade & Management: Manage Edge configuration and upgrade Edge Nodes from the Console.
Security Edge Telemetry Portal
- Edge Telemetry Portal Overview: Grafana dashboards with real-time Edge metrics — overview.
- Edge Telemetry Main Dashboard: "Portal Inline Main" dashboard — traffic, latency, blocks.
- Edge Telemetry Logs Dashboard: "Portal Inline Logs" dashboard — request and access logs.
- Security Edge Connectors: Managed connector deployments via Security Edge for non-inline integrations.
Kubernetes
- Istio Connector: Secure Istio-managed APIs via the Wallarm Connector for Istio Ingress.
- Gloo Gateway Connector: Secure Gloo Gateway (Gloo Edge) APIs via the Wallarm Connector.
NGINX Ingress Controller
- Wallarm NGINX Ingress Deployment: Deploy the F5 NGINX-based Wallarm Ingress controller on Kubernetes (also: K8s ingress, kubernetes installation, Helm install).
- NGINX Ingress Configuration Options: Full Helm chart values reference for the Wallarm Ingress controller.
- NGINX Ingress High Availability: HA / resilience guidance for the Wallarm Ingress controller.
- NGINX Ingress Monitoring: Monitoring guidance specific to the Wallarm Ingress controller.
- NGINX Ingress Real Client IP: Configure the controller to extract the originating client IP behind proxies.
- Chaining Wallarm with Other Ingress Controllers: Run the Wallarm Ingress controller alongside an existing primary ingress.
- Kong Ingress Controller Connector: Secure Kong Ingress-managed APIs via the Wallarm connector.
Helm Chart for Native Node
- Native Node Helm Chart Deployment: Deploy the standalone Native Node on Kubernetes via Helm.
- Native Node Helm Chart Configuration: values.yaml reference for the Native Node Helm chart.
Sidecar Proxy
- Sidecar Proxy Deployment: Run the NGINX-based Wallarm node as a per-pod sidecar (also: K8s sidecar, ambient mode).
- Sidecar Proxy Helm Chart: Helm chart reference for the Wallarm sidecar.
- Sidecar Proxy Customization: Safe customization patterns for the sidecar solution.
- Sidecar Pod Annotations: Per-pod sidecar configuration via Kubernetes annotations.
- Sidecar Scaling Guide: Scaling, HA, and resource allocation for the sidecar.
eBPF (Out-of-Band)
- eBPF OOB Deployment: eBPF-based out-of-band traffic inspection on Kubernetes (Beta) (also: OOB inspection, traffic mirror, kernel-level capture).
- eBPF OOB Helm Chart: Helm chart reference for the eBPF OOB deployment.
- eBPF OOB Packet Selection: Scope the traffic mirror by pod / namespace / protocol.
Cloud Platforms
AWS
- Wallarm NGINX Node AMI for AWS: Pre-built EC2 AMI of the NGINX Wallarm Node — fastest way to launch on AWS.
- Wallarm Native Node AMI for AWS: Pre-built EC2 AMI of the Native Node, intended for use with connectors and TCP traffic mirror.
- NGINX Node Docker on AWS ECS: Deploy the NGINX Node Docker image to Amazon ECS.
Terraform Module (AWS)
- Terraform Module Overview: Wallarm-provided Terraform module for deploying the node to AWS (also: IaC, terraform deploy).
- Terraform — Wallarm in a VPC: Deploy Wallarm as an inline proxy in an existing AWS VPC.
- Terraform — Wallarm in front of API Gateway: Protect Amazon API Gateway with Wallarm deployed inline in a VPC.
- AWS WAF Integration: Layered protection combining AWS WAF (perimeter) with Wallarm (API security).
- AWS Cost Estimation: Typical AWS infrastructure costs for running Wallarm NGINX Nodes via AMI.
AWS Autoscaling
- AWS Autoscaling Overview: Auto-scale Wallarm filtering nodes on EC2 to match traffic.
- Create AWS AMI Image: Build a custom Wallarm AMI for use in an Auto Scaling Group.
- AWS Autoscaling Group Setup: Create and configure the Auto Scaling Group for Wallarm nodes (requires Wallarm "Administrator" or "Deploy" rights).
- AWS Load Balancing for Wallarm: Create an AWS load balancer in front of the Wallarm ASG.
- Routing Traffic to the Wallarm Node on AWS: Configure ALB, NLB, CloudFront, or API Gateway to send all traffic through the Wallarm Node and lock down direct origin access.
GCP
- Wallarm NGINX Node Machine Image for GCP: Pre-built Compute Engine image of the NGINX Wallarm Node.
- NGINX Node Docker on GCE: Deploy the NGINX Node Docker image on Google Compute Engine.
GCP Autoscaling
- GCP Autoscaling Overview: Auto-scale Wallarm nodes on GCP Managed Instance Groups.
- Create GCP Image: Build a custom Wallarm Compute Engine image.
- GCP Instance Template: Define the instance template used by the Managed Instance Group.
- GCP Managed Instance Group: Create the MIG and configure its autoscaling policy.
- GCP Load Balancing for Wallarm: Configure a Google load balancer in front of the Wallarm MIG.
Azure
- Azure Container Instances Deployment: Deploy the NGINX Node Docker image to Azure Container Instances.
Alibaba Cloud
- Alibaba Docker on ECS: Deploy the NGINX Node Docker image to Alibaba Cloud ECS.
- Heroku Deployment: Deploy Wallarm in front of a Heroku-hosted application via Docker image.
- Private Cloud Deployment: Run Wallarm in a private / dedicated cloud environment.
- Cloud-Init Script: Bootstrap Wallarm nodes via cloud-init for IaC workflows.
API Gateways
- AWS API Gateway Connector: Build an API inventory and protect APIs managed by Amazon API Gateway.
- Broadcom Layer7 API Gateway Connector: Secure Layer7-managed APIs via the Wallarm connector.
- Kong API Gateway Connector (Standalone): Lua-plugin connector for standalone Kong API Gateway.
CDN
- Akamai EdgeWorkers Connector: Forward traffic from Akamai EdgeWorkers to a Wallarm Node for inspection.
- AWS CloudFront Connector (Lambda@Edge): Wallarm connector for CloudFront via Lambda@Edge.
- Azion Edge Connector: Wallarm connector for Azion Edge.
- Cloudflare Connector: Wallarm connector for Cloudflare (Workers-based).
- Fastly Connector: Wallarm connector for Fastly Compute@Edge.
API Management Platforms
MuleSoft
- MuleSoft Flex Gateway Connector: Secure MuleSoft Flex Gateway-managed APIs (Mule and non-Mule).
- MuleSoft Mule Gateway Connector: Secure Mule APIs managed by Mule Gateway.
- Azure API Management Connector: Secure APIs managed by Azure API Management (APIM).
- Apigee Connector: Secure APIs managed by Apigee API Management.
- IBM API Connect Connector: Proxy IBM API Connect traffic through an external Wallarm node.
TCP Traffic Mirror
- TCP Traffic Mirror Deployment: Wallarm filtering node deployment for OOB analysis of mirrored TCP traffic (also: SPAN, port mirror, OOB inspection).
Packages & Containers
Linux (All-in-One Installer)
- All-in-One Installer for NGINX Node: One-command Linux installer for the NGINX Wallarm Node — supported on major distributions.
- All-in-One Installer for Native Node: One-command Linux installer for the standalone Native Node.
Docker
- Docker Image for NGINX Node: Run the NGINX Wallarm Node from the official Docker image (x86_64 and ARM64).
- Docker Image for Native Node: Run the standalone Native Node from the official Docker image.
- NGINX Node Configuration Reference: Full directive reference for the self-hosted NGINX Wallarm Node.
- Native Node Configuration Reference: Full .yaml reference for the self-hosted Native Node (all-in-one / Docker / AMI).
Special Setups
Multi-Tenant Node
- Multi-Tenant Node Overview: One Wallarm node protecting multiple isolated tenants (also: multitenancy, MSSP deployment).
- Multi-Tenant Configure Accounts: Correctly configure tenant accounts in the Cloud.
- Deploy Multi-Tenant Node: Deploy the multi-tenant node.
- Separate Postanalytics Module: Run the postanalytics (statistics) stage on a separate server from the filtering node.
- Custom NGINX Version: Build Wallarm for an NGINX version not covered by the standard packages.
- Request a Custom Deployment Option: Request support for a deployment shape not currently listed.
Deployment Reference
- Inline Traffic Flow: Conceptual overview of inline deployments — Wallarm in the request path.
- Out-of-Band Traffic Flow: Conceptual overview of out-of-band deployments — Wallarm inspecting mirrored traffic.
- NGINX vs. Native Node Comparison: Architecture comparison of the NGINX Node and the Native Node — critical reading before choosing a node type.
- Connector Architecture Overview: How connectors integrate Wallarm with external gateways and CDNs.
Maintenance
- Maintenance Overview: Index of maintenance, monitoring, and upgrade topics for a running deployment.
Nodes & Infrastructure
- Nodes Section of the Console: Manage self-hosted nodes from Wallarm Console.
- Resource Allocation for the Node: CPU and memory sizing guidance for the NGINX Wallarm Node (also: capacity planning, node sizing).
- Control over Export to Cloud: What request data leaves the node and how to restrict it (also: data export control, request-data privacy).
- Cloud Synchronization: How the node syncs configuration and rules with Wallarm Cloud.
- Proxy Configuration for Wallarm API: Route node-to-Cloud traffic through an HTTP/HTTPS proxy.
- Block Page Configuration: Customize the page and HTTP code returned when the node blocks a request.
- Handling Invalid Headers: Preserve headers with characters NGINX considers invalid (e.g. .).
- JA3 Fingerprinting: Enable JA3 TLS client fingerprinting on the Wallarm Node.
- Wallarm Terraform Provider: Manage Wallarm Cloud configuration as code via the official Terraform provider (also: IaC, terraform).
Monitoring & Metrics
NGINX Node Metrics
- NGINX Node Prometheus Metrics — Overview: The metrics exposed by the NGINX Node in Prometheus format.
- NGINX Node — Postanalytics Metrics: Postanalytics module / service runtime metrics for the NGINX Node.
- NGINX Node — wcli Controller Metrics: Metrics of the wcli controller component of the NGINX Node.
- NGINX Node — API Firewall Metrics: Metrics exposed by the API Firewall component of the NGINX Node.
Native Node Metrics
- Native Node Prometheus Metrics — Overview: The metrics exposed by the Native Node in Prometheus format.
- Native Node — Postanalytics Metrics: Postanalytics module / service runtime metrics for the Native Node.
- Native Node — Runtime Metrics: Native Node runtime metrics (Go-process metrics).
- Statistics Service (wallarm-status): Local wallarm-status service exposing node statistics.
- Node Logging: Where node log files live and how to configure logging.
- Failover Configuration: High-availability and failover patterns for the filtering node.
- Post-Install Health Check: Checklist to confirm correct operation after a new node deployment (also: UAT checklist, post-install verification).
Upgrades & Migration
- Wallarm Node Versioning Policy: Versioning scheme, release cadence, support window for NGINX / Native / Edge nodes.
- Upgrade General Recommendations: Recommended pre-upgrade safety steps and rollback considerations.
- What's New in 6.x: Notable changes when upgrading to 6.x — including Ingress Controller artifact changes.
- NGINX Node Changelog (Artifact Inventory): Available NGINX Wallarm Node 6.x versions across form factors (also: NGINX node release notes).
- Native Node Changelog (Artifact Inventory): Available Native Wallarm Node 0.14.x+ versions across form factors (also: Native node release notes).
NGINX Node Upgrade Instructions
- Upgrade — DEB/RPM Packages: Upgrade Wallarm NGINX modules installed from DEB/RPM packages to the latest 6.x.
- Upgrade — Separate Postanalytics Module: Upgrade a standalone postanalytics server to the latest 6.x.
- Upgrade — All-in-One Installer: Upgrade a Wallarm node installed via the all-in-one installer to the latest 6.x.
- Upgrade — Docker Image: Upgrade a running NGINX-based Docker image to the latest 6.x.
- Migrate to the Wallarm NGINX Ingress Controller: Migrate off the Community Ingress NGINX controller onto the Wallarm-maintained one.
- Community Ingress NGINX Retirement: Background and timeline for the November 2025 retirement of the Community Ingress NGINX project.
- Upgrade — Sidecar Proxy: Upgrade the Wallarm Sidecar solution to the latest 6.x.
- Upgrade — Cloud Image: Upgrade cloud node images deployed on AWS / GCP to the latest 6.x.
- Upgrade — Multi-Tenant Node: Upgrade the multi-tenant node to the latest 6.x.
Native Node Upgrade Instructions
- Upgrade — Native All-in-One Installer: Upgrade a Native Node installed via the all-in-one installer.
- Upgrade — Native Helm Chart: Upgrade a Native Node deployed via Helm.
- Upgrade — Native Docker Image: Upgrade a Native Node deployed from the Docker image.
- Connector Code Bundle Release Notes: Versions of connector code bundles compatible with the Native Node (MuleSoft, Cloudflare, etc.).
Operations
- Learning Request Volume: Measure incoming request volume — needed for licensing/billing decisions.
- Wallarm Scanner IP Addresses: The fixed list of US/EU/ME Cloud IPs Wallarm uses for active scans (allowlist these on origin).
Troubleshooting
- Troubleshooting Overview: Index of common troubleshooting scenarios.
- Troubleshooting — Detection & Blocking: Diagnose why expected attacks are not showing in the Cloud or not being blocked.
- Troubleshooting — Detection Tools Tuning: Tune Wallarm detection tools for false positives / negatives.
- Troubleshooting — Performance: Diagnose high CPU / latency / slow request processing on the Wallarm node.
- Real Client IP Behind a Proxy: NGINX configuration to extract the originating client IP behind another proxy / LB.
- End-User Problems After Install: Common end-user-visible errors after installing the NGINX Wallarm node.
- Wallarm Ingress Controller Troubleshooting: Common issues during Wallarm NGINX Ingress installation.
- Wallarm Cloud Outage Behavior: How Wallarm nodes behave when the Wallarm Cloud is unavailable (also: cloud down, cloud outage).
- OWASP Dashboard Alerts: Node sync error messages shown on the OWASP dashboards.
- Wallarm Lines in NGINX Error Log: Decode common Wallarm-related lines in the NGINX error log.
- Dynamic DNS Resolution in NGINX: Configure NGINX dynamic DNS resolution for upstreams (vs. resolve-once-at-start behavior).
Integrations
- Integrations Overview: The catalog of available outbound integrations from Wallarm (also: webhooks, SIEM connectors, messaging).
Messaging & Alerts
- Email Integration: Send scheduled reports and instant notifications via email.
- Slack Integration: Send Wallarm notifications to a Slack channel.
- Microsoft Teams Integration: Send Wallarm notifications to a Microsoft Teams channel.
- Telegram Integration: Send scheduled reports to a Telegram chat.
Incident Management
- PagerDuty Integration: Page on-call via PagerDuty (also: on-call paging, incident escalation).
- Opsgenie Integration: Page on-call via Opsgenie.
- Jira Integration: Create Jira issues from Wallarm events (supported Jira versions noted in the article).
- ServiceNow Integration: Create ServiceNow tickets from Wallarm events.
- Rapid7 InsightConnect Integration: Send Wallarm events to Rapid7 InsightConnect playbooks.
SIEM & Analytics
- Splunk Integration: Forward Wallarm events to Splunk (also: SIEM, log forwarding).
- Sumo Logic Integration: Forward Wallarm events to Sumo Logic.
- Microsoft Sentinel / Azure Monitor Logs: Forward Wallarm events to Microsoft Sentinel / Azure Monitor.
- Datadog Integration: Forward Wallarm events to Datadog via the Datadog API key.
Log Collectors
- Fluentd Integration: Send Wallarm JSON webhooks to Fluentd.
- Logstash Integration: Send Wallarm JSON webhooks to Logstash.
Integration Examples (Webhook Recipes)
- IBM QRadar via Fluentd: Wallarm → Fluentd → IBM QRadar.
- IBM QRadar via Logstash: Wallarm → Logstash → IBM QRadar.
- Splunk via Fluentd: Wallarm → Fluentd → Splunk.
- Splunk via Logstash: Wallarm → Logstash → Splunk.
- ArcSight via Fluentd: Wallarm → Fluentd → Micro Focus ArcSight.
- ArcSight via Logstash: Wallarm → Logstash → Micro Focus ArcSight.
- Datadog via Fluentd / Logstash: Wallarm → Fluentd or Logstash → Datadog.
Cloud Storage
- Amazon S3 Integration: Export hit data to an S3 bucket every 10 minutes.
- MinIO Integration: Export hit data to an S3-compatible MinIO bucket every 10 minutes.
Webhooks
- Generic Webhook Configuration: Send instant notifications via HTTPS webhook to any system.
DevSecOps
- Verify Docker Image Signature: Verify the cryptographic signature of Wallarm Docker images.
- Generate SBOM for Docker Images: Generate a Software Bill of Materials for Wallarm Docker images.
Platform Management
- Platform Management Overview: Index of platform admin topics — users, dashboards, monitoring, triggers, settings.
Dashboards
- Threat Prevention Dashboard: Top-level malicious-traffic dashboard for a chosen time window.
- API Discovery Dashboard (Platform): API inventory dashboard in the Platform Management section.
- OWASP API Top 10 Dashboard: Measure exposure to each OWASP API Top 10 risk category.
- Business Intelligence Dashboards: Build custom dashboards from Wallarm telemetry (also: BI, custom dashboards).
Monitoring & Events
- Event Overview: How Wallarm's Threat Management surfaces attacks and incidents in real time.
- Analyzing Attacks: Investigate a single attack record in the Console.
- Analyzing Incidents: Investigate an incident — an attack that hit a known vulnerability.
- Hit Grouping & Sampling: How hits are grouped into attacks and how Wallarm samples for storage.
- Security Issues (Vulnerabilities): Passively detected application vulnerabilities (also: vulnerabilities, security issues).
Triggers & Alerts
- Trigger Configuration: Define event-driven actions (notify / block IP / create issue) (also: alerting rules, automations).
Search & Reports
- Search & Filters: Query syntax for searching attacks, hits, incidents (also: search query language, Wallarm search syntax).
- Custom Reports (PDF / CSV): Generate scheduled or on-demand PDF / CSV reports.
Account Settings
- User Profile Settings: Settings → Profile tab — personal account preferences.
- Applications: Group protected services into logical applications and view per-app stats.
- Audit Log / Activity Log: Settings → Activity log — history of user actions in the Wallarm Console (also: audit trail, activity log).
Users & Access
- User Management: Invite users and assign roles (also: RBAC, role assignment, team management).
- API Tokens: Manage tokens for Wallarm API authentication and node filtration (also: API keys, authentication tokens).
SSO Configuration
- SSO Overview: SAML SSO support overview (also: single sign-on, SAML).
- SSO Setup (Generic): Generic flow for enabling SAML SSO.
- SSO — Google Workspace (G Suite): SAML SSO via Google Workspace as IdP.
- SSO — Okta: SAML SSO via Okta as IdP.
- SSO Troubleshooting: Troubleshoot common SAML SSO problems.
- LDAP Integration: Authenticate Console users via LDAP / Active Directory.
Plans & Pricing
- Subscription Plans: The Wallarm subscription plans and what each one includes (also: pricing, plans, tiers).
Reference
- Reference Section Overview: Index of reference material (API, attack catalog, glossary).
API Reference
- Wallarm API Overview: Overview of the Wallarm REST API (also: REST API, public API).
- Wallarm API Request Examples: Worked examples of Wallarm API calls.
- Attack Types Catalog: Canonical list of attacks and vulnerabilities Wallarm detects, with descriptions and CWE/OWASP mapping (also: attack catalog, vulnerability list, supported attacks).
- Glossary: Canonical terminology used across Wallarm documentation.
- Data Retention Policy: Retention periods per data type stored in the Wallarm Cloud.
- Shared Responsibility Model: What Wallarm is responsible for and what the customer is responsible for.
- Comparing Wallarm to Other Solutions: How to compare Wallarm against other WAF / API security solutions.
- SLA: Service-level agreement — availability commitments and credits.
- Docs MCP Server: Connect an MCP client to this documentation. Read-only MCP server over streamable HTTP at https://mcp-docs.wallarm.com/mcp (server card: https://docs.wallarm.com/.well-known/mcp/server-card.json); exposes search_pages, get_page, list_pages, list_versions so AI clients can search and read Wallarm docs with citations.
Optional
The pages below are linked here rather than in the main tree because they are less directly useful for an LLM agent answering a question — videos can't be ingested as text, and legacy / EOL material is unlikely to be relevant to questions about the current product.
Video Guides (not ingestible by text-only agents)
- Demo Videos — Platform Overview
- Demo Videos — API Discovery
- Demo Videos — API Leaks
- Demo Videos — Shadow & Orphan APIs
- Demo Videos — CVE Inspection
- Demo Videos — API Abuse Prevention
- Demo Videos — Platform Settings
EOL Node Upgrades (nodes 3.6 and lower — out of support)
- EOL — What's New: Changes when upgrading from EOL versions to current.
- EOL — NGINX Modules Upgrade: Upgrade EOL NGINX modules (3.6 and lower).
- EOL — Postanalytics Upgrade: Upgrade EOL standalone postanalytics module.
- EOL — Docker Image Upgrade: Upgrade EOL NGINX-based Docker image.
- EOL — Ingress Controller Upgrade: Upgrade EOL Wallarm Ingress Controller.
- EOL — Cloud Image Upgrade: Upgrade EOL cloud node images.
- EOL — Multi-Tenant Upgrade: Upgrade EOL multi-tenant node.
- Migrate IP Lists to Node 3.x+ Format: One-time IP allowlist/denylist format migration.