Varnish Layered Security Suite
Stop Bad Traffic. Accelerate Real Users.
Varnish Layered Security is a unified security runtime that integrates WAF, bot mitigation, and API protection into the caching and delivery layer. Eliminate the latency of external hops with in-process security logic that ensures privacy and resilience, from edge to origin.
A unified security runtime
What is Varnish Layered Security?
Varnish Layered Security is a programmable policy engine that transforms your delivery tier into a unified security runtime.
It provides Layer 7 protection, distributed traffic governance, and origin shielding across your entire infrastructure, for total programmatic control over how traffic is sanitized and secured.
Replace inflexible, opaque defenses with a software layer that filters traffic and synchronizes global threat responses. Protect operations with autonomous real-time defenses while keeping costs predictable at scale.
Built on Varnish Enterprise: An extension for the Varnish Enterprise core that acts as a unified security runtime for your delivery environment, executing logic in-process wherever your traffic flows.
Capabilities
Integrated Defense & Enforcement
| Category | Capability | Description |
|---|---|---|
| Layer 7 Threat Protection | WAF & Vulnerability Defense | Block OWASP Top 10 threats in-process. Stop exploits directly in the request path without latency-heavy inspection hops. |
| Layer 7 Threat Protection | Bot & Abuse Mitigation | Identify and neutralize scrapers and automated fraud at the edge before they hit your compute resources. |
| Layer 7 Threat Protection | Origin & DDoS Shielding | Absorb volumetric attacks and protect backend stability with a high-performance buffer that blocks requests pre-origin. |
| Identity & Access Control | High-Speed API Security | Validate JWT and HMAC tokens at the entry point. Offload the "handshake tax" from your application logic. |
| Identity & Access Control | In-Core TLS | Secure communication with hardware-accelerated encryption and certificate validation. |
| Distributed Intelligence | Global Rate Limiting | Synchronize traffic quotas across regions in real time. Stop "low and slow" attacks that bypass local counters. |
| Distributed Intelligence | Real-Time State (KV Store) | Instantly propagate security flags and dynamic blocklists across your entire global cluster in milliseconds. |
| Operations & Governance | Data & Logic Sovereignty | Keep your code, logs, and certificates within your own perimeter. No third-party data-processing "black boxes." |
| Operations & Governance | Deep Observability | Export 100+ log fields via OpenTelemetry or SIEM integrations for real-time forensics and audit compliance. |
Why use Varnish Layered Security?
Architectural Advantages
Varnish Layered Security replaces rigid hardware and black-box cloud services with a private, programmable security suite that operates directly in the request path. This software-defined approach provides the following advantages:
| Advantage | Description |
|---|---|
| In-Process Execution | Execute WAF, token validation, and rate limits in the HTTP flow at cache speeds. |
| Policy-as-Code | Use sophisticated logic to challenge suspicious bots while serving content to verified users. |
| Total Data Residency | Maintain total ownership of SSL keys, security logic, and telemetry to ensure global compliance. |
| Architectural Agility | The same engine for the edge, the origin shield, inside Kubernetes clusters and CI/CD workflows. |
Security Tiers & Plans
From the first packet to the global state
Varnish Defense in Depth
| Stage | Focus | Description |
|---|---|---|
| 01. At the Edge | Conserve Compute Resources | Essential Security acts as your first line of defense. Neutralize automated port scans, known malicious bots, and noise at the entry point so your core infrastructure remains available for meaningful traffic. |
| 02. In the Path | Harden Application Logic | Application Security offloads identity verification and input validation to the Varnish runtime. Enforce JWT authentication and WAF policies in-process before requests ever reach your backend application servers. |
| 03. Global State | Universal State Synchronization | Platform Security ensures a unified perimeter. Use the distributed KV store to propagate security flags and rate limits across your entire footprint, so threats detected at one node are mitigated everywhere instantly. |
Strategic outcomes
Sovereign Protection and Predictable Operations
| Outcome | Description |
|---|---|
| Performance-First Security | Execute security logic in-process and sync global blocklists in milliseconds, for protection at speed. |
| Operational Agility | Deploy custom rules and mitigations that adapt to emerging threats in real time. |
| Infrastructure Hardening | Offload security to the edge to neutralize volumetric attacks and preserve uptime for real users. |
| Predictable Financials | License-based model replaces unpredictable per-request costs, ensuring budget stability at scale. |
The autonomous security cycle
Programmable Defense Across Every Layer
Varnish is a versatile security runtime that closes the loop between visibility and enforcement. The packet is the trigger. Your defense reacts in milliseconds, without waiting for human intervention.
- Sense (Real-Time Observability): Capture 100+ request fields in real time. Stream rich telemetry via OpenTelemetry for an instant audit trail and deep forensic analysis.
- Policy (Distributed Governance): Govern the perimeter using a distributed Key-Value Store. Synchronize security flags, rate-limit counters, and dynamic blocklists globally in milliseconds.
- Act (Programmable Enforcement): Execute policy directly in the request path. Operating at the speed of the network ensures your infrastructure is protected without adding latency.
Use cases
Practical Applications
| Pre-Origin Mitigation | Description |
|---|---|
| Automated Pattern Blocking | Drop requests based on malicious paths, query parameters, or illegal headers at the first point of contact. |
| In-Path Request Sanitization | Strip malformed URLs and non-standard headers to prevent cache poisoning and unintended origin execution. |
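What the two pre-origin use cases above look like when expressed as in-process policy, as an added illustration written for this page rather than configuration shipped with Varnish Layered Security: it is plain open-source Varnish Cache VCL plus `vmod_vsthrottle` from the varnish-modules collection, and the paths, header names, origin address and thresholds are constructed for the example. The ordering matters: the URL and `Host` header are normalized first, so that the cache key is canonical and no disguised path reaches the pattern checks, and only then are requests refused. The rate limit at the end is a per-node counter; the product's global quota via the distributed KV store is not shown here.

```vcl
vcl 4.1;

# Added example, not the product's own policy. Uses core VCL and
# vmod_vsthrottle (varnish-modules). All values below are constructed.
import std;
import vsthrottle;

backend origin {
    .host = "127.0.0.1";   # constructed origin address
    .port = "8080";
}

sub vcl_recv {
    # --- In-path request sanitization (runs before any matching) ---

    # Browsers never send a fragment; if one arrives it was crafted. Drop it
    # so it cannot become part of the cache key.
    set req.url = regsub(req.url, "#.*$", "");
    # Collapse repeated slashes so /a//b and /a/b share one cache entry.
    set req.url = regsuball(req.url, "/+", "/");
    # Remove tracking parameters that would otherwise fragment the cache.
    set req.url = regsuball(req.url, "(\?|&)(utm_[a-z]+|fbclid)=[^&]*", "\1");
    set req.url = regsuball(req.url, "\?&", "?");
    set req.url = regsub(req.url, "\?$", "");

    # Canonical Host: lowercase, no port, so the cache key is stable and
    # the origin cannot be steered by case or port games.
    if (req.http.Host) {
        set req.http.Host = std.tolower(regsub(req.http.Host, ":[0-9]+$", ""));
    }

    # Client-supplied override headers that some frameworks honour are
    # refused outright; they exist only to influence routing or rewriting.
    if (req.http.X-Forwarded-Host || req.http.X-Original-URL || req.http.X-Rewrite-URL) {
        return (synth(400, "Illegal header"));
    }

    # --- Automated pattern blocking ---

    # Paths that no legitimate user of this (constructed) site ever requests,
    # plus obvious traversal attempts.
    if (req.url ~ "(?i)^/(wp-admin|wp-login\.php|xmlrpc\.php|\.env|\.git)" ||
        req.url ~ "\.\./") {
        return (synth(403, "Forbidden"));
    }

    # Per-node rate limit: at most 100 requests per 10 s per client identity
    # (defaults to client IP), then refuse for 30 s. Local counter only.
    if (vsthrottle.is_denied(client.identity, 100, 10s, 30s)) {
        return (synth(429, "Too Many Requests"));
    }
}

sub vcl_synth {
    # Synthetic responses are served from Varnish; the origin is never
    # consulted, which is the point of blocking pre-origin.
    set resp.http.Content-Type = "text/plain";
    synthetic(resp.reason);
    return (deliver);
}
```

Everything the origin never sees is also something it never has to log, parse or defend against, which is why the sanitization step is placed before the block rules rather than after: a request that has already been normalized is both cheaper to match and impossible to smuggle past the patterns with encoding tricks the origin would later undo.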
| Global Orchestration & Response | Description |
|---|---|
| Global Context Sharing | Neutralize a threat in one region and propagate the mitigation across your global footprint in milliseconds. |
| Active Adversary Frustration | Serve mock responses or tar-pit suspicious connections to exhaust attacker resources without impacting origin capacity. |
| Resource Offloading | Description |
|---|---|
| Edge Token Validation | Reject malformed tokens at the edge to protect identity providers and keep app logic focused on validated users. |
| Compute Origin Shielding | Offload CPU-intensive WAF inspections to Varnish. Prevent backend exhaustion and maintain uptime during traffic spikes. |
| Sovereignty & Compliance | Description |
|---|---|
| Geofencing & Residency | Enforce strict access and residency requirements at the edge to keep traffic logic within your sovereign perimeter. |
| Real-Time Audit Visibility | Stream high-fidelity telemetry via OpenTelemetry to your SIEM for instant forensics without origin involvement. |
Next steps
Scale Security. Simplify Your Stack.
Varnish Layered Security replaces unpredictable volumetric billing with a transparent, license-based model designed for unlimited global scale.
| Plan | Tier | Description |
|---|---|---|
| Standard | Essential Security | Foundational tier. Stabilize origins and reduce backend CPU cycles with native security defaults. |
| API & App Protection | Application Security | Fixed-fee add-on. Harden APIs and application logic with advanced in-path protection. |
| Global Coordination | Platform Security | Fixed-fee add-on. Orchestrate global defense with real-time state synchronization. |
Join the world’s largest CDNs, technology enterprises and streaming services using Varnish to accelerate and protect their data. For detailed pricing or to start a technical proof-of-concept, connect with our engineering team.