Hacker News

Show HN: Shibuya – A High-Performance WAF in Rust with eBPF and ML Engine

22 points by germainluperto today at 6:36 PM | 16 comments

Hi HN,

I’ve been working on Shibuya, a next-generation Web Application Firewall (WAF) built from the ground up in Rust.

I wanted to build a WAF that didn't just rely on legacy regex signatures but could understand intent and perform at line-rate using modern kernel features.

What makes Shibuya different:

Multi-Layer Pipeline: It integrates a high-performance proxy (built on Pingora) with rate limiting, bot detection, and threat intelligence.

eBPF Kernel Filtering: For volumetric attacks, Shibuya can drop malicious packets at the kernel level using XDP before they consume userspace resources.

Dual ML Engine: It uses an ONNX-based engine for anomaly detection and a Random Forest classifier to identify specific attack classes like SQLi, XSS, and RCE.

API & GraphQL Protection: Includes deep inspection for GraphQL (depth and complexity analysis) and OpenAPI schema validation.

WASM Extensibility: You can write and hot-load custom security logic using WebAssembly plugins.

Ashigaru Lab: The project includes a deliberately vulnerable lab environment with 6 different services and a "Red Team Bot" to test the WAF against 100+ simulated payloads.

The Dashboard: The dashboard is built with SvelteKit and offers real-time monitoring (ECharts), a "Panic Mode" for instant hardening, and a visual editor for the YAML configuration.

I'm looking for feedback on the architecture and the performance of the Rust-eBPF integration.


Comments

Curiositry today at 9:38 PM

This is something I really want to exist. But vibe-coded security tooling? Pretty much the last thing I want.

nullcathedral today at 7:56 PM

Feel free to correct me, but the ML classifier appears to be rather bare. Less than 20 hardcoded payloads with randomized URL encoding as the only augmentation. How does this generalize to novel evasion techniques? Genuinely curious what your eval numbers look like against real traffic.

https://github.com/theghostshinobi/Shibuya-waf-light-version...

reconnecting today at 8:15 PM

> Shibuya WORLD DOMINATION PLAN (1)

*Month 3*: Top 10 security OSS project on GitHub

*Month 6*: 10k+ stars, 1000+ prod deployments

*Month 9*: Conference talks (OWASP, DevSecOps Days, Black Hat Arsenal)

*Month 12*: Industry standard, "the modern WAF", competitors copying you

## MONETIZATION ROADMAP

*Week 12-16*: Free tier (self-hosted, community support)

- Goal: 1000 GitHub stars

- Goal: 100 production deployments

- Goal: Devs talking about you on Twitter

*Week 16-20*: Pro tier launch ($49-99/mo)

- Managed rules auto-update

- Optimized ML models

- Priority support

- Advanced dashboard

- Goal: first 50 paying customers ($5k MRR)

*Week 20-24*: Enterprise tier (custom pricing)

- Multi-tenant

- SSO/SAML

- Compliance reports (PCI-DSS, SOC2)

- SLA + dedicated support

- Custom integrations

- Goal: first 5 enterprise deals ($50k+ ARR)

*Month 6+*: Exit strategy

- Seed funding ($1-2M) or bootstrap to profitability

- Series A ($10M+) if traction is crazy

- Acquisition offer from a competitor? (Cloudflare buying it to kill it? NO THANKS, fuck them)

1. Deleted file/commit: https://github.com/theghostshinobi/Shibuya-waf-light-version...

abusaidm today at 8:20 PM

This looks really interesting, especially in the age of agents running wild. Having code execution be tracked using this as the ingress/egress, you can allow and block things based on context and needs, and you can set up policies and have them loaded on demand for a specific execution.

q3k today at 8:35 PM

This makes me want to stop reading 'Show HN' threads.

Klonoar today at 8:28 PM

This is the most generic and uninspired name you could have possibly chosen.

FajitaNachos today at 8:46 PM

I'm just here to say that I like the name.

koakuma-chan today at 8:20 PM

What the fuck is this slop?

https://github.com/theghostshinobi/Shibuya-waf-light-version...

cboyardee today at 8:15 PM

[dead]