Greymatter.io integrates a Web Application Firewall (WAF) into every proxy, so you can enforce Zero Trust faster and smarter—from the start. Greymatter shifts control, letting every team and tenant manage its own application, API, or workload security with no central bottlenecks.
A Secure-by-Default Mesh, for Every Tenant
Greymatter embeds an OWASP WAF engine inside each proxy. You instantly gain robust protection for all north-south traffic and can quickly enable or disable WAF for east-west communications. Greymatter delivers dedicated WAF protection to every tenant—whether you define it as an application, API, workload, or a more granular boundary. Each team controls its own WAF settings and rules, so nobody waits for action from an Enterprise perimeter firewall group.
You deploy protection against common web threats—SQL injection, XSS, remote code execution, and data leaks—across every entry, gateway, and workload. Teams use Greymatter Service Language (GSL) to manage WAF policies, tailoring enforcement for each tenant directly and immediately.
Tenant-Controlled, Composable Security
Greymatter lets each tenant own its WAF lifecycle. You declare and version your WAF policies using GSL and GitOps, rolling out changes instantly and keeping clear audit trails. Each tenant fine-tunes detection, rules, and enforcement for its own applications. By default Greymatter starts in detection mode, so teams can calibrate rules for specific workloads and move to blocking only when ready. This autonomy lets you align security with the business realities and compliance needs of each asset.
Grounded in Zero Trust Architecture and NIST Standards
The DoD’s Zero Trust Architecture 2.0 defines seven pillars, including application and workload security, data protection, and visibility and analytics. By integrating a WAF, Greymatter advances three of those pillars:
- Application & Workload Security: Each proxy performs inspection, anomaly scoring, and blocking before traffic reaches the workload.
- Automation & Orchestration: Teams declare and version policies in GSL to automate rollout and maintain consistency across environments.
- Visibility & Analytics: The WAF provides detailed audit logging and rule-level observability to meet the continuous monitoring requirements of NIST SP 800-53 and SP 800-137.
Greymatter extends Zero Trust enforcement to the application/API proxy layer, giving operators a verifiable and auditable control plane native to the mesh.
Multi-Tenant Isolation: Security Without Bottlenecks
Greymatter replaces centralized perimeter bottlenecks with tenant-driven isolation. Each team manages, tunes, and tracks its own policies and audit logs. You ensure every workload—whether running in a hybrid cloud, a dedicated subnet, or a tightly scoped namespace—carries its own, custom-fit WAF enforcement. This control means you drive repeatable security and compliance everywhere, for every deployment.
Why It’s Groundbreaking for Service Mesh Security
Most service meshes bolt WAFs onto ingress gateways. Greymatter changes the model. Every proxy in the mesh can use gsl.#WafCorazaFilter to apply the full OWASP Core Rule Set (CRS) inline at the proxy layer.
This approach delivers:
- Full-lifecycle protection across ingress, egress, and east-west paths.
- Centralized management through Git-based configuration.
- Incremental enforcement that starts in detection mode and matures to blocking.
- Compliance alignment with PCI DSS, HIPAA, NIST, and DoD STIG controls.
Extensibility and Custom WAF Configurations
Greymatter’s WAF goes beyond default settings—it’s fully extensible. Administrators can load custom configurations directly into their mesh definitions using GSL. The gsl.#WafCorazaFilter supports a coraza_config object that teams can extend or replace to meet specific mission needs.
Through the standard GitOps workflow, teams can:
- Create or modify a security.cue policy in their GSL project.
- Define a custom WAF object (for example, CustomWAF) with directives such as SecRequestBodyLimit or SecAuditEngine.
- Reference that configuration in any proxy via coraza_config: policies.CustomWAF.
- Validate and deploy through the Greymatter CLI and Kubernetes rollout pipeline.
This structure enables fine-grained tuning for API inspection depth, response body scanning, and service-specific policies. Teams version and review every change through normal Git pull requests. By exposing these controls declaratively, Greymatter empowers developers with policy-driven autonomy while adhering to Zero Trust’s “policy as code” principles.
Real-World Use Cases
- Secure Application / API Gateways in Multi-Tenant Environments: The WAF filters malicious traffic before it reaches backend APIs, protecting against injection and reconnaissance.
- Protect Sensitive Data in Dynamic Web Applications: Teams enable full response body inspection to catch reflected XSS or data leakage involving mission or PII data.
- Adapt Defense During Zero Trust Maturation: Tenant edge gateways start in detection-only mode to baseline behavior, then enforce blocking as they advance through ZTA 2.0 maturity.
- Deliver Auditable Edge Protection: Detailed logs fulfill NIST SP 800-92 and DoD RMF requirements, supporting investigations and threat correlation.
Built for Operators and Security Teams
Operators manage WAF policies in GSL just like any other mesh construct:
filters: [
    gsl.#WafCorazaFilter & {
        coraza_config: policies.CustomWAF
    },
]
This unified configuration model brings routing, security, and policy together for consistent and portable enforcement across hybrid environments.
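The GitOps steps above (a security.cue policy, a CustomWAF object with Coraza directives, referenced from a proxy via coraza_config) can be seen together in the following security.cue. This is an added example written for this page, not Greymatter's own code or schema. It assumes a package named policies, a directives string field inside the coraza_config object, the @-prefixed embedded includes used by the Coraza proxy-wasm filter, and a /dev/stdout audit destination; the #TenantWAF template and its mode and request_body_limit fields are this example's own, so check each against the gsl.#WafCorazaFilter schema in your Greymatter release before relying on it.

```cue
// security.cue -- added example of a tenant-owned WAF policy (illustrative, not
// Greymatter's code). ASSUMED: the package name `policies`, the `directives`
// field inside coraza_config, the `@` embedded includes and the audit log
// destination; verify against the gsl.#WafCorazaFilter schema you deploy.
package policies

// Template shared by every tenant policy: the rule set stays fixed while the
// engine mode and body limit are parameters, so "detection -> blocking" is a
// one-line change reviewed through a normal pull request.
#TenantWAF: {
	// "DetectionOnly" logs what would have been blocked; "On" actually blocks.
	mode: "DetectionOnly" | "On"

	// Largest request body (bytes) Coraza will buffer for inspection.
	request_body_limit: int & >0 | *1048576

	// Coraza directives (ModSecurity SecLang) rendered from the parameters above.
	// The includes load the recommended engine config and the OWASP CRS; the
	// SecRuleEngine line after them overrides the include's default mode.
	directives: """
		Include @coraza.conf-recommended
		Include @crs-setup.conf.example
		Include @owasp_crs/*.conf
		SecRuleEngine \(mode)
		SecRequestBodyAccess On
		SecRequestBodyLimit \(request_body_limit)
		SecResponseBodyAccess On
		SecResponseBodyMimeType text/plain text/html text/xml application/json
		SecAuditEngine RelevantOnly
		SecAuditLogRelevantStatus "^(?:5|4(?!04))"
		SecAuditLogParts ABIJDEFHZ
		SecAuditLog /dev/stdout
		"""
}

// Phase 1: the object referenced as policies.CustomWAF. Detection only, so the
// team can baseline real traffic and tune false positives without blocking users.
CustomWAF: #TenantWAF & {
	mode: "DetectionOnly"
}

// Phase 2: identical rule set with enforcement switched on and a larger body
// limit for an API that accepts bigger JSON payloads. Point coraza_config at
// this object once the audit log from phase 1 is clean.
CustomWAFEnforcing: #TenantWAF & {
	mode:               "On"
	request_body_limit: 2097152
}
```

A proxy picks the policy up exactly as in the filters snippet above (coraza_config: policies.CustomWAF); promoting the tenant to blocking is a one-field change to policies.CustomWAFEnforcing in the same Git workflow. Two practical notes: SecAuditLogRelevantStatus as written records only 5xx and 4xx responses other than 404, which is the set worth reviewing while still in DetectionOnly mode, and SecResponseBodyAccess On makes the proxy buffer response bodies, so keep SecResponseBodyMimeType narrow for high-volume services or the inspection will add latency.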
What This Means for Zero Trust Implementations
The WAF integration advances Greymatter’s mission to deliver agentic, composable, and compliant mesh security. For DoD, federal, and enterprise teams, this means:
- End-to-end Zero Trust enforcement
- Built-in alignment with NIST and DoD ZTA frameworks
- Extensible WAF policies managed through GitOps
- Full auditability and policy provenance
Conclusion
Adversaries keep exploiting lateral pathways and application-layer weaknesses. Greymatter eliminates that gap by embedding a fully extensible, policy-driven OWASP WAF directly into the mesh. This represents Zero Trust in action—secure by default, auditable by design, and adaptable to mission-critical workloads.