Open Source Embedded Application Firewall
Block (No)SQL injection attacks in your Node.js app with just one command
Aikido Runtime is your automatic shield against critical injection, path traversal, and prototype pollution attacks on Node.js applications.
It’s an autonomous application firewall that blocks dangerous queries and injections in real time.
Supports your tech stack:
- MySQL
- MongoDB
- Postgres
- TypeORM
- Sequelize
Stop relying on manual code reviews for injection vulnerabilities.
Detect and block malicious user input automatically, with just one command.
SQL & NoSQL injection
Attempts to manipulate database queries for malicious purposes (data theft, unauthorized access, etc.). Protection covers different database flavors like MySQL, MongoDB, Postgres, and more.
Command injection
Attacks that inject and execute arbitrary system commands on your server through user input.
Rate limiting
Attacks by bots or brute force that flood your app with requests, aiming to overwhelm your servers or disrupt service for legitimate users.
Path traversal
Attempts to access unauthorized files or directories on your server by manipulating input fields or file paths.
Let Aikido handle the dirty work of blocking attacks.
Lives inside your app, not on top of it.
Unlike external security tools that operate as separate agents or services, Runtime Protection runs seamlessly inside your application.
Just let it run in the background.
Developers loathe security tools requiring constant monitoring. Aikido Runtime Protection operates in the background, analyzing data on the fly, and halts attacks preemptively, offering automatic defense against common and critical injection and prototype pollution attacks.
- No more regular maintenance.
- No more updating rulesets.
- No more follow-up actions.
We handle the threats; you concentrate on your app.
Intercept and modify risky operations in real time.
Forget bulky WAFs and complex agents. Aikido Runtime Protection uses a clever trick called monkey-patching to become your app's built-in security shield. This means it integrates seamlessly without messing with your existing setup.
But here's the real win: Aikido Runtime Protection detects threats as your application runs, so it can stop attacks in real-time, before they ever reach your database. No more endless patching or worrying about new vulnerabilities. Just install it once, and it handles the rest.
Far fewer false positives & negatives.
Aikido Runtime Protection looks for patterns and structures that indicate SQL injection, NoSQL injection, command injection, and path traversal. It doesn't just rely on simple blacklists, but examines your database queries in detail, understanding the difference between actual malicious commands and legitimate (but unusual) user input.
Worried about the vulnerabilities you don’t know about? Runtime even identifies obfuscated or previously unknown threats.
Deploy in seconds.
To start blocking SQL/NoSQL injection and prototype pollution attacks in less than a minute, install Aikido Runtime Protection’s embedded security engine into your JavaScript app.
We’re implementing security best practices aligned with the highest standards.
FAQ
Is Aikido Runtime Protection compatible with various databases and third-party services?
Right now, Aikido Runtime Protection plays nicely with popular databases like MySQL, MongoDB, and PostgreSQL, and is compatible with ORMs like TypeORM and Sequelize. We're always adding support for more, including other languages such as Python and Ruby. Have a specific service in mind? Let us know, and we'll prioritize it.
What is the performance impact of implementing Aikido Runtime Protection in my application?
Honestly, it's tiny. We're talking minuscule overhead for most apps. We're obsessed with performance and constantly benchmark Runtime to make sure it stays lightning fast. Need hard numbers for your use case? Just run some tests based on our benchmarks.
It's open source, but what if I run into issues or have specific questions? Where can I get help?
You're not on your own. We have a growing community of developers and security folks using Aikido Runtime Protection. Don’t hesitate to open a GitHub issue – we're committed to making this project a success, and that includes support.
How do I know Runtime Protection is actually working? Can I monitor blocked attacks and get detailed reports?
Seeing is believing. Aikido Runtime Protection logs blocked attacks with all the juicy details: what the attack looked like, where it came from, etc. We're working on dashboards and integrations to make this info even more accessible.
Monkey-patching sounds risky—will it break my app's functionality or create unforeseen conflicts?
Monkey-patching gets a bad rap. Done right, it's a clever and efficient way to add functionality. Aikido Runtime Protection targets a very specific area of your code, monitoring all outgoing traffic to databases and 3rd party APIs. We've rigorously tested it to make sure it plays nice with common setups. We even tested with OpenTelemetry in the background, which didn't create any conflicts. Still worried? Try it in a test environment first.
Why does Aikido Runtime Protection give me fewer false positives/negatives than a WAF?
Traditional WAFs are like security guards at the gate. They only see what comes in, not what goes on inside your building (your app). Aikido Runtime is the security guard inside, watching both the front door AND how people move around once they're in. Because it sees the whole picture – the user input AND your app's database requests – it can tell the difference between a legitimate (but weird-looking) customer and a thief trying to be sneaky. Fewer false alarms, fewer real threats slipping through.
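As an added illustration of the approach described in this answer and in the monkey-patching section above (example code, not Aikido's own implementation): a hypothetical driver object is patched so that every outgoing SQL statement is checked against the current request's user input. Input that stays inside a single token of the statement is just a value; input that crosses token boundaries has changed the query's structure and is blocked. The driver, the per-request input list and the escaping helper are constructed stand-ins.

```javascript
// One sticky regex splits SQL into tokens: whitespace, quoted literals ('' is
// an escaped quote), "--" comments, numbers, words, or any single character.
const TOKEN = /\s+|'(?:[^']|'')*'?|--[^\n]*|\d+(?:\.\d+)?|\w+|./gy;

function tokenize(sql) {
  const tokens = [];
  for (let m; (m = TOKEN.exec(sql)) !== null; ) {
    if (m[0].trim()) tokens.push({ start: m.index, end: m.index + m[0].length });
  }
  return tokens;
}

// User input is harmless when every occurrence of it in the query sits inside
// one token (e.g. wholly inside a quoted literal). Crossing a token boundary
// means the input changed the statement's structure, not just a value.
function inputChangesStructure(sql, input) {
  if (typeof input !== 'string' || input.trim().length < 3) return false;
  const tokens = tokenize(sql);
  for (let at = sql.indexOf(input); at !== -1; at = sql.indexOf(input, at + 1)) {
    const end = at + input.length;
    if (!tokens.some(t => t.start <= at && end <= t.end)) return true;
  }
  return false;
}

// Monkey-patch: swap the driver's query method for a wrapper that checks the
// statement against the current request's inputs, then delegates as normal.
function protect(driver, getRequestInputs) {
  const original = driver.query;
  driver.query = function (sql, ...rest) {
    const hit = getRequestInputs().find(v => inputChangesStructure(sql, v));
    if (hit !== undefined) throw new Error(`Blocked: input ${JSON.stringify(hit)} altered the query`);
    return original.call(this, sql, ...rest);
  };
  return driver;
}

// Constructed stand-ins: a fake driver and a per-request input list (a real
// app would keep the list in AsyncLocalStorage and patch e.g. mysql2 or pg).
const requestInputs = [];
const db = protect({ query: sql => `executed: ${sql}` }, () => requestInputs);

// Run one request with the given escaping function (identity = no escaping,
// so the guard has something to catch); returns the driver's result or throws.
function handleRequest(username, escape = s => s) {
  requestInputs.splice(0, requestInputs.length, username);
  return db.query(`SELECT * FROM users WHERE name = '${escape(username)}'`);
}
```

With quote-doubling escaping in place the raw input no longer appears in the statement, so correctly escaped values never trip the guard.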
How can one tool autonomously block so many threats without impacting performance?
We get it. It sounds too good to be true. Aikido Runtime Protection’s magic is in three things: 1) it is a library inside your app, 2) it monitors both incoming user input and outgoing connections (to databases or 3rd party services), and 3) it doesn't rely on giant rule lists. This laser focus lets it protect you with almost zero performance overhead.