Zen, your in-app firewall for peace of mind, at runtime
Stop attacks in real time
Prevent OWASP Top 10 & Zero Day threats on autopilot
SQL & NoSQL injection
Command injection
Set rate limiting
Path traversal
Get the power of in-app protection
Get peace of mind at runtime
Far fewer false positives & negatives
Stop attacks in real time
Runs in the background
Block users & restrict IP routes
Uncover API route schemas
Level up your API security with smart testing methods, from synthetic traffic to context-aware DAST.
Zen works for your setup
FAQ
Does Zen require agents?
No! Unlike others, Zen by Aikido integrates directly into your application with no need for external agents. Deployment is as simple as adding a single line of code (importing a package), so you’re up and running in mere minutes. This approach is fast, lightweight, and far less intrusive!
Do I need to list Aikido as a subprocessor?
User tracking is fully optional and off by default. Should you choose to track users and share personally identifiable information (PII) rather than just IDs, you will be required to list Aikido Security as a subprocessor.
Is Aikido's software pentested?
Yes. We run a yearly pentest on our platform and also have an ongoing bug bounty program to ensure the security of Zen is continuously tested by a wide range of security experts.
Is Zen compatible with various databases and third-party services?
Right now, Zen by Aikido works seamlessly with popular databases like MySQL, MongoDB, and PostgreSQL. It is compatible with ORMs and database drivers across different languages, such as TypeORM for Node.js and SQLAlchemy for Python. We have full support for Python and Node.js, and support for Ruby and PHP is coming soon. Have a specific language, driver, or package in mind? Let us know, and we’ll prioritize it.
What is the performance impact of implementing Zen Firewall in my application?
Honestly, it's tiny. We're talking minuscule overhead for most apps. We're obsessed with performance and constantly benchmark Zen to make sure it stays lightning fast. Need hard numbers for your use case? Just run some tests based on our benchmarks.
It's open source, but what if I run into issues or have specific questions? Where can I get help?
You're not on your own. We have a growing community of developers and security folks using Zen. Don’t hesitate to open a GitHub issue – we're committed to making this project a success, and that includes support.
How do I know Zen is actually working? Can I monitor blocked attacks and get detailed reports?
Seeing is believing. Zen logs blocked attacks with all the juicy details: what the attack looked like, where it came from, etc. We're working on dashboards and integrations to make this info even more accessible.
Monkey-patching sounds risky—will it break my app's functionality or create unforeseen conflicts?
Monkey-patching gets a bad rap. Done right, it's a clever and efficient way to add functionality. Zen targets a very specific area of your code, monitoring all outgoing traffic to databases and 3rd party APIs. We've rigorously tested it to make sure it plays nice with common setups. We even tested with OpenTelemetry in the background, which didn't create any conflicts. Still worried? Try it in a test environment first.
Why does Zen give me fewer false positives/negatives than a WAF?
Traditional WAFs are like security guards at the gate. They only see what comes in, not what goes on inside your building (your app). Zen is the security guard inside, watching both the front door AND how people move around once they're in. Because it sees the whole picture – the user input AND your app's database requests – it can tell the difference between a legitimate (but weird-looking) customer and a thief trying to be sneaky. Fewer false alarms, fewer real threats slipping through.
How can one tool autonomously block so many threats without impacting performance?
We get it. It sounds too good to be true. Zen’s magic is in three things:
- it is a library inside your app,
- it monitors both incoming user input and outgoing connections (to databases or 3rd party services)
- it doesn't rely on giant rule lists. This laser focus lets it protect you with almost zero performance overhead.
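The two FAQ answers above (the "security guard inside" comparison and the three-point mechanism) describe the same idea: the library sees the inbound request and the outbound query in one process, so it can check whether a request value is changing the structure of the query the app is about to send. The sketch below is an added illustration of that approach for SQL, plus the monkey-patch hook that feeds it. It is not Aikido's code and not a description of Zen's real detection engine; the tokenizer, the `MIN_INPUT_LEN` threshold, `FakeDriver`, `install_guard` and `handle_login` are simplifications invented for this page, and the queries are constructed samples.

```python
"""Context-aware SQL injection check: flag a request value only when it is
present in the outgoing query AND changes the query's token structure.
Added example, not Aikido's code; names and thresholds are assumptions."""
from __future__ import annotations

import contextvars
import re

# Minimal SQL tokenizer. Only token *kinds* matter, not their values.
TOKEN_RE = re.compile(
    r"""
      (?P<COMMENT>--[^\n]*|/\*.*?\*/)
    | (?P<STRING>'(?:[^']|'')*')
    | (?P<NUMBER>\d+(?:\.\d+)?)
    | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<QUOTE>')
    | (?P<OP>[^\sA-Za-z0-9_'])
    """,
    re.VERBOSE | re.DOTALL,
)

MIN_INPUT_LEN = 2  # assumption: one-char inputs carry no payload and would match everywhere


def token_kinds(sql: str) -> list[str]:
    """Sequence of token kinds (STRING, WORD, OP, ...) for a query string."""
    return [m.lastgroup for m in TOKEN_RE.finditer(sql)]


def is_injection(user_input: str, sql: str) -> bool:
    """True when the input appears in the query and alters its token structure.

    Swapping the input for a neutral literal ("0") must leave the token kinds
    unchanged. Data that stays inside a quoted string, or a number in a numeric
    slot, passes. Input that closes a string, adds keywords/operators or opens
    a comment changes the sequence and is flagged. Parameterised queries never
    contain the raw input, so they are never flagged.
    """
    if len(user_input) < MIN_INPUT_LEN or user_input not in sql:
        return False
    return token_kinds(sql) != token_kinds(sql.replace(user_input, "0"))


def find_injection(request_inputs: dict[str, str], sql: str) -> str | None:
    """Name of the first request field that alters the query, or None."""
    for field, value in request_inputs.items():
        if is_injection(value, sql):
            return field
    return None


# Request context: an in-process library sees the inbound request and the
# outbound query together, so it can correlate them without external rules.
current_request: contextvars.ContextVar[dict[str, str]] = contextvars.ContextVar(
    "current_request", default={}
)


class FakeDriver:
    """Stand-in for a DB driver cursor; hypothetical, exists only for this example."""

    def execute(self, sql: str) -> str:
        return f"executed: {sql}"


class BlockedQuery(Exception):
    pass


def install_guard(cls: type, method: str = "execute") -> None:
    """Monkey-patch cls.<method> so every outgoing query is checked first."""
    original = getattr(cls, method)

    def guarded(self, sql: str, *args, **kwargs):
        field = find_injection(current_request.get(), sql)
        if field is not None:
            raise BlockedQuery(f"request field {field!r} alters query structure")
        return original(self, sql, *args, **kwargs)

    setattr(cls, method, guarded)


def handle_login(username: str) -> str:
    """A deliberately vulnerable handler (string concatenation) running under the guard."""
    token = current_request.set({"username": username})
    try:
        return FakeDriver().execute(f"SELECT * FROM users WHERE name = '{username}'")
    finally:
        current_request.reset(token)


install_guard(FakeDriver)

if __name__ == "__main__":
    print(handle_login("alice"))  # passes: the value stays inside the string literal
    try:
        handle_login("' OR '1'='1")  # blocked: the value closes the literal
    except BlockedQuery as exc:
        print("blocked:", exc)
```

The structural comparison is what keeps "weird-looking but legitimate" data such as a comment body reading `DROP TABLE users` from being flagged when the app has wrapped it in a string literal, while an `admin'--` that turns the rest of the query into a comment is caught. A real engine needs a dialect-aware tokenizer, case-insensitive matching and handling of inputs that the app transforms before use; the hook shown here wraps one method on one class and would have to cover every driver entry point the app actually calls.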
I don’t want to connect my repository. Can I try it with a test account?
Of course! When you sign up with your Git provider, don't grant access to any repository; select the demo repo instead.
What happens to my data?
We clone repositories into temporary environments (such as Docker containers unique to you) and dispose of those containers after analysis. The tests and scans themselves take about 1-5 minutes; all clones and containers are then automatically removed, every time, for every customer.