# Baffle WAF

## Product Positioning
Tagline options:

"Baffle bots. Calm traffic." (playing on both meanings: confuse + quiet)
"Confuse bots. Calm infrastructure."
"Bewilder bots, silence the chaos"

## Target market:

Solo devs/bootstrapped startups (can't afford $249/mo Wafris/Cloudflare)
Privacy-conscious/regulated orgs (data sovereignty requirements)
Self-hosters (infrastructure control enthusiasts)
Cost-sensitive scale-ups (outgrowing free tiers)

## Business Model (Sidekiq-style)
Free (fully functional):

Ruby/Rack edge agent (2-5ms response time)
Local SQLite rules
IP blocking, rate limiting, geoblocking
Manual rule management
Community support

Pro ($99-149/mo):

Go edge agent (performance upgrade)
SSO / multi-team
Centralized hub with traffic analytics
Automated rule generation
Adaptive sampling (manual 0-100% toggle for hub load management)
IP reputation feeds
Priority support

## Key Technical Decisions
Traffic categories:

Blocked - Matched deny rule
Allowed - Matched allow rule (fast-path for whitelisted IPs/APIs)
Unmatched - No rules, passed through

## OWASP approach:

Don't try to compete with ModSecurity's full CRS
Focus on network-layer threats (bots, rate limiting, IP reputation)
Map to OWASP Top 10 where applicable (A05, A07, partial A01/A03)
Position as complementary to app-layer security

### Killer Feature: Performance Visibility
Always-on category timing:

Track latency by rule type (IP checks, rate limits, regex, etc.)
Show real-time impact in dashboard
Let users add rules and immediately see performance cost
"The only WAF that shows you exactly what your rules cost"

Why this matters:

No other WAF does this well
Solves "why is my site slow?" blame game
Empowers users to make informed tradeoffs
Natural deterrent against kitchen-sink rule sets

## Implementation:

Start with category-level timing (always on, minimal overhead)
Users can experiment: add rule → watch latency → remove if too expensive
Can add detailed per-rule profiling later if needed

## Terminology Settled

Rule pruning - removing inactive rules for performance
Violation/pattern match - when traffic triggers a rule
Adaptive sampling - hub telling edges to reduce telemetry load

## Architecture Clarity
Self-hosted only (no SaaS hosting from you):

Edge agents do forward auth with local SQLite
Push telemetry to hub every 10 seconds
Hub analyzes and pushes rules back
Max 20-second gap between violation and rule deployment