HOW IT WORKS

One engine for delivery and security.

CrownWall is a complete application delivery controller — delivery and security running in the same pipeline, because they were always the same job.

Client

TLS Termination

Bot Check

WAF Inspection

Rate Limit

Load Balance

Backend Origin

Security bolted on is security with gaps.

Most organisations arrive at CrownWall having assembled a stack: a cloud load balancer here, a WAF plugin there, a bot management service on top, a compliance reporting tool pulling from three different log sources. Each product sees a fragment of the traffic. None of them see the whole picture. The gaps between them are where attackers operate.

CrownWall processes every request through a single, ordered pipeline. Every layer sees the full request context. WAF rules can reference rate-limit state. Bot decisions inform load-balancing choices. Logs from every layer arrive in one place, correlated by a single request ID. There are no gaps.

One ordered pipeline

Every layer sees the same request, the same context, and the same request ID.

Context

shared

Rules

coordinated

Logs

correlated

What happens to every request, in order.

Every request follows the same ordered path through the CrownWall edge.

1

TLS termination

Connection terminated at the CrownWall edge using your certificate — provided by you or managed automatically via Let’s Encrypt. HTTP/1.1, HTTP/2, and WebSocket supported natively.

2

Protocol normalisation

Request parsed and normalised. Encoding-bypass attempts neutralised at this stage before any rule evaluation.

3

IP reputation & geo checks

Fast lookup against continuously updated IP reputation data. Geographic filters applied if configured.

4

Bot identification

Client classified as known good bot, known bad bot, or unclassified. Unclassified clients are fingerprinted for behavioural analysis.

5

WAF rule evaluation

Managed and custom rulesets evaluated against the full request — referencing bot classification, geo data, and header context.

6

Rate limit checks

All configured rate limits evaluated across all configured dimensions: per IP, per key, per session, per endpoint, per concurrency.

7

Routing decision

Backend selected based on load-balancing configuration and live health-check state. Response served from cache if configured.

8

Origin forward

Request forwarded to the selected backend. Original client information preserved in standard headers. Unique request ID logged end-to-end.

Fast by design.

Each layer runs in single-digit milliseconds. The full pipeline typically adds 10–20ms to request latency. For cached responses, the origin is not contacted at all.

Live in four steps.

A simple deployment path from adding your domain to live protected traffic.

Step 1

Add your domain

Add the domain you want to protect. CrownWall verifies ownership and provisions your edge configuration.

Step 2

Configure your origins

Tell CrownWall where your application runs. Set up health checks for multiple backends.

Step 3

Apply your security policy

Managed WAF rulesets active by default. Refine with custom rules. Test in shadow mode before enforcing.

Step 4

Point your DNS

Update DNS to point at CrownWall. Traffic flows through within minutes of propagation.

Deploy today.

Start with managed defaults, then refine rules as your traffic data arrives.