User-space deployment
No kernel hooks, packet tampering, or special cloud account required. Run it in front of an HTTP service.
Open-source alpha - v0.4.1
Net Ward
Always-on bot deflection for small HTTP services.
Put a local reverse proxy in front of your app. Clean traffic passes through. Known probes and low-end abuse get harmless mirror responses that waste bot effort without a cloud account, kernel hooks, or retaliation.
Always on
Deception, not damage control
Pip install, no AWS required
Small services get scraped, scanned, and shoved around before they have a security team. Net Ward gives them a local buffer that behaves like infrastructure, not theater.
Operating model
Always on, fail open, no retaliation.
Net Ward is built for teams that need a practical buffer in front of a small service. It is not a cloud WAF and it is not a hostile countermeasure. It is a local reverse proxy that classifies request shape and routes known abuse into safe, plausible mirrors.
Clean request
Forwarded to the upstream service.
Known probe
Matched against bundled or operator patterns.
Mirror response
Returns harmless fake pages, redirects, or status shapes.
Safe deception
Mirror responses are normal HTTP responses. No malware, no retaliation, no collection of submitted secrets.
Operator patterns
Ship with bundled probe patterns, disable collisions, and add local patterns with insertion-time validation.
Load visibility
Includes an operator load generator to measure latency, error rates, and process resource behavior.
Quick start
Run it from a checkout.
Point `upstream_target` at the service you want to protect, then put Net Ward in front of it.
pip install -e .
python -m netward --config example_config.jsonProof
Reviewed, patched, and tagged before release.
Net Ward v0.4.1 shipped only after an internal pre-launch security review found and closed the launch-blocking issues. The public release includes the patch notes, known limitations, and operator guidance instead of asking users to trust a vague claim.
Published from commit a14414f after the security patch.
Full local suite was green before launch.
Basic Auth loop, flood self-denial, and 502 deception oracle were fixed.
Fingerprinting, detection, install path, supply chain, and runtime load.
Known limits
Honest about the edges.
Net Ward is an alpha. The changelog documents the boundaries operators need to plan around: regex policy is best-effort static analysis in v0.4.1, reverse-proxy source awareness is deferred, Windows DB ACL enforcement is deferred, and coordinated low-rate multi-source floods are v0.5 work.
Support the work
Help keep small-service defense practical.
Net Ward is open-source alpha software. Sponsorship helps fund testing, documentation, and the v0.5 work already called out in the changelog.
Questions operators ask first.
Is Net Ward a WAF?
No. It is a small reverse-proxy deception layer. It does not replace application security or a full edge stack.
Does it attack bots back?
No. Net Ward returns harmless HTTP responses. The mirror layer is meant to deflect automated abuse, not retaliate.
What happens if Net Ward fails?
The design goal is fail open: classification, storage, or mirror failures should pass traffic to upstream.
Who is it for right now?
Small teams running HTTP services that want a practical, local deflection layer and are comfortable operating alpha software.
Ready to inspect it?