Login
Start Free

Zen, your in-app firewall for peace of mind–at runtime

Automatically block critical injection attacks, introduce rate limiting for APIs, and more...
Get Zen
Set up in seconds - No config needed
Block SQL injection
Blocks bots
Rate limit APIs
Auto-create Swagger docs
Available for
Coming Soon
Zen by aikido stop attacks in real time

Block
zero-day vulnerabilities

Zen detects threats as your application runs and stops attacks like zero-days in real-time, before they ever reach your database. No more endless patching or worrying about new vulnerabilities. Just install it once, and it handles the rest.

Prevent OWASP Top 10 & Zero Day threats on
autopilot

Zen by Aikido SQL & NoSQL injection

SQL & NoSQL injection

Attempts to manipulate database queries for malicious purposes (data theft, unauthorized access, etc.), including protection for different database flavors like MySQL, MongoDB, Postgres, and more.
Zen by Aikido - Command Injection

Command injection

Attacks that inject and execute arbitrary system commands on your server through user input.
Zen by Aikido Set rate limiting

Set rate limiting

Attacks by bots or brute force that flood your app with requests, aiming to overwhelm your servers or disrupt service for legitimate users
Zen by Aikido Path traversal

Path traversal

Attempts to access unauthorized files or directories on your server by manipulating input fields or file paths.

SQL & NoSQL injection

Block attempts to manipulate database queries for malicious purposes, like data theft or authentic bypass. Supports MySQL, MongoDB, Postgres & more.

Command injection

Block attacks that inject and execute arbitrary system commands on your server through user input.

Path traversal

Black attempts to access unauthorized files or directories on your server by manipulating input fields or file paths.

Set rate limiting

Attacks by bots or brute force that flood your app with requests, aiming to overwhelm your servers or disrupt service for legitimate users.
Get Protected Now

Get the power of in-app protection

Privacy

Results

Rate limiting

Performance

Installation

Maintenance

Triage

Costs

Zen

Privacy matters, no 3rd party key access
Minimal false positives/negatives
User-aware rate limiting
Negligible impact
One command, installed in seconds
No rule updates
Helps prioritize vulnerabilities (in Aikido)
Open Source, included in Aikido

Cloudflare WAF

3rd party requires access to your private keys
More false positive/negatives
IP-based rate limiting only
+100ms latency
Complex initial setup
Needs constant updates
No prioritization or risk feedback
Closed source, scales fast

Fully Embedded

Unlike WAFs, Zen runs inside your application.
No complex agents to deploy
No extra infrastructure or hardware
No impact on your performance

Get peace of mind at runtime

Concerned about spam, bots, or malicious user input? Zen gives you always on protection, so you don’t have to worry.
Zen by aikido - get peace of mind

Way less false positives & negatives

Blocklists are too simple. With in-app context, Zen knows the difference between a malicious command vs legitimate input. No more false alarms.
Zen

Stop attacks in real-time

Zen blocks attacks before they ever reach your database. No more breaches.
Zen by aikido Stop attacks in real-time

Runs in the background

Zen analyzes data on the fly and blocks attacks automatically.
No more updating rulesets
No constant monitoring
No extra follow-up actions

Block users & restrict IP routes

Use Zen to get extra control if something doesn’t feel right.
Zen by aikido - peace of mind at run-time

Auto-generate
Swagger documentation

Zen automatically discovers all APIs, even undocumented, forgotten APIs by analysing inbound traffic.
On top of automating API docs, this helps Aikido discover vulnerabilities in your API with context-aware DAST.
Auto-gen API docs
To supercharge API security testing

Zen works for your
setup

You can test Zen in dry mode and verify it works, so you don’t break your app.
Select your setup
Node.js
Python
Ruby
Coming Soon!
PHP
Coming Soon!
.Net
Coming Soon!
Java
Coming Soon!
npm install -- save-exact @aikidosec/firewall
or
yarn add --exact @aikidosec/firewall
and import Zen to your
app.js
with just one line of code:
require(@aikidosec/firewall)
or
import @aikidosec/firewall
pip install aikido_zen
or
poetry add aikido_zen
and import Zen to your
app.py
with just one line of code:
import aikido_zen
npm install -- save-exact @aikidosec/zen
or
yarn add --exact @aikidosec/zen
and import Zen to your
app.js
with just one line of code:
require(‘@aikidosec/zen);
or
import‘@aikidosec/zen;
Tab 1
Tab 2
Tab 3
Tab 4
Tab 1
Tab 1
Zen for Node.js is compatible with :
 Express
✓ Hono
✓ Hapi
✓ Micro
✓ Next.js
Fastify
Coming Soon!
Zen for Python 3 is compatible with :
 Django
✓ Flask
 Quart
Tab 2
Tab 3
Tab 4
Zen for Python 3 is compatible with :
Django
Flask
Quart
Zen for Python 3 is compatible with :
Django
Flask
Quart
Tab 1
Tab 2
Tab 3
Tab 4
Zen for Node.js is compatible with :
Express
Hono
Hapi
Micro
Next.js
Fastify
Coming Soon!
Zen for Node.js is compatible with :
Express
Hono
Hapi
Micro
Next.js
Fastify
Coming Soon!

FAQ

More to explore
Documentation
Trust Center
Integrations

Does Zen require agents?

No! Unlike others, Zen by Aikido integrates directly into your application with no need for external agents. Deployment is as simple as adding a single line of code (importing a package), so you’re up and running in mere minutes. This approach is fast, lightweight, and far less intrusive!

Do I need to list Aikido as a subprocessor?

User tracking is fully optional and off by default. Should you choose to track users, and share personal identifiable information (PII) rather than just IDs, you will be required to list Aikido Security as a subprocessor.

Is Aikido's software pentested?

Yes. We run a yearly pentest on our platform and also have an ongoing bug bounty program to ensure the security of Zen is continuously tested by a wide range of security experts.

Is Zen compatible with various databases and third-party services?

Right now, Zen by Aikido works seamlessly with popular databases like MySQL, MongoDB, and PostgreSQL. It is compatible with ORMs and database drivers across different languages, such as TypeORM for Node.js and SQLAlchemy for Python. We have full support for Python and Node.js, and support for Ruby and PHP is coming soon. Have a specific language, driver, or package in mind? Let us know, and we’ll prioritize it.

What is the performance impact of implementing Zen Firewall in my application?

Honestly, it's tiny. We're talking minuscule overhead for most apps. We're obsessed with performance and constantly benchmark Zen to make sure it stays lightning fast. Need hard numbers for your use case? Just run some tests based on our benchmarks.

It's open source, but what if I run into issues or have specific questions? Where can I get help?

You're not on your own. We have a growing community of developers and security folks using Zen. Don’t hesitate to open a GitHub issue – we're committed to making this project a success, and that includes support.

How do I know Zen is actually working? Can I monitor blocked attacks and get detailed reports?

Seeing is believing. Zen logs blocked attacks with all the juicy details: what the attack looked like, where it came from, etc. We're working on dashboards and integrations to make this info even more accessible.

Monkey-patching sounds risky—will it break my app's functionality or create unforeseen conflicts?

Monkey-patching gets a bad rap. Done right, it's a clever and efficient way to add functionality. Zen targets a very specific area of your code, monitoring all outgoing traffic to databases and 3rd party APIs. We've rigorously tested it to make sure it plays nice with common setups. We even tested with OpenTelemetry in the background, which didn't create any conflicts. Still worried? Try it in a test environment first.

Why does Zen give me less false positives/negatives than WAF?

Traditional WAFs are like security guards at the gate. They only see what comes in, not what goes on inside your building (your app). Zen is the security guard inside, watching both the front door AND how people move around once they're in. Because it sees the whole picture – the user input AND your app's database requests – it can tell the difference between a legitimate (but weird-looking) customer and a thief trying to be sneaky. Less false alarms, less real threats slipping through.

How can one tool autonomously block so many threats without impacting performance?

We get it. It sounds too good to be true. Zen’s magic is in three things:

  1. it is a library inside your app,
  2. it monitors both incoming user input and outgoing connections (to databases or 3rd party services)
  3. it doesn't rely on giant rule lists. This laser focus lets it protect you with almost zero performance overhead.

I don’t want to connect my repository. Can I try it with a test account?

Of course! When you sign up with your git, don’t give access to any repo & select the demo repo instead!

What happens to my data?

We clone the repositories inside of temporary environments (such as docker containers unique to you). Those containers are disposed of, after analysis. The duration of the test and scans themselves take about 1-5 mins. All the clones and containers are then auto-removed after that, always, every time, for every customer.

More to explore
Documentation
Trust center
Integrations
We’re compliant!
Zen by Aikido SOC 2 Compliance
SOC 2
Compliant
Zen by Aikido ISO compliance
27001
Compliant

Get protected today, with

Launch Now
Set up in seconds - No credit card required