Stop the attacks yourfirewall can't even see.
Silker AI is an AI-native security layer that blocks prompt injection, data leaks and app-logic attacks your WAF misses - in <10ms. Paste a script for any website, deploy a proxy for full runtime protection, or add one line of SDK code.
See your app through an attacker's eyes
Drop in your URL. We run a read-only scan of what's publicly visible - TLS, headers, exposed API docs, cookie settings - and send a plain-language report. No install, no exploit payloads.

One engine. Three ways to deploy.
The same detection engine, wherever your app lives. Pick the path with the least friction for your stack.
Node.js SDK
One line in any Node app - Express, Next.js, Nest. Protects inbound + outbound traffic, including data leaks a WAF can’t see.
npm i @silker-ai/agentDocker Container
Run the proxy in front of any app, on any host. PHP, Java, Python, Go — no code changes required.
docker run ghcr.io/niceappspl/silker-proxyCloudflare Worker
Deploy a Worker on your Cloudflare zone. Any backend, zero code changes — we run inside Cloudflare.
wrangler deployProtects any stack
Silker works at the HTTP layer - it doesn't care what your backend is written in.
Three steps to runtime security
Install, detect, monitor. Your traffic stays on your infrastructure - we only receive security events.
Install in minutes
One line in a Next.js app, a Cloudflare Worker, or a Docker container in front of any backend. No re-architecture.
npm i @silker-ai/agentDetect locally, block instantly
Every request is inspected where your app runs. Threats - including prompt injection and data leaks - are blocked in real-time. Detection runs on your infra, not ours.
request → inspect → allow / 403Monitor & fix
See blocked threats, data-leak alerts, and traffic on the dashboard. AI Copilot explains each issue and suggests the fix.
platform.silkerai.comSecurity a WAF doesn't give you
Silker is built for apps with AI in them. It blocks prompt injection, stops sensitive data from leaking, and covers the OWASP basics - all from one engine.
AI-Native Threat Detection
The threats unique to AI-generated and AI-powered apps - caught before they reach your model or database.
- Prompt Injection & JailbreaksDetects instruction overrides, jailbreaks and extraction on your LLM routes.
- OWASP Top 10SQLi, XSS, path traversal, file-upload abuse and more - included by default.
- Rate Limiting & Auto IP BansStops abuse and brute-force with sliding-window limits and temporary bans - core steps in how to secure an API.
- Scanner Trap NewHoneypot paths (/.env, /wp-login.php, /.git) bots probe first - hit one and we ban the IP instantly, before it finds a real hole.
Data Leak Prevention
The part a WAF can't see: sensitive data leaving your app. Silker inspects responses and outbound calls - why edge WAFs miss outbound data - then redacts or blocks leaks.
- Secrets & API KeysCatches leaked keys, tokens, private keys and DB connection strings.
- PII RedactionEmails, phone numbers, cards, SSN/PESEL - block, redact or just monitor.
- On-demand Security ScansScan your live app for misconfigurations and exposed surface, with fix tips.
Monitoring & Alerts
One dashboard for every install - SDK, Worker or container. Deploy Silker as a reverse proxy in front of any backend and see blocked threats, data-leak alerts, traffic and geographic origins in real-time.
Learn how runtime security works
- New to proxies? What is a reverse proxy and why it is the right place to add security.
- Shipping an API? How to secure an API with auth, rate limits, and response inspection.
- Comparing options? Best WAF for modern apps explains how to pick the layer you are missing.
How Silker compares
Every tool below covers part of the problem. Silker is the only one that connects the dots across your whole AI app - runtime, outbound data, AI routes and the database layer.
Already on Cloudflare? Keep it - Silker adds the AI-native layer on top as a Worker or one line of code.
Start free. Pay as you grow.
Detection runs on your own infrastructure - you pay for scale, advanced detection and the dashboard. Works with SDK, Cloudflare Worker or Docker.
Not sure which layer you need? See the best WAF options by use case.
For side projects
- 1 application
- Up to 10,000 requests / mo
- AI threat & OWASP blocking
- 1 free security scan
- Community support
Beta: 50% off for first 3 months, then $39/mo
- Up to 2 apps, 500k req / mo
- AI Verdict & Copilot
- Global Threat Map
- Pentest & data leak detection
- 30-day log retention
- Email support
Beta: 50% off for first 3 months, then $99/mo
- Everything in Pro
- Up to 5 apps, unlimited req / mo
- Team seats & Google SSO
- On-demand scans & Slack alerts
- Priority support
Self-host & regulated
- On-prem / self-hosted
- Unlimited apps & requests
- SAML SSO, SIEM export
- Custom SLA & dedicated support
Prices in USD. Cancel anytime. Beta: 50% off your first 3 months, then standard pricing.
Install in under 2 minutes
Pick one of three ways to deploy - same engine, same dashboard.
Node.js SDK Recommended
One line in any Node app - Express, Next.js, Nest. Inbound + outbound.
// Express / Node - zero-config (reads SILKER_API_KEY from env)
import { middleware } from '@silker-ai/agent'
app.use(middleware())
// Next.js (middleware.ts) - Edge-ready
import { nextMiddleware } from '@silker-ai/agent/next'
export const config = { matcher: '/api/:path*' }
export default nextMiddleware()Cloudflare Worker Coming soon
Any backend behind Cloudflare. Runs on your zone.
# set SILKER_APP_ID + SILKER_TARGET in wrangler.toml
wrangler secret put SILKER_API_KEY
wrangler deploy
# Done - traffic is inspected at the edge.Docker Container Self-host · any stack
Run the proxy in front of any app - PHP, Java, Python, Go. No Cloudflare required.
docker run -d \
-p 8080:8080 \
-e SILKER_TARGET=http://your-app:3000 \
-e SILKER_API_KEY=sk_your_key \
-e SILKER_APP_ID=your_app_id \
ghcr.io/niceappspl/silker-proxy
# Point your traffic to :8080 - that's it.Most AI-built apps ship with critical holes
Independent audits of apps built with Lovable, Bolt, Cursor, Replit and v0 keep finding the same thing: security is skipped by default. These are the numbers Silker exists to fix.
of audited AI-built apps had at least one vulnerability
shipped with the database left open - anyone could read every record
of Lovable apps exposed an API key directly in the browser
auth tokens + 35k emails leaked from one app within days of launch
These aren't edge cases - they're the default output of AI coding tools. Silker is the runtime layer that blocks these attacks live, instead of just emailing you a report after the breach.
Numbers, not promises.
Verified against Silker's own proxy instrumentation and coverage matrix — not industry estimates.
proxy latency overhead p99 — real-time inspection, no user-visible lag
lines of application code changed — drop in a Docker proxy or paste a script tag
to full runtime protection — Docker reverse proxy, zero code changes
of requests inspected — every inbound payload and every outbound response, in real time
These are Silker's own production metrics — not vendor benchmarks. See how we measure →
Ship secure AI apps
Install in one line of code. Catch prompt injection and data leaks before your users do - with less than 10ms added latency.