Scenarios
No generic feature tour. Each scenario is a named problem with stakes — and the real, copy-pasteable YAML that solves it, plus a schematic of exactly what happens on the wire. Nobody fakes a working Cedar policy or a post-quantum handshake.
A bank exposes APIs publicly. An adversary records the TLS today to crack it once quantum lands. Post-quantum key exchange makes every recorded session quantum-safe.
Read the scenario →Partner APIs on a hostile network. Every call must prove who (mTLS / SPIFFE) and what it may do (Cedar) — deny-by-default, evaluated in-process.
Read the scenario →A regulated app needs a WAF for PCI-DSS 6.4.1 — without an appliance or a cloud-WAF bill. Coraza + the OWASP CRS run inside the ingress, in a memory-safe sandbox.
Read the scenario →Schrems II / GDPR require TLS termination and processing inside EU jurisdiction — even when backends run elsewhere. An EU edge terminates; origins dial out over a tunnel.
Read the scenario →Government procurement needs FIPS 140-3, memory safety, and a verifiable supply chain. FIPS crypto, 100% safe Rust, and signed + attested images check boxes a C/C++ proxy can't.
Read the scenario →
gRPC is method-level RPC over HTTP/2. Native GRPCRoute routes by service and method, splits
traffic per method, and keeps HTTP/2 and grpc-status trailers intact end to end.
AKS caps a node NIC at ~300 Load Balancer rules, and per-Gateway implementations burn through it. One shared data plane behind a single Load Balancer serves N Gateways and thousands of routes in ~2 rules.
Read the scenario →Next in the pipeline: fully zero-inbound tunnel deployments behind NAT, and the cost case against per-request cloud-WAF and load-balancer pricing.
In progressEach scenario above runs on the same single binary — no add-ons, no per-feature licensing. Free for one production cluster; Enterprise €5,000/year for unlimited clusters, support & SLA.