Introducing: open-appsec Machine-Learning-Driven WAF for Kong Gateway – Featuring a New, Flexible Lua-Based Plugin (Beta)
- Christopher Lutat
- 3 days ago
- 6 min read

Introduction
In this blog, we’re excited to introduce the new, significantly improved open-appsec WAF integration for Kong Gateway — the machine-learning-driven Web Application Firewall — delivered through a high-performance, Lua-based plugin.
By combining Kong Gateway’s robust API traffic management capabilities with open-appsec’s strong AI-powered, zero-day-resilient security, this integration brings adaptive, low-maintenance, highly effective threat prevention directly to the API gateway layer.
You’ll learn how this solution works, why it’s a smarter alternative to traditional rule-based WAF solutions, and how it is deployed across Linux, Docker, and Kubernetes environments. Whether you prefer declarative configs or centralized web UI management, this blog covers everything you need to get started with adding ML-based API and web application security to the web APIs, apps and services you publish through Kong.
Kong Gateway
Kong Gateway is a high-performance, open-source API gateway designed to manage, secure, and scale APIs and microservices. Built for modern architectures, Kong acts as a central traffic control layer that enables features like authentication, rate limiting, logging, traffic routing, and observability. With its lightweight, extensible design and plugin architecture, Kong Gateway is widely used in cloud-native environments to simplify API management and enforce consistent policies across distributed systems.
open-appsec WAF
open-appsec is an open-source, machine-learning-based Web Application Firewall (WAF) designed to provide preemptive, adaptive protection against both known and zero-day web threats.
Unlike traditional WAFs that rely heavily on static signatures or manual tuning, open-appsec uses behavioral models and context-aware ML to detect and block malicious activity in real time. This reduces false positives, minimizes the need for constant updates, and keeps security coverage robust even as the threat landscape evolves. Key benefits include high detection accuracy, reduced administrative overhead, and the ability to protect modern, dynamic applications without complex rule sets.
Did you know? open-appsec is the only known WAF solution that has provided preemptive protection against all of the following recent, critical web attacks: Log4Shell, Spring4Shell, Text4Shell, MOVEit, and the generic WAF bypass found by Claroty Team82.
Learn more about open-appsec’s security effectiveness in this WAF comparison:
open-appsec offers a free Community edition as well as Premium and Enterprise editions that add further security features, higher scalability and support. In addition to its unique, highly effective WAF engine, open-appsec also includes several more security engines (some of them require the Premium edition; a full feature list and edition comparison is available at https://www.openappsec.io/pricing). Additionally available security capabilities include:
Snort 3.0 signature support
Geo Blocking
AntiBot
File Upload Security
Rate Limiting
API Schema Discovery and Enforcement
IPS
Learn more about open-appsec’s contextual machine learning WAF technology:
Smarter, AI-Based Security for Kong Gateway with open-appsec
Integrating open-appsec WAF with Kong Gateway through the new Lua-based plugin enables seamless, efficient protection for your exposed web applications and APIs directly at the API gateway layer against zero-day attacks, OWASP-Top-10 attacks and more. Both Kong Editions are supported for this integration: Kong Gateway Enterprise (commercial version) as well as Kong Gateway OSS (open-source edition).
Developed in full alignment with Kong’s official plugin development guidelines, the Lua plugin ensures a native and reliable integration that fits smoothly into existing Kong environments on all common platforms. This approach offers flexible control over where and how the WAF is applied to traffic — whether on specific routes, services, or across the entire gateway. Additionally, the Lua-based integration makes deployment simple and adaptable, allowing organizations to add advanced, ML-based security to their current Kong Gateway setups with minimal configuration effort. If you are currently using open-appsec with our traditional Kong integration, we recommend stepping up to this new and improved, more native integration with Kong Gateway and the Kong ecosystem (e.g. Kong Konnect). It offers significantly greater flexibility in deployment and configuration.
Deployment Options
open-appsec can be flexibly and seamlessly integrated with Kong Gateway across all common deployment environments — including Linux, Docker, and Kubernetes. Whether you're running Kong in a traditional VM setup or orchestrating services in a containerized or cloud-native environment, deploying open-appsec alongside Kong is straightforward and well-documented.
Linux
On Linux, the new open-appsec WAF plugin for Kong is available in the LuaRocks repository. Use the luarocks install command to install the open-appsec-waf-kong-plugin from LuaRocks (Kong open-appsec WAF Attachment Plugin - LuaRocks). Once installed, it can be loaded and activated like any official Kong plugin, using Kong’s standard plugin activation and configuration mechanisms. To enable open-appsec's ML-based security inspection, you also need to install the open-appsec agent on the same system using the open-appsec-install tool. This agent runs the contextual machine learning engine and performs the actual analysis and decision-making: it receives traffic from the “open-appsec attachment” Lua plugin for inspection and returns security verdicts to the plugin in real time.
For detailed, step-by-step installation instructions see:
Docker
For Docker-based environments, open-appsec provides a ready-to-use Docker Compose file that deploys both Kong Gateway and the open-appsec agent. The Kong container used in the deployment is based on the official Kong image, enhanced to already include the Lua-based open-appsec WAF attachment plugin. This allows traffic to be intercepted and inspected by the separate open-appsec agent container, which then returns real-time security decisions. Alternatively, you can build your own enhanced Kong container from the official image and add the open-appsec-waf-kong-plugin using luarocks install.
For detailed, step-by-step installation instructions see:
Kubernetes
In Kubernetes environments, deploying open-appsec with Kong is simple and scalable. Use a Kong container image that includes the open-appsec-waf-kong-plugin; this container is provided directly by the open-appsec project, or you can build it manually.
When deploying the Kong Helm chart, adjust the values to use the enhanced Kong image that already contains the open-appsec attachment plugin, and adjust your Kong configuration to load and activate this plugin. To deploy the required open-appsec components, such as the open-appsec agent container that performs the actual ML-based security inspection, deploy the additional open-appsec Helm chart. This chart installs the necessary container(s) and uses Kubernetes’ mutating webhook mechanism to automatically inject the open-appsec agent into your existing Kong deployment (specifically, it adds the agent as a sidecar to the pod already running your Kong proxy container). You only have to add a label to the existing Kong “target” namespace and deployment, then perform a rollout restart for the changes to be applied.
For detailed, step-by-step installation instructions see:
Configuration Management Options
open-appsec attachment plugin for Kong
This new Lua-plugin-based integration of open-appsec with Kong Gateway supports all the regular options for managing your Kong Gateway and for activating and applying the open-appsec plugin: declaratively (DB-less), using a database for the Kong configuration, or using Kong’s optional, central, SaaS-based management service Kong Konnect. For Kong Konnect a plugin schema is available that allows you to activate and configure the open-appsec-waf-kong-plugin centrally from the Kong Konnect web UI and apply open-appsec inspection to your routes, services, etc.; see also Using Kong Konnect (Kong only).
The new native Kong plugin for open-appsec provides great flexibility: you can apply open-appsec’s preemptive WAF protection globally, per service, per route, per consumer, and more.
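As an added illustration (not configuration from the original post or from the open-appsec project), here is a DB-less Kong declarative file that applies the plugin on one constructed route only, with a gateway-wide alternative commented out. It assumes the plugin name registered in Kong equals the LuaRocks package name and that the plugin needs no mandatory config fields; check the plugin’s schema for your version.

```yaml
# kong.yml - DB-less declarative config (added example, constructed values)
# Prerequisite: the plugin must be loaded before it can be applied, e.g. in kong.conf
#   plugins = bundled,open-appsec-waf-kong-plugin
# or via the environment variable KONG_PLUGINS=bundled,open-appsec-waf-kong-plugin
# (plugin name assumed to match the LuaRocks package name)
_format_version: "3.0"

services:
  - name: orders-api                      # constructed sample upstream
    url: http://orders.internal:8080
    routes:
      - name: orders-public
        paths:
          - /orders
        plugins:
          # Route-level scope: only requests matching /orders are handed to
          # the open-appsec agent for inspection; other routes are untouched.
          - name: open-appsec-waf-kong-plugin
      - name: orders-health
        paths:
          - /healthz                      # not inspected in this layout

# Gateway-wide scope instead: uncomment to inspect every route on every
# service. Applying the plugin once globally is the simpler choice when
# all published APIs should be covered.
#plugins:
#  - name: open-appsec-waf-kong-plugin
```

Load it with the usual DB-less mechanism (declarative_config in kong.conf or the /config endpoint), then confirm with the Admin API that the plugin appears on the intended route.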
open-appsec
For managing open-appsec in terms of monitoring, configuring, analyzing security events and reporting, you can choose among three different options aligned with your specific requirements:
Central Management
open-appsec provides a central management web UI (https://my.openappsec.io) that allows you to configure open-appsec, monitor your deployments, analyze security events with flexible dashboards and log views, and create reports.
Find some web UI example screenshots below:



Local, Declarative Management
open-appsec can be managed declaratively on all platforms, using CRDs (Kubernetes) or a declarative YAML-based configuration file (Linux and Docker), which lets you integrate the configuration (and also the deployment) of open-appsec into modern, cloud-native GitOps CD flows. Find below a partial example of a declarative open-appsec policy as it could be used with open-appsec Linux or Docker deployments; for K8s the declarative configuration is based on custom resources.
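As an added example (not the snippet from the original post or the project’s own sample), here is a minimal local policy file for a Linux or Docker deployment that keeps the default policy in detect-learn and switches one constructed host to prevent-learn, logging events to stdout as JSON. Key names follow the open-appsec v1beta1 local policy schema as understood here and the host name is constructed; verify the keys against the project documentation for your version.

```yaml
# local_policy.yaml (added example; host constructed, keys per the
# open-appsec v1beta1 local policy schema - verify against the docs)
policies:
  default:
    # Learn the applications first: log what would be blocked, block nothing.
    mode: detect-learn
    practices:
      - webapp-default-practice
    triggers:
      - appsec-default-log-trigger
    custom-response: appsec-default-web-user-response
  specific-rules:
    # Once the model has learned the traffic of this host, enforce for it.
    - host: "orders.example.com"
      mode: prevent-learn
      practices:
        - webapp-default-practice
      triggers:
        - appsec-default-log-trigger
      custom-response: appsec-default-web-user-response

practices:
  - name: webapp-default-practice
    web-attacks:
      # as-top-level inherits the mode of the policy rule using this practice
      override-mode: as-top-level
      minimum-confidence: high
      max-body-size-kb: 1000000
      max-url-size-bytes: 32768

log-triggers:
  - name: appsec-default-log-trigger
    appsec-logging:
      detect-events: true
      prevent-events: true
      all-web-requests: false
    log-destination:
      stdout:
        format: json

custom-responses:
  - name: appsec-default-web-user-response
    mode: response-code-only
    http-response-code: 403
```

Promote a host from detect-learn to prevent-learn only after reviewing its detect events, since the learning phase is what keeps false positives low once blocking is on.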

Best of both worlds
You can even connect locally, declaratively managed deployments to open-appsec’s central management web UI in a special mode, allowing you to benefit from central monitoring, security event analysis and reporting, and even to see the local configuration in read-only mode in the central web UI, while still managing everything in full “GitOps style”.
Conclusion
Smarter, AI-based WAF Security at the Kong Gateway Layer
By integrating open-appsec’s machine learning–driven WAF directly into Kong Gateway via a native Lua plugin, organizations can now achieve powerful, adaptive protection against both known and emerging threats — right at the API gateway. This approach offers high detection accuracy, minimal false positives, and the flexibility to fit seamlessly into any deployment model, with support for Linux, Docker, and Kubernetes.
Whether you prefer centralized management or a declarative GitOps workflow, the open-appsec WAF plugin empowers you to enforce modern security policies with ease and efficiency. If you're already using Kong Gateway, adding open-appsec’s intelligent WAF is a simple but significant step toward securing your API infrastructure against today’s fast-evolving threat landscape.
More information is available here:
open-appsec WAF:
Website: https://www.openappsec.io
GitHub: https://github.com/openappsec
Playground: https://www.openappsec.io/playground
Whitepaper: https://www.openappsec.io/whitepaper
Lua Plugin: https://luarocks.org/modules/openappsec/open-appsec-waf-kong-plugin
Kong Gateway:
GitHub: https://github.com/kong/kong