FAQ
Frequently asked
questions
Everything you need to know about Silker AI
Silker runs where your app runs. Pick one of three paths: one line with our Node SDK (Next.js, Express), a Cloudflare Worker on your zone, or a Docker proxy in front of any backend. You can also start with a free scan of your live app first - no install required.
Two things a generic WAF misses, plus the basics: prompt injection and jailbreaks on your AI/LLM routes, and sensitive data leaking out (API keys, secrets, PII). On top of that we cover OWASP basics like SQL injection, XSS, path traversal and malicious file uploads, plus rate limiting and bot abuse.
No. Detection runs in-process and adds minimal latency (typically under 10ms per request), and telemetry is sent asynchronously after the response - it never blocks your users. The self-hosted proxy option is a lightweight Node service built on the same detection core as the SDK.
Yes. While Silker AI comes with smart defaults, you can configure custom rules, whitelist trusted IPs, adjust sensitivity levels, and define specific threat response actions through our dashboard. Enterprise plans include dedicated security consultations to tailor rules to your needs.
By default, Silker blocks the malicious request and logs the incident. You receive real-time alerts via Slack, email, or webhook. For some issue types we surface a concrete fix suggestion - you stay in control of what gets applied. All actions are configurable based on threat severity.
Detection runs in your own runtime or edge, so your traffic doesn't pass through our servers. Request payloads aren't stored unless you explicitly enable forensics. Metadata (threat logs, analytics) is encrypted, and PII is redacted before anything is logged. We're built with GDPR in mind; SOC 2 Type II is in progress and not yet certified - we'll say so until it is.
The proxy works with any web application regardless of language or framework. Deploy via Docker, Kubernetes, or Cloudflare Workers. Your app can be Node.js, Python, Go, Java, PHP, Ruby, or anything else. We protect the traffic; we don't need to know your stack.
Yes. Your app stays on Vercel. Run the Silker proxy on Railway, Fly.io, or Render (one Docker container). Set SILKER_TARGET to your Vercel URL (e.g. https://your-app.vercel.app). Point your custom domain to the proxy instead of Vercel. Traffic flows: user → proxy → your Vercel app. No code changes to your Vercel project.
Yes! Our Starter plan is free forever for small projects (up to 10K requests/month). It includes real-time threat detection and basic auto-fixes. No credit card required. Upgrade to Pro or Enterprise anytime for advanced features and higher limits.
Pro is $39/month (or $31/month annually) and covers multiple apps. Business adds more apps and team features. Enterprise offers unlimited apps with custom pricing based on your total request volume and support needs. Contact us for a tailored quote. During beta you get 50% off your first 3 months.
Starter includes community support (documentation, email). Pro gets priority email support with a 24-hour response target. Enterprise adds a dedicated channel and hands-on security guidance for incident response and compliance.
Runtime application security (also called RASP - Runtime Application Self-Protection) means protecting a web application while it is actually running and serving traffic, rather than scanning it for vulnerabilities before or after deployment. A runtime security layer sits in the request path and inspects each request and response in real time, blocking attacks the moment they happen. Silker AI implements this as a drop-in reverse proxy or SDK - no code changes required.
A WAF (Web Application Firewall) sits at the network edge and filters traffic based on signatures and IP reputation before it reaches your app. Runtime application security (RASP) runs inside your application's execution environment and has full context about what the code is actually doing - making it effective against attacks that bypass WAF rules, such as prompt injection on AI routes, business-logic abuse, and sensitive data leaking in responses. Silker combines both approaches: edge filtering plus in-runtime inspection.
AI-generated code often skips authentication, exposes API keys in client bundles, and ships with Row-Level Security disabled on databases. Silker AI's reverse proxy protects any web app without requiring you to change the code - you point your domain at the Silker proxy and it inspects all traffic. It blocks SQL injection, XSS, prompt injection and detects secrets or PII leaking in API responses, making it a practical first security layer for apps built with Lovable, Bolt, Cursor, or any AI coding tool.
Still have questions?
Our team is here to help. Reach out and we'll get back to you within 24 hours.
Contact Support