Stillsuit

Multi-mode firewall. One engine.

Stillsuit NGFW delivers packet filter, stateful inspection, NGFW with App-ID and DPI, Layer 7 WAF, and signature-based IPS — all driven by one rule engine, deployed as code, observed through the platform.

Five rule shapes. One engine.

Packet Filter

L3/L4 stateless 5-tuple rules for the fast path. CIDR-based src/dst, TCP/UDP/ICMP, zone-aware, logged or dropped with low-latency policy evaluation built for high-throughput environments.

Stateful Firewall

Connection tracking with a full TCP state machine: NEW, ESTABLISHED, RELATED, INVALID, and CLOSING. Configurable idle timeouts and per-source connection limits prevent resource exhaustion.

NGFW with App-ID

Deep packet inspection and application identification across encrypted and plaintext traffic. Risky-app categorization lets you write policy against application intent, not just port numbers.

Layer 7 WAF

OWASP CRS 4.x subset, Sandworm-managed rulesets, bot fingerprints, and virtual patches for emerging CVEs. Custom rules use Sandworm Rule Expression v1 and ship through the same CI pipeline as your application code.

Signature-based IPS

Suricata-format signature imports with per-signature severity tuning. Alert or block actions per rule; false-positive suppressions scoped by source CIDR or destination asset tag.

A real Stillsuit policy. Code-reviewable. Version-controlled. Deployable from CI.

```yaml
# stillsuit/policies/prod-web.yaml
name: prod-web-tier
match:
  zone: prod
  port: [80, 443]
rules:
  - name: block-sql-injection-patterns
    action: block
    when:
      http.path.contains: ["'", "OR 1=1", "-- "]
  - name: allow-health-checks
    action: allow
    when:
      http.path: /healthz
      source.cidr: 10.0.0.0/8
```
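To see how a policy in this shape is actually evaluated, here is a toy evaluator for the prod-web.yaml above; it is an added example, not Sandworm's engine, and it assumes semantics the page does not state: first matching rule wins, `http.path.contains` means "any listed substring", and a request outside the policy's zone/port `match:` is not evaluated at all.

```python
"""Toy evaluator for the Stillsuit-style policy shown above (added example, not
Sandworm's engine). Assumed semantics the page does not state: first matching
rule wins, `http.path.contains` means "any listed substring", and a request
outside the policy's zone/port `match:` is not evaluated at all (returns None)."""
import ipaddress

# The prod-web.yaml policy from the page, transcribed to a dict so the example
# runs without a YAML library.
POLICY = {
    "name": "prod-web-tier",
    "match": {"zone": "prod", "port": [80, 443]},
    "rules": [
        {"name": "block-sql-injection-patterns", "action": "block",
         "when": {"http.path.contains": ["'", "OR 1=1", "-- "]}},
        {"name": "allow-health-checks", "action": "allow",
         "when": {"http.path": "/healthz", "source.cidr": "10.0.0.0/8"}},
    ],
}

def condition_holds(key, expected, req):
    """Evaluate one `when:` key against a request dict {zone, port, src, path}."""
    if key == "http.path.contains":
        return any(needle in req["path"] for needle in expected)
    if key == "http.path":
        return req["path"] == expected
    if key == "source.cidr":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(expected)
    raise ValueError(f"unsupported condition key: {key}")

def evaluate(policy, req):
    """Return (action, rule_name) for the first rule whose conditions all hold.

    None means the request is outside the policy's `match:` scope; ("default", None)
    means no rule matched (the page does not state the default action).
    """
    scope = policy["match"]
    if req["zone"] != scope["zone"] or req["port"] not in scope["port"]:
        return None
    for rule in policy["rules"]:
        if all(condition_holds(k, v, req) for k, v in rule["when"].items()):
            return rule["action"], rule["name"]
    return "default", None

if __name__ == "__main__":
    # Constructed sample traffic; rule order matters: a health check whose path
    # carries a quote is blocked by the SQLi rule before the allow rule is reached.
    for req in ({"zone": "prod", "port": 443, "src": "10.1.2.3", "path": "/healthz"},
                {"zone": "prod", "port": 80, "src": "203.0.113.7", "path": "/login?u=' OR 1=1 -- "},
                {"zone": "prod", "port": 443, "src": "10.1.2.3", "path": "/healthz'"}):
        print(req["path"], "->", evaluate(POLICY, req))
```

The third sample shows why rule order needs review in a policy like this: the substring rule fires before the more specific allow rule gets a chance.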

How Stillsuit works

  1. Policy as code

     Write firewall and WAF policy in YAML. Rules are version-controlled, code-reviewed, and applied via the Sandworm CLI or a CI step — not a click-through UI that leaves no audit trail.

  2. Inline or mirrored deployment

     Deploy Stillsuit inline (L2 bump-in-the-wire) for active blocking, or in mirrored/monitor mode to evaluate new signatures before enforcement. Deployment mode is a per-zone flag, not a rebuild.

  3. TLS termination and DPI

     For zones where TLS inspection is enabled, Stillsuit terminates the session, applies App-ID and WAF rules against plaintext, then re-encrypts before forwarding. Inspection is logged as an attestation event visible in the trust portal.

  4. Events flow to the platform

     Every allow, block, WAF hit, and IPS alert is emitted as an OCSF-formatted event and ingested by the Sandworm platform. Truthsayer triage, investigation correlation, and compliance evidence all consume the same stream.

Built for teams that need defense at the perimeter and the application layer

Web-facing services that carry PCI or HIPAA scope

Stillsuit logs every WAF event and firewall decision as structured evidence. PCI DSS Requirement 1.3 segmentation and Requirement 6.4 web-application protection come from the same engine.

Platform teams who manage policy as infrastructure

WAF rules and IPS signatures live in the same repository as your Terraform. Pull-request reviews and CI validation apply before any rule touches production traffic.

Security teams replacing a point WAF appliance

Stillsuit is a service, not a box. There is no appliance lifecycle to manage. WAF, IPS, and NGFW capability ship in one deployment and stay current through signature feed subscriptions.

SOC analysts correlating network and application events

Because Stillsuit emits OCSF events into the same platform as endpoint and identity signals, analysts see firewall blocks and WAF hits alongside the rest of the incident timeline — no pivot to a separate console.

Integrations

  • Inline/L2 deployment
  • BGP
  • syslog
  • threat-intel feeds

Frequently asked questions

How is Stillsuit deployed — does it require dedicated hardware?

No dedicated hardware is required. Stillsuit runs as a software service and supports inline L2 (bump-in-the-wire), routed L3, and traffic-mirroring deployment modes. It can run on commodity x86 servers, cloud instances, or as a containerized workload. Deployment mode is configured per zone in the policy file.

Does TLS inspection store decrypted traffic?

No. Stillsuit terminates TLS in-memory to apply inspection rules, then re-encrypts before forwarding. Decrypted payloads are not persisted to disk or emitted to logs. Only the inspection result — allow, block, or WAF match with the matched rule name — is recorded as an event.

How is Stillsuit priced?

Stillsuit is included in both the Platform and Sovereign bundles. If you need the firewall and WAF without the full platform, standalone add-on pricing is available. See /pricing for current rates — there is no per-rule or per-inspection-event charge.

How does Stillsuit differ from a cloud-native WAF like AWS WAF or Cloudflare?

Cloud-native WAFs are scoped to their own traffic on-ramp. Stillsuit sits inline on your own network perimeter and combines packet-filter, stateful, NGFW App-ID, WAF, and IPS in one rule engine — and all events flow into the Sandworm platform alongside your other security signals. You can also run it in environments where a cloud WAF is not an option, such as on-premises or air-gapped networks.

Are the IPS signatures updated automatically?

Stillsuit pulls from configurable threat-intel feeds on a schedule you control. Sandworm publishes a managed feed of curated Suricata-format signatures. You can also import your own signature bundles or subscribe to third-party feeds via the standard Suricata import path.

What is on the Stillsuit roadmap?

Three capabilities are in the pipeline: DDoS volume-attack mitigation using rate limiting and SYN-cookie defenses at scale; BGP Blackhole (RTBH) integration for upstream null-routing during volumetric attacks; and expanded App-ID fingerprints covering additional encrypted protocols. None of these are generally available yet.


Packet filter · stateful · NGFW · WAF · IPS — one engine.

We'll drop Stillsuit inline on a test environment — live.