Arcjet Launches: Wasm-Powered Security for Modern Developers
Arcjet, a San Francisco startup offering an innovative security SDK for developers to protect applications in production, launched today.
Arcjet’s novel approach involves embedding a WebAssembly (Wasm) module in its SDK, allowing for local analysis of incoming requests at near-native speed.
The Wasm module is compiled from Rust and provides a secure sandbox for analysis, which is cross-platform and will be extended to other languages beyond JavaScript, David Mytton, founder of Arcjet, told The New Stack.
Where Wasm isn’t available, Arcjet falls back to its real-time API. This is a gRPC API deployed in the closest cloud region to your app, but it also calls the exact same Wasm module, Mytton said.
“This solves the problem of language-level implementation differences and allows us to use Go for the API — it’s the best for gRPC,” he said. “This gives us the same guarantees as server side —sandbox performance and exactly the same result as if it were executed in the developer’s environment.” The company aims for a 20ms response time service-level agreement for its API.
“Without Wasm we’d have to write that security analysis code from scratch for each language we wanted to support,” Mytton said. “Instead, we can write it once [in Rust] and then compile it to Wasm.
“This saves a lot of time but also means we can inherit the properties of Wasm everywhere, in particular native performance and the security sandbox. Otherwise, we’d have to figure those out in every environment as well.”
Developer Velocity and Security
Arcjet’s differentiation is its close integration with applications, allowing developers to design tailored security rules.
“As developers are building more apps with AI and deploying them faster thanks to platforms like Vercel and Fly.io, just throwing a firewall in front of your app is no longer sufficient,” Mytton said. “Network-level solutions lack the context needed to distinguish anonymous abuse versus traffic actually coming from your largest customer. Getting it wrong is expensive, especially with the cost of AI inference.”
Arcjet offers native security solutions for modern platforms like Next.js, Node.js, Bun, SvelteKit, Fly.io, Netlify and Vercel.
However, Arcjet is a server-side solution. “JavaScript frameworks like Next.js allow you to write all your backend code in JavaScript and connect it to the frontend, but everything Arcjet does is server side,” Mytton said. “The other languages we’re going to support are all server-side as well: Python next, then Ruby, PHP and Go.”
Arcjet chose Rust for its WebAssembly capabilities and efficiency, particularly in avoiding the need to bundle a garbage collector.
Moreover, Mytton added, “most discussion about Wasm is client side in the browser, but I think this cross-platform server-side use case is more interesting.”.
A side benefit is that the same Arcjet code that runs in production and can also run on the developer laptop or in staging, so you can actually run tests against your security rules.
Few Lines of Code
The product allows developers to implement security measures with a few lines of code, integrating directly into their application.
“Arcjet has helped us easily invest in the security and efficiency of our platform,” Chris Ellis, co-founder and CEO of Thatch, a beta user of Arcjet, told The New Stack.
“Unlike a separate security service that gives us little visibility into its impact on our system, Arcjet gives us rich application-level insights at runtime that help us build security automations in critical parts of our application, from sales to customer onboarding.”
Arcjet differentiates itself from competitors like Cloudflare by integrating security directly into the application code, allowing for context-aware protection.
“Arcjet’s approach focuses on context-aware security that can dynamically adjust based on factors like user authentication, pricing plans and IP reputation,” Zane Lackey, general partner at Andreessen Horowitz, which has invested in the company, told The New Stack.
“Arcjet’s technology represents a significant leap forward compared to previous security solutions. By integrating directly with modern frameworks and platforms, it delivers a vastly improved developer experience — a critical element that has long been missing from traditional security tools.”
Better Than Shifting Left?
The company is seeing interest from customers looking to use the Arcjet tool in attack detection and bot protection, especially for AI applications where each request has a direct cost.
“We’ve been able to use Arcjet to give our sales team better signals on the validity of a lead, and we’re working on integrating Arcjet into our demo intake form, enabling us to create a low-friction sales intake form that’s protected from bots and spam,” Ellis said.
“Integrating with Arcjet was also very straightforward, given their plug-and-play and well-documented SDK. We were up and running in a couple of days.”
Arcjet aims to make security more accessible to developers, as opposed to the “shift left” approach, Mytton said.
“DevSecOps just hasn’t really worked,” he said.
