Arcjet’s 2025: Shipping the Security Developers Actually Use

2025 was a defining year for Arcjet. We made deliberate progress across product, platform, and company, translating a clear focus into meaningful results. Over the course of the year, we delivered substantial improvements to the Arcjet platform, sharpened our point of view on modern application security, and reached important milestones as more teams began relying on Arcjet in production.

This post looks back on the decisions we made, the problems we chose to prioritize, and the principles that guided how we built throughout the year. It reflects how Arcjet evolved in 2025 and how that progress sets the foundation for what comes next.

Company News, Culture, and Milestones

This year, we shared several updates that reflect how Arcjet is growing as a company, how we work together, and the principles that guide our decisions beyond the product itself. This year, Arcjet: 

• Opened its first physical office in New York City’s Flatiron district. The space gives our remote-first team a shared home base for collaboration, planning, and spending time together in person. 
• Introduced a local AI security model that brings expert threat analysis directly into application code, and shared how Arcjet approaches open source by maintaining a small set of projects we actively use and support, and by being clear about what we open source and why. 
• Closed a $8.3 million Series A funding round. This investment supports product development and reflects strong adoption of Arcjet’s developer-first security approach by teams building modern applications. 
• Shared how Arcjet runs the company like an open source project, using transparent workflows, public-by-default docs, and early feedback to help a remote-first team collaborate and move quickly.
• Published our perspective on why unlimited PTO often fails in practice, reinforcing our decision to use a more structured time-off model with clearer expectations and real flexibility.
• Ended 2025 with nearly 1,000 production deployments of Arcjet, up from 500 when we announced our Series A in October.

These milestones reflect our focus on building a company with clear values, intentional growth, and a working environment that supports both the developers who use Arcjet and the team building it.

Product Releases and Platform Updates

This year, our product work focused on reducing friction for developers integrating Arcjet into real production environments, while expanding the kinds of applications and platforms we can protect. These updates were driven by direct feedback from teams running Arcjet in production and aimed at making strong security easier to apply by default.

• Expanded framework support with new Fastify, Nuxt, Astro, and React Router SDKs so developers can integrate strong, in-code security directly into these applications with minimal setup and secure defaults.
• Introduced Filters to let developers quickly enforce access rules like allow or deny based on HTTP headers, IP addresses, and other request fields directly in application code. 
• Added support for detecting real client IP addresses in Firebase deployments by using a custom header that Firebase provides, so applications using Arcjet on Firebase can power accurate bot detection, rate limiting, and other security features without extra configuration.

These changes make it simpler to apply consistent security across frameworks and deployment environments while keeping control in application code. As always, the goal is to help teams ship faster without having to compromise on protection or add unnecessary complexity to your stack.

AI Traffic, Bots, and Web Security Trends

We also published several pieces exploring how AI-driven traffic and automation are changing the shape of the web, and what those shifts mean for developers responsible for protecting production applications.

• Explained why identifying AI agents requires moving beyond simple user-agent strings, and how HTTP message signatures can help servers verify automated traffic with higher confidence.
• Examined how changes like Google’s AI Overviews could reshape the web’s traffic economy, and why site owners may need more granular control over crawlers, indexing behavior, and automated access.
• Broke down practical bot detection techniques for developers, including layered approaches that combine user-agent verification, fingerprinting, and rate limiting to defend against malicious automation.

These discussions reflect a broader shift toward treating automated traffic as a first-class concern in application security, and give you a clearer framework for understanding, measuring, and controlling how bots and AI agents interact with your systems. We also built them into the Arcjet product as we continue to evolve our detection methods.

Looking ahead

By the end of 2025, Arcjet was shipping faster, supporting more production workloads, and operating with clearer convictions about what application security should look like in practice.

Going into 2026, we’ll expand our foundations from JS into other ecosystems (starting with Python), graduate the JS SDK to 1.0.0, make our local AI model available to all, and continue to push developers to think about security as a feature.

Thanks to everyone who built with Arcjet, shared feedback, and trusted the platform in production.