Announcing Arcjet’s local AI security model, an opt-in AI security layer that runs expert security analysis for every request entirely in your environment, alongside our Series A funding.
Tl;dr: Today we’re announcing Arcjet’s local AI security model, an opt-in AI security layer that runs expert security analysis for every request entirely in your environment, alongside our Series A funding.
Arcjet is now used by more than 1,000 developers across more than 500 production applications integrating in-code protections from malicious bots, web scrapers, signup form spam attacks, and fake accounts. This funding will accelerate our mission to make embedded in-code protection the default for modern applications.
When developers are building, they’re thinking about outcomes: shipping features, unblocking PCI audits, stopping abuse. Developers are not shopping for WAFs, they’re solving concrete problems like bots hammering a signup form or spam polluting analytics. That’s why Arcjet is designed for developers: drop the SDK into your routes, test locally, and make security decisions with application context.
Legacy network-edge tools see packets, not users or business logic. Real context lives in code where decisions can be made with full application awareness. Running detection locally means millisecond decisions with first-party context and privacy by default.
Accurate detection is the hardest part of security. Too strict and you frustrate users with too many false positives. Not strict enough and you miss potential attacks. Purely rule-based and you fall behind, but pure AI can be flaky.
So I’m excited to announce Arcjet’s first AI security model as an opt-in package alongside our SDK. It’s designed to run locally within your request handlers as an additional layer of a defense in depth strategy, improving security analysis accuracy so developers can ship faster with confidence.
Arcjet’s AI model combines deterministic rules with learned signals to analyze each request and return a refined recommendation you can act on, in code. Traditional WAFs match patterns. Arcjet evaluates context (user behavior, app state, and business logic) for more accurate detection.
The model is shipped as a separate package that you install into your application dependencies alongside the existing Arcjet SDK. It bundles an AI model trained on a variety of signals collected across the Arcjet platform.
When triggered following a call to aj.protect() the model runs inference locally to analyze the metadata associated with each request received by your application. This context is combined with the results of your existing Arcjet rules and historical patterns to produce a “refined” security decision.
Using the AI model reduces false positives and is designed to be used to improve the security for particularly sensitive transactions, such as during shopping checkout or account signup. You can inspect the results of each of your rules in-code, as well as the AI recommendation, to decide how to handle the request e.g. allow, deny, or take some other action specific to your application.
Arcjet’s AI model is opt-in and runs locally:
npm install @arcjet/intelligenceIn this example, the model will run alongside bot detection and Shield WAF rules in this form POST handler for Next.js:
import arcjet, { detectBot, shield } from "@arcjet/next";
import { refine } from "@arcjet/intelligence";
import { type NextRequest, NextResponse } from "next/server";
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
detectBot({
mode: "LIVE", // use "DRY_RUN" to log only
allow: ["CATEGORY:SEARCH_ENGINE"], // block bots except search engines
}),
shield({ mode: "LIVE" }),
],
});
export async function POST(req: NextRequest) {
// Run determinstic rules
const decision = await aj.protect(request);
// Use the Arcjet AI model as an additional security layer
const aiDecision = await refine(decision);
// The AI decision reduces false positives so if it recommends
// denying, we accept that decision
if (aiDecision.isDenied()) {
return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
}
// You can also access the full Arcjet decision reasoning
// to customize the form logic e.g. checking location
if (decision.ip.hasCountry() && decision.ip.country === "US") {
// Return a custom response for the United States
}
// Your form logic here
return NextResponse.json({
ok: true,
});
}Because protection lives in your code, you decide where to apply enhanced checks, such as authentication, payments, and high-value APIs, without shipping sensitive data to a third party.
Arcjet’s AI model builds on our existing suite of developer-friendly security features, including bot detection, rate limiting, email validation, sensitive information detection, and Shield WAF protection against OWASP Top 10 attacks, creating a comprehensive security platform that ships with your code.
Arcjet is available now for JS applications using Node.js, Bun, or Deno runtimes, as well as Astro, Next.js, Remix, SvelteKit, Tanstack Start, Fastify, and NestJS frameworks.
The new AI model is in early testing and will be generally available soon. Sign up below for early access.
Today I’m also excited to announce we’ve raised $8.3M in Series A funding, led by Plural and Ott Kaukver, former CTO of Twilio and Checkout.com. Existing investors Andreessen Horowitz and Seedcamp participated alongside new strategic angels including Jeff Lawson (former CEO, Twilio), Feross Aboukhadijeh (CEO, Socket), and Micah Smurthwaite (former Head of EMEA Sales, Cloudflare).
Arcjet’s approach is resonating with teams in high-stakes environments. More than 1,000 developers across AI and e-commerce are using Arcjet to protect 500+ production applications processing millions of requests daily. One customer reduced serverless cloud costs by 66% by blocking scraping at the application layer. Another was able to rapidly secure a new finance platform against common attacks, completing a security audit ahead of a crucial launch deadline.
We built Arcjet to make security a native part of the development process with minimal overhead and APIs that feel familiar. This funding will accelerate our mission to make embedded in-code protection the default for modern applications.
Start using Arcjet for free - sign up now.
Questions? Feel free to reach out.
Native security for Next.js, Node.js, Bun, SvelteKit, Vercel, Netlify, Fly.io and other modern platforms. Announcing our seed funding led by Andreessen Horowitz.
Get the full posts by email every week.