Intelligent Security Proxy

Constable

Every request must answer to it.

Constable runs every inbound request through a 25-stage gauntlet — admission, IP reputation, botnet detection, CVE-mapped rules, adaptive scoring — dropping threats at the exact layer that catches them. Clean traffic reaches your origin; the response is then inspected, rewritten, header-hardened, and returned to the client. Written in Go.

CONSTABLE ▸ REQUEST PIPELINE
INBOUND · req-id · TLS · HTTPS IN
Worker slot · pool → 503
Rate limit · per-IP → 429
IP block list → BLOCK
GeoIP filter → BLOCK
Botnet · IP reputation → BLOCK
Botnet · behavioral → BLOCK
Botnet · UA fingerprint → BLOCK
Conditional rules → BLOCK
Authentication → 401
HTTP method → 405
Header limits → 431
URL + header rules → BLOCK
CVE · URL + headers → CVE
Per-path rules → BLOCK
Read body · max_bytes → 413
Body rules → 408
CVE · request body → CVE
Adaptive scoring · shadow → LOG
Select upstream → ROUTE
Forward to upstream
ORIGIN UPSTREAM · response received ↩ 200
Passive stack fingerprint + body → SCAN
Response rewrites → REWRITE
Security headers + strip → +HDRS
Record · adaptive windows → LEARN
RETURN TO CLIENT 200

25 Inspection Stages Per Request
<1s Live Config Reload — No Restart
2+ Live IP Threat Feed Integrations
0 Downtime Required to Block

What Is Constable

A single hardened chokepoint between the public internet and your application.

Constable doesn't rely on a single defense. Every layer is independent, stackable, and tunable — so no attacker slips through a gap between them. Each inbound request runs the full ordered gauntlet and is dropped at the first layer that flags it. Only clean traffic ever reaches your origin, and every response makes the return trip back through Constable for inspection and hardening.

Written in Go · Zero Production Dependencies · Zero-Downtime Reloads

constable ▸ round-trip evaluation trace
▸ inbound request arrives
admission: worker slot, per-IP rate limit
reputation: IP blocklists, GeoIP, 3-layer botnet detection
rules: auth, method, URL / header, CVE signatures, per-path
body: size limit, body rules, CVE body inspection
adaptive scoring evaluated against learning windows
CONSTABLE
✕ threat detected → dropped at the matching layer, event logged
✓ clean → forwarded to origin upstream
↩ response: stack fingerprint + body scan, rewrites, header injection
↩ recorded against adaptive windows → returned to client

Layered Control, Enforced in Order

CVE-Pattern Detection

URL, header, and body rules mapped directly to named CVEs and stack-scoped. Log4Shell, PHP-CGI exploits, Exchange probes — every signature blocked on first contact.

Three-Layer Botnet Detection

IP reputation blocklists, behavioral analysis on error rate and path scanning, and user-agent fingerprinting — three independent layers that catch automated traffic.

Adaptive Scoring

Runs in shadow mode by default — logging verdicts without enforcing — then graduates to feeding conditional rules once tuned. Learning windows track every client over time.

IP Threat Intelligence

Integrates live blocklist feeds including FireHOL Level 1 and CINS Army, updated continuously. Known malicious infrastructure is blocked before it announces itself.

Zero-Downtime Config Reload

Push updated rules to GitHub. Constable polls for changes and reloads its full configuration in under a second — no restart, no dropped connections, no exposure window.

Response Inspection + Hardening

Origin responses are fingerprint-masked, scanned, rewritten, and stamped with HSTS, CSP, and frame controls — then recorded against adaptive windows before reaching the client.
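
The response-leg hardening described above can be sketched with Go's standard reverse proxy. This is an added example, not Constable's code: the list of stripped headers, the header values, and the names `hardenResponse`, `constructedOrigin` and `ClientView` are assumptions, and the origin response is constructed in memory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// hardenResponse removes headers that disclose the origin stack, then sets
// browser-enforced security headers. Header lists and values are assumptions.
func hardenResponse(resp *http.Response) error {
	for _, h := range []string{"Server", "X-Powered-By", "X-AspNet-Version"} {
		resp.Header.Del(h)
	}
	resp.Header.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	resp.Header.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
	resp.Header.Set("X-Frame-Options", "DENY")
	return nil
}

// constructedOrigin stands in for the upstream and leaks its stack, with no network I/O.
type constructedOrigin struct{}

func (constructedOrigin) RoundTrip(*http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	rec.Header().Set("Server", "Apache/2.4.49 (Unix)")
	rec.Header().Set("X-Powered-By", "PHP/7.4.3")
	rec.WriteString("ok")
	return rec.Result(), nil
}

// ClientView sends one request through the proxy and returns the headers the client receives.
func ClientView() http.Header {
	origin, _ := url.Parse("http://origin.invalid") // placeholder upstream
	proxy := httputil.NewSingleHostReverseProxy(origin)
	proxy.Transport = constructedOrigin{}
	proxy.ModifyResponse = hardenResponse // runs on every upstream response
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, httptest.NewRequest("GET", "http://edge.invalid/", nil))
	return rec.Header()
}

func main() {
	for name, values := range ClientView() {
		fmt.Println(name, values)
	}
}
```

Because `ModifyResponse` runs before any header is copied to the client, a banner the origin sets never leaves the proxy.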

Architecture

Sits at the gate. Inspects both directions.

Constable is the single hardened chokepoint between the public internet and your application. Every request runs the full ordered gauntlet and is dropped at the first layer that flags it. Only clean traffic reaches the origin.

The response makes the return trip through Constable too — passive stack fingerprinting, body inspection, rewrites, security-header injection, and a final record against the adaptive-learning windows — before it's handed back to the client. Config lives in a JSON file pulled from GitHub; update a rule, push a commit.
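
The ordered, short-circuiting request leg and the shadow-mode behaviour described under Adaptive Scoring can be illustrated as follows. This is an added example, not Constable's implementation: the `Stage` type, `Evaluate`, `DemoStages`, the three rules and the 403 status are assumptions, and only the 405 for the method stage is taken from the pipeline listing.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Stage is one layer and the status it answers with; a Shadow stage logs but never enforces.
type Stage struct {
	Name   string
	Status int
	Shadow bool
	Flags  func(*http.Request) bool
}

// Evaluate stops at the first enforcing stage that flags r (nil if clean); shadow stages only log.
func Evaluate(stages []Stage, r *http.Request) (*Stage, []string) {
	var shadow []string
	for i := range stages {
		if s := &stages[i]; s.Flags(r) {
			if !s.Shadow {
				return s, shadow
			}
			shadow = append(shadow, s.Name)
		}
	}
	return nil, shadow
}

// DemoStages is a constructed subset of the pipeline; rules and the 403 are assumptions.
func DemoStages() []Stage {
	return []Stage{
		{"http-method", 405, false, func(r *http.Request) bool {
			return r.Method != http.MethodGet && r.Method != http.MethodPost
		}},
		// Simplified Log4Shell signature: the lookup prefix anywhere in the header set.
		{"cve-headers", 403, false, func(r *http.Request) bool {
			return strings.Contains(strings.ToLower(fmt.Sprint(r.Header)), "${jndi:")
		}},
		{"adaptive-scoring", 0, true, func(r *http.Request) bool { return r.UserAgent() == "" }},
	}
}

func main() {
	r, _ := http.NewRequest("PUT", "/", nil) // constructed request
	blocked, shadow := Evaluate(DemoStages(), r)
	fmt.Println(blocked.Name, blocked.Status, shadow)
}
```

A request dropped by an earlier stage never reaches the shadow stage, so shadow verdicts are only collected for traffic that the enforcing layers before it let through.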

25-Stage Gauntlet · Response Hardening · Git-Backed Config

Request Leg

Admission, reputation, rules, body, and adaptive scoring — evaluated in order, short-circuited at the first match.

Origin Upstream

Only clean, verified traffic is forwarded to your application. Everything else is dropped before it ever leaves the proxy.

Response Leg

Stack fingerprint masking, body scan, rewrites, and security-header injection on the way back to the client.

Git-Backed Config

Rules live in JSON pulled from GitHub. Update a rule, push a commit — Constable reloads in under a second.

Put Constable at your gate.

Want to see Constable inspect live traffic against your stack? Get in touch with the AgileSecOps team for a walkthrough and deployment plan tailored to your environment.

info@agilesecops.com