/01
Polymorphic challenge
Each render ships a unique JS bytecode VM. Strings XOR-ciphered per-page, identifiers randomised, opcode order shuffled. Reversing one page gives you exactly nothing on the next.
duplicate renders0
Our network philosophy
A CDN is not a pipe. It is a perimeter. Each request is inspected before it is routed — TLS fingerprint, header order, cursor cadence, timing probe — and the verdict ships in under two milliseconds. Twelve signals, one answer.
Every challenge we render is unique. Strings encrypted per-page, a fresh bytecode VM per session, identifiers randomised before the client ever sees them. An attacker who reverses one page gets a solver that works on zero others. Silence as a weapon.
01
Polymorphic
Every challenge compiles to a one-shot JS bytecode VM. Two renders never share a string, identifier, or opcode order.
02
Twelve signals
Network, protocol, client, behavior — all 12 signals converge to one verdict in 1.8 ms p95.
03
Environment-bound
Cookies pinned to country × ASN × fingerprint × host. A stolen token dies on the next hop — replayed by nobody.
04
Silent block
Bots receive a valid-looking 200 they can never solve. No error, no retry loop, no signal to iterate against.
WAF verdict p951.8 ms
Signals / req12
Good-path p9535 ms
Cache hit p50<1 ms
Challenge entropyper-render
✦
Onboarding new workloads · Q4 capacity open
An edge where bad traffic dies silently, fast.
Invite only · ping @klopchan for a code.
Start routing
→
12 signals
1.8 ms verdict
0 duplicate renders
SILKGUARD CDN
PINGORA EDGE · 2026
12 SIGNALS · 1 VERDICT
RESOLVED IN 1.8 MS P95
SCROLL TO INSPECT
THE PERIMETER
STEP BEHIND A PERIMETER WHERE NOISE DIES BEFORE YOUR ORIGIN HEARS IT
SilkGuard sits between your stack and the open internet — polymorphic challenges, behavioural scoring, environment-bound cookies. Every request is weighed; only what should ever reach you is forwarded.
/02
Twelve-signal pipeline
Network, protocol, client, behaviour — four layers, twelve signals, one weighted verdict. Short-circuit exits at the cheapest phase that can decide. No signal runs if it can’t change the answer.
verdict p951.8 ms
/03
Origin shield & cache
L1 in-memory cache with byte-capacity limits. SingleFlight coalescer folds N concurrent misses into one origin fetch. Stale-while-revalidate, soft purge, cross-PoP fan-out via Redis Streams.
L1 hit p50<1 ms
/04
Environment-bound cookies
Tokens mint to an HMAC over country × ASN × fingerprint × host. A cookie copied off one session cannot be replayed from another network, ASN, or device. Session continuity survives PoP failover for 6h.
replay window0 s
/05
HTTP/3 · 0-RTT
QUIC termination at the front-proxy with allow-0rtt enabled. Replay-protection ACLs block early-data on non-idempotent paths. Alt-Svc advertises H3 to every client on the first handshake.
protocolH3 + 0-RTT
/06
Headless & automation killer
WebDriver, Puppeteer, Selenium, Phantom, CDP — detected before PoW even runs. Critical flags route to visual captcha; score ≥ 60 routes to block. No feedback loop for iteration.
critical flags6 classes
The promise
Read the architecture brief
→
Your origin should be a place you put code, not a place you defend. Twelve signals converge in under 2 ms — your application only sees traffic it should ever answer.
03
Selected attack classes absorbed
9:41
●●●
Bots stop.
Users don’t.
1.8 ms
WAF verdict, p95
35 ms
Good-path p95
Perimeter live