Whitepaper · v1.0Engineering · May 2026

AWAIS — a technical whitepaper.

Architecture, threat model, and cross-vertical CRDT defense in vertical SaaS.

Gladius Engineering · May 2026 · v1.0

Abstract

What this paper covers.

AWAIS — Autonomous Web Application Intelligence System — is the application-layer defense surface that protects Gladius products and the dealers, fabricators, contractors, and operators who use them. It does not replace a CDN web application firewall, a SIEM, or a perimeter network control; it sits inside the application boundary and is wired into every tRPC procedure, every webhook handler, and every cron job.

This paper documents the threat model we built AWAIS against, the four-layer defense architecture, the CRDT-based Sentinel Mesh that federates signatures across five sister verticals, and an honest read on where the system is strong, adequate, and weak. We end with the roadmap and the open problems we have not yet solved — including how to safely exchange attack signatures between tenants who are competitors in the same physical market.

§1 · The threat model

Vertical SaaS is structurally under-defended.

The shape of the attack surface in vertical SaaS — dealership CRMs, stone fabrication MRPs, landscape ops platforms, dealer BDC stacks — is not the shape of the attack surface in a generic B2B SaaS. The June 2024 CDK Global outage is the canonical example. A single ransomware event at a vendor that sits at the dealer’s operational core froze roughly 15,000 dealerships for weeks, idled hundreds of millions of dollars in daily revenue, and exposed years of customer PII. The CDK incident is not unusual in form. It is unusual only in scale, and the scale is a direct consequence of a vertical-SaaS pattern: one vendor concentrating extremely sensitive data for an entire industry, often with security investment sized for a much smaller risk surface.

The attack surface that AWAIS is built to defend has, at minimum, the following classes of valuable data and entry points:

•Lead webhooks. ADF/XML and JSON lead intake from third-party shopping sites, OEM-mandated lead vendors, and dealer microsites. Every one of these is a publicly reachable endpoint that accepts free-form customer text and attaches it directly to the dealer’s pipeline.
•Customer PII. Name, phone, email, address, driver’s license, often SSN for credit applications. Federal Trade Commission Safeguards Rule and GLBA explicitly cover this data. A breach is not just a reputational event; it is a regulatory event.
•Payment data. Customer deposits, Stripe customer references, ACH details for floor-plan and dealer payout. PCI DSS scope reduction via tokenization is necessary but does not eliminate the payment-fraud attack surface.
•Vehicle data. Inventory, cost, pack, holdback, dealer-cash incentives. Exposure of cost data is a competitive harm even when no consumer PII is touched.
•Dealer credentials. Reused passwords, leaked DMS service-account tokens, third-party vendor logins stored as “integration credentials.” The blast radius of one credential-reuse incident is the entire connected pipeline.

The OWASP Top 10 covers the technical vector inventory well. It does not cover the compliance overlay that vertical SaaS operates under: FTC Safeguards Rule (16 CFR Part 314), GLBA financial-privacy obligations, state-level breach notification statutes, and OEM-imposed certification requirements for dealer-connected systems. Defending against SQL injection is necessary. Defending against regulatory non-conformity is also necessary, and that requirement shapes the AWAIS audit trail.

Net: an application detection surface for vertical SaaS has to defend technical attacks, enforce tenant isolation as a first-class concept, and emit an audit trail that survives both internal compliance review and external regulatory discovery. AWAIS is designed against all three.

§2 · AWAIS architecture

Four layers, one decision.

AWAIS is the second layer in a four-layer defense model. The layers are roughly:

1.Edge / CDN / WAF. Vercel’s edge absorbs volumetric layer-3 and layer-4 attacks, terminates TLS, enforces HSTS, and serves the static surface. Standard CDN WAF rules catch generic web attacks at the perimeter before any application code runs.
2.AWAIS application detection. The 66 rules in 8 categories run inside the application boundary, on every inbound request and on every tRPC procedure. AWAIS sees the request after the edge has decoded it, before any database write. This is the layer where application-semantic decisions live: which dealer, which user, which payload shape, which historical pattern.
3.Tenant isolation. Every tRPC procedure is wrapped by a middleware that derives dealerId from the HMAC-signed session cookie and asserts it matches the dealerId on every Prisma row touched by the procedure. Cross-tenant access is not a permission check that the developer remembers to add — it is an invariant that fails the request by default if not explicitly asserted.
4.Audit trail. Every detection event and every federation event is persisted to the federationEvent table with the origin vertical, the signature hash, the severity bucket, the action taken, and the propagation timestamp. The audit trail is replayable, immutable in practice (append-only), and accessible to compliance review.

Rule synthesis comes from three sources. The first is the public CVE feed, which we monitor and convert into pattern templates whenever a CVE describes a vector relevant to the stacks we deploy (Next.js, Prisma, Postgres, Twilio, Stripe, our own homegrown auth). The second is production traffic itself: AWAIS instruments every inbound request and emits anomaly candidates that engineers triage during the weekly Sentinel review. The third is the cross-vertical learning loop: when a signature lands at one vertical, the mesh propagates a candidate signature to the other four for evaluation.

Rule categories · 8

R-SQLiSQL injection

Parameterized-only data path; AWAIS scores any inbound payload against the SQLi corpus before the tRPC handler sees it.

R-XSSCross-site scripting

Reflected, stored, and DOM-class scanners. React's auto-escaping is necessary but not sufficient at the dealer-content boundary.

R-SSRFSSRF and RCE

Outbound URL allow-list, redirect chain inspection, prototype-pollution checks at object boundaries.

R-AUTHAuth bypass

Session validation, JWT-style HMAC, MFA challenge integrity, accept-invite token replay defense.

R-RATERate abuse

Per-IP, per-tenant, and per-endpoint sliding windows. Anomaly detection on velocity and entropy of request bodies.

R-TENANTTenant isolation

Every tRPC procedure is wrapped by middleware that asserts the dealerId on the row matches the dealerId on the session.

R-PIIPII leak

Response-body scanners check egress for plaintext SSN, full PAN, and unredacted phone in non-portal paths.

R-MESHMesh propagation

Federation event signature verification; CRDT merge rules; per-origin trust weights.

Internal regex bodies, exact pattern lists, and bypass conditions are not published. Researchers can probe the surface via the bounty program at /awais/red-team.

§3 · Sentinel Mesh — CRDT federation

Five verticals, one shared immune system.

Gladius operates five sister verticals on a shared foundation: Gladius CRM for auto dealerships, Gladius BDC for dealer business-development centers, GladiusStone for stone fabrication, GladiusTurf for landscape operations, and GoFetch for the consumer vehicle-finder marketplace. Each vertical has its own database, its own tenants, its own users, and its own attack surface. They also share enough architectural DNA that an attack pattern observed against one is, in practice, informative about the others.

Why federate. When a signature lands at one vertical — a credential stuffing run against the BDC sign-in, a probing query against the CRM lead webhook, a tenant-isolation attempt against GladiusStone — the other four are at elevated risk of seeing the same attacker within hours. Single-system detection is too slow against a coordinated probe. Federation lets the mesh defend in minutes what a single vertical would take days to learn alone.

Why CRDT, not consensus. The five verticals are independently deployed, independently operated, and must continue to defend themselves if the federation layer is unreachable. A consensus protocol (Raft, Paxos) would create a hard dependency — a quorum outage would degrade defense at every node simultaneously. A conflict-free replicated data type (CRDT) is the opposite tradeoff: each node accepts local writes, propagates them asynchronously, and merges peer writes deterministically. The defense set is eventually consistent across the mesh and always available locally. We chose monotonic union semantics for the signature set: adding a signature is commutative, associative, and idempotent, so concurrent emissions from multiple verticals merge without coordination.

Federation event shape. Each event carries: the signature hash, the severity bucket (Low / Medium / High / Critical), the origin vertical, the propagation timestamp, and a per-origin signature over the envelope. Signature validation rejects events whose claimed origin does not match the signing key. Replay defense is enforced via the propagation timestamp and a sliding-window idempotency cache.

Steady-state latency. Target propagation from emission at origin to visibility at a peer is under thirty seconds. The public log at /awais/incidents publishes every accepted federation event with its origin and its propagation delta. We expose this number publicly because regression in propagation latency is the single strongest leading indicator of a federation degradation.

Edge to Node bridge. Detection happens at the Vercel edge runtime when possible (low latency, no cold start) and at the Node runtime where Prisma and the federation table live. The bridge is a signed envelope persisted to the federationEvent table that edge runtimes write and node runtimes consume. Cross-runtime trust is anchored by the per-origin signing key, not by runtime identity.

§4 · Strong vs weak

An honest read on what AWAIS does and does not stop.

Security postures that read as “defends everything” are not credible and are not useful. The following is our best engineering read on where AWAIS is strong, where it is adequate, where it is weak, and where it is explicitly out of scope.

Strong against

+SQL injection across parameterized boundaries (R-SQLi).
+Reflected, stored, and DOM-class cross-site scripting (R-XSS).
+Insecure Direct Object Reference across the tenant boundary (R-TENANT).
+Auth bypass to a non-admin account where the bypass depends on a known signature or replay pattern (R-AUTH).
+Rate-abuse, scraping, account enumeration, inventory probing (R-RATE).
+Mesh signature forgery: federation events with an invalid envelope signature are dropped, logged, and escalated (R-MESH).

Adequate against

~Zero-day variants of known vector classes. CVE-feed lag means the first occurrence of a novel variant is defended by category heuristic, not by signature. Mesh propagation closes the loop quickly across verticals once one node has seen it.
~Social engineering of dealer staff. AWAIS enforces MFA on every privileged surface (TOTP, RFC 6238, AES-GCM wrapped secret) but cannot stop a successful pretexting attempt that captures both factors.
~Credential stuffing where the attacker rate-limits themselves below the detection threshold. Rate heuristics narrow the band; they do not eliminate it.

Weak against

−Advanced persistent threat actors with prior insider knowledge of the codebase, the rule corpus, or the federation key material.
−Supply-chain compromise of an upstream dependency (npm, Prisma, Next.js). AWAIS lives at the application boundary; a compromised dependency runs inside the boundary.
−Nation-state-grade compromise of the underlying platform vendors (Vercel, Supabase, Twilio, Stripe). We monitor for symptoms; we do not pretend to defend the substrate itself.

Out of scope

/Physical attack against Gladius staff, offices, or hardware.
/Business-process abuse inside an authorized dealer account (a dishonest manager voiding deals through legitimate UI paths).
/Dealer-side credential reuse with third-party tools Gladius does not operate.

§5 · Comparison

Where AWAIS sits in the landscape.

AWAIS is not a replacement for a CDN web application firewall, a SIEM, or a commercial runtime application self-protection (RASP) product. It sits next to all three, owns the slice they don’t own well in vertical SaaS, and inherits the layered model.

Axis	CDN WAF	SIEM	Commercial RASP	AWAIS
Volumetric DDoS	Strong	—	—	Defers to CDN
App-layer detection	Generic	Post-fact	Strong (per-host)	Strong + cross-vertical
Tenant-isolation audit	—	Possible w/ effort	Possible w/ effort	First-class
Cross-tenant learning	—	Per-org	Per-host	Per-vertical mesh
Vendor lock / per-seat	Bandwidth	Per-GB	Per-host license	Internal — zero per-seat
Incident transparency	Status page	Internal	Internal	Public /awais/incidents

The against-no-defense baseline is omitted on purpose. A production vertical SaaS without an application-layer detection surface is not in the comparison set; it is the CDK-pattern incident waiting to happen. AWAIS exists because a CDN WAF and a SIEM, while necessary, are not jointly sufficient to defend a multi-tenant vertical platform.

§6 · Roadmap & open problems

What we are shipping and what we have not solved.

Q3 2026 — External penetration test. A scheduled engagement with an external security firm against the live federation and all five verticals. Report excerpts will publish to /awais after fix-verification. As of this paper’s publication, the engagement is scheduled and not yet executed.

Q4 2026 — SOC 2 Type II. Type I controls have been mapped; the Type II observation window is in progress. We are not certified yet. The audit trail in the federationEvent table is the primary evidence surface for the detection controls.

2027 — Federated learning across tenants. The current mesh federates across the five verticals Gladius operates. The next horizon is federating attack signatures across tenants — a credential stuffing pattern observed at one dealer becoming a candidate signature across all dealers within minutes. This is on the roadmap and not shipped.

Open problem — safe inter-tenant signature exchange. The hard problem in cross-tenant federation is not the CRDT; it is the trust model. Dealers in the same physical market are competitors. A signature that encodes any fingerprint of one dealer’s traffic risks leaking information about that dealer’s operations to a competitor. Differential-privacy techniques and k-anonymous signature canonicalization are the leading candidates; we have not committed to either, and a published design proposal is dependent on internal review and external researcher input via the bounty program.

§7 · Bounty + red team

We pay people to break this.

AWAIS scores itself against a deterministic synthetic adversary on every build. Synthetic adversaries are useful but not sufficient. The system gets sharper when real researchers throw real probes at it. Our public bounty pays $250–$10,000 per accepted finding with a 72-hour triage SLA. A formal $15,000 best-in-show red-team challenge runs on a sandbox tenant. Scope, severity matrix, and rules of engagement are documented at /awais/red-team.

Appendix A · Glossary

Terms used in this paper.

Rule: A named decision unit that maps an inbound request shape to an action: allow, log, score, throttle, deny. Rules live in code, version with the repo, and are unit-tested against a corpus of known-bad payloads.
Signature: A compact attack-pattern fingerprint — typically derived from a CVE feed entry, a reported incident, or an internal red-team finding. Signatures are the smallest unit a rule consumes.
Pattern: A canonicalized attack template (e.g. `union-select-from-system-tables`). One pattern can have many signature variants. We currently track 261 patterns across the 8 rule categories.
Mesh: The cross-vertical Sentinel federation that allows a signature observed at one vertical (e.g. Gladius CRM) to propagate to the other four (BDC, Stone, Turf, GoFetch) as a CRDT merge.
Federation event: A signed, timestamped record of a signature emitted by one vertical and consumed by another. Carries origin vertical, severity bucket, signature hash, and propagation timestamp.
Severity bucket: One of Low, Medium, High, Critical. Bucket determines downstream actions: log only, throttle, deny + alert, or deny + alert + page-on-call.
Propagation latency: Time between signature emission at the origin vertical and signature visibility at a peer vertical. Steady-state target: under 30 seconds. Public log at /awais/incidents.
Edge→Node bridge: The path a federation event takes from the Vercel edge runtime to the Node-runtime tRPC handlers. Implemented as a signed envelope persisted to the federationEvent table.

References

The rest of the AWAIS surface.

/awaisCategory page, live scorecard.
/awais/meshLive federation visualization.
/awais/incidentsPublic propagation log.
/awais/playbookOperator-facing technical reference.
/awais/red-teamBug bounty + red-team challenge.
/securityPolicy, MSA-grade SLAs.
/api-docsPublic API documentation.

Contact

Reach the people who built this.

Vulnerability report: security@gladiuscrm.com
Research / press: research@gladiuscrm.com
PGP: Available on request to security@gladiuscrm.com.

AWAIS · Gladius Technologies LLC · May 2026 · v1.0

Gladius

Abstract

What this paper covers.

Axis

CDN WAF

SIEM

Commercial RASP

AWAIS

Volumetric DDoS

Strong

—

Defers to CDN

App-layer detection

Generic

Post-fact

Strong (per-host)

Strong + cross-vertical

Tenant-isolation audit

—

Possible w/ effort

First-class

Cross-tenant learning

—

Per-org

Per-host

Per-vertical mesh

Vendor lock / per-seat

Bandwidth

Per-GB

Per-host license

Internal — zero per-seat

Incident transparency

Status page

Internal

Public /awais/incidents