Wingman Logo
Back to Articles
FRAUD PREVENTION USING PROXY: ENVOY & WEBASSEMBLY
Fraud PreventionApril 20, 2025

FRAUD PREVENTION USING PROXY: ENVOY & WEBASSEMBLY

Abstract

A modular, plug-and-play fraud detection pipeline, powered by Envoy Proxy (as a reverse proxy), Rust-based WebAssembly filters (for lightweight inspection and policy enforcement), and Wingman—a real-time fraud detection and prevention engine delivering sub-millisecond decisioning speed. Vendor-agnostic, high-performance fraud firewall that can be deployed in front of any IAM or identity system, intercepting threats before they impact the business.

Introduction

Security teams are under pressure to deliver both immediate threat response and frictionless customer experiences. Traditional IAM solutions offer limited extensibility, often bundling fraud modules as part of closed suites. Wingman, combined with Envoy Proxy and Rust/WASM filters, offers an independent, scalable alternative. It sits transparently in front of your application, enabling real-time decisions—without touching a line of app code.

Envoy Proxy: The Modern Reverse Proxy

Originally developed by Lyft, Envoy Proxy is a high-performance edge and service proxy that powers modern service meshes and microservices.

Why Envoy for Fraud Detection?

  • Acts as a transparent gateway for all incoming requests
  • Enables inline request inspection via WASM filters
  • Language-agnostic: Works with Java, Python, Node, etc.
  • Deployment-flexible: Runs in containers, VMs, or bare metal

WebAssembly + Rust: Programmable Inline Filtering

WebAssembly enables safe, high-performance code execution in sandboxed environments like Envoy.

Why Rust?

  • Memory-safe and thread-safe by design
  • Fast execution, ideal for sub-rms decisions
  • Great ecosystem for compiling to WASM (cargo-wasi, wasmitime)

Wingman

Wingman is a cybersecurity platform purpose-built for real-time identity fraud detection and prevention.

What Sets Wingman Apart

  • Lightning-fast decisions: sub-millisecond response times
  • Zero-latency customer experience
  • API-first design: Easily called from Envoy filters
  • Works with any IAM: Okta, Ping, Auth0, custom systems
  • Pre-authentication protection: Stop bots before they even reach IAM

Wingman in the Architecture

Client → Envoy Proxy (WASM filter) → Wingman API Risk score + action Allow / Step-up / Block request

Example Use Cases

  • Login Protection: Block bots and brute-force attempts
  • MFA Enforcement: Step-up risk-based MFA only when needed
  • Early Threat Detection: Flag suspicious devices or behaviors before reaching app
  • Defense in Depth: Adds a fraud layer before IAM and backend

Benefits

  • Zero App Change: Works as a reverse proxy; no code modifications
  • Real-Time Protection: Inline fraud decisioning under 1ms
  • Flexible: Works across any stack and IAM
  • Scalable: Container-ready, horizontally scalable
  • Secure: Leverages WASM sandboxing and Rust safety
  • Customizable: Extend filters with new logic as needed

The combination of Envoy + WebAssembly + Wingman unlocks a new paradigm of real-time, flexible, and independent fraud prevention. You don’t need to replace your IAM. You don’t need to modify your applications. You just need to run Envoy in front, inject a WASM filter, and let Wingman do the rest. It’s fraud prevention—simplified, accelerated, and production–ready.