Blogs

Open WAF Day Vienna 2026 – Full Agenda Announced

We are happy to share the full agenda for Open WAF Day Vienna 2026, taking place on Wednesday, June 24, 2026 at the Austria Center in Vienna. Five talks, two connectors, one adaptive honeypot, and a day full of WAF discussions await you.

Schedule

All times are local (CEST).

Time | Speaker(s) | Title
09:45 – 10:00 | — | Registration & Welcome
10:00 – 10:45 | Matteo Pace | Embracing Envoy’s Dynamic Modules: Meet the new Coraza connector
10:45 – 11:00 | — | Coffee break
11:00 – 11:45 | Ervin Hegedüs | WAF error log analysis at the highest level: ultra-fast filtering and multi-level aggregation with minimal resources
11:45 – 12:45 | — | Lunch break
12:45 – 13:30 | Juan Pablo Tosso | Coraza Center: bringing your WAF closer to GitOps
13:30 – 13:45 | — | Coffee break
13:45 – 14:30 | Lukas Funk | Ingress NGINX is retired – now what about my WAF rules?!
14:30 – 14:45 | — | Coffee break
14:45 – 15:30 | Adrian Winckles & Gautam Juvarajiya | CHAMELEON-REN: Instrumenting Adaptive Honeypots with CRS for Education-Sector Threat Intelligence
15:30 – 16:00 | — | Closing & Networking

Talks

Embracing Envoy’s Dynamic Modules: Meet the new Coraza connector

Matteo Pace

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 7: Engine-Specific Notes

This is Part 7 — the final post — in the CRS 3.3 → 4.25 LTS migration series. The previous six posts covered the overview, configuration, plugins, anomaly scoring, rule changes, and tuning. This post covers the engine layer: what WAF engines CRS 4 supports, how support differs across them, and the changes to container-based deployments.

[Image: Choosing the right engine for CRS 4. Photo: Brett Sayles on Pexels]

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 6: False Positive Tuning

This is Part 6 of the CRS 3.3 → 4.25 LTS migration series. Part 5 covered rule changes and how to audit your existing exclusions. This post covers the tuning phase itself — the practical work of establishing a clean CRS 4 baseline for your applications.

[Image: Fine-tuning for production. Photo: Dave H on Pexels]

Two Migration Strategies

There are two approaches to handling false positive tuning during the migration. Neither is universally better — choose based on the size and complexity of your existing setup.

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 5: Rule Changes

This is Part 5 of the CRS 3.3 → 4.25 LTS migration series. Part 4 covered anomaly scoring and reporting. This post covers the rule-level changes: what is new, what is gone, what moved, and how to audit your existing exclusions against the CRS 4 rule set.

[Image: Hundreds of rules changed under the hood. Photo: Egor Komarov on Pexels]

The Scale of Change

There are hundreds of rule-level changes between CRS 3.3 and CRS 4.0. This is not a point release — it is the result of years of accumulated improvements, a public bug bounty programme, and deliberate architectural cleanup. Understanding the shape of this change helps you plan your tuning work.

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 4: Anomaly Scoring and Reporting

This is Part 4 of the CRS 3.3 → 4.25 LTS migration series. Part 3 covered the plugin architecture. This post covers anomaly scoring, the reporting model, and paranoia level changes — the areas most likely to affect your baseline after a migration.

[Image: Measuring and scoring every request. Photo: ThisIsEngineering on Pexels]

How Anomaly Scoring Changed

The CRS 3 Model

In CRS 3, every rule that fires adds to a single transaction variable tx.anomaly_score. At the end of phase 2 (for inbound) and phase 4 (for outbound), the total accumulated score is compared against tx.inbound_anomaly_score_threshold and tx.outbound_anomaly_score_threshold. If the score exceeds the threshold, the request is blocked.

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 3: The Plugin Architecture

This is Part 3 of the CRS 3.3 → 4.25 LTS migration series. Part 2 covered crs-setup.conf changes. This post covers the plugin architecture — the most structurally significant change in CRS 4, and the one that requires the most hands-on action from operators who used application exclusion packages in CRS 3.

The Key Change: Application Exclusions Are No Longer in Core

In CRS 3.3, the release tarball included a set of optional rule exclusion packages. If you ran WordPress, Nextcloud, phpBB, phpMyAdmin, Drupal, or a handful of other applications, you could include these files to suppress false positives specific to those applications:

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 2: Configuration

This is Part 2 of the CRS 3.3 → 4.25 LTS migration series. Part 1 provided an overview of the migration. This post covers the crs-setup.conf changes — the most immediately breaking part of the upgrade for most operators.

If you take one thing from this post: do not reuse your CRS 3 crs-setup.conf with CRS 4 without reviewing every variable in it. Some variables were renamed, some were removed, and several new ones are required for features that did not exist in CRS 3.

Migrating from CRS 3.3 to CRS 4.25 LTS — Part 1: Overview

The release of CRS v4.25.0 LTS marks the moment the CRS 4 generation has its long-term support anchor. If you have been running CRS 3.3.x — waiting for stability before committing to an upgrade — that moment is now.

This is the first post in a series walking through everything you need to know to migrate from CRS 3.3.9 (the last CRS 3 LTS release) to CRS 4.25.0 LTS. The series is not a quick upgrade guide. It is a deliberate, post-by-post treatment of each dimension of the migration so that you can plan and execute without surprises.

Announcing CRS v4.25.0 LTS: Long-Term Support for CRS 4

We are excited to announce that CRS v4.25.0 is the first Long-Term Support (LTS) release for the CRS 4 series. This is a milestone we have been working towards for over two years, and it marks the point where organizations waiting for a stability commitment can confidently deploy CRS 4 in their production environments.

What This Means for Users

If you are currently running CRS 4.x, the v4.25.0 LTS gives you a stable foundation that will receive security patches and critical bug fixes for an extended period — without being forced to track our rapid development cycle. You get the protection, without the churn.

Join Us at Open WAF Day 2026 - Vienna, Austria

We are excited to announce the Open WAF Day 2026 in Vienna, Austria! Following the success of our Barcelona 2025 event, we’re bringing the community together again for a full day of presentations, discussions, and networking centered around Web Application Firewalls, CRS, and related technologies.

Event Details

Date: Wednesday, June 24, 2026
Time: 09:00 - 18:00 (CEST)
Location: Vienna, Austria
Cost: Free attendance

Registration

Registration is now open! Please register using the form below to secure your spot: