Deterministic by Design
Tracehound isn't just a firewall. It's a deterministic isolation layer that wraps your application runtime, ensuring strictly defined behavior even under attack.
How Tracehound Works
Every request flows through a deterministic pipeline. No decisions. No variance. Just security.
The Isolation Layer
Tracehound sits between the network and your application logic. Unlike WAFs that inspect packets, Tracehound buffers the entire request lifecycle. It enforces strict invariants on memory usage, processing time, and payload structure before your business logic ever sees a byte.
This means that a "Zip Bomb" or a massive JSON payload isn't just "blocked" — it never even allocates memory in your main heap.
Zero-Allocation Hot Path
Our core pipeline is designed to be allocation-free during the happy path. We use pre-allocated buffers and object pooling to handle requests. This eliminates Garbage Collection pauses during traffic spikes, ensuring predictable latency.
Behavioral Observation (Argos)
While Tracehound enforces strict limits, Argos watches for what happens inside the boundary. It monitors the Node.js event loop, garbage collection statistics, and asynchronous context shifts to detect anomalies that don't violate hard limits but indicate a problem (e.g., a ReDoS attack slowing down the event loop).