Arcjet Brings AI Security Analysis Local — Into Your Code
Security platform provider Arcjet today announced the launch of a local AI model that runs security analysis directly inside application request handlers. Instead of routing traffic through cloud-based security services, the model analyzes threats right where the application runs, giving it access to business context that perimeter tools never see.
This is a response to a problem that’s been nagging developers for years: security tools that block legitimate users along with actual threats. Get too aggressive with your rules, and you’re turning away real customers. Too lenient and attacks slip through. For e-commerce sites and Software as a Service (SaaS) applications, that trade-off hits the bottom line directly.
“Legacy perimeter solutions see packets, not users or business context,” David Mytton, Arcjet’s founder and CEO, told The New Stack. “Our local AI model brings context-aware security analysis into the request path, where you actually understand what’s happening in your application.”
Why False Positives Matter
The false positive problem gets worse in the places where security matters most. Block someone at checkout, and you’ve lost a sale. Flag a legitimate signup as suspicious, and you’ve potentially killed a conversion. Traditional security tools operate at the network level, matching patterns against traffic without understanding whether that traffic represents a real customer or a bot, Mytton said.
Arcjet’s model runs after your application’s security rules fire — bot detection, rate limiting, web application firewall (WAF) protections — and analyzes the request using machine learning (ML) trained on signals across its platform. Because it runs locally with access to your application state, it can see things like session history, user behavior patterns and business logic that inform whether a request is actually suspicious.
The result is what Arcjet calls a “refined” security recommendation that combines rule-based analysis with learned signals. Developers can inspect both the deterministic rule results and the AI recommendation, then decide in code how to handle each request.
“Arcjet’s AI model combines deterministic rules with learned signals to analyze each request and return a refined recommendation you can act on, in code,” Mytton wrote in a blog post.
How Developers Use It
The AI model ships as a separate npm package that installs alongside Arcjet’s SDK. Integration is opt-in and straightforward. Here’s what it looks like in a Next.js form handler:
The model adds one to two milliseconds of latency — fast enough that it works in real-time request handling. Mytton said the team experimented with small language models but found they require about half a gigabyte of memory, which isn’t feasible in serverless environments. Instead, they built a lightweight ML model that runs on the CPU with minimal resource requirements.
Because everything runs locally, sensitive data never leaves your production environment, Mytton said. You can test the same security configuration on your laptop that runs in production, which solves a longstanding problem where security tools exist separately from the application being secured.
Picking Your Battles
Arcjet positions the AI model as one layer in a broader security strategy, not a replacement for existing measures. Developers can choose where to apply AI-powered analysis — maybe just on signup and checkout flows where false positives are most costly, while using faster deterministic rules everywhere else.
The model works alongside Arcjet’s existing features: bot detection, rate limiting, email validation, sensitive information detection and Shield WAF protection. The company is betting that developers want security that integrates into their workflow rather than security that requires managing a separate infrastructure layer.
“Developers aren’t indifferent to security, they just haven’t always had the right tools that speak their language and fit their workflow,” said Kate Holterhoff, a senior analyst at RedMonk, in a statement. “Security tools that don’t integrate with modern development workflows simply won’t get used.”
The Bigger Picture
The approach reflects a broader shift in how security works for modern applications. Bots now outnumber humans online, and AI is making attacks more adaptive and harder to detect with simple pattern matching, Mytton said. Traditional perimeter defenses struggle to keep up.
Mytton said Arcjet is seeing adoption primarily in two scenarios: user signups, where blocking legitimate users damages growth, and e-commerce, where false positives directly cost revenue. One early user customer reduced serverless costs by 66% by blocking scrapers at the application layer instead of processing their requests.
Arcjet has about 1,000 developers using its technology across more than 500 production applications. The company has a 10-person team with engineers spread across Phoenix, San Francisco, Philadelphia and New York. Mytton recently moved from London to New York and is planning to open an office in Manhattan’s Flatiron District.
The local AI model will roll out as a preview to Arcjet customers. The platform currently supports JavaScript applications on Node.js, Bun and Deno, with framework support for Next.js, Remix, SvelteKit and others, Mytton said.
Mytton’s vision is an interesting bet on where application security is headed. Instead of routing everything through centralized security infrastructure, Arcjet is arguing that security works better when it lives close to the code — where you understand what your application is doing and can make informed decisions about what to block and what to allow.
