Yandex Smart Web Security release notes

Written by

Updated at October 23, 2025

Q3 2025

Added new rule sets to the WAF profile: ML WAL, Yandex Ruleset, and OWASP CRS 4.8.0.
- ML WAF (Yandex Malicious Score) leverages ML algorithms to detect and block attacks that evade the signature-based method. Its rules automatically adjust to new attack tactics. We recommend using this rule set as an addition to the OWASP or Yandex Ruleset.
- Yandex Ruleset was developed based on real-world experience of protecting Yandex services. It includes rules to detect known attack patterns (signatures), such as code injections (SQLi, XSS), CVE vulnerabilities, and remote code execution. The rule set is continuously updated to protect against new threats as they emerge.
Yandex rule sets are at the Preview stage.
Implemented advanced logging via Smart Web Security with more flexible log collection settings. Previously, logs were written via Application Load Balancer and contained less information about rules and requests that triggered them.

Logging via SWS is at the Preview stage. To view logs in the SWS interface, send a request to support.
You can now deactivate the use of a Smart Web Security security profile to check traffic on a specific virtual host route. This can be of use when, on some routes, requests come from trusted sources and need not be analyzed.

The disable-security-profile parameter was added to Application Load Balancer route management commands.

This feature is available through the Yandex Cloud CLI, Terraform, and API.

Added a new functionality: domains for protection of websites and web applications hosted in Yandex Cloud or other platforms that do not use the L7 Application Load Balancer.

In addition to protection, we provide a proxy server with load balancing, request analysis and routing, and basic DDoS protection.

The domain protection functionality is at the Preview stage.
Added subscription billing allowing you to predict information security costs and optimize resource spending.

Smart Web Security was certified for compliance with 152-FZ, GOST R 57580, and PCI DSS.

Added the IP blacklist and whitelist feature to manage the traffic and create security rules based on IP reputation analysis. You can use the preset Yandex Cloud blacklists and whitelists or create your own.
Added the calculator for quicker service cost calculations.
Improved low-rate DoS analysis and blocking algorithms.
Optimized the error code page size.
Smart Web Security successfully passed an external audit for 152-FZ, GOST R 57580, and PCI DSS compliance.

Web Application Firewall (WAF) and Advanced Rate Limiter (ARL) entered the General Availability stage.
Changes in the pricing:
- You only pay for legitimate requests.
- Profiles and rules are not billable.
Under basic rules, you can now send requests to Yandex SmartCaptcha.
Implemented sending data events to Yandex Audit Trails: ArlMatchedRequest, WafMatchedExclusionRule, and WafMatchedRule.
API, CLI, and Terraform are now supported.
For traffic conditions that use regular expressions, you can now use case-sensitive string search. For more information, see Regular expression format.

Implemented Web Application Firewall (WAF) to protect web applications against external threats, such as SQL injections, cross-site scripting, and other vulnerabilities. WAF analyzes and filters HTTP requests blocking potentially malicious data.

This feature is available at the Preview stage.
Implemented Advanced Rate Limiter (ARL) to manage web app loads. ARL allows you to set a limit on the number of requests over a certain period of time. This prevents overload and ensures stable operation of the application.

This feature is available at the Preview stage.

The service has entered the General Availability stage.
Added the Yandex SmartCaptcha custom CAPTCHA option.
Added the limit for the maximum number of requests per second (RPS) in total for all load balancer virtual hosts connected to the same security profile.
Added logs of a security profile connected to a virtual host to the Yandex Application Load Balancer log list.
Implemented sending management event audit logs in Yandex Audit Trails.

Now you can create security profiles from a preset template.
Implemented sending metrics to Yandex Monitoring.
Fixed the error of matching a string in the Host condition when creating a security rule.
Improved the stability by implementing a new pattern for Application Load Balancer and Smart Web Security interaction.