Arcjet is a security SDK that provides application-level protection through code-based security rules. The product offers protection against common attacks including OWASP Top 10 vulnerabilities through its Shield WAF component. The SDK integrates directly into application code and supports multiple frameworks including Next.js, Node.js, Bun, SvelteKit, and Python. Security rules are defined in code as middleware or route-level protections, allowing developers to version control and test security configurations alongside application logic. The platform operates with a local-first architecture using WebAssembly for native performance, eliminating the need for agents. Security decisions are made at runtime, providing access to metadata about why requests were allowed or denied, enabling dynamic application logic adjustments. Arcjet includes bot detection capabilities, rate limiting with support for dynamic quotas based on various parameters, email validation, and PII detection and redaction. The product supports IP geolocation metadata including country, region, and ASN information. Additional capabilities include VPN and proxy detection, payment form protection, and GraphQL endpoint protection. The platform offers a DRY_RUN mode for testing rules without blocking traffic and supports sampling for gradual rule rollouts. Security rules can be tested in development environments using standard testing frameworks. Traffic filtering uses Wireshark-like filter expressions based on request characteristics.