What Is Tangate?

Tangate is a CloudFront security product that deploys directly into your AWS account. It uses AI-powered log analysis and real-time edge enforcement to block bots, scrapers, vulnerability scanners, credential stuffing attempts, and other malicious traffic — without sending your data to a third-party vendor.

How It Works

Tangate operates on a three-tier architecture:

  1. Edge Enforcement — A Lambda@Edge function attached to your CloudFront distribution inspects every incoming request against a blocklist cached in S3. Blocked requests receive an immediate 403 response. No external calls are made at request time.

  2. Hourly Analysis — An analysis pipeline runs every hour via EventBridge. It fetches your CloudFront access logs, merges threat intelligence rules with your local rules, and uses AI to classify suspicious traffic. The results update your blocklist in S3.

  3. Threat Intelligence Feeds — Tangate pulls from curated open-source threat intel sources nightly, delivering hundreds of rules covering botnet C2 infrastructure, compromised IPs, malicious user agents, and attack URI patterns.
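
The edge-enforcement step, as an added example that is not Tangate's own code: a CloudFront viewer-request handler that checks each request against a cached blocklist and answers 403 on a match, using the 5-minute cache lifetime listed in the architecture summary. The blocklist schema (ips, userAgents, uriPatterns), the injected load function standing in for the S3 read, and the keep-last-good-list behaviour on a failed refresh are assumptions of this sketch.

```javascript
// Added illustration, not Tangate's code. The blocklist schema
// ({ips, userAgents, uriPatterns}) is an assumption for this sketch.
const TTL_MS = 5 * 60 * 1000; // 5-minute cache, per the architecture summary

// Wraps a loader (in a real deployment: an S3 GetObject call) with a TTL cache.
// On a failed refresh it keeps serving the last good list (empty at cold start).
function createBlocklistCache(load, now = Date.now) {
  let list = { ips: new Set(), userAgents: [], uriPatterns: [] };
  let fetchedAt = -Infinity;
  return async function get() {
    if (now() - fetchedAt < TTL_MS) return list;
    try {
      const raw = await load();
      list = {
        ips: new Set(raw.ips || []),
        userAgents: (raw.userAgents || []).map((s) => s.toLowerCase()),
        uriPatterns: (raw.uriPatterns || []).map((p) => new RegExp(p, 'i')),
      };
    } catch (err) {
      console.error('blocklist refresh failed, keeping previous list', err);
    }
    fetchedAt = now(); // also spaces out retries after a failure
    return list;
  };
}

// Returns the type of the matching rule, or null when the request is allowed.
function matchRule(request, list) {
  const ua = ((request.headers['user-agent'] || [])[0] || {}).value || '';
  const target = request.uri + (request.querystring ? '?' + request.querystring : '');
  if (list.ips.has(request.clientIp)) return 'ip';
  if (list.userAgents.some((s) => ua.toLowerCase().includes(s))) return 'user-agent';
  if (list.uriPatterns.some((re) => re.test(target))) return 'uri';
  return null;
}

// Builds a CloudFront viewer-request handler around the cache.
function makeHandler(load, now) {
  const getList = createBlocklistCache(load, now);
  return async function handler(event) {
    const request = event.Records[0].cf.request;
    const rule = matchRule(request, await getList());
    if (!rule) return request; // pass through to CloudFront
    return { status: '403', statusDescription: 'Forbidden', body: 'Forbidden' };
  };
}
```

Patterns here are matched against the raw, still URL-encoded URI and query string, so rules must account for encoded forms of the same input.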

What Makes Tangate Different

Deploys in YOUR AWS Account

Unlike traditional WAF vendors that route your traffic through their infrastructure, Tangate runs entirely inside your AWS account. Your CloudFront logs, blocklists, decision logs, and AI analysis results never leave your environment. The only data sent externally is lean aggregate telemetry — health signals like "89 blocks applied, 12 log files processed." No IPs, no traffic data, no request bodies.

No Black-Box Vendor Infrastructure

Traditional WAFs are opaque. You send your traffic to a vendor's network and hope for the best. Tangate is transparent: the blocklist is a JSON file in your S3 bucket, decisions are logged with full reasoning, and enforcement happens at your CloudFront edge via standard Lambda@Edge.

Bring Your Own Key (BYOK) AI

You provide your own API key for the AI provider of your choice — Anthropic (Claude), OpenAI (GPT-4o), or DeepSeek. You control the cost. You can adjust the sampling rate (or disable AI entirely) from the dashboard at any time. There is no AI vendor lock-in.

No Agents, No Proxies

Tangate does not require installing agents on your servers or routing traffic through a proxy. It reads your existing CloudFront access logs from S3 and enforces blocks at the CloudFront edge. If you already have CloudFront with S3 logging enabled, deployment takes about 10 minutes.

Threat Coverage

Tangate protects against:

  • Bots and scrapers — Automated tools harvesting your content or probing your infrastructure
  • Vulnerability scanners — Tools like Nessus, Nikto, and SQLMap probing for exploits
  • Credential stuffing — Automated login attempts using leaked credential databases
  • Botnet C2 traffic — Requests from known command-and-control infrastructure
  • Malicious query patterns — SQL injection, path traversal, and code injection attempts
  • Known bad user agents — Agents associated with malware, scraping tools, and exploit kits

Architecture Summary

Component              Where It Runs                              What It Does
Lambda@Edge            Your CloudFront edge                       Blocks requests in real time (5-min blocklist cache)
Analysis Lambda        Your AWS account                           Hourly log analysis + AI classification
Customer Dashboard     Your browser (standalone HTML + AWS SDK)   View blocks, manage rules, adjust settings
Tangate Backend        Tangate SaaS (api.tangate.com)             Distributes rules, ingests lean telemetry
Threat Intel Pipeline  Tangate operations                         Nightly feed ingestion from open-source sources

Pricing

$350/month per protected CloudFront distribution. Available as month-to-month or annual contracts.

Includes: AI-powered traffic analysis, global + elevated threat intel rules, edge enforcement, SIEM-compatible output, customer dashboard, local rules override, and BYOK AI.

Cancel within 5 days for a full refund. AI inference costs are paid separately to your chosen provider via your own API key. AWS infrastructure costs in your account are typically under $20/month.

Next Steps