To detect threats, the ModSecurity engine is deployed embedded within the webserver or as a proxy server in front of a web application.

Dependent on the rule configuration the engine will decide how communications should be handled which includes the capability to pass, drop, redirect, return a given status code, execute a script, and more.

ModSecurity was first developed by Ivan Ristić, who wrote the module with the end goal of monitoring application traffic on the Apache HTTP Server.

Ivan stayed on continuing the development of version 2.0 which was subsequently released in October 2006 at the OWASP AppSec conference in Seattle.

This new iteration, libmodsecurity, changes the underlying architecture, separating ModSecurity into a standalone engine that communicates with the web server via an API.

This modular architecture-based WAF, which was announced for public use in January 2018,[7] became libmodsecurity (ModSecurity version 3.0) and has supported connectors for Nginx and Apache.