It is basically something "like" SELinux or AppArmour for apache. A bunch (actually many) core rules are provided for checking http requests, code insertion hacks and so on. Didn't check if it also provides some anti D.O.S. features. Seems like a bitch to configure. There's also a rule generator which scans logfiles and is supposed to learn what's normal, but again a lot of reading I think. Some of the docs talk about tomcat java application servers accessed by apache. Sounds like big business web servers to me.
p.s. Hey, this swear word filter just zapped "hctib" 