17 Best Cloud WAAP & WAF Software in 2024

Introduction to WAF and WAAP

A web application firewall is a security software that observes and filters HTTP/HTTPS traffic between a web application and the internet. 

While this has been available for decades, with the evolution of the threat landscape, WAFs have also added additional capabilities to protect not only web apps but also APIs against a range of attacks, including DDoS and bot attacks.

So, the category has evolved and is currently called Web Application and API Protection (WAAP). 

Even in this article, you will notice that most players listed were operating in the WAF space, but now they offer what are called WAAP platforms.

For the purpose of the article, we will use WAF and WAAP interchangeably.

WAAP encompasses a comprehensive suite of tools, technologies, and practices that detect, prevent, and mitigate attacks, such as cross-site scripting (XSS), SQL injection, and API abuse. 

By implementing a robust WAAP, organizations can fortify their applications and APIs, safeguard sensitive data, and uphold the trust of their users in an ever-evolving threat landscape.

17 Best WAAP (WAF) Tools

1. AppTrana by Indusface
2. Fastly
3. Imperva
4. Akamai
5. Cloudflare
6. Radware
7. AWS WAF
8. Barracuda
9. Microsoft Azure WAF
10. Fortiweb by Fortinet
11. F5
12. ThreatX
13. Sucuri
14. Palo Alto
15. Google Cloud Armor
16. ModSecurity (Open source)
17. NAXSI (Open source)

What Tool Sets Do WAAP Platforms Include?

Since WAAP platforms come in various flavours ranging from commercial ones such as AppTrana and Cloudflare to those offered by public clouds such as AWS and Azure, the capabilities vary from platform to platform. 

That said, most WAAP platforms include a subset of these tools:

Web Application Firewall: WAFs typically sit between the internet traffic and the origin server of the application to filter out any malicious requests before they hit the origin server. They offer a range of capabilities ranging from blacklisting to header inspections to block malicious traffic. For a detailed understanding of how WAF works, read here.

API Security Solution: API security solutions are specialized as they require more granular access controls, have different vulnerabilities, and handle critical data governed by data protection laws and compliance. Look for a solution that will help you discover and document APIs and automate the creation of positive security models. 

DDoS Mitigation Solution: While many WAFs include some level of DDoS protection, the nuances are whether the protection is unmetered and whether they offer some managed services to quickly work with your team on some custom rules to thwart the attack. This is an add-on in public cloud WAFs, such as AWS, and you will have to subscribe to it for a couple of thousand dollars per month.

Bot Protection Solution: Botnets are versatile in that they can be used for a variety of attacks, including running probes to find open vulnerabilities, injecting code into websites to skim critical details such as credit card information, and scraping pricing and inventory information on e-commerce websites to start price wars and inventory stock-outs. Look for a solution with automated capabilities such as CAPTCHA, JavaScript challenges, and managed components such as building workflow-based rules to trip bots.

DAST Scanner: A WAAP platform with both DAST scan and WAF in one platform will give IT teams visibility into open vulnerabilities and how many are already protected on the WAF. This is called a risk-based approach, and AppTrana WAAP is a pioneer.

Runtime Application Self-Protection (RASP): Runtime Application Self-Protection (RASP) is a security technology that can protect applications from a wide range of threats, including zero-day attacks. RASP functions by observing the application during its runtime and identifying potentially malicious actions. RASP agents are difficult to deploy and manage as they change with the programming language and the corresponding upgrades. 

Asset Discovery: Asset discovery involves the process of identifying, cataloging, and mapping external web assets, such as domains, subdomains, IPs, mobile apps, data centers, and APIs. Look for a solution with automated asset discovery as it allows you to easily identify, efficiently scan, and monitor all publicly facing web assets.

Features to Look for in a WAAP Tool

Once you decide on a toolset of your choice, then comes the tricky part of evaluating the features of all these tools. Since this is a mature category, you’ll not go wrong picking any WAF if you want the basic checkbox of “having a WAAP” in place for compliance. 

That said, if you are serious about a solid first layer of defense to protect your applications against zero-day and OWASP top 10 vulnerabilities, DDoS, bot, and API attacks, here are the must-have features you need in any WAAP tool.

Virtual Patching

Despite the best intent, application teams cannot patch vulnerabilities on time. Especially when the vulnerability is in a third-party component or feature development is prioritized. These vulnerabilities could be patched at the WAF to buy the application team enough time to patch these on code. 

The first question to ask is if a WAAP solution has the capability of virtual patching. If it does, the next question is, who is responsible for writing and managing these virtual patches? If you don’t have the security experts in-house to manage virtual patches, look for a WAAP solution that bundles the virtual patching service and the product.

False Positive Monitoring

Each month 200-300 zero-day vulnerabilities are discovered. A best practice that most WAF vendors follow is to release a patch or a rule update to add coverage/protection against these vulnerabilities.

That said, the onus is on your team to test these rules for false positives. For fear of breaking existing code, most users don’t apply these patches on time and run the risk of hackers targeting them as developers take time to patch these on code. Most WAF projects fail because WAF is kept in log mode for fear of false positives.

This is where false positive monitoring is important; find a vendor who takes responsibility for false positive monitoring. In our premium plan on AppTrana, our security researchers work as your extended Security Operations Centre (SOC) team and work with you to ensure a zero false positive guarantee. 

Unmetered DDoS Mitigation & Monitoring Service

While DDoS mitigation is a standard feature in most WAAPs, the differences lie in 1) Pricing, 2) Technology, and 3) Value Added Services

DDoS Pricing

Most WAAP providers have a Gbps model tied to subscription pricing. You’ll be billed according to the next pricing tier if an attack goes beyond that rate. As the first filter, look for WAAP, which gives you unmetered DDoS protection, where no matter what the rate at which the DDoS hits you, you won’t be billed extra. 

Rate Limiting Technology

The only technique available to mitigate DDoS is rate-limiting. That said, most application owners are guilty of either setting too high or too low rate limits. The former will cause the application to go down, and the latter will affect legitimate users from accessing the service.

We believe that a system that recommends rate limits based on user behaviour on a URI, IP, session/host, and geography is part of the solution to this problem. Using this approach, application owners can customize different rate limits for a ‘/login’ vs. ‘/dashboard’ and also customize these per IP, geography, and so on.

That said, rate limits should ideally be applied in tiers where the first tier should be a notification that someone is trying to DDoS you. The next tiers could be interventions to slow the attack using Tarpitting and CAPTCHA. The final tier should be a block, where the server blocks all the DDoS attacks after a set rate limit is breached.

DDoS Protection Services

No matter how granular your rate-limiting is, there is always an outside chance that a hacker can find a weak link in the rate-limiting policy and exploit it. This is where a DDoS monitoring service can quickly help with quick actions. Identifying patterns of DDoS attacks and writing sophisticated rules to thwart specific DDoS attacks, no matter how good the attacker is, there is always a fingerprint that they leave, and this fingerprint can be used to thwart any attacks.

Still, for this, there is a need for a solution that can identify these patterns and experts to review the same and create accurate policies. Solutions like AppTrana provide such a service to customers.

Positive Security Policy Automation for APIs

99% of API attacks could be prevented if developers follow secure coding practices and validate every input in an API. Since that doesn’t happen, creating positive security models on a WAAP is a reasonable plan B. 

Most application teams don’t have WAAP-specific security experts to handle this configuration. So, look for a WAAP solution to help your teams automate positive security policies. 

Workflow-based Bot Protection

JavaScript challenges and CAPTCHA are table stakes for bot protection software that most WAAPs offer. 

Bots are evolving, and some advanced bots need more sophisticated protection. Look for a WAAP that will allow adding workflow-based custom rules. For example, the custom rule should take into account the average time taken per task and the average time taken to complete the whole workflow. That way, custom rules are closely mapped to user behaviour and have a higher chance to trip bots.

A Quick Snapshot Comparison for 17 WAAP Software

Name of WAAP(WAF) Solution	Pricing	Features	Suitable for
AppTrana	Starts at $99. 14-day free trial	1.     Cloud WAF 2.     DDoS Mitigation 3.     API Security 4.     Bot Protection 5.     DAST Scanner 6.     CDN 7.     SSL Certificates (Entrust)	Teams who don’t have security experts in-house but need advanced policies to block attacks at the WAF. AppTrana pioneered the concept of risk-based protection, where the security researchers scan the application and do penetration testing to make sure that the rule sets are targeted to only the weakest links in the application. Managed services, custom rules, DDoS & Bot monitoring, and penetration testing are all bundled in the $399 plan with a 24-hour SLA for virtual patching and a ZERO false positive guarantee. SwyftComply produces a zero-vulnerability, clean report within 72 hours. 24X7 phone, chat and email support even on the $99 plan. Unmetered DDoS is offered as the default in all plans.
Fastly	On Quote	1.     Cloud WAF 2.     DDoS Mitigation 3.     API Security 4.     Bot Protection 5.     CDN	Teams who want flexibility in deploying WAAP. Fastly offers multiple deployment options, including on-prem, cloud, cloud container-native, and so on. Response Security Service, Fastly’s managed services offering for critical security incidents is available only in the “ultimate” plan. Unmetered DDoS is not available.
Imperva	On Quote	1.     WAF (Cloud & on-premise) 2.     DDoS Mitigation 3.     API Security 4.     Bot Protection 5.     DNS 6.     CDN 7.     RASP	Teams who have a hybrid WAAP strategy with both on-premise and cloud models. Cost-effective when you don’t want managed services, and there are hundreds of assets and bandwidth going into terabytes. Among the few WAAP providers that also offer RASP. While difficult to manage, RASP could be a valuable tool to reduce false positives, especially where the application environment does not change often and is standardized across the organization.
Akamai	On Quote	1.     Cloud WAF 2.     DDoS Mitigation 3.     API Security 4.     Bot Protection 5.     DNS 6.     CDN	Teams with a good budget for security software, such as Akamai, are generally priced on the higher side. Their bundled CDN is world-class and suits the media, gaming, and streaming services industries. Configuration and management of Akamai WAAP needs dedicated security engineers with the know-how of Akamai. You also have the option of managed services, but it could be expensive. Unmetered DDoS is not available.
Cloudflare	Starts at $0	1.     Cloud WAF 2.     DDoS Mitigation 3.     API Security 4.     Bot Protection 5.     CDN 6.     DNS & SSL	Teams who have dedicated security experts who can take care of the configuration. DDoS mitigation is very good for e-commerce sites opting for enterprise plan. Unmetered DDoS is an add-on and comes at 5 cents per 10,000 requests. Guided onboarding and managed services are only available in enterprise plans. Chat support is only available starting in the $200 plan.
Radware	On Quote	1.     WAF (Cloud & on-premise) 2.     DDoS Mitigation 3.     API Security 4.     Bot Protection 5.     DNS 6.     CDN	Teams who have a hybrid WAAP strategy with both on-premise and cloud models. Bot protection module available is among the best in the market, so industries particularly prone to bot attacks, including e-commerce and FinTech, could benefit through the bot module. Coming to the downsides, the configuration of the Radware product is quite complex, and you need dedicated security engineers with the product know-how for ongoing maintenance.
AWS WAF	Pay as you go with billing per rule and requests	1.     Cloud WAF 2.     API security 3.     DDoS Mitigation (Add-on) 4.     Bot Protection 5.     DNS 6.     CDN	Teams who are already on AWS and want basic protection against OWASP Top 10. DDoS mitigation is very expensive and is $3000 per month with a minimum commitment of 1 year. Also, if you want advanced protection, you’ll need to buy rule sets from other WAAP providers and then pay per the rule set and the bandwidth consumption. The request body size inspection is only 64KB which is the lowest among all WAAPs, and even protection for legacy API standards such as SOAP and WebSocket is not there or limited.
Barracuda	Starts at $1000 for cloud WAAP	1.     WAF(On-Premise & Cloud) 2.     API security 3.     DDoS Mitigation 4.     Bot Protection 5.     CDN	Teams who have a hybrid WAAP strategy with both on-premise and cloud models. Barracuda also has good products for API discovery and malware scanning for file uploads. Like AWS WAAP, the limit on request inspection is only 64KB. This may not be sufficient as it is easy to send a larger attack payload.
Microsoft Azure WAF	Pay as you go	1.     Cloud WAF 2.     API security 3.     DDoS Mitigation (Add-on) 4.     Bot Protection 5.     DNS 6.     CDN	Teams who are already on Azure and want basic protection against OWASP Top 10. DDoS mitigation is very expensive and is $2944 per month. Also, if you want advanced protection, you’ll need to buy rule sets from other WAAP providers and then pay per the rule set and the bandwidth consumption. The API protection capabilities are quite basic, with no support for Graph QL, SOAP, gRPC, and WebSocket.
Fortiweb by Fortinet	On Quote	1.     WAF(On-Premise & Cloud) 2.     API security 3.     DDoS Mitigation 4.     Bot Protection 5.     CDN	Teams who have a hybrid WAAP strategy with both on-premise and cloud models. You will still need to manage two separate consoles for the appliance and the cloud. Fortinet has good capabilities for DevSecOps teams and offers CI/CD integration. Apart from that, Fortinet uses machine learning for anomaly detection, which could help in reducing false positives. The bot protection module is rated slightly less than Akamai and Radware’s offerings. Finally, managed services are expensive.
Cloud Armor by Google	Pay as you go	1.     Cloud WAF 2.     API security 3.     DDoS Mitigation (Add-on) 4.     Bot Protection 5.     DNS 6.     CDN	Teams who are already on GCP and want basic protection against OWASP Top 10. DDoS mitigation is very expensive and is $3000 per month with a minimum commitment of 1 year. Also, if you want advanced protection, you’ll need to buy rule sets from other WAAP providers and then pay per the rule set and the bandwidth consumption. By default, the request body size inspection is 8KB, the lowest among all WAAPs. This is insufficient, as it is easy to send a payload greater than 8KB. The API protection capabilities are basic, with no support for Graph QL, SOAP, gRPC, and WebSocket.
F5	Pay as you go. Free Trial Available		Teams who have a hybrid WAAP strategy with both on-premise and cloud models. F5 is really strong in out-of-the-box capabilities for reporting and analytics. For many other WAAPs, you’ll need a supplementary BI tool for reporting capabilities. Configuration is a big challenge with F5, and even ongoing maintenance needs dedicated security engineering with the product know-how of F5. Managed services are expensive and cost $1500 per month for DDoS mitigation.
ThreatX		1.     Cloud WAF 2.     API security 3.     DDoS Mitigation (Add-on) 4.     Bot Protection	Teams that want a managed WAAP offering. Similar to AppTrana, ThreatX also talks about risk-based protection. However, the difference is in an application where ThreatX uses machine learning to analyze incoming traffic and then assigns a risk score to reduce false positives. ThreatX also has a good API discovery solution and has support for GraphQL. Since managed services are bundled into the offering, it can be slightly pricey.
Sucuri	Starts at $199 per year	1.     Cloud WAF 2.     API security 3.     DDoS Mitigation (Add-on) 4.     Bot Protection 5.     DNS (Go Daddy) 6.     CDN	Teams are looking for a cost-effective solution to protect WordPress sites with basic protection against OWASP top 10 vulnerabilities. Sucuri is also famous for its malware removal offering. That said, the DDoS and bot offerings are basic compared to more advanced WAAP solutions in this article. Also, managed services and support could be slow to respond given how inexpensive the managed services offering is.
ModSecurity	Free	1.     WAF 2.     Api Security 3.     Bot	Suitable for small applications that are maintained by engineering teams with a lot of security know-how. While ModSecurity will give basic rule sets, any new threats need new rules that the in-house teams have to create. For DDoS, you’ll need to use some other WAAP platform. ModSecurity also doesn’t have a GUI from which you can get attack analytics. You will have to use third-party plug-ins like WAF-FLE.
NAXSI		1.     WAF	Suitable for small applications hosted on the Nginx server and maintained by engineering teams with a lot of security know-how. That, too, works mainly for SQLi and XSS attacks. For all other attack types, you might need to use ModSecurity rules or other WAAPs for advanced functionality, such as DDoS and Bot mitigation.

Detailed Reviews of 17 WAAP Software

1. AppTrana by Indusface

Virtually patch critical vulnerabilities such as SQLi and XSS in 24-hours with a ZERO false positive guarantee.

Features

• Pricing: Starts at $99
• Virtual Patching: 24-hour SLA-backed virtual patching on all critical vulnerabilities found through DAST scanner and penetration testing
• Unmetered DDoS Mitigation: You get billed only for clean traffic no matter how much DDoS gets blocked on AppTrana
• Bot Mitigation: Workflow-based custom rule support to trip even the most advanced bots
• API Discovery: Automate discovery and documentation of open APIs. Download a swagger file from the portal
• API Security: Automate the creation of positive security policies for all your API endpoints
• Bundled VAPT: Find vulnerabilities with the bundled automated web application and API scanner and manual penetration testing
• CDN: Bundled CDN with an option of integrating into all the major CDN providers
• Managed Services: Available on premium plan ($399) and an enterprise plan
• 24X7 Support: Phone, email, and chat support on all plans

Detailed Review

AppTrana is the pioneer in adopting a “risk-based” approach to web application firewalls. The approach is to first scan the applications and APIs with the bundled DAST scanner to find the open vulnerabilities and then tune the rules set to ensure zero false positives.

This is probably the only WAAP in the market that talks about a ZERO false positive guarantee. The bundled managed services team acts as an extended SOC team to work with the application team to ensure that the rules are set to suit every organization adopting AppTrana.

With solutions for DAST scanner, API Discovery, API Security, DDoS Mitigation, Bot Protection, and CDN, this is one of the most complete WAAP solutions in the market.

SwyftComply

Ensuring regulatory compliance requires a clean report with zero vulnerabilities, yet patching open vulnerabilities poses challenges due to reliance on third-party components lacking readily available patches.

With SwyftComply, AppTrana users can quickly generate a spotless, zero-vulnerability report in just 72 hours, making security audits a breeze.

Key features include:

• Built-in DAST scanner for continuous vulnerability detection, even zero days.
• Autonomous patching to protect against all open vulnerabilities on AppTrana WAAP.
• Accessible clean, zero-vulnerability report downloadable within 72 hours.

Block Mode That Offers “Real” Protection

The biggest benefit is that 100% of applications onboarded on the AppTrana WAF are in block mode. Most studies say that, on average, only 53% of WAFs are put in block mode for fear of false positives and misconfiguration that breaks applications.

A WAF in log mode is a glorified log analysis tool and doesn’t serve the core purpose of blocking attacks such as XSS, Code-Injections, and other attacks.

Every application onboarded on AppTrana has a solution engineering team overseeing the deployment to ensure no false positives or misconfigurations for the first 14 days. Even after deployment, false positive monitoring is offered as a service.

Virtual Patching

The standout feature that the product offers is virtual patching. The managed services team makes sure that all Zero-Day vulnerabilities are automatically patched.

In fact, the Log4J vulnerability was patched for all our affected customers in a record time of 24 hours.

Security researchers also extensively test false positives and automatically apply the rules to your application. In most other WAAPs, they just notify about the issuance of a patch, and the onus is on you to use the patch and fix the false positives, if any.

Behavioural DDoS Models

The bane of most rate-limiting systems is that the application owners often do not know what rate limits to apply.

AppTrana provides behavioural models where the system tracks metrics, including max values of requests per session/host, IP, URI, and geography. Then the system recommends what rate limits should start notifying you and what rate limits should block traffic.

This model scales well as these rate limits adapt to changes in traffic behaviour. AppTrana is the pioneer of this behavioural model that determines rate limits, and the only WAAP provider with a comparative feature is Cloudflare.

Positive Security Model Automation for APIs

Automating positive security models is one of the biggest value-adds for APIs on the AppTrana WAAP. The process includes API discovery, API vulnerability scanning, penetration testing, and finally, positive security policy creation on the AppTrana WAAP.

This helps even teams who do not have API documentation on Swagger and Postman. While the swagger file can be automatically downloaded using the API discovery feature, the managed services team also helps create Postman files for critical open APIs.

Five-Minute Onboarding Process with Zero-Downtime

Given the cloud-based deployment, it is very easy to try to AppTrana, as there are no configuration challenges at all. The solution engineering team works on each deployment, and the only requirements needed from customers are 1) a DNS change so that all the traffic is routed through AppTrana and 2) Blocking all IPs from which the origin server accepts traffic and whitelisting only AppTrana IPs.

Therefore, it is a very unobtrusive way to try the platform, and going live in a staggered way is super simple.

Who is it for?

Everyone doesn’t have an in-house team with tech skills in configuration and ongoing maintenance of WAF. This is especially important in regulated industries where deploying a WAF in block mode is extremely important, as data breaches can be debilitating.

AppTrana is particularly strong in banking, financial services, insurance, retail, manufacturing, healthcare, and media industries.

Since the solution is ISO:27001, GDPR, and PCI certified, it works even for some of the most regulated industries.

What is best?

• 100% applications deployed on block mode
• A single dashboard that shows open vulnerabilities against their protection status on the WAF
• 24-hour SLA-backed virtual patching
• Bandwidth savings for applications hosted on AWS through VPC tunnels
• Managed services team is highly rated on Gartner Peer Insights. The team acts as an extended SOC team and helps with custom rules, false positives, DDoS and latency monitoring, and positive security models for APIs
• Value for money as everything from vulnerability scanning to Web App and API Protection is in one platform
• ZERO false positive guarantee

What could have been better?

• On-premise WAAP is not available
• No support for legacy API standards such as SOAP

Verdict

WAAP platform operates on the edge and is often the first line of security against all kinds of attacks. AppTrana is probably the only WAAP that talks about the importance of deploying WAAP on block mode and ensures that 100% of applications deployed are in block mode. The array of services that managed services teams with 24X7 support offer makes this possible. No wonder AppTrana is among the best WAAP platforms available in the market with a rating of 4.9, where 100% of customers recommend the platform on Gartner Peer Insights Cloud WAAP report 2023.

2. Fastly

Unified web app and API security, anywhere

Features

• Pricing: On Quote
• Request Inspection Size: Not known
• Virtual Patching: Available through SmartParse and Templated Rules, but application-specific virtual patching will need managed services.
• Bundled VAPT: Not available
• Behavioural  DDoS Mitigation: Not available
• Bot Protection: Yes
• API Discovery: No
• API Security: Yes
• CDN: Bundled CDN with an option of integrating into all the major CDN providers
• Managed Services: Ultimate plan only 

Detailed Review

Fastly, on its website, claims that 90%+ WAAP deployments are in block mode. The only WAAP other than AppTrana and Imperva to have this claim.

A big reason for that is their proprietary SmartParse technology that helps them identify anomalies better without relying too much on signatures. 

Fastly is also known for integrations into SIEM tools, Slack, DevOps tools, and so on. 

Network Learning Exchange (NLX)

NLX is Fastly’s proprietary IP reputation feed based on anonymized, confirmed malicious activity collected from thousands of Fastly’s distributed software agents. NLX recognizes attack patterns across Fastly’s customer network. This is used to send proactive alerts to defend web apps and APIs.

SmartParse

SmartParse is Fastly’s proprietary technology to evaluate the context of each request and how it would execute to determine if there are malicious or anomalous payloads in requests. SmartParse offers the advantage of near-zero tuning and the ability to promptly initiate threat detection. This is Fastly’s approach to making sure that false positives are minimized and protection starts immediately.

Flexible Deployment Options

Fastly provides the most versatile deployment of a WAF available, protecting applications in containers, on-premises, in the cloud, or at the edge, all through a unified solution.

Response Security Service

Fastly has a managed service offering where it promises a 15-minute SLA for critical responses with direct phone, email, and chat support. 

Who is it for?

Given the deployment options, expertise in CDN, and the number of integrations available, Fastly is a great fit for teams with high technical expertise in deploying WAAP platforms, especially in industries such as Media, IT services, SaaS, and FinTech.

What is best?

• 90% applications deployed in block mode
• Reduction in false positives through SmartParse
• Flexible deployment options
• A range of integrations into SIEM tools, Slack, and DevOps tools 
• Fastly’s default configuration for request inspection is 307KB, which can be increased in the configuration
• Fastly’s Response Security Service is highly rated on review platforms

What could have been better?

• No bundled VAPT, so for compliance reports, you’ll need to engage other VAPT providers for DAST and penetration testing and use the managed services to request virtual patches on application-specific vulnerabilities.
• There are fewer options for rate-limiting customizations to prevent DDoS
• Only the ultimate plan provides access to managed services.

Verdict

Fastly is a solid WAAP offering with feature parity on most components, and SmartParse is a noteworthy feature that helps reduce false positives. No wonder Fastly is also highly rated on Gartner Peer Insights with a rating of 4.9.

3. Imperva

Imperva Web Application Firewall (WAF) stops attacks with near-zero false positives and a global SOC to ensure your organization is protected from the latest attacks minutes after they are discovered in the wild.

Features

• Pricing: On Quote
• Virtual Patching: Basic ones available through core rules set. Application-specific virtual patching will need managed service add-on.
• Bundled VAPT: Not available
• Behavioural  DDoS Mitigation: Not available
• Bot Protection: Add-on
• API Discovery: Add-on for all plans
• API Security: Schema protection is available for all plans
• CDN: Bundled CDN with an option of integrating into all the major CDN providers
• Managed Services: Add on for all plans 

Detailed Review

Imperva, like Fastly, claims that 90%+ WAAP deployments are in block mode on its website.

This could be because Imperva Research Labs does false positive testing before moving the rules into block mode.

Imperva is also among the very few WAAP providers that offer RASP.

Hybrid Deployment

Some industries and government organizations that handle confidential data might want to opt for an on-premise system, and Imperva offers that.

Along with on-premise, Imperva also offers a cloud WAF so organizations that have chosen a hybrid WAAP strategy are in good hands with Imperva.

Integrations

Imperva, like Fastly, is also known for out-of-the-box integrations to data warehouses, SIEM tools, and other DevOps tools.

Integrations are available for amazon s3, elastic, Splunk, Terraform, and many more.

Run-Time Application Self Protection (RASP)

For those who want to reduce false positives even more, Imperva offers RASP that helps even against unknown attack patterns.

RASP goes as far as examining east-west traffic to guarantee the elimination of insider threats as well.

Imperva provides compatibility with the widely used runtimes and databases, such as Java, Node JS, SQL Server, Oracle, and more.

Cost Effective for Large Deployments

Compared to all the large players in the market, Imperva is among the more cost-effective offerings when you don’t opt for managed services.

Who is it for?

For large organizations with hundreds of applications who have in-house resources for ongoing maintenance of the WAAP.

It is also a good fit for large organizations that need a hybrid WAAP that can support both cloud and on-premise data centers with appliances.

What is best?

• By default, Imperva inspects requests of up to 2MB
• RASP could be deployed to reduce false positives. You’ll just have to manage the deployment complexity, especially in heterogenous/ changing dev environments.
• Cloud and On-premise appliance WAAP options available
• Bundled protection against DDoS and Bot attacks

What could have been better?

• No bundled VAPT, so for compliance reports, you’ll need to engage other VAPT providers for DAST and penetration testing and use the managed services to request virtual patches on application-specific vulnerabilities
• API discovery is an add-on
• Managed services are expensive.

Verdict

Imperva is among the oldest WAAP offerings in the market and is a complete offering that offerings web app and API protection against vulnerability, DDoS, and bot attacks. In highly critical and sensitive applications where even internal threats are dangerous, organizations will benefit from implementing RASP.

If you are confident of the ongoing maintenance and need no managed services, you can’t go wrong with picking Imperva, as it is also cost-effective.

4.  Akamai

Embed strong security everywhere your business meets the world 

Features

• Pricing: On Quote
• Request Inspection Size: 8KB by default and expandable to 128KB
• Virtual Patching: Basic ones available through core rules set. Application-specific virtual patching will need managed services add-on.
• Bundled VAPT: Not available
• Behavioural  DDoS Mitigation: Not available
• Bot Protection: Add-on
• API Discovery: Add-on
• API Security: Add-on
• CDN: Bundled CDN with an option of integrating into all the major CDN providers
• Managed Services: Add on for all plans 

Detailed Review

Akamai was one of the first WAF products ever released. It is the oldest WAF that is still in business, as Sanctum was acquired by Google.

Like most modern WAAPs, Akamai App & API Protector bundles WAF, Layer 7 DDoS protection, bot mitigation, and API security into a single solution.

Akamai is also the world’s oldest CDN provider and has the largest market share. Given its strength in CDN, Akamai is powerful in the media, gaming, and streaming industries.

Some key differentiators include:

Adaptive Security

Akamai has more than 400 security researchers who work on continually updating security configurations and policies. These researchers work with machine learning models and real-time threat intelligence feeds to keep the Adaptive Security Engine up to date.

Akamai claims that this process helps them reduce false positives by 5X.

Prolexic

Prolexic is Akamai’s DDoS protection service backed by a 20 Tbps network for DDoS defense and a SOCC that provides 24/7/365 support for a fully managed DDoS protection solution.

Prolexic also has a Network Cloud Firewall that IT teams could use to automate or manually manage access control lists.

Page Integrity Manager

Akamai’s Page Integrity Manager protects websites from JavaScript threats, including web skimming, form jacking, and Magecart attacks. The solution detects compromised JavaScript behaviour and minimizes data theft and UX defacements.

Page Integrity Manager runs in the user’s browser and monitors all JS executions for protected pages. The solution can be deployed in minutes to start analyzing the script executions immediately.

Managed Security Service

While this could be expensive, it is a comprehensive service by Akamai that covers the following:

• Rapid response to security incidents
• Insights through monthly solutions reports, quarterly business reviews, technical security reviews, and postmortems
• Off-hour configuration assistance
• Security health checks, in-depth analyses, and configuration fine-tuning

Who is it for?

Large enterprises have a sizeable budget for security software. While Akamai has customers across industries, it is particularly strong in industries where caching and CDN are big requirements, including media, gaming, and streaming.

What is best?

• API discovery and API security
• Unified platform for Web, API protection against vulnerability, DDoS, and bot attacks
• Client-side threat detection and response
• Edge DNS
• World-class CDN, especially for media-heavy industries
• Managed services are highly rated

What could have been better?

• Akamai is probably the most expensive WAAP offering. It comes with a premium for both the product and the managed services.
• No bundled VAPT, so for compliance reports, you’ll need to engage other VAPT providers for DAST and penetration testing and use the managed services to request virtual patches on application-specific vulnerabilities
• Default configuration supports request inspection size of only 8 KB.
• False positives are a concern.

Verdict

Akamai is among the oldest WAAP offerings in the market and is a complete platform that offers a web app, API protection against vulnerability, DDoS, and bot attacks. Akamai has a big army of security research teams and tens of thousands of customers, and machine learning on these customers’ data gives a good threat landscape and protection.

If cost is not your concern, you will not go wrong with picking Akamai as a WAAP platform, especially if it is a managed offering that will help you cut some of the false positives. 

5. Cloudflare

With Cloudflare, your business will deliver superior experiences through faster performance and world-class application security, all on an integrated and easy-to-use platform. 

Features

• Pricing: Starts at $0
• Request inspection size: 128KB in all plans. It can go up to 500MB for an enterprise plan.
• Virtual Patching: Basic ones available through core rules set. Application-specific virtual patching will need managed services available only on the enterprise plan.
• Bundled VAPT: No
• Behavioural DDoS Mitigation: Available
• Bot Protection: Add-on only available for enterprise plan
• API Discovery: Yes
• API Security: Yes
• CDN: Bundled CDN with an option of integrating into all the major CDN providers
• Managed Services: Add-on available only for enterprise plan  

Detailed Review

As of March 2023, 10% of internet traffic passes through Cloudflare. This marks a substantial implementation of Cloudflare’s WAAP and CDN offerings.

It is safe to say that Cloudflare is the most popular WAAP on the market. This is mainly because of the free plan that Cloudflare provides, which is hugely beneficial to SMBs with small applications and limited traffic.

Here are some standout features that Cloudflare WAAP offers:

DDoS Mitigation

While most DDoS products offered by the WAAP providers are strong, Cloudflare possibly has mitigated some of the world’s largest-scale DDoS attacks ever recorded. This is a testimony to their strong infrastructure that can handle huge DDoS attacks on all applications worldwide.

Like AppTrana, Cloudflare also has a DDoS mitigation system that continuously adapts to user behaviour to ensure that rate limits are tailored.

Remember that unmetered DDoS is only available with an add-on that charges users $.05 for every 10,000 requests.

Global Intelligence

Since Cloudflare processes more than 2 trillion requests daily, the quality of threat intelligence is among the best in the business.

Powerful Bundle for SaaS

Cloudflare’s SSL certificate management, vanity domain support, and powerful DDoS, WAF, and API security products are an excellent combination for the SaaS industry of all scales.

Their flexible pricing in the $0-$200 plans is especially beneficial for start-ups and scale-ups as the scale of the upgrade along with their business.

Who is it for?

The $20 plan provides significant value for SMBs or applications that need a security product to pass a compliance checklist, as it comes with OWASP Top 10 protection. As stated above, they give unmetered DDoS on all plans if you opt for an add-on. The only caveat is the support you’ll get, starting from the $200 plan.

But remember that support in all modes will only be available in the enterprise plan, so in case of a severe DDoS attack, you’ll have to manage it in-house.

On the other hand, in industries such as e-commerce, where the impact of DDoS-related downtime is debilitating, Cloudflare is among the best DDoS mitigation products available. Like AppTrana, Cloudflare has also introduced Behavioural models that ensure DDoS mitigation considers user behaviour to minimize false positives.

What is best?

• DDoS mitigation
• Bundled offering for the SaaS industry
• Threat intelligence feeds that process almost 10% of the internet traffic
• API Gateway
• WAF

What could have been better?

• Support could be better as per reviews on Gartner and G2.
• Request inspection limit of 128KB on plans up to $200 may not be enough.
• No bundled VAPT, so for compliance reports, you’ll need to engage other VAPT providers for DAST and penetration testing and use the managed services to request virtual patches on application-specific vulnerabilities

Need to upgrade to an enterprise plan to get effective protection for enterprises which turns up to be costly, around 3k-5k/month.

Verdict

Cloudflare is a massively popular WAAP platform for millions of websites and applications. For those who require a good WAAP that covers all bases with minimal costs, you won’t go wrong with Cloudflare. But as one scales and needs comprehensive protection, the pricing is not too different when comparing large WAAP providers such as Akamai and Imperva.

Suppose you want managed offering with all the bells and whistles of DDoS monitoring, false positive monitoring, application specific virtual patches. In that case, you’ll have to go for the enterprise plan with a premium.

6. Radware

Radware’s Cloud WAF Service provides enterprise-grade, continuously adaptive web application security protection.

Features

• Pricing: On quote
• Request inspection size: up to 1GB for cloud WAF and could be expanded for on-prem WAF
• Virtual Patching: Basic ones available through core rules set. Application-specific virtual patching will need managed services available only as an add-on.
• Bundled VAPT: No
• Behavioural DDoS Mitigation: No
• Bot Protection: Add-on
• API Discovery: Yes
• API Security: Yes
• CDN: Bundled CDN with an option of integrating into all the major CDN providers
• Managed Services: Add on for all plans and has tiers based on the number of applications

Detailed Review

Like Fastly, Radware also provides several options to deploy WAAP. One key difference between both WAAPs is that Radware also provides an Appliance.

Here are a few standout features as far as Radware is concerned.

Bot Manager

Radware bot manager can also be a standalone product with other WAFs. Crypto Challenge has a feature that uses blockchain-inspired algorithms to create invisible, browser-based challenges that gradually increase in difficulty. These are more powerful bot protection mechanisms than CAPTCHA.

Bundled Managed Services

Like AppTrana, Radware also bundles managed services as part of the subscription. Managed services are important as they help with DDoS and false positive monitoring, custom application-specific virtual patching, and workflow-based bot protection policies.

DefensePro DDoS Protection Service

The availability of 24/7/365 support, along with a powerful DDoS mitigation cloud solution, makes it a very popular DDoS mitigation service for organizations of all sizes.

That said, the DDoS service is not unmetered, so there will be tiers depending on the scale of attacks that get blocked, and you might get billed after the Gbps threshold on your current plan.

Who is it for?

Radware is a solid choice for large enterprises with a hybrid WAAP strategy. The offerings are on-par or better than the competition on specific features, and bundled managed services are of great value. Small and medium-sized businesses might find the pricing high.

What is best?

• 3 WAAP options in appliance, cloud, and Kubernetes
• Bundled managed services
• Bot manager
• API discovery and API Protection

What could have been better?

• No bundled VAPT, so for compliance reports, you’ll need to engage other VAPT providers for DAST and penetration testing and use the managed services to request virtual patches on application-specific vulnerabilities
• Unmetered DDoS not available

Verdict

There are certain industries, especially defense, a government that demands a hybrid WAAP strategy where more confidential data is protected through on-premise appliances and general public-facing websites protected through the API.

7. AWS WAF

Protect your web applications from common exploits.

Features

• Pricing: Pay as you go
• Request inspection size: 64KB
• Virtual Patching: Self-managed
• Unmetered DDoS Mitigation: Application DDoS protection starts at $3000 per month
• Bot Mitigation: Basic protection (add-on rules)
• API Discovery: No
• API Security: Basic capabilities through AWS API gateway
• Bundled VAPT: No
• CDN: Bundled CDN
• Managed Services: No
• 24X7 Support: Only for AWS Shield that is limited to DDoS attacks

Detailed Review

After Cloudflare, AWS WAF might be among the most widely adopted WAFs, especially as AWS is the market leader in cloud PaaS. 

It is extremely easy for teams already on AWS to turn on the AWS WAF. Here are a few noteworthy features:

AWS Shield Advanced

AWS Shield Advanced is a fully managed DDoS protection service, and although it comes at a premium, it is well worth it for those who can afford it.

Regulatory Compliance

AWS is available in 25+ regions worldwide, and no matter what your data privacy guidelines are, complying with those becomes a breeze with AWS WAF.

Pricing

AWS employs usage-based pricing with transparently priced add-ons such as Shield Service and Bot Mitigation. AWS is an easy choice for those looking for a basic WAF that helps them pass compliance.

Who is it for?

AWS native customers who need a basic WAF for protection against standard attacks. Particularly SMBs who are looking to deploy a WAF and pass compliance quickly. 

What is best?

• AWS Shield
• Usage-based pricing
• Compliance

What could have been better?

• Request inspection size is only 64KB
• API security capabilities are basic
• No managed services option for advanced rules and bot mitigation

Everything is an add-on, so you may start small, the cost quickly adds up

Verdict

AWS WAF is a good option for SMBs who quickly want to turn on the WAF capability with minimal costs to pass the compliance requirements.

Like any public cloud WAF, AWS WAF is more of a checkbox than a complete WAAP that protects applications against advanced attacks. Also, if your applications are hosted in a multi-cloud, on-premise, or hybrid environment, you’ll have to opt for a platform-agnostic WAF like AppTrana.

8. Barracuda

Web application security, simplified.

Features

• Pricing: On Quote
• Request inspection size: 64KB
• Virtual Patching: Self-managed
• Unmetered DDoS Mitigation: Yes
• Bot Mitigation: ML-based advanced protection. Workflow-based rules need managed services.
• API Discovery: Yes
• API Security: Yes
• Bundled VAPT: DAST is available but not penetration testing
• CDN: Yes
• Managed Services: Add On
• 24X7 Support: Add On starting at $2,800

Detailed Review 

Like Imperva and Fastly, Barracuda also provides a host of options to deploy the firewall. It includes an appliance, a SaaS solution, and native deployments in all major public cloud providers.

Here are some noteworthy features of Barracuda:

File Upload Antivirus and Malware Scanning

Barracuda WAF analyzes files in a CPU-emulation-based sandbox, using which it detects and blocks malware embedded in the files uploaded into websites or web applications.

Unmetered DDoS Protection

Like AppTrana and Cloudflare, Barracuda provides unmetered DDoS mitigation against layer 3-7 attacks.

API Discovery and Security

Barracuda provides API security for multiple formats, including JSON, REST, and GraphQL.

Like AppTrana, Barracuda also automates the creation of API security policies when you upload the API specification files.

East-West Protection

With Barracuda’s containerized deployment mode, application owners can deploy the same protections between microservices, thereby protecting them from intra-app attacks.

Who is it for?

For organizations with a hybrid WAAP strategy, Barracuda is a good option to evaluate along with Imperva, Radware, Fastly, and F5.

For cloud-native applications hosted on Azure, there’s an option to save bandwidth costs as Barracuda’s WAF-as-a-Service is also hosted on Azure.

What is best?

• Malware scanning for file uploads
• East-West traffic inspection to limit damage
• Azure bandwidth savings
• API security

What could have been better?

• Premium support is an add-on
• If you enable the request inspection limit, 64KB is the maximum request inspection size
• Complaints about support in the review sites

Verdict

Barracuda is on-par on most features and has unique selling points compared to the other Hybrid WAAP providers. It is also rated 4.5 in the Gartner peer insights.

For organizations going with hybrid WAAPs, trying their free trial to compare it against the competition is well worth it.

9. Microsoft Azure WAF

Protect your web applications from common exploits.

Features

• Pricing: Pay as you go
• Request inspection size: 128KB
• Virtual Patching: Self-managed
• Unmetered DDoS Mitigation: DDoS starts at $2944 per month
• Bot Mitigation: Basic protection
• API Discovery: No
• API Security: Basic capabilities through the API gateway
• Bundled VAPT: No
• CDN: Bundled CDN
• Managed Services: No
• 24X7 Support: Only for DDoS Service

Detailed Review

Like the AWS WAF, Azure WAF is extremely easy for teams already on Azure to turn on the WAF.

Here are a few noteworthy features:

Bouquet of Rules in The Marketplace

In the Azure WAF, you have the option of buying rulesets from other leading WAF providers, such as Fortinet and Barracuda. That way, you get more comprehensive protection, and these rules are updated more frequently than the out-of-the-box rules on Azure WAF. That said, subscribing to these rules will cost you a fixed subscription charge and bandwidth cost for traffic that the rules inspect.

Native Security Offerings

When cost is a concern and security teams want to consolidate security software, Azure is a good choice. Azure Firewall (network firewall) and Microsoft Sentinel (SIEM) are good-enough tools.

Regulatory Compliance

Azure is the world leader in availability and supports 60+ regions worldwide. No matter what your data privacy guidelines are, complying with those is super simple with Azure.

Who is it for?

Azure native customers who need a basic WAF for protection against standard attacks. Particularly SMBs who are looking to quickly deploy a WAF and have a checkmark against a compliance checklist.

What is best?

• Usage-based pricing
• Marketplace rules for more granular protection
• Azure Firewall and Microsoft Sentinel
• Compliance

What could have been better?

• Request inspection size is only 128KB
• API security capabilities are basic
• No managed services option for advanced rules and bot mitigation

Verdict

Azure WAF is a good option for SMBs already hosted on Azure and wants to turn on the WAF capability with minimal costs to pass the compliance requirements.

Like any public cloud WAF, Azure WAF is more of a checkbox rather than a complete WAAP that protects applications against advanced attacks. Also, if your applications are hosted in a multi-cloud, on-premise, or hybrid environment, you’ll have to opt for a platform-agnostic WAF like AppTrana.

10. Fortiweb by Fortinet

Protect business-critical web applications from attacks that target known and unknown vulnerabilities

Features

• Pricing: On Quote
• Request inspection size: 100MB
• Virtual Patching: Self-managed or with managed services
• Unmetered DDoS Mitigation: Yes
• Bot Mitigation: Basic protection
• API Discovery: No
• API Security: Basic capabilities through the API gateway
• Bundled VAPT: DAST is available. Not sure if it is part of the FortiWeb product. But VAPT is not available
• CDN: Bundled CDN
• Managed Services: No
• 24X7 Support: Only for DDoS Service

Detailed Review

Fortinet’s N/W firewall FortiGate was among the oldest firewalls. In terms of adoption, FortiGate is the 2nd largest after Palo Alto.

FortiWeb WAAP has a large captive audience and is especially appealing to enterprises already on FortiGate.

Like Imperva, Radware, and F5, FortiWeb is available as an appliance and a cloud service.

Here are some standout features:

FortiGuard Inline Sandbox Service

Like Barracuda, Fortinet also provides a sandbox service to protect organizations from malicious file uploads. A combination of AV, advanced threat filtering, and AI/ML narrows file-based threats. This eliminates false positives to focus on unknown threats that can pose actual risks.

FortiGuard IP Reputation & Threat Intelligence

The FortiGuard IP Reputation Service aggregates malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources collaborating to provide up-to-date threat intelligence about hostile sources.

Machine Learning Based Threat Detection

Like several large players in the WAAP space, Fortinet has also made significant investments in machine learning. They claim that this helps reduce false positives, and this is best tested in an actual trial as applications vary greatly from each other.

Who is it for?

Fortinet is a good option if you already use FortiGuard firewall and have a good budget for the managed services offering – FortiGuard SOC-as-a-Service, which is very comprehensive.

It is also a good option for organizations implementing a Hybrid WAAP.

What is best?

• Sandbox for malware protection
• 100MB request inspection size
• Threat intelligence
• Machine learning capabilities
• CI/CD integration for FortiDAST

What could have been better?

• Despite having a DAST scanner, there’s no visibility of protection status on FortiWeb (unlike AppTrana)
• Managed services are an add-on
• Support could be better as per the review sites

Verdict

Fortinet’s legacy and strength in the network firewall could be a case for also procuring the FortiWeb WAAP if a company is looking at consolidating security vendors.

If consolidation is not a goal, it is well worth evaluating other WAAP providers along with FortiWeb.

11. F5 BIG-IP WAAP

Protect web applications with advanced threat detection and AI/ML intelligence  

Features

• Pricing: On quote
• Request inspection size: 20MB (option to increase to 30MB+)
• Virtual Patching: Self-managed or only available through the annual enterprise subscription
• Unmetered DDoS Mitigation: Unknown
• Bot Mitigation: Yes
• API Discovery: Yes
• API Security: Yes
• Bundled VAPT: No
• CDN: Bundled CDN
• Managed Services: Only in the enterprise plan
• 24X7 Support: On contract and there are tiered models in Premium Support and Premium Plus Support

Detailed Review

The BIG-IP load balancer that F5 provides is a market leader and is highly reputed. The WAAP is usually a bundle that is offered along with BIG-IP.

Here are a few standout features:

Hybrid WAAP

F5 provides both an on-premise appliance and a cloud WAAP like Fastly, Imperva, Radware, and Barracuda. Organizations that require a hybrid WAAP will benefit from F5.

CI/CD Integration

F5 is well-known for its integration into DevOps tools such as Ansible, ServiceNow, and GitLab. Software and product development companies with agile cycles can use these integrations well.

Technical Support

Like AppTrana, F5’s product support is very highly rated. It could be well worth the premium that you pay for support.

Who is it for?

Enterprises that already have F5’s load balancers have a lot of merit in evaluating F5’s Cloud WAAP.

Apart from that, enterprises in software and IT services could benefit greatly through out-of-the-box CI/CD integrations.

What is best?

• Hybrid WAAP
• Load balancer
• CI/CD integration
• Technical support

What could have been better?

• Cloud WAAP is relatively new to the market when compared to the competition
• Support is premium

Verdict

F5 is a solid WAAP with a reputation for good support. If you have a decent budget and want hybrid WAAP and IT services or software industry, F5 is a good option to evaluate.

12. ThreatX

Secure APIs and applications with confidence, not complexity 

Features

• Pricing: On quote
• Request inspection size: Unknown
• Virtual Patching: available
• Unmetered DDoS Mitigation: No
• Bot Mitigation: Yes
• API Discovery: Yes
• API Security: Yes
• Bundled VAPT: No
• CDN: No
• Managed Services: Yes
• 24X7 Support: Yes

Detailed Review

ThreatX provides container-based WAAP that is agentless and deploys in web stack agnostic and cloud-native environments.

Here are a few standout features:

Risk-Based Approach

Like AppTrana, ThreatX also talks about a risk-based approach to application security. The difference is in the approach to risk. While AppTrana with bundled VAPT protects the apps from attacks against weakest links, ThreatX uses attack-centric behaviour analysis to identify and block malicious traffic.

Managed Services

Like AppTrana, ThreatX also has managed services bundled into the pricing. The managed service delivers 24/7 protection and grants access to skilled Layer-7 security analysts, ensuring the security of APIs and applications.

API Catalog & Analytics

The API catalog 2 provides security teams a complete solution for API management and the analysis of attackers targeting them. API traffic analytics provides a high-level overview of an API endpoint’s activity. The insights include attack behaviours detected and protected by ThreatX.

Who is it for?

Teams with limited security expertise in-house would greatly benefit from the managed offering that ThreatX provides.

What is best?

• Risk-based protection
• Fewer false positives
• API discovery and protection
• Bundled managed services
• Container-based deployment

What could have been better?

• Unmetered DDoS is not available
• Few customers outside the US

Verdict

Even among all the WAAP platforms, ThreatX talks about the right terms, including the risk-based approach to application security, minimal false positives, and bundled managed services like AppTrana.

For companies looking for a solution that includes services, ThreatX could be a viable WAAP platform to evaluate.

13. Sucuri

Protect Websites from Hacks & Attacks

Features

• Pricing: $199.99
• Request inspection size: 10 MB
• Virtual Patching: available
• Unmetered DDoS Mitigation: No
• Bot Mitigation: Yes
• API Discovery: No
• API Security: No
• Bundled VAPT: No
• CDN: Yes
• Managed Services: Yes
• 24X7 Support: Only through tickets, but the enterprise plan has other support mechanisms 

Detailed Review

Sucuri and Cloudflare were among the first WAAP providers that made WAF affordable for even SMEs.

Here are a few standout features of Sucuri:

Malware Removal Service

Among all the major WAAPs, Sucuri is the only one that provides a malware removal service. This is also well appreciated and highly rated by users.

Specialization in WordPress, Joomla, and other CMS 

Sucuri’s WAF works especially well for websites designed on open-source CMS platforms such as WordPress and Joomla.

GoDaddy Integration

Since GoDaddy owns Sucuri, especially for SMEs, it is a one-stop solution for DNS, hosting, SSL certificates, and WAF.

Who is it for?

SMBs who operate websites on open-source CMS software such as WordPress and Joomla.

What is best?

• Malware removal service
• Protection for WordPress, Joomla, and other CMS platforms
• One-stop solution from DNS to hosting to WAF

What could have been better?

• Support could be better, and response times are slower as per review sites
• No API security
• No unmetered DDoS

Verdict

Sucuri is like most WAFs available in the public cloud, it offers an affordable solution that is good enough to pass a compliance checklist.

14. Palo Alto

Protect web applications and APIs across any cloud-native architecture, including public or private cloud.

Features

• Pricing: On Quote
• Request inspection size: 10MB
• Virtual Patching: Self-managed or available through managed services in the enterprise plan
• Unmetered DDoS Mitigation: Unknown
• Bot Mitigation: Yes
• API Discovery: Yes
• API Security: Yes
• Bundled VAPT: No
• CDN: Yes
• Managed Services: Yes
• 24X7 Support: Available through support licenses

Detailed Review

In security offerings, Palo Alto probably has the most breadth. Their offering covers network, cloud, edge, and application security.

Here are a few noteworthy features of the Palo Alto Next-Gen WAF:

Network and Application Threat Monitoring

Palo Alto can block both the application and network threats. It is a holistic solution that can protect from malware, ransomware, and block application layer attacks.

Deployment Options

Among all the WAAP providers, Palo Alto probably has the most deployment options available for the Next-Gen WAF. It has appliances, containerized, virtual machines, cloud-specific, and completely SaaS models for deployment.

UNIT 42 Threat Research

Palo Alto’s threat research is world-class. Recognized by over 70 cyber insurance panels, UNIT 42 stands as an approved incident response provider, and it holds preferred partnership with more than 150 worldwide law firms.

Who is it for?

For large enterprises who are looking to consolidate security product vendors, Palo Alto is a good option to consider.

What is best?

• Breadth of security offerings
• Malware and ransomware protection
• Sandbox for malware scanning
• Complete solution from network to application protection

What could have been better?

• Mostly enterprise offerings
• Managed services and support are add-on licenses

Verdict

The breadth of offerings that Palo Alto has in security is second to none, and many of its offerings are highly rated in analyst and customer reviews. Large enterprises who are looking to consolidate security software and vendors will find value in evaluating Palo Alto.

That said, if you are looking for best-of-breed solutions only for “Web and API applications,” some of the other WAAPs listed here have their strengths too.

15. Cloud Armor by Google

Protect your web applications from common exploits.

Features

• Pricing: Pay as you go
• Request inspection size: 8KB (option to increase to 128KB)
• Virtual Patching: Self-managed
• Unmetered DDoS Mitigation: DDoS starts at $3000 per month
• Bot Mitigation: Basic protection
• API Discovery: No
• API Security: Basic capabilities through the API gateway
• Bundled VAPT: No
• CDN: Bundled CDN
• Managed Services: No
• 24X7 Support: Only for DDoS Service

Detailed Review

Like all the public cloud platforms, Cloud Armor is extremely easy to turn on for teams already on GCP.

Here are a few noteworthy features:

Managed DDoS

In the Cloud Armor, you get access to managed services against both network and application layer DDoS attacks.

Regulatory Compliance

GCP is also available in many regions worldwide, albeit fewer than Azure and AWS. Data sovereignty shouldn’t be a challenge for most regions worldwide.

Who is it for?

GCP native customers who need protection against standard attacks. Particularly SMBs who are looking to deploy a WAF and pass compliance quickly.

What is best?

• Usage-based pricing
• Managed DDoS protection
• Compliance

What could have been better?

• Request inspection size starts at only 8KB
• API security capabilities are basic
• No managed services option for advanced rules and bot mitigation

Verdict

Cloud Armor is a good option for SMBs who are already hosted on GCP and want to turn on the WAF capability with minimal costs to pass compliance.

Like any public cloud WAF, GCP is more of a checkbox rather than a complete WAAP that protects applications against advanced attacks. Also, if your applications are hosted in a multi-cloud, on-premise, or hybrid environment, you’ll have to opt for a platform-agnostic WAF like AppTrana.

16. ModSecurity

An open source, cross platform WAF engine for Apache, IIS and Nginx.

Features

• Pricing: Free
• Request inspection size: N/A
• Virtual Patching: Self-managed
• Unmetered DDoS Mitigation: No
• Bot Mitigation: Basic protection
• API Discovery: No
• API Security: Basic
• Bundled VAPT: No
• CDN: No
• Managed Services: No
• 24X7 Support: Not available

Detailed Review

ModSecurity is the rule engine that most modern WAFs use, and they were the pioneers of the negative security model.

Here are a few standout features of ModSecurity:

Open-source and Free

ModSecurity is an open-source WAF and can be installed on most web servers to get basic WAF capabilities. As with any open-source software, a lot of documentation is available, and the community can quickly answer most questions.

Decent Coverage

For an open-source tool, ModSecurity provides decent overage for OWASP Top 10 vulnerabilities and more.

Who is it for?

Teams with many in-house security experts can manage to add rules and test them for false positives.

Even when budget is a concern, given that other free or near-free WAAPs are available, choosing them would be wiser, especially when you don’t have in-house security teams.

What is best?

• Free and open-source
• OWASP Top 10 coverage
• Flexible deployment options

What could have been better?

• False positives must be tested
• No DDoS protection
• No API security

Verdict

ModSecurity is largely responsible for a mature WAAP ecosystem today, and most modern WAAPs use their rule engine.

That said, hackers have evolved and launched more advanced attacks. For any application owner who wants advanced security features, ModSecurity is not enough on its own. You’ll have to use it in conjunction with some other tools or pick other commercial WAAPs that offer more security features.

17. NAXSI

Nginx Anti XSS & SQL Injection

Features

• Pricing: Free
• Request inspection size: N/A
• Virtual Patching: Self-managed
• Unmetered DDoS Mitigation: No
• Bot Mitigation: Basic protection
• API Discovery: No
• API Security: Basic
• Bundled VAPT: No
• CDN: No
• Managed Services: No
• 24X7 Support: Not available

Detailed Review

As the name implies, NAXSI is a third-party Nginx module that provides web application firewall features.

Open-Source and Free

Like ModSecurity, even NAXSI is an open-source module. So, all the associated benefits, including free-to-use, community support, and strong documentation, hold good for NAXSI also.

Flexible Configuration

Various rule sets, including the OWASP ModSecurity Core Rules Set, could be configured to work with the WAF.

Who is it for?

Like ModSecurity, this should also be used by teams with their own servers and security experts who can manage the WAF.

What is best?

• Free and open-source
• SQLi and XSS coverage
• Flexible configuration options

What could have been better?

• False positives must be tested
• No DDoS protection
• No API security

Verdict

For blocking advanced DDoS, bot, and API attacks, it is better to go for other freely available commercial WAAPs in the market, even when the cost is a concern.

Unless you have a strong in-house security team that can help write complex rules to block attacks. Even then, for DDoS, you’ll need to use some cloud-based WAAP.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.