Cloud WAF Pricing: All You Need to Know
Choosing the right Cloud WAF pricing model is like finding the perfect pair of shoes: it’s all about comfort, fit, and style for your organization’s needs.
In this guide, we’ll help you navigate the world of Cloud WAF pricing, exploring different options and factors so that you can find the perfect fit for your web application security requirements.
For those still evaluating Cloud vs. on-prem WAF, here’s a detailed article on why cloud WAFs are better than on-premise WAFs.
Common pricing models for Cloud WAFs: Subscription-based vs. Pay-as-you-go
WAFs provided by public clouds such as AWS and Azure typically price on a pay-as-you-go model.
On the other hand, specialized WAF providers such as Indusface, Akamai, and Cloudflare offer a subscription model.
The value addition that specialized WAFs provide is a set of “core rules” that protect against the OWASP Top 10 vulnerabilities by default.
In public Cloud WAFs, you’ll typically need to either:
- Develop rule sets on your own, and then get charged per rule
- Or subscribe to rule sets provided by WAF vendors, in which case you typically pay for the bandwidth/data transferred through those rule sets
That said, several pay-as-you-go features are provided even by specialized WAF providers.
In the next section, we will cover all the factors that affect WAF pricing.
Factors Affecting Cloud WAF Pricing
1. Number of Applications
This is the first parameter that affects pricing. Even within this, there are two models:
a. Domain: One license for the domain, and this includes subdomains too. This model is typically used when similar applications are on different sub-domains, for example, qa.acme.com vs. acme.com.
While you can use this model for sub-domains that host different applications, the likelihood of false positives is higher, because the same rule set is applied to multiple applications.
b. Application: Since every application differs, this model allows fine-grained protection and custom rules. Usually the license is per website or per Fully Qualified Domain Name (FQDN).
For example, you’ll typically be charged one license for www.acme.com and one more for abc.acme.com.
2. Bandwidth
Cloud WAFs act as filters before traffic hits your origin server. All the traffic passed on to your origin servers is billed as bandwidth cost.
Here too, there are three models:
a. Requests: The pricing plan might have a set cost for a specific number of requests each month, plus overage charges for any requests beyond that limit. Another option is pricing that depends only on the total number of requests, so customers pay for what they use.
b. Peak Mbps: Some WAF companies use a peak Mbps (megabits per second) pricing plan. They charge customers based on the highest bandwidth used (typically measured at the 95th percentile) in a set period, such as a month. This model looks at the most traffic the WAF handles, not the total requests or data moved. It is relevant for organizations with fluctuating traffic or varying bandwidth needs.
c. Bandwidth: Some WAFs price on bandwidth over the wire, which includes both request and response data. Customers are charged for the data moving through the system. This pricing model is easy to understand and works well for many organizations.
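As an added example (not part of the original article), the following Python estimator applies the three metering models above to one month of constructed 5-minute bandwidth samples, including the 95th-percentile rule that drops short spikes; every price, tier and traffic figure in it is an assumption for illustration.

```python
"""Estimate one month's WAF metering charge under the three models above:
per-request with overage, peak Mbps billed at the 95th percentile, and
bandwidth over the wire. All prices and traffic figures are constructed."""
import math
import random

SAMPLE_INTERVAL_S = 300  # one bandwidth sample every 5 minutes (common for p95 billing)

def percentile_95(samples_mbps):
    """Burstable billing: sort, discard the top 5% (short spikes), bill the
    highest remaining sample. Integer index math avoids float boundary errors."""
    ordered = sorted(samples_mbps)
    idx = (95 * len(ordered) + 99) // 100 - 1  # ceil(0.95 * n) - 1
    return ordered[idx]

def cost_per_request(total_requests, included, base_fee, overage_per_million):
    """Flat fee covers `included` requests; overage is billed per started million."""
    extra = max(0, total_requests - included)
    return base_fee + math.ceil(extra / 1_000_000) * overage_per_million

def cost_peak_mbps(samples_mbps, price_per_mbps):
    return percentile_95(samples_mbps) * price_per_mbps

def cost_bandwidth(samples_mbps, price_per_gb):
    """Mbps * seconds / 8 = megabytes moved per interval; 1 GB = 1024 MB here."""
    megabytes = sum(s * SAMPLE_INTERVAL_S / 8 for s in samples_mbps)
    return megabytes / 1024 * price_per_gb

def constructed_month(seed=1):
    """Fabricate 30 days of 5-minute samples: ~20 Mbps baseline, a daily peak
    near 35 Mbps, plus 40 short 400 Mbps spikes (under 0.5% of samples) that
    95th-percentile billing ignores but bandwidth billing still charges for."""
    rng = random.Random(seed)
    samples = []
    for i in range(30 * 24 * 12):
        hour = (i % (24 * 12)) / 12
        daily = 15 * max(0.0, math.sin((hour - 6) / 24 * 2 * math.pi))
        samples.append(round(20 + daily + rng.uniform(-2, 2), 2))
    for i in rng.sample(range(len(samples)), 40):
        samples[i] = 400.0
    return samples

def compare(samples, total_requests):
    """Monthly cost under each model, using assumed list prices."""
    return {
        "per_request": cost_per_request(total_requests, 50_000_000, 200.0, 1.0),
        "peak_mbps_p95": cost_peak_mbps(samples, 8.0),
        "bandwidth_gb": cost_bandwidth(samples, 0.05),
    }
```

Calling `compare(constructed_month(), 80_000_000)` prices the same month three ways; the spikes raise the bandwidth figure but are invisible to the 95th-percentile one.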
3. Add-on Features
As discussed earlier, depending on the WAF provider, you may be charged for the following features:
a. DDoS & Bot Mitigation: This is probably the single most expensive feature addition. Depending on the application, the subscription to this feature alone typically costs a couple of thousand dollars per month. In addition, some vendors even bill you for the bandwidth consumed during a DDoS attack. In the case of Indusface AppTrana, DDoS protection is bundled into the monthly subscription plans.
b. API Security: Most popular WAFs now include an API security solution; this category is now called WAAP. However, it is generally priced as an add-on, because API security needs special configuration, especially to build a positive security model. AppTrana WAAP by default protects all APIs under the same FQDN. See more details here.
c. Analytics: Getting analytics on the kinds of attacks blocked is also a big add-on, especially if you buy one WAF license and use it to protect multiple applications such as payroll.acme.com and crm.acme.com along with acme.com. As these are all different applications, storing attack logs and running analytics on them would be extremely expensive.
Hence, most WAF providers don’t provide this access on a single license. At Indusface, we often suggest taking additional licenses for critical applications that require attack logs and analysis.
d. DAST scanners: In most organizations, DAST and WAF are separate, unintegrated products. This is a lost opportunity, as vulnerabilities found by a DAST scan could quickly be patched on the WAF. This process is called virtual patching, and it buys developers time before they fix these vulnerabilities in code.
At Indusface, we bundle a DAST scanner, Indusface WAS, as part of the AppTrana WAAP. You save on subscription costs and can integrate DAST and virtual patching into CI/CD pipelines so that security is handled even in an agile development cycle.
e. CDN: Since WAAP providers have some pricing component dependent on data transfer, enabling a CDN will lead to significant cost savings. In most WAFs, this is an add-on.
f. Support: 24x7 phone, email, and chat support is yet another feature that most WAF vendors add only in enterprise contracts. At Indusface, you get enterprise support at SMB pricing; see the WAAP pricing page here.
Managed Services and WAF Pricing
Managed services play a big part in application security, especially as threats evolve. For example, 200+ application-level critical/high zero-day vulnerabilities are discovered monthly. Compute power is so cheap that a one-hour DDoS attack can be bought for $5, and this will get cheaper.
To combat all of this, any WAAP/WAF solution needs to evolve. While most Cloud WAFs keep the software updated, a key part of the defense is the rule set, and unless security teams have highly skilled security engineers, they won’t be able to touch any of the rule sets.
The other problem is that even when rules are shipped as patches, the onus is on the application team to monitor for false positives and ensure 99.99% availability while preventing downtime. Often, application teams do not apply these patches; worse, most WAFs sit perpetually in log mode, meaning they don’t block any attacks!
Then there’s the problem of DDoS, which is a big ransomware threat, and sophisticated responses such as rate limits, tarpitting, CAPTCHA, and blocks need careful monitoring because false positives are likely.
So managed services are essentially an extended SOC/IT team to help with the following:
- Adding exceptions so that the core rule set doesn’t break any existing functionality on the application.
- Patching newly found vulnerabilities on the WAF with a guarantee of zero false positives.
- Mitigating DDoS attacks while reducing the impact on genuine visitors.
- Reducing false positives in DAST scanner results by providing detailed proof-of-vulnerability reports; this is an Indusface exclusive, as we are the only ones who bundle DAST with WAF (WAAP).
- Configuring the CDN to ensure maximum caching percentages (we have several customers with 95%+ cache-hit ratios) by fine-tuning the caching policies.
While every vendor can promise managed services, evaluating the SLAs with which they operate is critical. We highly recommend checking the support response times and SLAs, uptime guarantee, and latency with the vendor.
At Indusface, we are proud to ensure a 24-hour SLA on virtual patches for critical vulnerabilities. You can find more details on the SLA here.
Tips for Selecting the Right Cloud WAF Pricing Model
Here’s a step-by-step framework to help you choose a WAF based on pricing:
1. Identify your organization’s requirements
- List the web applications you need to protect
- Estimate your average and peak web traffic volume
- Determine the specific features and security controls you need
- Consider the level of technical support and service level agreements (SLAs) you require
2. Research WAF providers
- Compile a list of WAF providers that offer solutions relevant to your organization’s needs
- Investigate each provider’s reputation, customer reviews, and case studies
3. Analyse pricing models
- Review the different pricing models available for each WAF provider (subscription-based, pay-as-you-go, perpetual license, hybrid)
- Determine which pricing model best aligns with your organization’s needs, budget, and growth projections
4. Evaluate included features and additional services
- Compare the features and services included in each provider’s base pricing
- Identify any additional features or services that may incur extra costs (e.g., advanced threat intelligence, DDoS protection, and managed security services)
5. Assess data center locations and regions
- Check the provider’s data center locations and regions to ensure they meet your performance and compliance requirements
- Determine if there are any additional costs for using multiple data centers or regions
6. Compare technical support and SLAs
- Review the level of technical support included in each provider’s pricing
- Compare the SLAs offered by each provider, focusing on uptime guarantees, performance, support response times, and remedies for non-compliance
7. Calculate the total cost of ownership (TCO)
- Estimate the total costs for each WAF provider, considering factors such as subscription fees, usage-based charges, additional features, support, and potential overage fees
- Calculate the TCO for each provider over a specified period (e.g., one year, three years, five years)
8. Rank various WAF providers
- Rank the WAF providers based on the factors most important to your organization (e.g., TCO, features, support, SLAs)
- Select the top 3 WAF providers that best meet your organization’s needs and budget
9. Run product trials
- Every WAF is a black box, and application-specific logic (for example, SSL pinning) could break an application’s workflow
- If such cases come up, that is also a good real-world test of support response times and SLAs
By following this framework, you can systematically evaluate and compare different WAFs based on pricing, features, support, and other factors, ultimately selecting the most suitable and cost-effective solution for your organization.
In conclusion, selecting the right Cloud WAF is crucial for safeguarding your web applications and maintaining a strong security posture. A thorough understanding of Cloud WAF pricing, features, and service level agreements will enable your organization to make informed decisions, ensuring you invest in a solution that fits your budget and provides robust protection against ever-evolving cyber threats.