1 Introduction / Executive Summary

Web Application Firewalls (WAF) have been around for quite some time to protect web applications through the inspection of HTTP traffic. Traditionally WAFs were used within organizations on-premises to protect both internal intranets and externally facing internet web applications. Over time organizations have grown to depend on web applications for doing business with business partners and customers, making it business-critical to maintain and protect a web application.

Since the beginning, WAFs provided protection against a list of common types of web attacks such as SQL injection and cross-site scripting using pattern matching techniques against the HTTP traffic. As the list of attack types continued to grow, the Open Web Application Security Project (OWASP) provided some insight into the most critical security risks to web applications in an effort to give web developers guidance on minimizing these risks. WAFs also provide a level of protection against connection-based Distributed Denial-of-Service (DDoS) attacks that try to overwhelm or disrupt normal traffic to web-based services.

More commonly known as Bots, software robots perform repetitive tasks and can imitate human user behavior. What started as a means to perform useful automated tasks quickly became a tool for malicious web attacks. For example, it is reported that over 30% of all online traffic is due to web bots, in which roughly 25% of those bots among that website traffic are malicious. Some of these malicious bots even attempt to log into user accounts. Given these types of attacks, advanced WAF capabilities are needed to distinguish between automated bots and real users, as well as to detect other abnormal activity using AI Machine Learning, for example.

A focus on Application Programming Interface (API) have been steadily growing, and we are seeing the market covering the protection of APIs in multiple ways such as API gateways, Access Management solutions, and now WAFs are also filling the gap with its own API protection combining Web Application and API Protection (WAAP) capabilities.

This Leadership Compass covers solutions that protect web applications using a Web Application Firewall (WAF). These solutions provide the capability to protect web-based applications, their data, and APIs, which are commonly found in small to large organizations. These solutions must meet the most basic WAF requirements seen in the past and provide more advanced capabilities to meet the new emerging IT requirements that protect against the evolving landscape of attacks seen today on the internet.

1.1 Highlights

• The WAF market is growing, and although maturing it continues to evolve.
• WAF has increasingly become essential to business as a strategic approach to ensure overall IT web application.
• The level of WAF intelligence has become a differentiator between WAF product solutions.
• Beyond basic core WAF capabilities, Bot Management and API protection are two capabilities of emphasis for many of the products evaluated in this Leadership Compass.
• Some level of Web Performance Enhancements appears as a differentiator between WAF product leaders and challenger.
• The Overall Leaders are (in alphabetical order) Cloudflare, F5, Fastly, Imperva, Radware.
• The Product Leaders (in alphabetical order) are Cloudflare, F5, Fastly, Imperva, Radware.
• The Innovation Leaders (in alphabetical order) are Cloudflare, F5, Imperva, Prophaze, Radware.
• Leading vendors in innovation and market (a.k.a. the "Big Ones") in the WAF market are (in alphabetical order) Cloudflare, F5, Imperva, Radware.

1.2 Market Segment

The WAF market started with solutions typically providing OWASP top 10 and other similar protection, signature-based detection of malicious attacks, traffic monitoring, white & blacklisting of IPs and URLs, and other basic capabilities. Later, more advanced WAF capabilities have been added by vendors to keep up with the ever-changing attack vectors on the internet. Today, both negative and positive security models are expected capabilities in modern WAF solutions. These essential capabilities that customers should look for in solutions must meet requirements for protecting their web applications from malicious attacks. Baseline considerations should include capabilities that can scan and detect web attack signatures as well as provide protection from DDoS.

The WAF market has also expanded to include the protection of APIs. While API protection has been a market in itself, typically through API Gateways, this capability has also been seen to be bundled in with other solutions like Access Management solutions and now WAFs. The WAF plus API protection combinations are often marketed as Web Application and API Protection (WAAP). In this Leadership Compass, API protection is included as an essential capability and expected at some level in today's modern WAF solutions.

Beyond the basic capabilities, some thought should be given to how more advanced web attacks can be discovered, such as Bots of various types and other unknown future attack vectors using AI/ML pattern recognition techniques. Further benefits can be gleaned from intelligence feeds regarding global web attacks against other organizations. We see the market evolve to utilize threat intelligence from multiple sources (e.g., AI, analytics, monitoring, detection, device-level fingerprinting, IP reputation), vulnerability remediation, API discovery & protection, bot protection, mobile app protection, compliance reporting, DLP, virtual patching, zero-day protection as some examples.

Today's WAF market has also become heterogeneous regarding the deployment and delivery models. More modern WAFs are implemented with microservice architectures providing more flexible solutions. The IT environments are also migrating to containers and running them on container-based orchestration platforms like Kubernetes, requiring application protection in these types of environments as well. Also, for some organizations, keeping up with new attacks using the traditional signature rule approach is a never-ending process that organizations need to keep on top of if they maintain their WAFs. Some organizations realize the cost of this WAF maintenance overhead or don't have the specific resource skills or expertise in their organization to maintain them properly. Many organizations choose to use a managed WAF service to relieve them of the overhead maintenance and provide the needed expertise. Managed WAF services can vary in how much or how little they manage the WAFs depending on the customer's ability to participate in the WAF configuration and maintenance.

However, this Leadership Compass looks specifically at the WAF market as a distinct segment. The underlying WAF technology can deliver protection to web applications but differs in added capabilities, how it delivers the product, and whether it's a managed or unmanaged solution.

1.3 Delivery Models

Increasingly there is a clear trend in the market to move WAF solutions from an on-premises delivery model to a cloud delivery model. And even though vendors are helping customers to make this transition easier, there will still be valid reasons that organizations will need to maintain an on-premises presence, such as the continued use of legacy and sometimes in-house developed custom systems, among other reasons. Because of this, it is safe to assume that a hybrid delivery model will be a viable option for the foreseeable future. Therefore, this Leadership Compass will consider all delivery models.

Although all delivery models are looked at in this Leadership Compass, it is worth considering each delivery model's pros and cons against the use cases for WAF solutions. For instance, some customers still focus on on-premises products due to specific internal organizational reasons such as security policy requirements. It is also good to be aware that public cloud solutions are generally multi-tenant in most cases, while some cloud services are single tenant. Other approaches use container-based microservice deployments to provide consistent delivery of a vendor's solution, whether cloud-hosted or on-premises. An alternative approach offered is a managed service by a Managed Service Provider that outsources the responsibility for maintaining an organization's Access Management. Ultimately selecting the right WAF solution delivery model will depend on the customer requirements and their use cases.

1.4 Required Capabilities

This Leadership Compass analyzes the WAF solutions ability to provide:

• At a minimum strong core or more traditional forms of WAF protection. This covers many of the most common types of web attacks and are often found in some of the OWASP top 10 or other list of common web attacks.
• More advanced WAF capabilities that protect against the more complex and changing types of web attacks. These more advanced capabilities often protect against malicious web bots.
• Protection against emerging geographic web attack, some level of threat intelligence is needed to understand what, where, and how these types of attacks are forming.
• Some level of API protection, due to the growing use and availability of digital service APIs within organizations and can protect against the OWASP API Security Top 10 API vulnerabilities for example.
• A consolidated or single pane view of all WAF instance as well as dashboard of all attacks, and alerts for example, when configuring, maintaining, and monitoring WAFs.
• Options for IT environment WAF deployments such as on-premises, cloud, multi-cloud, or hybrid.
• A comprehensive set of APIs, exposing the WAF's capabilities via APIs and not just UI/UX
• Support for audit, forensics, compliance, and reporting.
• A modern solution architecture (e.g., how modern is the architectures and the technologies used)
• Support for Administrators and DevOps

We are also looking for comprehensive solutions that incorporate most of the component building blocks needed to implement a full-featured Web Application Firewall (WAF) which include:

• Vendors providing WAF solutions that support one or more types of environments such as on-premises, cloud (public, private, multi-cloud) or hybrid, as well as support for containers, container-based platforms (e.g., K8) or microservices.
• Vendors that provide a managed or unmanaged WAF.
• At a minimum, vendor solutions that deliver protection at the application layer to web applications, and basic rules to protect web applications against common attacks.
• Vendors that can provide solutions that provide capabilities beyond the basic WAF protections.

Excluded are purely open source WAFs. However, there are no further exclusion criteria such as revenue or number of customers. We cover vendors from all regions, from start-ups to large companies.

2 Leadership

Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Compass. The Compass provides a comparison based on standardized criteria and can help identifying vendors that shall be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept of pilot phase, based on the specific criteria of the customer.

Based on our rating, we created the various ratings. The Overall rating provides a combined view of the ratings for

• Product
• Innovation
• Market

2.1 Overall Leadership

The Overall Leadership rating is a combined view of the three Leadership categories, i.e., Product Leadership, Innovation Leadership, and Market Leadership. This consolidated view provides an overall impression of our rating of the vendor's offerings in the particular market segment. Notably, some vendors benefit, e.g., from a strong market presence will slightly drop in other areas such as innovation, while others show their strength, e.g., in the Product Leadership and Innovation Leadership, while having a relatively low market share or lacking a global presence. Therefore, we strongly recommend looking at all Leadership categories, the individual analysis of the vendors, and their products to gain a comprehensive understanding of the players in that market segment.

In the Overall Leadership rating chart, we see a maturing market showing small clusters throughout the market spectrum represented by the WAF vendors we chose to represent in our Leadership Compass rating.

In the market for WAF, there are five companies in the Overall Leaders segment. These include Imperva, F5, and Radware as established players with strong offerings and customer base, complemented by Cloudflare and Fastly as relatively younger companies.

Six vendors fall into the Challenger segment clustered at the top and bottom, indicating similar product, market, or innovation levels. The top grouping contains Palo Alto Networks, one newer company Prophaze, and two more established companies UBIKA (previously Rohde & Schwarz Cybersecurity SAS) and Airlock appearing close together. Midway in the Challenger segment, we see United Security Providers with Oracle in the lower third of this segment.

No vendors appear in the Followers section.

Leadership does not automatically mean that these vendors are the best fit for a specific customer requirement. A thorough evaluation of these requirements and a mapping to the product features by the company's products will be necessary.

Overall Leaders are (in alphabetical order):

• Cloudflare
• F5
• Fastly
• Imperva
• Radware

2.2 Product Leadership

Product Leadership is the first specific category examined below. This view is mainly based on the analysis of service features and the overall capabilities of the various services.

Product Leadership, or in this case Service Leadership, is where we examine the functional strength and completeness of services.

Product Leadership is the view in which we focus on the functional strength and completeness of the WAF product. Since the WAF market is relatively mature, we find some challengers, no followers, and just under half of the vendors qualifying for the Leaders segment. As vendors offer a wide variety of WAF capabilities and differ in how well they support these capabilities, organizations need to perform a thorough analysis of their WAF requirements to align their priorities while evaluating a WAF solution.

In Product Leadership, F5 and Imperva appear neck to neck at the top, followed by Cloudflare and Radware close together, and Fastly near the bottom border.

Six of the vendors are spread out in the Challenger section. In the top section, we see Prophaze, UBIKA (previously Rohde & Schwarz Cybersecurity SAS), and Airlock, with Palo Alto Networks and United Security Providers close behind, where we find a range of good products which didn't quite make it into the Leaders sections because of maturity or missing some of the features found amongst the leaders. Near the bottom border of the Challenger section, we find Oracle, which all provide good WAF core capabilities but may be lacking some of the more advanced features seen in the leading WAF solutions.

No vendors appear in the follower section.

Product Leaders (in alphabetical order):

• Cloudflare
• F5
• Fastly
• Imperva
• Radware

2.3 Innovation Leadership

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.

We have rated half of the vendors as Innovation Leaders in the WAF market, which has driven this market forward through the innovation of their products. The leaders are Imperva, F5, Radware, Cloudflare, and Prophaze.

When looking at the Innovation capabilities, the graphics need to be carefully read given that the x-axis indicates the Overall Leadership while the y-axis stands for Innovation. Therefore, while some vendors are closer to the upper-right edge, others, being a little more to the left, score slightly higher regarding their innovativeness.

In the Challenger section of the Innovation Leadership evaluation, we find the five vendors Fastly, Palo Alto Networks, UBIKA (previously Rohde & Schwarz Cybersecurity SAS), Airlock, and United Security Providers. Given the maturity of WAF solutions, the amount of innovation does not reach the level of the Innovation leaders. The vendors, however, continue to differentiate by innovating in niche areas.

Only one vendor placed in the Followers section due to the amount of innovation we see as limited.

Innovation Leaders (in alphabetical order):

• Cloudflare
• F5
• Imperva
• Prophaze
• Radware

2.4 Market Leadership

Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, number of transactions evaluated, ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and financial health of the participating companies. Market Leadership, from our point of view, requires global reach.

In the Market Leadership evaluation, we see Imperva clearly at the top, followed by F5, Radware close behind, and Cloudflare primarily for their large global customer base, partner, and support network. Near the bottom section of market leadership, we find Fastly and Palo Alto Networks.

In the Challenger section, we find nearly half of the vendors near the top border, Oracle, Airlock, and UBIKA (previously Rohde & Schwarz Cybersecurity SAS), all with good products but may lack in one or more areas of their customer base, partner, or support network compared to the market leaders. Near the center of the Challengers section, we find United Security Providers with less presence worldwide but a stronger regional presence. Further down is Prophaze, which has a smaller customer base, with some presence in multiple regions worldwide.

Market Leaders (in alphabetical order):

• Cloudflare
• F5
• Fastly
• Imperva
• Palo Alto Networks
• Radware

3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor that is delivering a solution that is both feature-rich and continuously improved, which would be indicated by a strong position in both the Product Leadership ranking and the Innovation Leadership ranking. Therefore, we provide the following analysis that correlates various Leadership categories and delivers an additional level of information and insight.

The first of these correlated views contrasts Product Leadership and Market Leadership.

3.1 The Market/Product Matrix

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of "overperformers" when comparing Market Leadership and Product Leadership.

All the vendors below the line are underperforming in terms of market share. However, we believe that each has a chance for significant growth.In the upper right segment, we find the "Market Champions" leading in both the product and market ratings. This segment contains Imperva at the top, followed by F5, Radware, Cloudflare, and Fastly. The vendors Cloudflare, and Fastly, appear closest to the line showing a good balance between market and product.

In the top middle box, we see Palo Alto Networks with good market presence, although missing some of the capabilities found in the Market Champions WAF solutions.

In the middle of the chart, we see the rest of the vendors providing good but not leading-edge capabilities and therefore are not Market Leaders as of yet. They also have average market success as compared to market champions. These vendors include (in alphabetical order) Airlock, Oracle, Prophaze, UBIKA (previously Rohde & Schwarz Cybersecurity SAS), and United Security Providers.

3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between the two views with a few exceptions. The distribution and correlation are tightly constrained to the line, with a significant number of established vendors plus some smaller vendors.

Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

Here, we see a good correlation between the product and innovation rating. Most vendors are placed close to the dotted line, indicating a healthy mix of product and innovation leadership in the market. Looking at the Technology Leaders segment, we find most of the leading vendors near the center of the box. The top-notch vendors are Imperva, F5, Cloudflare, and Radware with vendors placing closer to the axis depicting a better balance of product features and innovation.

One vendor, Fastly, appears in the top middlebox with good product but less innovation than the leaders. Also, one vendor, Prophaze, is shown in the middle right box indicating stronger innovation than product capabilities shown by the leaders.

In the center box of the chart, we see UBIKA (previously Rohde & Schwarz Cybersecurity SAS), Airlock, Palo Alto Networks, and United Security Providers having more product features and innovation than Oracle, which appear in the left-center box.

3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innovation Leaders. This might impose a risk for their future position in the market, depending on how they improve their Innovation Leadership position. On the other hand, vendors which are highly innovative have a good chance for improving their market position. However, there is always a possibility that they might also fail, especially in the case of smaller vendors.

Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to innovate though having less market share, and thus the biggest potential for improving their market position.

In the upper right-hand corner box, we find the "Big Ones" in the WAF market: Imperva, F5, Radware, and Cloudflare.

Fastly and Palo Alto Networks are in the top middle box, showing a strong market position but less innovation than those in the Big One's category.

Prophaze appear in the middle-right box, indicating stronger innovation than market presence.

The segment in the middle of the chart contains the vendors rated as Challengers both for Market and Innovation Leadership, including Airlock, UBIKA (previously Rohde & Schwarz Cybersecurity SAS), and United Security Providers.

Finally, In the left-most middlebox, we find Oracle, showing a stronger market than innovation position.

4 Products and Vendors at a Glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Web Application Firewalls. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow identifying, for instance, highly innovative but specialized vendors or local players that provide strong product features but do not have a global presence and large customer base yet.

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1.

Product	Security	Functionality	Deployment	Interoperability	Usability
Airlock by Ergon
Cloudflare WAF, Bot Management, DDoS Protection
F5 Distributed Cloud WAAP, BIG-IP Advanced WAF
Fastly Platform
Imperva Application Security
Oracle OCI Web Application Firewall
Palo Alto Networks Prisma Cloud
Prophaze Web Application Firewall
Radware Suite
UBIKA WAAP Products
United Security Providers Secure Entry Server

Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.

Vendor	Innovativeness	Market Position	Financial Strength	Ecosystem
Airlock by Ergon
Cloudflare
F5 Networks
Fastly
Imperva
Oracle
Palo Alto Networks
Prophaze
Radware
UBIKA
United Security Providers

Table 2: Comparative overview of the ratings for vendors

5 Product/Vendor evaluation

This section contains a quick rating for every product/service we've included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.

Spider graphs

In addition to the ratings for our standard categories, such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. Although Web Application Firewalls offer a range of abilities, we chose to look at the following eight categories:

• DDoS Protection: Distributed Denial-of-Service (DDoS) is the type of attack that attempts to make an organization's web applications or network unavailable for use by legitimate customers. There are many variants of DDoS attacks, but regardless of the method of attack, DDoS protection should be a fundamental capability to consider.
• WAF Basics: At a minimum, WAFs should provide strong core or more traditional forms of WAF protection. This covers many of the most common types of protections against web attacks and are often found in some of the OWASP top 10 or other list of common web attacks.
• WAF Intelligence: This category looks at the level of intelligence used throughout the WAF capabilities.
• Bot Management: The solutions ability to provide automated bot detection, mitigation, and management as well as its ability to prevent false positives, listing of good vs bad bots or bot scoring as some examples.
• API Protection: This section evaluates the level of API security such as protecting APIs against other attacks through API authentication & authorization, validating API calls against API schema, scanning and/or filtering traffic, or API key management, to name a few API security features.
• Web Performance Enhancements: Web acceleration and CDN support, geographic regional networks, and capabilities such as HTTP optimization, caching and prefetching, compression, SSL/TLS Processing, filtering out ads, or other unwanted content, etc.
• Centralized Management & Reporting: The solutions set of WAF management capabilities and features. This includes a centralized location to configure and manage WAF security policies, rules, dashboards of attacks, monitor WAF availability and performance, alerts, and access to reports, etc.
• Admin & DevOps Support: This category measures the ability to provide IT environmental assistance options for administrators and the operations team to support their tools, automation, and continuous integrations. Also evaluated is the vendor's ability to support developers using the solution's APIs through documentation, tutorials, tools, knowledge-base, and community support/platform for developers.

5.1 Airlock by Ergon - Airlock

Airlock is a single security product by Ergon with multiple services within the Secure Access Hub. The components of Secure Access Hub include Airlock Gateway, Microgateway, and IAM, which can be separately licensed. The Airlock Gateway acts as its Web Application & API Protection (WAAP) solution.

The Ergon Airlock provides a Gateway appliance that acts as a reverse-proxy. Its Gateway comes as a software appliance that can operate on a VM or hardware and includes a WAF and API security, amongst other functionalities. There is also a cloud image for deployment in public/private clouds. The Airlock Gateway can act as a Policy Enforcement Point (PEP) for authentication and authorization. There are dedicated APIs for Airlock IAM, allowing the IAM to manage roles access rights on the Gateway web sessions. It can also enforce authentication and authorization for third-party IdPs using JWT as access tokens. The Airlock Microgateway is a container-based version of the Airlock Gateway, which contains most, but not full feature parity. The Microgateway is intended to work with microservice as a sidecar enabling zero-trust capabilities.

The Airlock solution gives strong core basic WAF protection against known vulnerabilities such as OWASP Top 10 vulnerabilities (web and API top 10s), CWE/SANS Top 25 Vulnerabilities, and WASC Web Security Threats. Airlock does not provide network-layer DDoS protection but as a reverse proxy that protects backend connections covering a range of attacks. For APIs, request throttling is available. Both negative and positive security models are provided.

More advanced features include Airlock Anomaly Shield, which can be used to evaluate and detect anomalous traffic and mitigate undesired bot activity such as content scraping, denial of service, credential stuffing, etc., as well as deterring hackers in the reconnaissance phase. Also, an integrated threat intelligence feed is provided OOB. The threat intelligence feed is furnished by Webroot, which requires an additional service fee, and the Gateway updates the intelligence feed periodically. Bot mitigation techniques are provided, which include dynamic IP blocklist based on behavior, machine-learning based anomaly detection, enforcement of cookie handling, user-agent, and IP range checks.

The Airlock administration portal provides various dashboards such as application and API statistics, attacks, performance and troubleshooting, session and request statistics. Protection to API access is provided through the analysis of REST requests. SOAP requests including WSDL definitions are supported as well, by deploying an add-on. Also supported is ICAP, including an SDK for custom filter creation.

Ergon is a Swiss-based company established in 1984 with over 20 years of experience in application security and access management. Its customers and their partner ecosystem primarily focused in DACH, although growing across the EMEA and the APAC regions. Airlock has a well-established and mature set of IAM and Gateway products with a strong focus on basic WAF and API protection capabilities. Ergon Airlock Secure Access Hub continues to grow its feature set and remains an interesting alternative to other solutions within the DACH EMEA region.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

5.2 Cloudflare - Cloudflare WAF, Bot Management, DDoS Protection

Founded in 2012, with headquarters in San Francisco, California, Cloudflare focuses on web infrastructure and application security solutions. The company has quickly grown from providing a simple "firewall in the cloud" to one of the leading website performance and security services providers. The Cloudflare WAF, Cloudflare Bot Management, and Cloudflare DDoS Protection services are offered for evaluation in this WAF Leadership Compass.

Cloudflare offers strong DDoS protection against layer 3, 4, and 7 attacks. Protection for VoIP protocols such as SIP, RTP, SRTP, VPN tunnels, IPsec, and QUIC, to name a few, are also supported. Its geographical point-of-presence (PoP) has a good global presence with plenty of bandwidth. Cloudflare provides a full range of performance and content delivery features and includes HTTP optimization, caching and prefetching, compression, SSL/TLS processing, as well as filtering out ads or other unwanted content. Its web acceleration and CDN network have a good global reach. Cloudflare also covers what's expected from a baseline set of WAF capabilities and Bot management, API protection, and a good level of WAF intelligence.

Cloudflare uses its own threat intelligence feed generated by its own IP reputation database based on observed behavior across all customer sites and can utilize threat intelligence feeds from multiple sources. However, connectors to third-party Cyber Threat Intelligence sources are not provided. Runtime Application Self-Protection (RASP) capabilities are also not offered, although it can integrate with a wide range of third-party RASP solutions. Cloudflare offers two versions of its bot product, Enterprise Bot Management for top tier protection supplied as an addon and a free version that is included for all customers. Cloudflare also offers a range of API protection capabilities depending on the customer plan, but all API protection is integrated with the WAF OOB. Its API Shield product, which includes advanced features like Abuse Detection (with suggested rate limits) and Schema Validation, targets more nuanced threats. And the company has already begun launching a full API Gateway OOB, with features like mTLS authentication, routing, request transformation (URL, Headers), rate limiting, and quota management, it can also integrate with other third-party Gateways.

Cloudflare WAF is delivered as SaaS and a managed service that runs on its own edge network. It provided no other deployment model options. However, the Premium Success Plan includes a designated support team at the enterprise level. Cloudflare's solutions provide full API support to its functionality through REST, JSON-RPC, GraphQL, logpush for SIEM integration and Webhooks API. It also provides a Go library for CLI capabilities in its public GitHub repository. SDKs are not provided. The product services have been independently certified to support compliance with FIPS 140-2, ISO/IEC 27001, PCI-DSS v 3.2, ISAE 18 SOC 2, HIPAA/HITRUST, and FedRAMP standards, to name a few.

Cloudflare has a substantial customer base within North America with a growing presence in other world regions. Cloudflare offers a strong edge network of its own, although it provides no other deployment alternatives to its customers. Cloudflare provides a good set of WAF, Bot management, and API protection capabilities, which should interest organizations considering its web protection options.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.3 F5 - F5 Distributed Cloud WAAP, BIG-IP Advanced WAF

Established in 1996, F5, Inc has a strong presence with large enterprises in North America and around the globe. F5 is well known for their network-based application technologies, including the F5 Distributed Cloud WAAP and the BIG-IP Advanced WAF evaluated in this Leadership Compass.

F5 offers app-layer DoS protection that monitors application stress and adapts to changes in real-time, with behavioral analysis through machine learning and dynamic signatures mitigating attacks automatically. Basic WAF capabilities include protection against common application attacks such as OWASP top 10 and SQL/PHP protection for both applications and data.

Also included are web and mobile application protection, client fingerprinting, account take over protection, API security, Bot management, and an interesting feature that actively looks for threat campaigns. Credential protection prevents credential theft associated with application-level credential encryptions. Its API security is capable of securing REST/JSON, XML, GraphQL, and GWT API protocols.

Good deployment model options are given since the same WAF engine is used in other solutions like BIG-IP, NGINX App Protect WAF, F5 Distributed Cloud WAAP SaaS, and Silverline WAF managed services. WAF delivery includes containers and microservices, serverless, cloud, and on-premises options. Also offered are its intelligent security threat services, giving predictive behavioral analytics threat intelligence, with risk-based policies used by other horizontal security services, as well as delivering intelligent insights into multi-cloud application risks. BIG-IP Advanced WAF also provides a declarative API or JSON that can be introduced within a CI/CD pipeline for shift-left security.

F5 is a publicly held company headquartered in Seattle, Washington, with a well-established history of providing application security and delivery tools. Beyond solid basic WAF capabilities, BIG-IP Advanced WAF and F5 Distributed Cloud WAAP give a host of advanced WAF abilities. And with F5's acquisition of Shape Security for fraud and abuse prevention capabilities in 2020, and its more recent acquisition of Volterra for edge computing across multiple clouds, will help make it a stronger offering in the WAF market moving forward. F5 should be considered when evaluating WAF solutions.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.4 Fastly - The Fastly Platform

Fastly is a publicly traded company founded in 2011 with headquarters in San Francisco, California, US. Fastly is a provider of an edge cloud platform and in 2020 acquired Signal Science's web application and API security solutions. Fastly provides three separate product lines: the delivery of content and acceleration, securing web applications and APIs, and a globally distributed compute environment for app logic at the edge.

Fastly provides a configurable programmable edge cloud platform with inherent security capabilities that offers developers fine-grain controls, APIs, real-time logging, and supports DevOps tooling. Fastly Next-Gen WAF is a web app and API protection solution that includes Bot mitigation, rate limiting, DDoS mitigation capabilities. Fastly SmartParse provides inline detection of web layer attacks to help reduce false positives through token and context analysis by evaluating aspects of the web request such as headers, encoding, content, etc.

Fastly's nex-gen WAF provides an administrative UI that gives a view into the customer's application environment. Its dashboard is customizable and displays graphs such as attacks, scanners, request and traffic source anomalies, as well as indications of flagged or suspicious IPs as some examples. Also, easy-to-follow timelines of events leading to a blocked event are given. Fastly also offers a managed response security service for customers requiring Fastly's 24/7 customer security operations centers services and direct access to a dedicated security expert.

Fastly offers multiple deployment options including in the cloud, at the edge, embedded with applications, reverse proxy, PaaS, Docker containers, or as a sidecar on Kubernetes as some examples, using agents, or a module - agent combination. API gateway integrations include Kong, Section, and Ambassador solutions. The edge deployment option offers customers the ability to gain protection without software deployment yet realize the same features and reporting as other software-based deployments.

Fastly offers some basic to advanced WAF features with a good Point of Presence throughout the world, giving them some strong web performance enhancement capabilities. Fastly appears in the Overall, Product, and Market Leadership segments and should be considered by organizations as part of its WAF evaluations.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.5 Imperva - Imperva Application Security

Imperva, a cybersecurity solution company headquartered in San Mateo, California, began as a provider of web application firewalls in 2002, then expanded its portfolio to include other product lines. In 2019, Imperva was acquired by private equity firm Thoma Bravo, making it a privately held company and providing a substantial boost in R&D. This Leadership Compass evaluates the Imperva Application Security, which provides for Web Application Firewall, Runtime Protection, Advanced Bot Protection, API Security, Client-Side Protection, Serverless Protection, Attack Analytics, and Imperva Edge Security which includes DDoS Protection, DNS Protection, and Secure CDN.

Imperva provides a single platform with a suite of products. Basic WAF capabilities expected are provided as well as advanced WAF intelligence that uses AI/ML to provide WAF self-tuning to prevent false positives and predict the right WAF configuration. It gives strong support to DDoS protection with low latency, high bandwidth, and forwarding rate capability. Imperva also offers a good geographical point-of-presence (PoP) in most world regions and will be expanding its PoP network by 50% in 2022. It also uses its own threat intelligence feed and can utilize threat intelligence feeds from multiple sources, although connectors are not provided to popular Cyber Threat Intelligence sources. RASP is strongly supported and offered OOB with plugins or agents to applications or as a separate offering. Its RASP supports Java, Dot.Net, Dot.Net core, NodeJS, and Python applications. Integration with third-party RASP solutions is possible such as Contrast Protect, Fortify Application Defender, and Waratek.

The Imperva Advanced Bot Protection can be integrated with the WAF OOB or as a separate offering. Its connectors allow standalone bot protection to run on top of third-party solutions such as Fastly, Cloudflare, F5, AWS Lambda, and Nginx. Its API protection is also available with the WAF OOB or separately and can be integrated with third-party API gateways like RedHat, Kong, or a Nginx-based Gateway. Imperva's API protection solution covers most of the expected capabilities, apart from the verification of API client Authentication and Authorization, although it's on their near-term roadmap. The Imperva administrative UI provides a good, centralized view of the deployed WAF displaying a good set of dashboard indicators regarding insight into web application behavior. OOB reports include PCS DSS compliance operations-related reporting like WAF performance, billing, and security.

Imperva offers both cloud WAF and on-premises WAF platforms, which can optionally be available together as a suite. The on-premises WAF is available as an appliance or virtual appliance, while the cloud WAF is a cloud service. Customers can manage both Imperva WAF Gateway and Imperva Cloud WAF, partners, or the Imperva SOC team. The product is available for IaaS installations on AWS, GCP, and Azure, and its SaaS can be hosted either in its own facilities or on AWS. All of the solution's capabilities are available via REST, LDAP, and RADIUS APIs. Its system configuration is available via a CLI. A mobile Android and iOS SDK is available as part of its Advance Bot Protection and support for the Lua programming language and VCL. Imperva products have been independently certified to support compliance with both ISO/IEC 27001 and PCI-DSS v 3.2standards. 

Imperva's Application and Edge Security capabilities provide a well-rounded set of WAF capabilities. Its customer base covers medium to enterprise organizations, although it may be out of reach for small companies. More specifically, in North America and its expanding presence in the EMEA and APAC regions, organizations would do well to consider Imperva in their WAF evaluations.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.6 Oracle - OCI Web Application Firewall

Based in Texas, Oracle has been a leading provider of cloud infrastructure, database management, and enterprise resource planning software since 2016. The Oracle Cloud Infrastructure (OCI) WAF is based on Zenedge technology, which was acquired by Oracle in 2018. OCI WAF is offered to its customers as a cloud-based managed service.

The Oracle Cloud Infrastructure provides some good basic WAF capabilities. There are a large number of predefined and OWASP rule sets at the most basic core WAF protection level. The OCI WAF can block and alert on requests that pose a threat, such as an SQL injection, cross-site scripting, HTML injection, etc. The WAF can also be used to limit application access based on geographic location or the signature of incoming requests. Rate limiting is available to protect against Layer 7 DDoS attacks covering a range of attack types. Caching and Compression are capabilities that can be enabled on OCI WAF as part of CDN enhancement and not security to provide origin performance and increase resources

OCI WAF provides vulnerability detection and remediation through the collection of vulnerability information, which is conducted by the OCI WAF team, and threat third-party intelligence feeds, such as Webroot. Mitigations come in the form of recommendations from the OCI WAF team and manually created virtual patches or custom rule sets. Some bot management capabilities can detect whether a request is human or a machine bot through interrogation or challenges using techniques such as anomaly detection, JavaScript verification, device fingerprinting, and CAPTCHA.

Although Oracle Cloud Infrastructure provides some API protection such as API access using API keys or always-on encryption for HTTPS public APIs, the WAF itself is not intended to provide a layer of API protection as its core functionality. Management of the Oracle Cloud Infrastructure WAF can be accomplished either through their web UI or via its REST, JSON-RPC, XML-RPC APIs or SDKs.

The OCI WAF provides logging, monitoring, and analytics. WAF metrics monitor the health, capacity, and performance of the WAF policies and their underlying rules. The WAF metrics allow customers to set alarms and notifications triggered when certain thresholds are met. Also, the OCI WAF logs can give visibility into the triggered rules based on the type of attacks and the countermeasures used. OCI WAF logs can be exported to the OCI logging analytics to visualize the patterns, outliers, ML clustering, and linking within a dashboard environment.

The Oracle Cloud Infrastructure (OCI) WAF provides good core WAF capabilities with strength in the number of signature rules to choose from. Although there are some limitations in using the WAF to protect APIs, Bot management is available as a layer on top of the WAF as well as administrative and web application access controls. The Oracle WAF may be of interest to existing OCI customers.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

5.7 Palo Alto Networks - Prisma Cloud

Palo Alto Networks, founded in 2005 in Santa Clara, CA, is a multi-national cybersecurity company, a leading provider of traditional network security tools and modern cloud-native security solutions, and a pioneer in Next-Generation Firewall (NGFW) technology. Prisma Cloud is the Palo Alto Networks platform for securing infrastructure, applications, and data, focusing on cloud-native applications across VMs, container and Kubernetes applications, PaaS platforms, and serverless applications.

Prisma Cloud platform provides little DDoS protection, although it can support several application layer mitigation methods such as checking IP and ASN, an inspection of HTTP/S header content and behavior patterns, as well as the ability to monitor CAPTCHA use. The solution can provide basic WAF protection against known vulnerabilities found in the OWASP Top 10 vulnerabilities (web and API top 10s), CWE/SANS Top 25 vulnerabilities, and the WASC Web Security Threats. Its WAF capabilities include both positive and negative security models, in which the positive security model can be either manually or automatically configured. Its WAF solution's intelligent capabilities can be used to detect malicious traffic, although limited. The platform uses its own threat intelligence feed.

RASP is offered Out-of-the-Box (OOB) with plugins or agents to applications. Bot management is integrated into the solution and comes with OOB. It uses proprietary activity signatures and offers a wide range of signatures and behavioral rules to detect known bots and other automation. API protection is also integrated with the solution, which can perform API schema validation, ensure API protocol conformance, and defend against API DoS attacks. Also provided is the ability to scan OpenAPI definition files to detect insecure configurations and other security-related problems in how APIs are defined. The administrative console provides a consolidated view of protected applications as well as a view into the processes within a container running on a host that gives a container "Radar" network diagram view within the administrative UI.

The Prisma Cloud platform can be deployed on-premises, in cloud, multi-cloud, or hybrid environments. It can be delivered as SaaS, containers, serverless platforms, or software that can be deployed to a server. All components are implemented as microservices, and a wide range of container-based platforms are supported. Container-orchestration systems like Kubernetes are also supported. A managed service can be fully or partially managed on or off the customer premises. The product is available for IaaS installation on various popular platforms, and the SaaS can be hosted on the Google Cloud Platform. Agent deployment is done via CLI, and all other functionality is controlled via APIs such as REST, Webhooks, and Google Pub/Sub. The service has been independently certified to support compliance with the ISO/IEC 27001 standard.

Palo Alto Networks is a well-established company with a strong customer focus in North America and a growing customer base in the EMEA, APAC, and Latin America. Its Prisma Cloud platform is built on a modern architecture with a good set of deployment and delivery options. Organizations with existing DDoS and web performance services or not required of its WAF evaluation should be interested in reviewing the Palo Alto Networks Prisma Cloud platform.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.8 Prophaze - Prophaze Web Application Firewall

Prophaze is a private company founded in 2019 with headquarters in Cochin, Kerala, India. The Prophaze Web Application Firewall (WAF) offers multiple services within a behavioral-based, cloud-native suite that provides a range of WAF capabilities, including Bot and DDoS mitigation features.

Prophaze WAF provides good protection against known vulnerabilities such as OWASP Top 10 vulnerabilities (web and API top 10s), CWE/SANS Top 25 Vulnerabilities, and WASC Web Security Threats. Its solution is capable of SSL/TLS termination, decrypting traffic to analyze the HTTP data, and re-encrypt the SSL/TLS traffic. Both negative and positive security models are supported, and positive security models can be configurated manually or automatically.

More advanced WAF capabilities include WAF intelligence, Bot management, and API protection. For example, WAF intelligence includes attaching analytics with deep inspection and other machine learning techniques to provide anomaly detection. Bot management provides both white and black bot listing, the use of honey pots and captcha, and behavioral-based bot detection is accomplished by fingerprinting each user that visits the domain and other techniques. The API solution is available as a separate offering requiring a separate license and detects or discovers APIs, API schema validation, API routing, API client authentication, and authorization, as some examples. Integration with the Kong API gateway is also possible for microservices and distributed architectures.

The Prophaze WAF administration portal provides an easy-to-use UI with good dashboard graphics, charts, and other metric indicators. Also given is a simple six-step wizard for onboarding a web application.

Prophaze WAF can be deployed on-premises or in the cloud. Delivery options include SaaS, virtual appliance, container-based, software deployed to a server, or as a managed service. The WAF is built on microservice architecture and can be integrated as an ingress controller within a cluster. The Prophaze WAF makes most functionality available via APIs and supports REST, JSON-RPC, XML-RPC, and Webhooks protocols. CLIs are not supported, and only a JavaScript SDK is offered OOB. Good monitoring and logging features are available and integrations with a number of third-party SIEM tools.

Prophaze is a more recent entrant into the WAF market. Its customers are SMB organizations with a small but growing market presence primarily in the APAC region as well some presence in the other areas of the world. Prophaze has a well-rounded set of WAF capabilities with particular strength in API protection and Bot management. Prophaze is an Innovation Leader in this Leadership Compass report with potential market growth, which may be of interest to SMB organizations.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.9 Radware - Radware Suite

Established in 1996, with corporate headquartered in North America and its international headquarters in Tel Aviv, Israel, Radware specializes in application delivery and cybersecurity solutions. Radware provides a single platform with multiple services in a suite, including AppWall standalone WAF, Alteon ADC Integrated WAF, Cloud WAF Service, Kubernetes WAF, Radware Bot Manager, Cloud DDoS Protection Service, and DefensePro products considered here in this Leadership Compass.

Of Radware's suite of services, it shows particular strength in providing a wide range of capabilities to protect against layer 3, 4, and 7 DoS/DDoS attacks, as well as providing low latency, high DDoS bandwidth, and a good forwarding rate. It also supports a global geographical point-of-presence (PoP) network. The solution provides protection against known vulnerabilities such as OWASP Top 10 vulnerabilities (web and API top 10s) and automated threats, CWE/SANS Top 25 Vulnerabilities, and WASC Web Security Threats. It combines a 'negative' security model based on signatures, rules, and expression-based mechanisms, together with a 'positive' security model based on an auto-policy generation engine that automatically maps and learns the application and generates the most optimized security policy based on a machine-learning algorithm. Support for RASP is not available. Radware recently launched its Radware SecurePath architecture, which allows application protection to be deployed in an innovative, API-based out-of-path mode, overcoming some of the challenges of CDN-based WAF services such as DNS routing changes or additional hops.

Radware's strong Bot management capabilities include some innovative features, such as using a proprietary semi-supervised ML algorithm that helps identify the intent behind each request. Also, Radware has recently introduced an interesting and innovative bot crypto challenge-based mitigation scheme. It presents malicious bots with increasingly difficult challenges to solve, forcing the bad bots to use more of their own resources (e.g., CPU) while not impacting the client interface. Radware provides good API protection features, which include parsing the API call, performing validation checks of JSON or XML format, and schema validation against OpenAPI when the APIs are documented. For non-documented APIs, its API discovery capability can build the OpenAPI artifacts automatically. It uses a combination of a positive and negative security model while inspecting the traffic.

All Radware's solutions come with advanced management and automation as well as a reporting and an actionable analytics engine. It provides a combination of negative and positive security models, behavioral analysis, and intent-based analysis to give zero-day protection to applications. Although Radware supports third-party Virtual Patching solution integration, it does not support third-party integrations with alternative API protection, Bot management, or intelligence solutions.

Radware application protection solution supports several deployment models. The on-premises solution includes the standalone AppWall WAF appliance, Alteon ADC with integrated WAF, Bot Management service, ERT Active attackers feed, and layer 7 DDoS Protection, DefensePro. The cloud service for on-prem in cloud deployments comes with Cloud WAF Service, Cloud DDoS Protection Service, Bot Management Service, and ERT Active Attacker's Feed (EAAF). Its support for containerized and cloud applications includes Kubernetes WAF with Bot Management service. Support for container-based platforms includes ContainerD, Docker, and Red Hat. For IaaS installations, AWS, GCP, and Azure platforms are supported, although its SaaS can only be hosted in its own facilities. A managed WAF delivery option allows it to be partially or fully managed by Radware, its partner, or the customer. Access to the solution's capabilities via APIs is limited to REST. Although not available for the Cloud WAF, Kubernetes WAF and AppWall give full CLI support. Radware's products and services have been independently certified to support a wide range of compliance standards, such as HIPPA, PCI DSS, FIPS 197 & 140-2, GDPR, ISO 27001, ISO 27017, ISO 27018, 27032, 28000 & 15408, NIST 800-57, and SOC 1 & 2 Type II. In addition, Radware recently announced it had completed certification of the new ISO 27701, which corresponds with GDPR requirements of Privacy Information Management for PII controllers and processes.

Radware provides good support for medium to enterprise organizations, although providing fewer options for small companies. Their customer base is equally represented in North America, EMEA, and APAC regions, with expansions into Latin America and a strong partner ecosystem in the respective areas. Radware can be considered highly innovative, a leader in each category of this Leadership Compass, and should be considered in an organization's WAF evaluation.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Leader in

5.10 UBIKA (previously Rohde & Schwarz Cybersecurity SAS) - UBIKA WAAP Products

UBIKA (previously Rohde & Schwarz Cybersecurity SAS) offers a broad portfolio of security solutions and is a member of Total Specific Solutions (TSS), a global provider of IT business solutions. UBIKA WAAP Gateway (on premises version) and UBIKA WAAP Cloud (public cloud version) protects both web applications and APIs against exploits as part of its WAAP portfolio.

The UBIKA WAAP products offer good protection against the OWASP Top 10 vulnerabilities and more. The solutions also provide both negative and positive security models. The negative model allows for signature-based and rule-based approaches, while the positive model can be automatically configured with automatic learning or Swagger/OpenAPI 3 upload. Support for statistical analysis and content validation policies is also given. Its DDoS protection is somewhat limited in the types of attacks it can protect against, although the level of attack protection varies depending on the UBIKA products like the SaaS WAF or UBIKA Cloud Protector. Its geographical point-of-presence (PoP) for DDoS support is limited to only a few areas of the EMEA region.

The solution's Bot mitigation is integrated into the WAF, making it available out of the box. It can provide a challenge-based approach to whitelist legitimate web clients while blocking malicious bots. The WAF's intelligence is limited to the detection of malicious traffic through user behavioral analysis to classify good from malicious traffic. However, it can utilize threat intelligence feeds from multiple sources such as Webroot and via the UBIKA WAAP workflow's ability to connect to an external API as a threat intelligence source to get more information about the current client. The UBIKA Gateway and UBIKA WAAP Cloud also provide good API protection that includes API schema validation, rate-limiting, API routing, and can build an API "allow" type of list that can be auto-generated using intelligent techniques or rule-driven. Web acceleration is bundled with the product, and the CDN can be bought as a separate license to integrate with the product. However, global web acceleration and CDN network support are missing.

The UBIKA administrative web interface is straightforward with tab-based navigation. In addition to manual configuration, the solution's UI has a built-in wizard to help guide the administrator through the application security configuration. Workflows can be applied for specific security policies, which can be configured through a graphical interface editor. The editor displays the workflow in an activity diagram format that is easy and intuitive to use. The administrative UI also provides graphical Kibana-based dashboards displaying security information such as web traffic, detected, and types of attack information.

UBIKA WAAP is reverse proxy-based. UBIKA WAAP Gateway can be deployed on-premises as a hardware or virtual appliance or in the cloud on AWS, Azure, or GCP platforms with its public cloud version called UBIKA WAAP Cloud. A WAF-as-a-Service offering is available through its Cloud Protector product. In addition, UBIKA supports a micro WAF deployment with its UBIKA WAAP Container as a cloud-native application protection solution. Docker, Kubernetes, Red Hat OpenShift, and Rancher Labs container-based platforms are supported. All of the UBIKA WAAP Gateway's functionality available through its administrative GUI is also exposed via an API supporting the JSON-RPC protocol. Also, is the ability to delegate the GUI authentication to LDAP or RADIUS server. The majority of its capabilities are accessible via API, although SDKs are unavailable. The solution integrates with third-party threat intelligence solutions like Webroot. With its advanced workflow capabilities, like subrequests, it can integrate with other third-party solutions too.

UBIKA focuses on mid-market to enterprise organizations and supports companies primarily in the EMEA region, with some presence in the APAC region and North America. UBIKA WAAP solutions provide WAF features with Bot management and API protection. UBIKA WAAPs should be of interest to organizations in the EMEA region looking for these capabilities.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

5.11 United Security Providers - USP Secure Entry Server

Providing IT Security for more than 25 years, United Security Providers (USP) is a Swiss software vendor and service provider owned by Swisscom with offices in Bern (headquarters), Zurich, and Minsk. USP has more than 100 security professionals and operates its own 24/7 Security Operations Center. The USP Secure Entry Server® (SES) offers a comprehensive modular suite that includes Web Access Management, Identity Federation, Single Sign-on, and Web Application Firewall capabilities.

The Swisscom Cyber Security eco-system covers a range of security offerings such as application, endpoint, data, and network security, as well as threat detection & response, in which USP is part of. USP has designed SES to provide an Access Management and Identity Federation solution to meet business requirements regarding agility, performance, user experience, and security. The SES WAF component turns the suite into a strong web security platform, by protecting applications and the managed data from common threats.

The DDoS protection service is not part of the USP product, although is available as a dedicated service through Swisscom. The USP SES gives good core WAF capabilities which includes web attack protection against the OWASP Top10, SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), AJAX/JSON web threats, Layer 4-7 DoS and DDoS, Brute force attacks, Sensitive information leakage, Session hijacking, session fixation, Buffer overflows, Replay attacks, and many more.

The WAF component of the USP SES implements a reverse proxy and web application firewall. It adds SSL termination to inspect the connections, protocol, and content validation while it provides secure session management. SES deployment models include hardware and virtual appliances, cloud appliances, and OpenShift Docker containers. Also, support is given for both SIEM and MDM integrations.

An administration UI is provided with some good security dashboard views. The SES security dashboard provides a well-laid-out central management console with a real-time overview of detected and prevented anomalies or attacks. For API security, a broad set of filters and validators within the product itself protects API endpoints such as content filtering, rate limiting, and detection of protocol-specific attacks. API keys can be used to block anonymous traffic and filter logs by API key.

United Security Provider's initial and primary target market is the DACH region of Germany, Switzerland, and Austria, with some growth in southern Europe. It has a greater global reach for its professional service. The SES WAF component turns the product suite into a full web security platform by protecting applications and managed data from common threats. Based on the experiences with the existing, often highly regulated customer base of USP, this component has been in use for high-risk use cases such as core banking. As a result, it has a proven track record for secure and scalable deployments. United Security Providers Secure Entry Server's offering provides good core WAF capabilities that will interest potential customers in their primary target DACH region.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

6 Vendors to Watch

Besides the vendors covered in detail in this document, we observe some other vendors in the market that readers should be aware of. These vendors may not fully fit the market definition but offer a significant contribution to the market space. This can be for their supportive capabilities to the solutions reviewed in this document, for their unique methods of addressing the challenges of this segment or may be a fast-growing startup that may be a strong competitor in the future.

1. Akamai

Akamai Technologies is headquartered in Cambridge, Massachusetts, USA. Founded in 1998, the company is one of the veteran players in the market, providing a broad range of security, performance, and edge services.

Akamai's App and API Performance offering utilizes its CDN to enhance application and API performance and availability and intelligent load balancing. Its App & API Protector offering provides the capabilities expected from a modern WAF. In addition to protection against the OWASP Top 10, it also offers DDoS protection, Bot mitigation, API discovery and protection, automated updates, and self-tuning.

Why worth watching: Watch Akamai Technologies continue to evolve to meet the changing demands of the WAF market.

2. Amazon

Amazon Web Services, Inc. (AWS) is a multinational cloud service provider headquartered in Seattle, USA. AWS was initially formed as a subsidiary of the American retail giant Amazon.com to consolidate and standardize the computing infrastructure powering Amazon's online business. In 2006, the AWS platform was officially launched to offer on-demand access to this infrastructure to customers on a subscription basis, thus making the company the first major player in the cloud computing market.

AWS provides a flexible WAF at multiple levels depending on an organization's business needs. Customers can handle all aspects of the WAF themselves or allow AWS to manage the WAF service for them. AWS WAF offers a set of pre-configured managed rules out of the box through AWS and emerging Common Vulnerabilities and Exposures (CVE) or other WAF capabilities through its AWS Marketplace sellers. It gives near real-time visibility into web traffic. The AWS WAF Bot Control offering can monitor the bot's traffic to applications and block or rate-limit unwelcome bots such as scrapers, scanners, and crawlers. AWS WAF offerings can meet a range of integration requirements and deployment models such as on-premises, cloud, or hybrid models.

Why worth watching: AWS offers flexible WAF capabilities with the ability to addon the necessary WAF related features as needed by its AWS customers.

3. Barracuda Networks

Barracuda Networks, founded in 2003, is an IT provider of security and storage solutions. Barracuda Networks is headquartered in Campbell, California, with offices worldwide. Barracuda Networks Cloud Application Protection offering provides both web application and API (WAAP) protection for workloads in the cloud. The product gives WAF capabilities, including DDoS and Bot protection, API security, and automated security policy compliance. Threat intelligence is based on its global network of sensors and customer traffic, providing ML-based and near real-time detection of threats. The Barracuda WAF can be delivered as a hardware or virtual appliance deployed on-premises or as a container hosted in the cloud.

Why worth watching: Barracuda Networks continues as a provider of WAF-as-a-Service, giving essential WAF and API protection.

4. Citrix

Founded in 1989 and headquartered in Fort Lauderdale, FL, Citrix Systems (Citrix) is a well-established IT vendor and customer base. Citrix has a well-established partner ecosystem and continues to innovate its solutions in the areas of workspaces, virtual apps, and desktops, as well as optimizing the delivery of applications over the Internet and private networks.

The Citrix Web App Firewall is offered as both applications and API protection. It provides core WAF capabilities, as well as AI/ML-based threat detection and Bot management. It analyzes bi-directional web traffic, including SSL encryption, to perform deep packet inspection and validation of both HTTP and XML requests/responses, as well as JSON payload inspections. It also has the ability to detect and log breaches as well as attempted breaches. The Citrix WAF provides a user-friendly GUI to manage policies and out-of-the-box or custom threat signatures. Auditing and compliance reporting and data loss prevention (DLP) support are also available. Its WAF can be delivered as a virtual or hardware appliance, containerized, and public cloud platform.

Why worth watching: Given Citrix's announcement that it will be acquired by Vista Equity Partners and Evergreen Coast Capital affiliates, it will be interesting to see how its platform offerings will evolve.

5. Fortinet

Fortinet is a cybersecurity company founded in 2000 with headquarters in Sunnyvale, CA, in the USA. Fortinet offers a broad range of specialized security gateways and appliances, which provide comprehensive cyber threat protection with centralized management and reporting. Fortinet Web applications and API offering, FortiWeb, offers a suite of capabilities. Its solution protects against the OWASP Top-10 threats, DDOS attacks, malicious Bots, and API protection that supports mobile applications. ML-based threat detection is given in addition to its other signature-based ability. Analytics provides insights into attacks through its reporting tool. Hardware-based acceleration is also offered to its WAF, in which its traffic is secured through encryption/decryption. The FortiWeb Cloud WAF-as-a-Service can be used to protect public cloud-hosted web applications. Other delivery options include hardware appliances, virtual machines, and containers

Why worth watching: As cloud adoption increases, Fortinet FortiWeb provides a flexible WAF that extends into cloud-native CI/CD integrated environments.

6. Google

Google is one of the world's largest cloud service providers. And, for workloads deployed on the Google Cloud Platform (GCP), Google provides its Cloud Armor offering as its WAF and DDoS mitigation service. Google Armor can inspect and filter incoming requests after the SSL termination and integrate with GCP's global load balancing infrastructure. Cloud Armor also offers preconfigured WAF rules based on OWASP ModSecurity Core Rule Set (CRS). More recently, Google has improved on Cloud Armor by adding new rule actions for per-client rate-limiting, Bot Management with reCAPTCHA Enterprise, and protection against Layer 7 attacks using machine learning that is capable of adaptive detection and alerting of anomalous activity, as some examples.

Why worth watching: Watch for Google Cloud Armor offering to continue to grow in new capabilities.

7. HUMAN Security

Human is a cybersecurity company based in New York, New York, United States. The company started as White Ops, then later acquired by Goldman Sachs in 2020. White Ops has since reintroduced itself as Human. BotGuard for Applications protects websites and mobile apps from bot attacks. HUMAN's detection engine gives actionable insights regarding digital transactions across networks and devices to protect against fraud and secure user accounts. Intelligence is collected from applications, APIs, IoT devices, and advertising platforms to identify anomalies in internet traffic patterns through AI/ML. The solutions policy engine allows customers to define rules and policies that determine what traffic gets through.

Why worth watching: Watch Human for further expansion into intelligent Bot detection and fraud protection solutions.

8. LANCOM Systems

LANCOM Systems is a leading European manufacturer of secure network solutions based in Aachen, Nordrhein-Westfalen, Germany. In 2018, LANCOM was acquired by Rohde & Schwarz. The LANCOM R&S Unified Firewall is its Unified Threat Management (UTM) solution. Its UTM provides features such as spam/content filters, application control (AM/AV), and intrusion detection (IDS/IPS) to protect against spam, viruses, malware, advanced persistent threats, and DDoS attacks. It uses integrated Sandboxing and Machine Learning to increase security. It's capable of deep packet and SSL inspection. It also offers a One-Click Security automating its configuration. LANCOM provides an intuitive administrative web interface that gives network diagram views, dashboards of its monitoring, and statistics. The LANCOM R&S Unified Firewall can be delivered as hardware or a virtual, software-based firewall version called LANCOM vFirewall.

Why worth watching: LANCOM R&S Unified Firewall combines multiple security functions into a single device offering additional capabilities beyond typical WAF protections.

9. NEVIS Security

NEVIS Security AG was founded in early 2020 as a spin-off of AdNovum Informatik AG. NEVIS is a Swiss-based company providing software solutions, application management, and professional services in IT security. Its nevisProxy offering provides a reverse proxy with an integrated web application firewall (WAF), which acts as an entry point for applications web traffic. As part of the WAF feature set, it includes DDoS protection, input validation with black and whitelists utilizing self-learning, SSL termination (encryption and acceleration), content inspection, and validation of HTML, XML, and JSON payloads. In addition to core WAF functionality, NEVIS gives additional capabilities, which include virtual patching, HSM support for SSL certificates and their private keys, as well as the ability to extend session protection with custom LUA scripts.

Why worth watching: NEVIS Security integrates WAF capabilities into its nevisProxy, adding to its already strong security product line.

10. ThreatX

Founded in 2014 and located in Louisville, Colorado, United States, ThreatX is a company focused on web application and API protection through its WAAP solution. ThreatX takes a behavior-based and intelligence-centric approach to WAFs. Its risk engine provides traditional WAF and API protection, bot mitigation, and DDoS protection as examples. ThreatX provides more advanced WAF features out-of-the-box using their behavioral analytics approach to threat detection, such as multiple sources of threat intelligence to help mitigated web attacks, as well as more traditional signature rule policies. ThreatX offers agentless container-based reverse proxy deployment options that support both cloud and on-premises deployment models. In addition, a managed service is also available.

Why worth watching: ThreatX continues to provide innovative strategies for WAF and API protection.

11. Wallarm

Wallarm is a private company based in San Francisco, California, United States, that provides end-to-end API Security. Wallarm provides a Cloud WAF And API Protection solution to protect applications and serverless workloads and provides supporting APIs technologies such as REST, SOAP, WebSocket, GraphQL, and gRPC. Wallarm utilizes automation and doesn't require manual tuning. The cloud native WAF provides a centralized administration UI that gives insight into the application and API traffic with dashboards showing top attacks, global heat maps, events, etc. The WAF can be deployed as multi-tenant and includes deployments to Kubernetes clusters.

Why worth watching: Wallarm continued growth into cloud-native environments with API protection solutions.

7 Related Research

Executive View: Ergon Airlock Suite - 72509
Executive View: Oracle Cloud Security Zones
Executive View: Oracle Identity Cloud Service - 80156
Executive View: Palo Alto Networks XSOAR
Executive View: R&S® Trusted Application Factory by Rohde & Schwarz Cybersecurity
Executive View: Radware Kubernetes WAF
Executive View: United Security Providers Secure Entry Server - 79040
Leadership Compass: Access Management - 80757
Leadership Compass: API Management and Security - 80477
Market Compass: Cloud-delivered Security
Leadership Compass: Security Orchestration, Automation and Response (SOAR) - 80016
Market Compass: Web Application Firewalls - 70324

8 Methodology

8.1 About KuppingerCole's Leadership Compass

KuppingerCole Leadership Compass is a tool which provides an overview of a particular IT market segment and identifies the leaders within that market segment. It is the compass which assists you in identifying the vendors and products/services in that market which you should consider for product decisions. It should be noted that it is inadequate to pick vendors based only on the information provided within this report.

Customers must always define their specific requirements and analyze in greater detail what they need. This report doesn’t provide any recommendations for picking a vendor for a specific customer scenario. This can be done only based on a more thorough and comprehensive analysis of customer requirements and a more detailed mapping of these requirements to product features, i.e. a complete assessment.

8.2 Types of Leadership

We look at four types of leaders:

• Product Leaders: Product Leaders identify the leading-edge products in the particular market. These products deliver most of the capabilities we expect from products in that market segment. They are mature.
• Market Leaders: Market Leaders are vendors which have a large, global customer base and a strong partner network to support their customers. A lack in global presence or breadth of partners can prevent a vendor from becoming a Market Leader.
• Innovation Leaders: Innovation Leaders are those vendors which are driving innovation in the market segment. They provide several of the most innovative and upcoming features we hope to see in the market segment.
• Overall Leaders: Overall Leaders are identified based on a combined rating, looking at the strength of products, the market presence, and the innovation of vendors. Overall Leaders might have slight weaknesses in some areas, but they become Overall Leaders by being above average in all areas.

For every area, we distinguish between three levels of products:

• Leaders: This identifies the Leaders as defined above. Leaders are products which are exceptionally strong in certain areas.
• Challengers: This level identifies products which are not yet Leaders but have specific strengths which might make them Leaders. Typically, these products are also mature and might be leading-edge when looking at specific use cases and customer requirements.
• Followers: This group contains vendors whose products lag in some areas, such as having a limited feature set or only a regional presence. The best of these products might have specific strengths, making them a good or even best choice for specific use cases and customer requirements but are of limited value in other situations.

Our rating is based on a broad range of input and long experience in that market segment. Input consists of experience from KuppingerCole advisory projects, feedback from customers using the products, product documentation, and a questionnaire sent out before creating the KuppingerCole Leadership Compass, and other sources.

8.3 Product Rating

KuppingerCole Analysts AG as an analyst company regularly evaluates products/services and vendors. The results are, among other types of publications and services, published in the KuppingerCole Leadership Compass Reports, KuppingerCole Executive Views, KuppingerCole Product Reports, and KuppingerCole Vendor Reports. KuppingerCole uses a standardized rating to provide a quick overview on our perception of the products or vendors. Providing a quick overview of the KuppingerCole rating of products requires an approach combining clarity, accuracy, and completeness of information at a glance.

KuppingerCole uses the following categories to rate products:

• Security
• Functionality
• Deployment
• Interoperability
• Usability

Security is primarily a measure of the degree of security within the product/service. This is a key requirement. We look for evidence of a well-defined approach to internal security as well as capabilities to enable its secure use by the customer, including authentication measures, access controls, and use of encryption. The rating includes our assessment of security vulnerabilities, the way the vendor deals with them, and some selected security features of the product/service.

Functionality is a measure of three factors: what the vendor promises to deliver, the state of the art and what KuppingerCole expects vendors to deliver to meet customer requirements. To score well there must be evidence that the product / service delivers on all of these.

Deployment is measured by how easy or difficult it is to deploy and operate the product or service. This considers the degree in which the vendor has integrated the relevant individual technologies or products. It also looks at what is needed to deploy, operate, manage, and discontinue the product / service.

Interoperability refers to the ability of the product / service to work with other vendors’ products, standards, or technologies. It considers the extent to which the product / service supports industry standards as well as widely deployed technologies. We also expect the product to support programmatic access through a well-documented and secure set of APIs.

Usability is a measure of how easy the product / service is to use and to administer. We look for user interfaces that are logically and intuitive as well as a high degree of consistency across user interfaces across the different products / services from the vendor.

We focus on security, functionality, ease of delivery, interoperability, and usability for the following key reasons:

• Increased People Participation: Human participation in systems at any level is the highest area of cost and the highest potential for failure of IT projects.
• Lack of excellence in Security, Functionality, Ease of Delivery, Interoperability, and Usability results in the need for increased human participation in the deployment and maintenance of IT services.
• Increased need for manual intervention and lack of Security, Functionality, Ease of Delivery, Interoperability, and Usability not only significantly increase costs, but inevitably lead to mistakes that can create opportunities for attack to succeed and services to fail.

KuppingerCole’s evaluation of products / services from a given vendor considers the degree of product Security, Functionality, Ease of Delivery, Interoperability, and Usability which to be of the highest importance. This is because lack of excellence in any of these areas can result in weak, costly and ineffective IT infrastructure.

8.4 Vendor Rating

We also rate vendors on the following characteristics

• Innovativeness
• Market position
• Financial strength
• Ecosystem

Innovativeness is measured as the capability to add technical capabilities in a direction which aligns with the KuppingerCole understanding of the market segment(s). Innovation has no value by itself but needs to provide clear benefits to the customer. However, being innovative is an important factor for trust in vendors, because innovative vendors are more likely to remain leading-edge. Vendors must support technical standardization initiatives. Driving innovation without standardization frequently leads to lock-in scenarios. Thus, active participation in standardization initiatives adds to the positive rating of innovativeness.

Market position measures the position the vendor has in the market or the relevant market segments. This is an average rating over all markets in which a vendor is active. Therefore, being weak in one segment doesn’t lead to a very low overall rating. This factor considers the vendor’s presence in major markets.

Financial strength even while KuppingerCole doesn’t consider size to be a value by itself, financial strength is an important factor for customers when making decisions. In general, publicly available financial information is an important factor therein. Companies which are venture-financed are in general more likely to either fold or become an acquisition target, which present risks to customers considering implementing their products.

Ecosystem is a measure of the support network vendors have in terms of resellers, system integrators, and knowledgeable consultants. It focuses mainly on the partner base of a vendor and the approach the vendor takes to act as a “good citizen” in heterogeneous IT environments.

Again, please note that in KuppingerCole Leadership Compass documents, most of these ratings apply to the specific product and market segment covered in the analysis, not to the overall rating of the vendor.

8.5 Rating Scale for Products and Vendors

For vendors and product feature areas, we use a separate rating with five different levels, beyond the Leadership rating in the various categories. These levels are

• Strong positive: Outstanding support for the subject area, e.g. product functionality, or outstanding position of the company for financial stability.
• Positive: Strong support for a feature area or strong position of the company, but with some minor gaps or shortcomings. Using Security as an example, this can indicate some gaps in fine-grained access controls of administrative entitlements. For market reach, it can indicate the global reach of a partner network, but a rather small number of partners.
• Neutral: Acceptable support for feature areas or acceptable position of the company, but with several requirements we set for these areas not being met. Using functionality as an example, this can indicate that some of the major feature areas we are looking for aren’t met, while others are well served. For Market Position, it could indicate a regional-only presence.
• Weak: Below-average capabilities in the product ratings or significant challenges in the company ratings, such as very small partner ecosystem.
• Critical: Major weaknesses in various areas. This rating most commonly applies to company ratings for market position or financial strength, indicating that vendors are very small and have a very low number of customers.

8.6 Inclusion and Exclusion of Vendors

KuppingerCole tries to include all vendors within a specific market segment in their Leadership Compass documents. The scope of the document is global coverage, including vendors which are only active in regional markets such as Germany, Russia, or the US.

However, there might be vendors which don’t appear in a Leadership Compass document due to various reasons:

• Limited market visibility: There might be vendors and products which are not on our radar yet, despite our continuous market research and work with advisory customers. This usually is a clear indicator of a lack in Market Leadership.
• Declined to participate: Vendors might decide to not participate in our evaluation and refuse to become part of the Leadership Compass document. KuppingerCole tends to include their products anyway if sufficient information for evaluation is available, thus providing a comprehensive overview of leaders in the market segment.
• Lack of information supply: Products of vendors which don’t provide the information we have requested for the Leadership Compass document will not appear in the document unless we have access to sufficient information from other sources.
• Borderline classification: Some products might have only small overlap with the market segment we are analyzing. In these cases, we might decide not to include the product in that KuppingerCole Leadership Compass.

The target is providing a comprehensive view of the products in a market segment. KuppingerCole will provide regular updates on their Leadership Compass documents.

We provide a quick overview about vendors not covered and their offerings in chapter Vendors and Market Segments to watch. In that chapter, we also look at some other interesting offerings around the market and in related market segments.

9 Copyright

© 2024 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks ™ or registered trademarks ® of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts AG, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and making better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.