Leadership Compass
Please note that a newer version of this paper is available, published on April 08, 2024. You might want to check it out instead.
This report provides an overview of the Web Application Firewall (WAF) market and a compass to help you find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing WAF solutions.

1 Introduction / Executive Summary

Web Application Firewalls (WAFs) have been around for quite some time, protecting web applications through the inspection of HTTP traffic. Traditionally, WAFs were used on-premises within organizations to protect both internal intranets and externally facing internet web applications. Over time, organizations have grown to depend on web applications for doing business with business partners and customers, making it business-critical to maintain and protect a web application.

Since the beginning, WAFs have provided protection against a list of common types of web attacks, such as SQL injection and cross-site scripting, using pattern matching techniques against the HTTP traffic. As the list of attack types continued to grow, the Open Web Application Security Project (OWASP) provided some insight into the most critical security risks to web applications in an effort to give web developers guidance on minimizing these risks. WAFs also provide a level of protection against connection-based Distributed Denial-of-Service (DDoS) attacks that try to overwhelm or disrupt normal traffic to web-based services.

Software robots, more commonly known as bots, perform repetitive tasks and can imitate human user behavior. What started as a means to perform useful automated tasks quickly became a tool for malicious web attacks. For example, it is reported that over 30% of all online traffic is due to web bots, and roughly 25% of those bots are malicious. Some of these malicious bots even attempt to log into user accounts. Given these types of attacks, advanced WAF capabilities are needed to distinguish between automated bots and real users, as well as to detect other abnormal activity, for example by using AI Machine Learning.

The focus on Application Programming Interfaces (APIs) has been steadily growing, and the market now covers the protection of APIs in multiple ways, such as API gateways and Access Management solutions. WAFs are now also filling the gap with their own API protection, combining Web Application and API Protection (WAAP) capabilities.

This Leadership Compass covers solutions that protect web applications using a Web Application Firewall (WAF). These solutions provide the capability to protect web-based applications, their data, and APIs, which are commonly found in small to large organizations. These solutions must meet the most basic WAF requirements seen in the past and provide more advanced capabilities to meet the new emerging IT requirements that protect against the evolving landscape of attacks seen today on the internet.

1.1 Highlights

  • The WAF market is growing, and although maturing it continues to evolve.
  • WAF has increasingly become essential to business as a strategic approach to ensure overall IT web application.
  • The level of WAF intelligence has become a differentiator between WAF product solutions.
  • Beyond basic core WAF capabilities, Bot Management and API protection are two capabilities of emphasis for many of the products evaluated in this Leadership Compass.
  • Some level of Web Performance Enhancements appears as a differentiator between WAF product leaders and challengers.
  • The Overall Leaders are (in alphabetical order) Cloudflare, F5, Fastly, Imperva, Radware.
  • The Product Leaders (in alphabetical order) are Cloudflare, F5, Fastly, Imperva, Radware.
  • The Innovation Leaders (in alphabetical order) are Cloudflare, F5, Imperva, Prophaze, Radware.
  • Leading vendors in innovation and market (a.k.a. the "Big Ones") in the WAF market are (in alphabetical order) Cloudflare, F5, Imperva, Radware.