WAFs Are Now The Center Of Application Protection Suites
Although not a new technology by any stretch, web application firewall (WAF) solutions continue their evolution. Today, WAF solutions are cloud-based and protect applications and APIs in hybrid and multicloud environments. WAF solution vendors have expanded their remit to address API attacks and layer 7 DDoS and are working to integrate WAFs with bot management, API security, and client-side security tools to offer complete application protection platforms. This is good news for security pros, who continue to face an onslaught of application-based attacks. To execute successfully, security teams must operate more efficiently than ever and rely on a WAF solution that will limit or eliminate false positives, avoid performance lags, prevent outages, and more completely block attacks that would otherwise threaten the security team’s credibility with the product team and the business as a whole. Customers purchasing new WAFs or looking to upgrade their current WAF must consider:
- The best range of features to protect business-critical apps. WAF solution deployments struggle when false positives (legitimate traffic blocked) and false negatives (attacks let through) threaten an application’s effectiveness and business value — and cause product leaders and developers to mistrust the security team. An effective WAF protects the application while allowing it to serve customers as intended with minimal friction. This requires solid detection, protection of apps and APIs from a range of attacks, automated policy updates, the ability to effectively create and test new rules before they reach production, and simple management and configuration features that don’t disrupt the application’s performance and efficacy.
- The breadth and depth of automation and integrations. All vendors offer infrastructure-as-code (IaC) integrations and APIs to help customers scale WAF deployments and management functions. But security pros will want to check that vendors fully support APIs and IaC templates and keep them up to date with new features and functions. Also, check that integrations with security operations (SecOps), development and operations (DevOps), application scanning, and vulnerability management tools are easy to implement. For SecOps tools like security information and event management (SIEM) and security orchestration, automation, and response (SOAR), ask about granular data feed options, which help minimize data storage costs by forwarding only the events you need, and about supported preconfigured dashboards.
- The vendor’s application protection platform strategy. A few years ago, most WAF solution vendors had acquired or built out adjacent solutions like API security, bot management, and client-side code protection and offered customers a portfolio of loosely coupled solutions. Today, many of these vendors are moving to turn these portfolios into true platforms with a unified management UI, shared context, and simplified pricing model. Security leaders should look at their WAF vendor’s platform strategy to see how it can grow with them and streamline their efforts in one or more adjacent categories.
The Forrester Wave™: Web Application Firewall Solutions, Q1 2025, evaluates 10 of the top WAF vendors’ current offering and strategy and is available now! Forrester customers looking for a deeper dive can also set up an inquiry or guidance session.