Buying a WAF
Buyer's guide.
Evaluation criteria
Rule sets. OWASP Core Rule Set is the baseline; vendor-specific rules add coverage. Quality of rule maintenance matters.
False-positive rate. Measure it as the share of a sample of known-legitimate traffic that the WAF would block. High rates erode trust and lead to rules being disabled.
Performance impact. Latency added per request. Most modern WAFs add under 5 ms; some legacy ones add 50-100 ms.
Major options
Cloudflare WAF. Bundled with their CDN. Strong rule set, low latency, predictable pricing. Default for Cloudflare-fronted sites.
AWS WAF. Tight AWS integration, per-rule pricing. Customisable; less mature rule set than dedicated vendors.
F5, Imperva, Akamai. Enterprise vendors. Rich features; high cost; established support relationships.
Managed vs self-managed
Managed WAF: vendor maintains rule sets, updates for zero-days. Hands-off; right for most teams.
Self-managed: you write and maintain rules. Suitable for unique applications or compliance environments where vendor rules are insufficient.
Most teams should choose managed. The cost of maintaining rules at vendor quality is large; few teams have the dedicated expertise.
Safe rollout
Start in alert-only (audit) mode. WAF logs what it would block; nothing is blocked. Run for 1-2 weeks; tune rules.
Promote to block mode for low-risk paths first. /api/* might tolerate WAF blocks; the checkout flow needs careful evaluation before blocking.
Continuous tuning. New false positives surface; rules adjust. Quarterly review of block rates and false positives.
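The audit-mode triage described above, as an added example (not part of the original guide or any vendor's tooling): a constructed sample of known-legitimate traffic replayed through a WAF in alert-only mode, the false-positive rate it yields per path prefix, and a per-prefix decision on which low-risk paths are ready for block mode. Rule ids and the FP threshold are constructed assumptions.

```python
"""Triage of alert-only (audit) mode WAF logs. Added example, not vendor code."""
from collections import Counter, defaultdict

# Constructed sample: requests from a known-legitimate traffic sample that were
# replayed through the WAF in audit mode. "would_block" is what the WAF logged
# it would have done; rule ids are constructed placeholders, not real CRS ids.
AUDIT_SAMPLE = [
    {"path": "/api/users/42", "rule": None, "would_block": False},
    {"path": "/api/users/7", "rule": None, "would_block": False},
    {"path": "/api/search?q=select+name", "rule": "RULE-SQLI-1", "would_block": True},
    {"path": "/api/users/9", "rule": None, "would_block": False},
    {"path": "/checkout/address", "rule": "RULE-XSS-1", "would_block": True},
    {"path": "/checkout/pay", "rule": None, "would_block": False},
    {"path": "/static/app.js", "rule": None, "would_block": False},
    {"path": "/static/logo.png", "rule": None, "would_block": False},
]

def prefix_of(path: str) -> str:
    """Group requests by first path segment: /api/users/42 -> /api."""
    return "/" + path.lstrip("/").split("/", 1)[0].split("?", 1)[0]

def false_positive_rate(entries) -> float:
    """Share of the legitimate sample the WAF would have blocked."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["would_block"]) / len(entries)

def false_positives_by_rule(entries) -> Counter:
    """Rules that fire on legitimate traffic: the tuning candidates."""
    return Counter(e["rule"] for e in entries if e["would_block"])

def promotion_plan(entries, low_risk_prefixes, max_fp_rate=0.01) -> dict:
    """Per path prefix: promote to block mode only if the prefix is low-risk
    AND its FP rate on legitimate traffic is within the (assumed) threshold;
    everything else stays in alert-only mode for further tuning."""
    by_prefix = defaultdict(list)
    for e in entries:
        by_prefix[prefix_of(e["path"])].append(e)
    plan = {}
    for prefix, group in sorted(by_prefix.items()):
        ok = prefix in low_risk_prefixes and false_positive_rate(group) <= max_fp_rate
        plan[prefix] = "block" if ok else "alert_only"
    return plan

def with_rule_excluded(entries, rule_id: str, prefix: str) -> list:
    """Simulate a tuning step: exclude one rule for one prefix and re-evaluate."""
    return [dict(e, would_block=False) if e["rule"] == rule_id and prefix_of(e["path"]) == prefix
            else dict(e) for e in entries]
```

Running promotion_plan before and after with_rule_excluded shows why a low-risk prefix can still stay in alert-only mode: one untuned rule firing on a legitimate search term holds /api back until that rule is excluded for that path.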
Comparing total cost
Per-request pricing is common. AWS WAF: $1 per million requests. At 100M requests monthly: $100/month. At 10B: $10,000/month.
Add-ons: bot management, DDoS protection, API security. Often separate line items; bundle pricing matters.
Operational time: tuning, monitoring, on-call for WAF-related incidents. A real cost beyond the licence fee.