Buying a WAF
Buyer's guide.
Evaluation criteria
WAF evaluation is the discipline of comparing rule quality, false-positive rate, and performance impact together, on the same traffic. One axis alone produces bad picks: the cheapest WAF that lets attacks through is not actually cheap, and the WAF with the best catch rate is worthless once its rules have been switched off for blocking customers.
- Rule sets. For each vendor, what the baseline is (the OWASP Core Rule Set or a vendor equivalent), what proprietary rules sit on top, and how quickly rules ship after a new attack class appears. Quality and cadence of rule maintenance matter more than rule count; stale rules are theatre.
- False-positive rate. For each vendor, the share of known-legitimate traffic its rules would block, broken down per rule, because one noisy rule usually accounts for most of the noise. High rates erode trust and end with rules disabled; the WAF that pages five times a day gets ignored.
- Performance impact. For each vendor, the latency added per request at p50 and p99 under your own traffic mix, not the vendor's benchmark. As rough orders of magnitude, a well-run modern WAF adds under five milliseconds; legacy inline appliances can add fifty to a hundred, and that cost lands in tail latency.
- Proof-of-value. A thirty to ninety day proof of concept per vendor in audit (count) mode against real traffic, with the same labelled attack corpus replayed through every candidate so the numbers are comparable. Catches FP rates before purchase rather than after the rollout breaks checkout.
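The three axes above only mean something when every vendor is scored on the same replayed traffic with the same labels. The scoring below is an added example written for this guide, not any vendor's tooling; the vendor names, rule names and the twenty-request corpus are constructed, and a real proof of value would replay weeks of production traffic plus a labelled attack corpus of thousands of requests. It applies hard ceilings on false-positive rate and p99 latency before ranking on detection, and reports which rules produced the false positives so the tuning conversation with the vendor starts from data.

```python
"""Score WAF proof-of-value results across vendors on three axes.

Added example for this guide, not any vendor's code. The vendor names, rule
names and the replayed corpus are constructed; a real POC replays weeks of
production traffic plus a labelled attack corpus of thousands of requests.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
import math


@dataclass(frozen=True)
class Verdict:
    request_id: str
    is_attack: bool                  # ground-truth label from the replay corpus
    would_block: bool                # what the WAF logged in audit/count mode
    latency_ms: float                # latency the WAF added to this request
    rule: Optional[str] = None       # rule that matched, if any


def p99(values: List[float]) -> float:
    """Nearest-rank 99th percentile; tail latency is what users notice."""
    ordered = sorted(values)
    rank = max(1, math.ceil(0.99 * len(ordered)))
    return ordered[rank - 1]


def score(verdicts: List[Verdict]) -> dict:
    """Detection rate, false-positive rate and p99 latency for one vendor."""
    attacks = [v for v in verdicts if v.is_attack]
    legit = [v for v in verdicts if not v.is_attack]
    noisy = Counter(v.rule for v in legit if v.would_block)
    return {
        "detection": sum(v.would_block for v in attacks) / len(attacks),
        "fp_rate": sum(v.would_block for v in legit) / len(legit),
        "p99_ms": p99([v.latency_ms for v in verdicts]),
        "noisiest_rules": noisy.most_common(3),   # which rules to tune or drop
    }


def rank(results: Dict[str, dict], fp_ceiling: float, p99_ceiling: float):
    """Hard ceilings first, then order survivors by detection rate.

    A vendor over the FP ceiling is out regardless of detection rate: rules
    that block real customers get switched off, and a disabled rule detects
    nothing. Ties break on lower FP rate, then lower p99.
    """
    qualified, rejected = [], {}
    for name, s in results.items():
        if s["fp_rate"] > fp_ceiling:
            rejected[name] = f"fp_rate {s['fp_rate']:.3f} > {fp_ceiling}"
        elif s["p99_ms"] > p99_ceiling:
            rejected[name] = f"p99 {s['p99_ms']:.1f} ms > {p99_ceiling} ms"
        else:
            qualified.append(name)
    qualified.sort(key=lambda n: (-results[n]["detection"],
                                  results[n]["fp_rate"], results[n]["p99_ms"]))
    return qualified, rejected


# Constructed replay corpus: 8 labelled attacks, 12 known-legitimate requests.
ATTACKS = [f"atk-{i}" for i in range(1, 9)]
LEGIT = [f"ok-{i}" for i in range(1, 13)]


def verdicts_for(flagged: Dict[str, str], latency_ms: float) -> List[Verdict]:
    """One vendor's audit-mode verdicts from {request_id: rule that fired}."""
    return [Verdict(rid, rid in ATTACKS, rid in flagged, latency_ms, flagged.get(rid))
            for rid in ATTACKS + LEGIT]


# Constructed vendor results (rule names are made up, not real rule ids).
VENDORS = {
    "alpha": verdicts_for({a: "sqli-generic" for a in ATTACKS[:7]}, 3.0),
    "beta": verdicts_for({**{a: "sqli-generic" for a in ATTACKS},
                          "ok-3": "xss-broad", "ok-5": "xss-broad"}, 4.0),
    "gamma": verdicts_for({a: "sqli-generic" for a in ATTACKS[:6]}, 60.0),
    "delta": verdicts_for({a: "sqli-generic" for a in ATTACKS[:6]}, 2.0),
}


def evaluate(vendors=VENDORS, fp_ceiling=0.01, p99_ceiling=5.0):
    """Score every vendor, apply the ceilings, return (scores, ranking, rejections)."""
    results = {name: score(v) for name, v in vendors.items()}
    qualified, rejected = rank(results, fp_ceiling, p99_ceiling)
    return results, qualified, rejected


if __name__ == "__main__":
    results, qualified, rejected = evaluate()
    for name in qualified:
        print(f"{name}: {results[name]}")
    for name, why in rejected.items():
        print(f"rejected {name}: {why}")
```

On this toy corpus "beta" catches every attack and still loses, because it blocks two legitimate requests; "gamma" loses on latency alone. The ceilings are parameters: the 1% false-positive ceiling fits a twenty-request corpus, and on real volumes you would set it far lower, since 1% of checkout traffic is a lot of lost orders.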
Major options
Three vendor classes cover most of the market: CDN-bundled (Cloudflare), cloud-native (AWS WAF), and enterprise (F5, Imperva, Akamai). Each fits a different shape of organisation, and the choice usually follows the CDN or cloud the traffic already passes through.
- Cloudflare WAF. Bundled with the Cloudflare CDN. Strong managed rule set, low latency, predictable pricing; the default for sites already fronted by Cloudflare.
- AWS WAF. Native to AWS (CloudFront, ALB, API Gateway) and priced per web ACL, per rule, and per million requests. Highly customisable; its managed rule set is less mature than the dedicated vendors', but it is the natural fit for AWS-heavy stacks.
- F5, Imperva, Akamai. The enterprise tier. Rich features and high cost; sensible for organisations that already hold a support relationship with one of them.
- Existing-stack fit. Whether the candidate integrates with the team's CDN, deployment pipeline, and observability. Catches the wrong-tool pick early: a WAF that cannot ship its logs into the team's actual SIEM leaves the detection team blind.
Managed vs self-managed
Managed versus self-managed is a real choice. Most teams should pick managed; the rule-maintenance cost of self-managed is invisible until the team is six months in and nobody has touched the rules since launch.
- Managed WAF. Vendor-maintained rule sets, updated by the vendor as new attack patterns and vulnerability classes appear. Hands-off and right for most teams; the vendor's security research team is bigger than yours.
- Self-managed. An engine the team runs itself, typically the OWASP Core Rule Set plus rules written in-house. Suitable for unusual applications, or compliance environments where vendor rules genuinely do not fit, and only if someone owns the rules as a standing job.
- Default to managed. Few teams have the dedicated expertise to keep self-managed rules current against evolving attack patterns, and the gap shows up as both missed attacks and false positives.
- Documented driver. A named rationale for every self-managed decision. Catches premature self-managed choices made for control rather than need.
Safe rollout
The rollout is its own discipline: audit-only first, low-risk paths next, continuous tuning after. Skipping audit mode is how WAF rollouts become customer-facing outages.
- Alert-only mode first. One to two weeks in audit (count) mode per rollout, long enough to cover a full weekly traffic cycle. The WAF logs what it would block while blocking nothing; the team measures the false-positive rate per rule and fixes or excludes the noisy ones before flipping enforcement on.
- Low-risk paths first. Enforce on public read-only APIs before checkout, and on checkout last. Revenue-critical flows need extra evaluation; one bad rule there costs more than the WAF saves.
- Continuous tuning. Block-rate and false-positive review every quarter, and after every major application release. Rules need adjusting as traffic evolves; the WAF is not a deploy-and-forget product.
- Rollback plan. A disable-rule script, written and rehearsed before each enforcement flip, that puts one named rule back into count mode. Recovery from a misbehaving rule is then one command rather than a configuration deployment, and it never requires turning the whole WAF off.
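The four rollout steps above are all edits to the same configuration object: count mode, a path scope for the first enforced slice, and a rollback that flips one rule back. The code below is an added example written for this guide, not AWS code, using the field names of AWS WAF's wafv2 web ACL document (OverrideAction for managed rule groups, Action for custom rules, ScopeDownStatement to confine a rule group to part of the site). The ACL name, rule names, paths and rate limit are constructed; pushing the result to AWS is the separate `aws wafv2 update-web-acl` step and is not part of the example.

```python
"""Staged enforcement and one-command rollback for a web ACL in AWS WAF's JSON shape.

Added example for this guide, not AWS code. Field names follow the wafv2 web
ACL document; the ACL name, rule names and paths are constructed.
"""
import copy
import json
from typing import List

_VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}

# Constructed starting point: everything in count (audit) mode, nothing enforced.
WEB_ACL = {
    "Name": "shop-prod",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "managed-common",
            "Priority": 0,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"Count": {}},   # log what would block, block nothing
            "VisibilityConfig": {**_VIS, "MetricName": "managed-common"},
        },
        {
            "Name": "login-rate-limit",
            "Priority": 1,
            "Statement": {"RateBasedStatement": {"Limit": 300, "AggregateKeyType": "IP"}},
            "Action": {"Count": {}},
            "VisibilityConfig": {**_VIS, "MetricName": "login-rate-limit"},
        },
    ],
}


def _rule(acl: dict, name: str) -> dict:
    for rule in acl["Rules"]:
        if rule["Name"] == name:
            return rule
    raise KeyError(f"no rule named {name!r} in web ACL {acl['Name']!r}")


def mode_of(acl: dict, name: str) -> str:
    """'count' (audit only) or 'enforce' for one rule."""
    rule = _rule(acl, name)
    action = rule["OverrideAction"] if "OverrideAction" in rule else rule["Action"]
    return "count" if "Count" in action else "enforce"


def set_mode(acl: dict, name: str, mode: str) -> dict:
    """Copy of the ACL with one rule switched to 'count' or 'enforce'.

    Managed rule groups use OverrideAction: Count makes every rule in the group
    log-only, None lets the group's own block actions apply. Custom rules carry
    their Action directly. The input ACL is left untouched so it remains the
    rollback target.
    """
    if mode not in ("count", "enforce"):
        raise ValueError(f"mode must be 'count' or 'enforce', got {mode!r}")
    new = copy.deepcopy(acl)
    rule = _rule(new, name)
    if "OverrideAction" in rule:
        rule["OverrideAction"] = {"Count": {}} if mode == "count" else {"None": {}}
    else:
        rule["Action"] = {"Count": {}} if mode == "count" else {"Block": {}}
    return new


def scope_to_path(acl: dict, name: str, prefix: str) -> dict:
    """Confine a managed rule group to one URI prefix, so the first enforced
    slice is the read-only catalogue API and not /checkout. Requests outside
    the prefix are not inspected by this group at all; record that in the
    rollout log."""
    new = copy.deepcopy(acl)
    stmt = _rule(new, name)["Statement"]["ManagedRuleGroupStatement"]
    stmt["ScopeDownStatement"] = {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "STARTS_WITH",
        "SearchString": prefix,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
    }}
    return new


def rollback(acl: dict, name: str) -> dict:
    """The one-command rollback: the misbehaving rule goes back to count mode;
    every other rule, and the WAF itself, stays as it was."""
    return set_mode(acl, name, "count")


def enforcing(acl: dict) -> List[str]:
    """Rules currently blocking: the list the on-call engineer chooses from."""
    return [r["Name"] for r in acl["Rules"] if mode_of(acl, r["Name"]) == "enforce"]


def changed_rules(old: dict, new: dict) -> List[str]:
    """Rules whose definition differs, for the change review before deploying."""
    before = {r["Name"]: json.dumps(r, sort_keys=True) for r in old["Rules"]}
    after = {r["Name"]: json.dumps(r, sort_keys=True) for r in new["Rules"]}
    return sorted(n for n in before.keys() | after.keys() if before.get(n) != after.get(n))


if __name__ == "__main__":
    phase1 = scope_to_path(set_mode(WEB_ACL, "managed-common", "enforce"),
                           "managed-common", "/api/catalog")
    print("enforcing:", enforcing(phase1), "changed:", changed_rules(WEB_ACL, phase1))
    print("after rollback:", enforcing(rollback(phase1, "managed-common")))
```

Every function returns a new document and leaves its input alone, which is the point: the pre-flip ACL is the rollback artefact, and `changed_rules` is the diff a reviewer signs off before the enforcement deploy. Keep the rollback wired up as one command that takes a rule name, so the on-call engineer never has to decide between "edit the config under pressure" and "disable the WAF".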
Comparing total cost
The total cost has three layers: per-request pricing, add-ons, and operational time. The licence is rarely the largest line item; budget honestly across all three.
- Per-request pricing. The usage-based slope. AWS WAF, for example, charges per million requests plus flat monthly fees per web ACL and per rule; all in, call it around a dollar per million requests. At 100M requests a month that is roughly $100; at 10B, $10,000. The slope is what matters at scale.
- Add-ons. Bot management, DDoS protection, and API security are usually separate line items. Check what the bundle actually includes; add-ons can double the headline cost.
- Operational time. Tuning, monitoring, and on-call for WAF-caused incidents. This is real cost beyond the licence; as a rule of thumb, budget the part-time attention of two engineers.
- Cost retro. A cost-versus-value review every quarter. Catches over-spending on noise, such as add-ons that are paid for but unused.