
The Forrester Wave™: Web Application Firewalls, Q1 2020
The 10 Providers That Matter Most And How They Stack Up

by Sandy Carielli and Amy DeMartine


February 26, 2020

Why Read This Report

In our 33-criterion evaluation of web application firewall (WAF) providers, we identified the 10
most significant ones — Akamai Technologies, Alibaba Cloud, Amazon Web Services, Barracuda
Networks, Cloudflare, F5 Networks, Imperva, Microsoft, Radware, and Rohde & Schwarz
Cybersecurity — and researched, analyzed, and scored them. This report shows how each provider
measures up and helps security professionals select the right one for their needs.

Key Takeaways

Akamai Technologies And Imperva Cloud WAF Lead The Pack
Forrester’s research uncovered a market in which Akamai Technologies and Imperva Cloud WAF
are Leaders; Radware, Barracuda Networks, and F5 Advanced WAF are Strong Performers;
Imperva WAF Gateway, F5 Silverline, Amazon Web Services, and Alibaba Cloud are Contenders;
and Microsoft, Cloudflare, and Rohde & Schwarz Cybersecurity are Challengers.

Expanded Protection, Threat Intel, And SDLC Feedback Are Key Differentiators
As development, security, and operations (DevSecOps) takes hold, WAFs that enable security
leaders to quickly identify and mitigate a wide range of application threats will lead the
pack. Vendors that can extend protections into APIs and client-side components; that offer
timely, integrated threat intelligence; and that natively hook into a customer’s security and
development processes position themselves to successfully integrate into the DevSecOps
toolchain and delight their customers.

For Security & Risk Professionals

by Sandy Carielli and Amy DeMartine
with Stephanie Balaouras, Matthew Flug, and Peggy Dostie

Table Of Contents

To Stay Relevant, WAFs Must Offer More Than OWASP Top 10 Detection
Evaluation Summary
Vendor Offerings
Vendor Profiles
  Leaders
  Strong Performers
  Contenders
  Challengers
Evaluation Overview
  Vendor Inclusion Criteria
Supplemental Material

Related Research Documents

Lay Your Security Tech Foundation
Now Tech: Web Application Firewalls, Q4 2019
Top Cybersecurity Threats In 2020

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA


+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2020 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research,
Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing
is a violation of copyright law. Citations@forrester.com or +1 866-367-7378

To Stay Relevant, WAFs Must Offer More Than OWASP Top 10 Detection
Web application firewalls (WAFs) initially focused on protecting web applications from common
vulnerabilities like SQL injection, cross-site scripting, and other members of the OWASP Top 10. WAFs
remain a fundamental technology for application security protection, but customer requirements have
changed. While the OWASP Top 10 remains a core use case, customers expect WAFs to provide
protection against an ever-broader spate of application attacks, including API-based attacks,
client-side attacks, and even bots. Furthermore, the adoption of DevSecOps means that WAFs must
integrate with the rest of the application development and security infrastructure and help security
leaders quickly identify and respond to application threats. Organizations want more from their WAF
providers — and the degree of negative feedback from vendor-supplied references in this Forrester
Wave warns that, unless vendors adapt, the WAF market is ripe for disruption.

As a result of these trends, WAF customers should look for providers that:

›› Extend beyond traditional WAF protections. As the range of attacks against web applications
increases, WAF providers that merely focus on protecting against the OWASP Top 10 won’t remain
relevant. Over the past year, organizations such as Hostinger and Xiaomi have been subject to
attacks via their APIs, and attackers have breached thousands of sites, including Macy’s and the
Baseball Hall of Fame, through client-side components.1 The leading WAF providers must provide an
integrated approach to old and emerging attack approaches by supporting OAUTH, allowing users to
import API configuration files in multiple formats, and detecting header and referrer verifications.

›› Offer enriched threat intelligence. Robust protection from zero-day attacks and emerging threats
requires an extensive threat intelligence function combined with the ability to automatically push
new, pretested rules to users. WAF providers must leverage a wide range of external threat feeds
and augment them with a dedicated internal team that proactively identifies threats and applies
machine learning to analyze traffic patterns across the customer base. Customers must ask
WAF vendors not only about threat intelligence sources but about how rapidly that intelligence is
analyzed and fed into new rules.

›› Integrate natively with the software development lifecycle (SDLC). While WAFs live in the
deployment side of the application security landscape, developers and security teams leverage
WAF detections to prioritize additional safeguards in developed code. Firms purchase expensive
threat feeds but often ignore the ones they get for free and that are tailor-made for them — the
attack information from their protection technologies. Developers use this attack data to prioritize
what security flaws to fix first or to add additional production protections when fixes are not
imminent, such as custom WAF rules. Look for providers that offer multiple out-of-the-box (OOTB)
integrations with DevOps tools to fit into the deployment process, alerting and notification tools to
reach application owners, and prerelease scanning tools to create and modify WAF rules.


Evaluation Summary
The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and
Challengers. It’s an assessment of the top vendors in the market and does not represent the entire
vendor landscape. You’ll find more information about this market in our “Now Tech: Web Application
Firewalls, Q4 2019.”

We intend this evaluation to be a starting point only and encourage clients to view product evaluations
and adapt criteria weightings using the Excel-based vendor comparison tool (see Figure 1 and see
Figure 2). Click the link at the beginning of this report on Forrester.com to download the tool.


FIGURE 1 Forrester Wave™: Web Application Firewalls, Q1 2020

[Figure: Forrester Wave graphic. Vertical axis: current offering (weaker to stronger). Horizontal
axis: strategy (weaker to stronger). Marker size: market presence. Bands: Challengers, Contenders,
Strong Performers, Leaders. Vendors plotted: Akamai Technologies, F5 Advanced WAF, Imperva Cloud
WAF, Barracuda Networks, Radware, F5 Silverline, Rohde & Schwarz Cybersecurity, Imperva WAF
Gateway, Cloudflare, Alibaba Cloud, Amazon Web Services, Microsoft.]


FIGURE 2 Forrester Wave™: Web Application Firewalls Scorecard, Q1 2020

                          Forrester’s  Akamai        Alibaba   Amazon Web  Barracuda              F5 Advanced
                          weighting    Technologies  Cloud     Services    Networks   Cloudflare  WAF
Current offering          50%          4.07          1.81      1.21        3.18       1.93        3.25
  Attack detection        30%          4.40          1.80      1.05        3.90       1.80        4.50
  Attack response         20%          3.80          2.40      0.70        3.60       2.40        3.60
  Management interface    15%          4.60          2.15      2.40        2.00       2.60        4.40
  Zero-day attacks        10%          3.60          1.40      1.10        2.40       1.60        0.50
  Reporting and analytics 15%          4.00          1.60      1.30        3.40       1.00        1.90
  Feedback loops          10%          3.40          0.90      0.90        2.40       2.10        1.80

Strategy                  50%          3.76          2.20      3.60        2.24       1.28        2.24
  Product strategy        40%          3.80          1.00      3.00        3.00       1.60        1.60
  Market approach         20%          5.00          3.00      5.00        1.00       1.00        3.00
  Execution roadmap       10%          1.00          1.00      3.00        3.00       1.00        1.00
  Training and community  10%          3.00          1.00      1.00        1.00       1.00        3.00
  Performance             20%          4.20          5.00      5.00        2.20       1.20        3.00

Market presence           0%           4.58          1.84      3.10        3.70       3.72        3.09
  Installed base          70%          4.40          2.20      4.00        4.00       3.60        2.70
  Revenue                 30%          5.00          1.00      1.00        3.00       4.00        4.00

All scores are based on a scale of 0 (weak) to 5 (strong).


FIGURE 2 Forrester Wave™: Web Application Firewalls Scorecard, Q1 2020 (Cont.)

                          Forrester’s  F5          Imperva    Imperva                          Rohde & Schwarz
                          weighting    Silverline  Cloud WAF  WAF Gateway  Microsoft  Radware  Cybersecurity
Current offering          50%          2.52        3.02       2.34         1.04       2.83     2.06
  Attack detection        30%          2.50        3.10       2.30         1.05       2.20     3.60
  Attack response         20%          3.60        3.00       3.00         0.70       5.00     2.10
  Management interface    15%          1.50        2.80       1.30         1.50       1.80     1.20
  Zero-day attacks        10%          2.60        5.00       1.40         0.50       2.40     0.50
  Reporting and analytics 15%          3.10        3.00       3.30         1.60       2.50     0.70
  Feedback loops          10%          1.00        1.20       2.20         0.70       2.80     2.20

Strategy                  50%          2.24        4.44       2.72         2.50       2.96     1.00
  Product strategy        40%          1.60        5.00       2.20         3.00       5.00     1.00
  Market approach         20%          3.00        3.00       1.00         1.00       1.00     1.00
  Execution roadmap       10%          1.00        5.00       5.00         1.00       3.00     1.00
  Training and community  10%          3.00        5.00       3.00         0.00       1.00     1.00
  Performance             20%          3.00        4.20       4.20         5.00       1.80     1.00

Market presence           0%           1.21        4.09       3.49         2.74       2.00     2.19
  Installed base          70%          1.30        3.70       3.70         2.20       2.00     2.70
  Revenue                 30%          1.00        5.00       3.00         4.00       2.00     1.00

All scores are based on a scale of 0 (weak) to 5 (strong).


Vendor Offerings
Forrester included 10 vendors in this assessment: Akamai Technologies, Alibaba Cloud, Amazon Web
Services (AWS), Barracuda Networks, Cloudflare, F5 Networks, Imperva, Microsoft, Radware, and Rohde
& Schwarz Cybersecurity (R&S) (see Figure 3). F5 Networks and Imperva had multiple products, which
Forrester evaluated separately to highlight the differences when these products are purchased separately.

FIGURE 3 Evaluated Vendors And Product Information

Vendor                         Product evaluated                                 Product version evaluated
Akamai Technologies            Kona Site Defender                                March 2019
Alibaba Cloud                  Web Application Firewall                          4.3.0.0
Amazon Web Services            AWS WAF; AWS Firewall Manager
Barracuda Networks             Barracuda Web Application Firewall (Hardware);    10.0.1.003
                               Barracuda Web Application Firewall (Vx);
                               Barracuda CloudGen Firewall for AWS;
                               Barracuda CloudGen Firewall for Azure;
                               Barracuda CloudGen Firewall for Google Cloud
Cloudflare                     Cloudflare WAF
F5 Networks                    F5 Advanced WAF                                   14.1
F5 Networks                    F5 Silverline WAF
Imperva                        Imperva Cloud Application Firewall                10/8/19
Imperva                        Web Application Firewall Gateway                  13.5
Microsoft                      Azure Web Application Firewall (Azure WAF);
                               Azure Log Analytics; Azure Sentinel
Radware                        AppWall, Alteon, Cisco WAF, Cisco ACI,            AppWall 7.5.6, Cloud WAF 19.7.3,
                               AppWall VA, Alteon VA, Cloud WAF                  Alteon 32.4.00
Rohde & Schwarz Cybersecurity  R&S Web Application Firewall                      6.5.3


Vendor Profiles
Our analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

›› Akamai Technologies offers a cloud-agnostic WAF solution at the edge. Akamai’s WAF,
Kona Site Defender, is one in a suite of security products that also includes DDoS protection, bot
management, and an API gateway available to Akamai’s CDN customers. Akamai has invested
in API protection, with customers able to import Swagger or RAML files into the management
console. The recent acquisition of ChameleonX hints at Akamai’s roadmap for protecting
third-party scripts from Magecart-like attacks.

In a sea of middling WAF customer references, Akamai stood out among the vendors for its
across-the-board positive reviews, with particularly high marks for attack detection, attack response,
and internal threat intelligence. Customers also appreciated the ability to easily add other Akamai
performance and security products. Some of the customer challenges focused on communication
and relationship — one reference wanted more communication “on when changes are being
made to the underlying rules maintained by Akamai,” while another was frustrated by the frequent
turnover of their account team. Akamai CDN customers are well suited to take advantage of Kona
Site Defender.

›› Imperva Cloud WAF is the more mature of Imperva’s WAF solutions. Previously known as
Incapsula, Cloud WAF is one of two WAF products in Imperva’s portfolio that we evaluated
separately. Imperva offers a full suite of deployment-side application protections — including WAF,
bot management, RASP, DDoS, API security, and analytics solutions — and their go-to-market
approach, called FlexProtect, focuses on solution bundles. In 2019, Imperva introduced a user
community where customers engage with Imperva experts and each other; the community offers
discussion boards, how-to videos, and community blogs.

Ease of use was a common theme among Imperva’s reference customers, who rated the UI highly
and were pleased the product could be both intuitive and effective. However, feedback loops
remain a source of frustration: More than one reference struggles with SIM integration. Customers
seeking a full application security stack and a modern user experience would benefit from
Imperva’s Cloud WAF solution. Note that Cloud WAF is also available as a managed service.

Strong Performers

›› Radware offers customers consolidated security with multiple deployment options.
Radware’s AppWall can be deployed as a virtual or physical appliance, either standalone or on
top of Radware’s application delivery controller (ADC). Radware also offers Cloud WAF as a SaaS
option — deploying 24 Cloud WAF PoPs globally and including the Radware Bot Manager — and
Kubernetes WAF for cloud-native applications. Radware has a strong partnership with Microsoft to
run Cloud WAF on top of Azure and touts itself as the only WAF service running natively in Azure.


Reference customers were complimentary of Radware’s customer interaction — one called
Radware “a great relationship-building organization” — and spoke highly of the onboarding
process and the team’s responsiveness to feature requests. On the flip side, references wanted to
see more from the reporting, such as additional dashboards and response codes, and had mixed
reviews of the management UI. Radware is a strong choice for customers looking for platform
consolidation either in the data center with ADC, WAF, and DDoS protection or in the cloud with
Cloud WAF and bot management.

›› Barracuda Networks offers a range of deployment options. Barracuda WAF is available as a
hardware appliance, as a virtual appliance, or as CloudGen Firewall for AWS, Azure, or Google
Cloud. Barracuda uses the same WAF engine, with a rewritten UI, as the basis for its
WAF-as-a-service offering — Forrester did not review the SaaS offering. Barracuda WAF fully integrates
with the Barracuda Vulnerability Remediation Service, which scans the application and feeds rule
changes to the WAF based on the resultant vulnerability data.

Barracuda has invested in API security, including JSON payload inspection and YAML file import,
with additional features on the roadmap. Barracuda’s reference customers praised the WAF as
offering good value for the price, appreciated the ease of use, and noted recent improvements in
logging. Top criticisms targeted internal threat intelligence and feedback loops. Customers also
wished for “better centralized logging” and “a more responsive UI.” Given the company’s focus on
the CloudGen and SaaS WAF products, customers looking for a public cloud deployment option
should consider Barracuda.

›› F5 Networks’ Advanced WAF offers rich rulesets and centralized management. F5 offers
two WAF products — Advanced WAF and Silverline — that we evaluated separately. Customers
can deploy Advanced WAF as a hardware appliance, as a virtual appliance, or in public cloud —
Advanced WAF is available in AWS, Azure and Google Cloud. F5’s BIG-IQ platform offers a centralized
management console for all WAF deployments, and the company envisions consolidating its WAF
products on top of a single engine. F5 has shifted its go-to-market to position application security as
the central offering rather than an add-on.

Forrester received limited, mixed feedback on F5’s Advanced WAF. Although customer references
praised F5 Networks’ out-of-the-box ruleset — “I can accomplish almost everything I need
to with default signatures” — and gave high marks for attack detection, attack response, and
management, F5 garnered low grades for internal threat intelligence, reporting, and feedback
loops. F5 Advanced WAF is a good option for customers needing a feature-rich platform and who
are willing to manage it.

Contenders

›› Imperva WAF Gateway offers an on-premises solution with a path to the cloud. One of two
WAF products in Imperva’s portfolio that were evaluated separately, WAF Gateway was formerly
called SecureSphere and provides an on-premises solution for industries and regions not ready
to move to cloud. As with Cloud WAF, Imperva includes WAF Gateway as an option in FlexProtect
solution bundles and gives customers access to experts and peers through the user community.
Imperva’s roadmap includes a unified management console and single WAF sensor for its Cloud
WAF and WAF Gateway offerings.

A unified management console would be welcome, since unlike Cloud WAF’s modern UI, WAF
Gateway’s user experience is decidedly out of the mid-2000s. One customer complained, “The
UI has not been updated and feels out of date. It makes management and investigations in the
console very difficult.” Reference customers also criticized feedback loops and struggled with
customer support, but they were enthusiastic about WAF Gateway’s attack detection and response
capabilities. For customers still preferring an on-prem solution and willing to bet on an eventual
cross-sharing of features with Cloud WAF, WAF Gateway remains a viable WAF solution.

›› F5 Networks’ Silverline reduces in-house resource requirements. F5 offers two WAF
products — Advanced WAF and Silverline — that we evaluated separately. F5 Silverline provides
customers with a simplified experience through either an express self-service option or a fully
managed service maintained by F5’s SOC. Silverline WAF Express lets customers select their
targeted rulesets — maintained by the F5 SOC — for popular technology stacks. The F5 team
maintains and updates standard rulesets; upon request, they will also create and tune custom
rules for Silverline Managed WAF customers.

Managed services played heavily into customer feedback — references appreciated they didn’t
have to do the work and praised the F5 team’s responsiveness. However, there was some
frustration with feedback loops, particularly around logging and SIM integration. One customer
noted the WAF tool didn’t export all data to their SIM, “so we have to work around getting
necessary log data to the parties that need it.” Customers also hoped to see more-granular
reporting and the ability to generate and export metrics. Customers unable or unwilling to fully
manage a WAF should consider F5 Silverline’s Managed WAF. Those with apps built exclusively on
common tech stacks should investigate Silverline WAF Express.

›› Amazon Web Services combines several services into a complete security solution. AWS
WAF, for detection and protection, and AWS Firewall Manager, for centralized rule management,
are part of an application security suite that also includes AWS Shield for DDoS protection. The
AWS Management Console provides the management UI for all AWS services and closely ties
together the interfaces for WAF, Firewall Manager, and Shield. Customers can deploy AWS WAF for
applications running in EC2, ECS, Lambda, or on-prem.

AWS’s services collate and feed logs to a SIM, manage metrics and alarms, enrich data, build
queries, and create business intelligence reports. This ecosystem has value but also means
customers must implement an array of services to create a fully functioning WAF. Reference
customers appreciated the AWS native experience and the well-documented APIs but expressed
frustration with reporting and zero-day protection. One reference noted, “In order to meaningfully
use the WAF product, you must create your own rules.” AWS WAF is a good fit for customers
seeking an AWS native solution, undaunted by a plethora of cobbled-together services, and that
appreciate API deployment and configuration.

›› Alibaba Cloud WAF leverages Alibaba Cloud’s presence in the China and AP markets. While
Alibaba Cloud WAF has primarily been a cloud offering in China and available to Alibaba Cloud
customers, the company is expanding into Southeast Asia and plans to address hybrid cloud
through deployment options with other public clouds or on-prem. Alibaba Cloud offers 24x7
customer support groups on the Dingtalk communication and collaboration platform.

Alibaba Cloud’s roadmap highlights API security as a top priority, aligning with Forrester’s
observation that Alibaba Cloud’s API protection is limited. APIs were also a theme with reference
customers, who asked for API and mobile SDKs. Otherwise, references had few complaints, and
gave high marks to Alibaba Cloud WAF’s attack detection and defense against zero-day attacks.
Alibaba Cloud WAF is a good option for customers who want a top player in the China and Asia
Pacific regions that prioritizes a responsive service team.

Challengers

›› Microsoft’s Azure WAF is an early-stage product in a mature market. Microsoft first offered
Azure WAF in 2017 as an integration with an Application Gateway to protect public or private
websites. As of mid-2019, Azure WAF also integrates natively with Azure Front Door at the network
edge, combining application security and performance functions. Azure WAF protects applications
within Azure, hosted in other clouds or deployed on-premises. The product integrates with services
such as Azure Log Analytics and Azure Monitor.

Microsoft could only provide limited customer feedback; references appreciated Azure WAF’s
native integration to Azure Resource Manager but wanted to see more OOTB compliance reporting.
One reference noted, “Until recently, the product was still lacking the ability to create custom
policies,” a common feature long supported by enterprise-class vendors. Feature gaps were a
trend in the Azure WAF evaluation, as the product doesn’t: 1) perform data leak protection; 2)
integrate with vulnerability scanners; 3) offer device fingerprinting; or 4) offer protection against
client-side attacks. Customers might consider Azure WAF if they have more-limited feature
requirements and like Azure WAF’s native integrations.

›› Cloudflare integrations drive flexible and simple customer experience. Cloudflare WAF
integrates with the rest of its suite, including the CDN, load balancing, smart routing, and bot
management. Cloudflare focuses on implementation, with the intention of users configuring WAF
features through the dashboard, the API, and/or Terraform. To address client-side attacks, data
loss prevention, and other custom rules the WAF doesn’t address natively, Cloudflare implemented
the Workers platform to let customers build custom code at the CDN edge. Cloudflare recently
announced the GraphQL Analytics API, which underpins its Firewall Analytics dashboards and
helps customers query and build their own dashboards.


Since our last WAF evaluation, Cloudflare has also invested in a rule creation interface, reporting,
managed rulesets, and predeployment rule testing — features that do not leapfrog the competition
but bring Cloudflare closer to parity. Reference customers all highlighted ease of use or ease of
implementation — one customer referred to Cloudflare as “intuitively usable.” The biggest criticism
was around Cloudflare’s internal threat intelligence, and there were requests for additional logging
features and integrations. Existing Cloudflare customers looking for seamless integration and a
solid user experience should consider the Cloudflare WAF.

›› R&S offers an on-prem, SaaS, and managed solution for the European market. Rohde &
Schwarz Cybersecurity’s Web Application Firewall is available as an enterprise edition and a
business edition. While the enterprise edition includes all features, the business edition targets
SMBs and is positioned as more of an entry-level WAF that supports fewer form factors, fewer
application types, and fewer features. R&S also recently launched Cloud Protector, a cloud-based
WAF available as SaaS or managed service and hosted in European data centers.

Reference customers rated attack detection highly but gave APIs mixed reviews, with one
reference calling the API “lean.” References spoke positively about R&S’s simplicity and usable
management console — the question is, which one? Between the Cloud Protector management
console, the traditional R&S WAF management application, and the Kibana-based dashboard
and reports, R&S is a tale of multiple UIs. The business and enterprise editions support different
functionality — customers must understand the differences and choose wisely. European
customers and others with data sovereignty concerns will appreciate R&S’s on-prem and
EU-hosted options and regulatory alignment.

Evaluation Overview
We evaluated vendors against 33 criteria, which we grouped into three high-level categories:

›› Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic
indicates the strength of its current offering. Key criteria for these solutions include attack
detection; attack response; management interface; protection against zero-day attacks; reporting
and analytics; and feedback loops with developer, SecOps, and prerelease scanning tools.

›› Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We
evaluated product strategy, market approach, execution roadmap, training and community, and
performance.

›› Market presence. Represented by the size of the markers on the graphic, our market presence
scores reflect each vendor’s installed base and revenue.


Vendor Inclusion Criteria

Forrester included 10 vendors in the assessment: Akamai Technologies, Alibaba Cloud, Amazon Web
Services, Barracuda Networks, Cloudflare, F5 Networks, Imperva, Microsoft, Radware, and Rohde &
Schwarz Cybersecurity. Each of these vendors has:

›› A comprehensive, enterprise-class WAF tool. All vendors in this evaluation offer a range of WAF
capabilities suitable for security pros. Participating vendors were required to have most of the
following capabilities out of the box: attack detection for web applications, including APIs; ability
to block attacks, including zero-day attacks; the use of machine learning to modify rules; and the
ability to visually report attacks.

›› $10 million or more in global WAF revenue. All vendors in this evaluation earned $10 million or
more in global revenue — no more than 90% revenue attributed to a single region — directly from
WAF capabilities.

›› Interest from or relevance to Forrester clients. Forrester clients often discuss the participating
vendors and products during inquiries and interviews. Alternatively, the participating vendor may, in
Forrester’s judgment, have warranted inclusion because of technical capabilities and market presence.


Supplemental Material

Online Resource

We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product
evaluations and customizable rankings; download this tool by clicking the link at the beginning of this
report on Forrester.com. We intend these scores and default weightings to serve only as a starting
point and encourage readers to adapt the weightings to fit their individual needs.

The Forrester Wave Methodology

A Forrester Wave is a guide for buyers considering their purchasing options in a technology
marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™
Methodology Guide to evaluate participating vendors.


In our review, we conduct primary research to develop a list of vendors to consider for the evaluation.
From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather
details of product and strategy through a detailed questionnaire, demos/briefings, and customer
reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in
the marketplace, to score vendors, using a relative rating system that compares each vendor against
the others in the evaluation.

We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester
Wave report. We evaluated the vendors participating in this Forrester Wave using materials they
provided to us by December 3, 2019 and did not allow additional information after that point. We
encourage readers to evaluate how the market and vendor offerings change over time.

In accordance with The Forrester Wave™ Vendor Review Policy, Forrester asks vendors to review our
findings prior to publishing to check for accuracy. Vendors marked as nonparticipating vendors in the
Forrester Wave graphic met our defined inclusion criteria but declined to participate in or contributed
only partially to the evaluation. We score these vendors in accordance with The Forrester Wave™ And
The Forrester New Wave™ Nonparticipating And Incomplete Participation Vendor Policy and publish
their positioning along with those of the participating vendors.

Integrity Policy

We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity Policy
posted on our website.

Endnotes
1. Source: Daugirdas Jankus, “Security Incident: What We Did to Improve Security of Our Infrastructure,” Hostinger Blog, November 25, 2019 (https://www.hostinger.com/blog/security-incident-what-you-need-to-know/?trifyguhioy8).

2. Source: Pierluigi Paganini, “Thousands of Xiaomi FURRYTAIL pet feeders exposed to hack,” Security Affairs, October 30, 2019 (https://securityaffairs.co/wordpress/93062/hacking/xiaomi-furrytail-pet-feeders-hack.html).

3. Source: Lee Mathews, “Baseball Hall Of Fame Website Hacked With Credit Card Stealing Malware,” Forbes, August 9, 2019 (https://www.forbes.com/sites/leemathews/2019/08/09/baseball-hall-of-fame-website-hacked-with-credit-card-stealing-malware/#6274ca825fa4) and Ali Raza, “Macy’s Suffers Data Breach via Infected Payment Portal,” BeInCrypto, November 21, 2019 (https://news.beincrypto.com/2019/11/20/macys-suffers-data-breach-due-to-infected-payment-portal/).

4. See the Forrester report “Top Cybersecurity Threats In 2020.”
