11/15/22, 3:30 PM Gartner Reprint

Licensed for Distribution

Magic Quadrant for Cloud Web Application and API

Protection
Published 30 August 2022 - ID G00759361 - 53 min read

By Jeremy D'Hoinne, Adam Hils, and 2 more

The cloud web application and API protection market is growing rapidly. This Magic Quadrant
will help you identify cloud WAAP providers that offer easy-to-use controls and specialized
protections against advanced bots and evolving API attacks.

Strategic Planning Assumptions

By 2024, 70% of organizations implementing multicloud strategies for web applications in production
environments will favor cloud web application and API protection platform (WAAP) services over
WAAP appliances and IaaS-native WAAP.

By 2026, 40% of organizations will select a WAAP provider on the basis of its advanced API
protections and web application security features — up from less than 15% in 2022.

By 2026, more than 40% of organizations with consumer-facing applications that initially relied only
on a WAAP for bot mitigation will seek additional anomaly detection technology from specialized
providers — up from less than 10% in 2022.

Market Definition/Description
Cloud web application and API protection platforms (WAAPs) mitigate a broad range of runtime
attacks, notably the Open Web Application Security Project (OWASP) top 10 for web application
threats, automated threats and specialized attacks on APIs. Cloud WAAPs are cloud-delivered
services that primarily protect public-facing web applications and APIs.

Core capabilities of cloud WAAPs include:

■ Web application firewall (WAF): A WAF combines positive security models, signatures, heuristics
and anomaly detection to detect and prevent exploitation of application vulnerabilities.

■ Distributed denial-of-service (DDoS) protection: This can mitigate volumetric and “low and slow”
attacks by offering sufficient bandwidth, rate limits and anomaly detection. It also offers

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 1/32
11/15/22, 3:30 PM Gartner Reprint

distributed points of presence (POPs) to mitigate attacks closer to their sources.

■ Bot management: This detects malicious behavior from automated sources through reputation-
based, fingerprinting, heuristic and machine learning techniques. It also provides assurance that
authorized bots can get through.

■ API protection: This discovers, categorizes and applies specialized controls to API traffic. It can
also extract policies from API schemes.

Optional capabilities of cloud WAAPs include:

■ Client-side protection.

■ Protection against web defacement.

■ Vulnerability scanning.

■ Mobile app security.

■ DNS services and DNS security.

■ Content delivery network (CDN), load balancing, access management and other features.

Cloud WAAPs may integrate with infrastructure providers, security operation tools, and continuous
integration/continuous delivery (CI/CD) pipelines.

The Context section of this Magic Quadrant explains the change in the scope of this edition and the
impact of this change, especially on vendors that offer WAAP appliances in addition to cloud WAAP
services.

The Market Overview section later in this document highlights some of the recent trends in the WAAP
market.

Magic Quadrant
Figure 1: Magic Quadrant for Web Application and API Protection

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 2/32
11/15/22, 3:30 PM Gartner Reprint

Source: Gartner (August 2022)

Vendor Strengths and Cautions

Akamai

Akamai is a Leader in this Magic Quadrant. It is well-suited to appear on the cloud WAAP service
shortlists of organizations that want to protect business-critical, web-scale applications. This is
especially the case for organizations that have a broad and diverse portfolio of web applications and
APIs.

Akamai is a global cloud and security provider with almost 10,000 employees. It is headquartered in
Cambridge, Massachusetts, U.S. Akamai’s primary offerings include a CDN and application and
application security services. It has continued to expand its security portfolio, notably with the
acquisition of the microsegmentation vendor Guardicore in October 2021.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 3/32
11/15/22, 3:30 PM Gartner Reprint

In November 2021, Akamai updated its offering by merging Web Application Protector (WAP), its
simplified offering for midsize enterprises, with Kona Site Defender. The new product, App & API
Protector, includes some basic bot mitigation. Multiple add-ons are available, including an advanced
security management subscription.

Since the 2021 edition of this Magic Quadrant, the most significant change in Akamai’s WAAP has
been this repackaging of capabilities. Akamai also released Account Protector to protect against
account takeover, an updated version of its Adaptive Security Engine (ASE), and support for
Terraform deployments.

Strengths
■ Platform advantage: By combining and integrating a broad range of web application and web
application security features, Akamai’s global platform appeals to large organizations looking to
make a comprehensive set of features available in front of all their web applications.

■ Advanced capabilities: Akamai offers leading threat intelligence capabilities with its client
reputation feature, and often releases new controls before the rest of the market. This is apparent
in terms of Akamai’s API threat protection capabilities, as it is improving on its existing discovery
and classification capabilities at a time when many other vendors have not even released API
discovery features.

■ Feedback about support: Akamai’s customers continue to rate its support highly, which is a
notable achievement for a large platform provider. Consistently strong customer support creates
trust and drives adoption for Akamai when prospective customers ask for references from their
peers.

■ DDoS: Akamai gets high marks for its DDoS feature evaluation. Although it is relatively rare for
prospective customers to consider DDoS protection a differentiator, spikes in DDoS activity,
especially against APIs, still require strong application and volumetric defenses, which Akamai
provides.

Cautions
■ Price: Gartner continues to hear from prospective customers for whom the high overall price
charged by Akamai is a key reason for expanding their shortlists of vendors or reducing the scope
of Akamai deployments. Midmarket enterprises often prefer a less expensive alternative.

■ Confusion about portfolio transition: Gartner has received feedback from clients that Akamai is
not always clear about whether App & API Protector replaces or complements Kona Site Defender.
Some perceive the subscription reshuffle as a way to make them pay more or to subscribe to more
options.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 4/32
11/15/22, 3:30 PM Gartner Reprint

■ False positives: Akamai has invested in false-positive reduction with its improved ASE, but clients
continue to note a high rate of false positives, especially for bot detections.

■ UI complexity: Akamai has simplified its onboarding process, but still faces the difficulty of
combining many features and modules — for a variety of WAAP use cases, deployment should be
simpler. Users have welcomed the improvement in Terraform support, but they remain more likely
to use the UI, and report that Akamai’s ASE and traditional policy management could be more
integrated.

Amazon Web Services

Amazon Web Services (AWS) is a Challenger in this Magic Quadrant. AWS WAAP is suitable for
clients looking for native controls, a platform approach and vendor consolidation. Premium
professional services for developers and integration with DevOps tools make it a popular shortlist
candidate for application teams.

AWS is a cloud service provider (CSP) subsidiary of Amazon. It is headquartered in Seattle,

Washington, U.S. It offers several application and API security products, including a network firewall
(AWS Network Firewall), managed DDoS and WAF (AWS Shield Advanced). AWS’s WAF is primarily
available on the top of Application Load Balancer (ALB) or Amazon CloudFront (AWS CDN).

Since the 2021 edition of this Magic Quadrant, AWS has made feature enhancements to its WAAP
offering and expanded its CDN and WAAP infrastructure in Asia/Pacific. The feature updates related
to WAAP include enhancements to application layer DDoS mitigation and bot mitigation, the addition
of versioning and roll-back capability for managed rules.

Strengths
■ Infrastructure: AWS focuses on increasing its infrastructure’s global availability. AWS’s WAF is
deployed on all CloudFront POPs. It is available in 25 AWS Regions (general availability) and more
than 310 CloudFront edge nodes with over 310 POPs. In 2021, AWS added over 80 POPs, including
in Asia/Pacific.

■ DDoS mitigation: AWS has a comprehensive DDoS mitigation offering through AWS Shield and the
AWS WAF service. AWS offers mitigation for very high volumes of traffic, including attacks from
bots. AWS Shield protects against layer 3, 4, and 7 volumetric and application-based DDoS attacks.
AWS Shield DDoS protection is available in Standard and Advanced forms. Shield Standard
protection is included at no additional cost for all AWS customers.

■ Pricing: AWS uses a transparent, consumption-based pricing model that is easy to understand and
manage; it is published clearly on its website. AWS offers optional security features, such as bot
control, CAPTCHA, and account takeover prevention as chargeable add-ons to the base WAF
service. It also offers a Free Tier for bot control and account takeover prevention, with usage cap.
Shield Standard is also offered to all AWS customers as a basic DDoS mitigation service.
https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 5/32
11/15/22, 3:30 PM Gartner Reprint

■ Managed ruleset: AWS Managed Rules (AMR) is a strong WAAP feature. New feature
enhancements, such as account takeover protection and WAF CAPTCHA configuration based on
rate, attributes and labels from AMR, improve the product’s administration and deployment. A
JavaScript/mobile SDK enables the AMR feature to protect the application’s login page against
credential-stuffing attacks and other anomalous login activities.

Cautions
■ API security: AWS lags behind in terms of API threat protection, compared with many WAAP
vendors. It offers only direct support to JSON payloads, and supports GraphQL through AWS
AppSync integration. It also lacks machine learning (ML) features for API threat protection and
ML-based autodiscovery to categorize API endpoints.

■ Insufficient customization: Some AWS customers find the lack of ability to customize WAF rules a
drawback. They also regret the relative lack of detailed logging and monitoring alerts on the
dashboard.

■ Catchup strategy: AWS’s WAAP lacks innovation. To close feature gaps, AWS continues to
regularly add features that are already offered by leading competitors. As a result, clients for
whom best-of-breed bot mitigation and API threat protection are key criteria often select other
vendors.

■ Single cloud use case: AWS’s WAAP is a suitable candidate for application teams looking for
native controls, but it lacks visibility to network security teams and enterprises with hybrid and
multicloud environments, compared with offerings from many other WAAP vendors.

Barracuda

Barracuda is a Niche Player in this Magic Quadrant. It has headquarters in Campbell, California, U.S.
It performs well for existing Barracuda customers and relatively small enterprises, but faces strong
competition for larger enterprise pure-play cloud WAAP deals.

Barracuda Cloud Application Protection includes web application security products and services, the
most important being Barracuda’s cloud WAAP (Barracuda WAF-as-a-Service) and WAAP appliances
(Barracuda Web Application Firewall). The vendor also offers bot management (Barracuda Advanced
Bot Protection), DDoS and threat intelligence services. In recent months, Barracuda has added an
initial version of automated discovery of APIs and support for GraphQL.

In April 2022, investment firm KKR announced its intention to acquire Barracuda. In the past,
Barracuda has changed hands several times, without noticeable adverse impacts on its WAAP
product portfolio or roadmap.

Strengths

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 6/32
11/15/22, 3:30 PM Gartner Reprint

■ Modular UI: Barracuda’s modular approach to security enables organizations to advance their
WAAP deployment by adding new categories of controls as they make progress.

■ Accessible control refinements: Convenient risk-scoring and recommendation engines make it

easier to tackle refinements of controls, after an initial deployment.

■ API threat protection: Barracuda continues to enhance its API discovery and controls. It has
introduced new features such as a “confidence level” when discovering APIs and dedicated
configuration for graphQL. Gartner has limited feedback on these new capabilities, however.

■ Security for file uploads: Barracuda’s WAAP provides a good combination of malware inspection
and form protection for applications that require secure file uploads (for example, applications
that receive applicants’ resumes).

Cautions
■ Visibility in shortlist: Barracuda’s cloud WAAP struggles for visibility beyond Barracuda’s existing
customers in North America. When customers do evaluate Barracuda, Gartner tends to receive
feedback that the product is good enough but does not stand out.

■ Bot mitigation: Barracuda, which acquired a bot mitigation vendor in 2019, is not innovating
advanced bot management features as quickly as its leading competitors in the WAAP market.
Tuning of bot mitigation is primarily a back-end activity, which is not transparent to end users.
Response options are less flexible than those of leading competitors, and, until recently, dedicated
advanced credential protection features were lacking.

■ Incident response: Barracuda’s real-time incident response depends too much on external
integrations. Native event views are basic and lack some reports that security operations centers
(SOCs) use for external communication about their activities.

■ Support quality: Feedback from Barracuda customers about its support varies greatly. Many
express concern about the time it takes to get a precise answer when an issue concerns more
than a basic configuration.

Cloudflare

Cloudflare is a Leader in this Magic Quadrant. It is based in San Francisco, California, U.S. It has
quickly become very visible on cloud WAAP shortlists seen by Gartner, and has developed a set of
security features to compete with other Leaders.

Cloudflare has more than 3,000 employees, who are building its portfolio of cloud-delivered
application and security services. Its application security portfolio includes a cloud WAAP offering
(Cloudflare WAF), and DDoS and client-side protection (Cloudflare Page Shield).

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 7/32
11/15/22, 3:30 PM Gartner Reprint

In recent months, Cloudflare has continued to expand beyond application protection and delivery.
Recent WAAP features include API discovery, scheme ingestion and semiautomated rate limiting.
The vendor also improved its bot mitigation module.

Strengths
■ Threat intelligence: Cloudflare’s large base of small and midsize business (SMB) and personal
customers helps feed its global threat intelligence in order to detect new attacks more quickly. The
vendor combines its own analysis with third-party feeds, and recently acquired Area1 Security,
which further diversifies its sources.

■ Expanding presence in Asia/Pacific: Cloudflare’s infrastructure in Asia/Pacific is already one of

the most developed in the WAAP market. The vendor continues to invest in this region, as is
shown, for example, by a recent increase in its hiring.

■ Pervasive presence: Cloudflare has a strong ecosystem of channel and technical partnerships.
These make Cloudflare an extremely common choice by organizations in their infancy. They also
mean that its technology is an important one to work with for application platforms.

■ Platform advantage: By making security service edge (SSE) features available, Cloudflare has
increased the chance of it being selected for enterprise platform and consolidation projects. This
has considerably increased its attractiveness to large enterprises.

Cautions
■ Lack of hybrid deployment: Cloudflare is a pure-play cloud-delivered WAAP provider. Its offering
lacks the option to run as an agent, a Kubernetes sidecar or a containerized WAAP. The lack of
these hybrid deployment options might deter organizations deploying API architecture and looking
for a way to monitor east-west traffic.

■ Support: Although there have been some improvements to Cloudflare’s presales support,
Cloudflare’s larger enterprise customers continue to expect more consistent and better postsale
support. Gartner observes discrepancies in phone support quality and occasional failures to follow
up requests consistently.

■ Forensic analysis: Large enterprises with in-house SOCs continue to complain about Cloudflare’s
basic reporting capabilities and insufficient embedded features for incident response drill-down,
although these have improved recently.

■ User interface: Gartner continues to receive comments from users stating that Cloudflare’s
management interface can appear cluttered and confusing. Although they like its embedded
dashboards, they would like to see easier ways to perform custom security configuration from the
UI. Cloudflare has, however, recently updated its WAAP UI, based on customer feedback.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 8/32
11/15/22, 3:30 PM Gartner Reprint

F5

F5 is a Niche Player in this Magic Quadrant. Headquartered in Seattle, Washington, U.S., F5 is a large
vendor, with roots in the application delivery controller market, that now provides a portfolio of
application delivery and security products. It employs more than 6,500 staff, including a large web
application security team. F5’s WAAP portfolio includes multiple solutions. Its main cloud-based
WAAP offering is Distributed Cloud WAAP, built by combining its BIG-IP Advanced WAF, Volterra and
Shape Security acquisitions. It also offers managed services (Silverline Web Application Firewall),
Silverline DDoS Protection, Silverline Shape Defense, and a new cloud-managed Distributed Cloud
Account Protection service for fraud prevention. F5 also offers an appliance-based WAF (BIG-IP
Advanced WAF) and a lightweight module for NGINX called App Protect.

F5 launched its Distributed Cloud WAAP product in February 2022, combining Shape, Volterra and F5
WAAP technology into a single cloud-based WAAP platform. This is an important milestone in F5’s
strategic transition to a cloud-native platform. F5 has also acquired Threat Stack to improve its ability
to provide cloud security and compliance for infrastructure and applications.

Strengths
■ Ease of reporting: Distributed Cloud WAAP’s management console includes useful reporting
features out of the box. These include the ability to view the health of microservices through a
service mesh view and transactions of APIs through a service graph and API endpoint reports.

■ Flexibility of pricing model: F5 offers a free tier to enable organizations to get started with load
balancing and very basic WAF policies for its Distributed Cloud WAAP, which appeals to small and
midsize organizations.

■ Managed-service and support team investment: F5 invests heavily in its support capability and
keeps a good number of personnel in both its managed service and support teams. Customer
feedback about Distributed Cloud WAAP is limited because of this offering’s recent release, but F5
has a strong reputation for support.

■ Product strategy: Consolidating into a distributed cloud platform backed by many modules shows
good vision from F5 in responding to the market trend for consolidation of WAAP features.

Cautions
■ Distributed WAAP is new and maturing: Early feedback from clients indicates that F5’s new
Distributed Cloud WAAP is still a work in progress and does not have feature parity with Silverline
at the time of writing. F5 has, however, announced progress in reaching feature parity with the
June 2022 version of Distributed Cloud WAAP.

■ Disjointedness of WAAP portfolio: F5 continues to invest in separate WAAP products, which leads
to feature disparities. For example, the iRules feature is not carried over into the Distributed Cloud
WAAP offering (it is replaced by Service Policies). Organizations that adopt multiple F5 WAAP
https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 9/32
11/15/22, 3:30 PM Gartner Reprint

products for hybrid WAAP scenarios need to evaluate the operational complexity of managing
different WAAP policies.

■ Complexity of configuration: Within Distributed Cloud WAAP, every origin pool and WAAP instance
is tied to a load balancer configuration and requires configuration for load balancers in addition to
WAAP policies.

■ Roadmap execution: The shift from on-premises WAF appliance vendor to cloud WAAP provider is
proving challenging for F5. Distributed Cloud WAAP remains a work in progress, and the UI
reproduces configuration workflows that sometimes mimic an appliance form factor. F5 has made
slower progress than its leading competitors in terms of key capabilities such as bot mitigation,
application security and API threat protection, as it has focused its efforts on rebuilding features
for its new platform.

Fastly

Fastly is a Challenger in this Magic Quadrant. Headquartered in San Francisco, California, U.S., Fastly
is a CDN and DDoS provider that offers a cloud-based WAAP through integration of its Signal
Sciences acquisition. The Fastly Next-Gen WAF solution can be deployed as a runtime agent on top
of an NGINX proxy and as a WAAP service. The foundation of Fastly’s technology places minimal
focus on traditional signatures. It relies on its proprietary SmartParse engine, which uses a
proprietary mix of rules to parse requests: vendor rules; templated rules, with some customization;
and custom rules (“power rules”).

Since the 2021 edition of this Magic Quadrant, Fastly has introduced edge rate limiting and a
managed service called Response Security Service (RSS). It has also added support for GraphQL
inspection and HTTP/3.

Strengths
■ Flexibility of deployment model: Fastly’s deployment model lets customers deploy its WAAP in
multiple environments, such as the Fastly edge cloud. They can also deploy it in various ways,
such as within a traditional application, as a reverse proxy, or integrated with containers and
platform as a service (PaaS) environments.

■ Sales and support experience: Customers give Fastly high scores for its lower-than-expected
false-positive rates, after tuning. Clients rate Fastly highly for overall sales and support, praising
both the timeliness of its responses and the quality of its support team.

■ Native DevOps support: Fastly supports native integration with containers. It also offers support
for Terraform, as well as a variety of other DevOps tools for integration, such as Ansible.
Additionally, there is integration with Slack for alerting. Customers praise Fastly’s capabilities, with
integration for DevOps teams being the reason that many choose Fastly over other WAAP vendors.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 10/32
11/15/22, 3:30 PM Gartner Reprint

■ Ease of onboarding: Fastly customers frequently identify ease of onboarding in blocking mode as
a strength of Fastly’s product, especially when they are migrating from a legacy WAF that required
a large number of tuning policies.

Cautions
■ Slowness of roadmap execution: Fastly introduces new features more slowly than many vendors
in this market. This results in a widening capability gap between Fastly and its competitors in
areas such as API and application security features.

■ International presence: Although Fastly has invested in expanding its sales staff outside North
America, it still derives most of its revenue from U.S. customers. Clients outside North America
looking to utilize Fastly’s edge should verify how it is supported in their country.

■ Bot management features: Fastly continues to lag behind its main competitors in terms of bot
mitigation capabilities, and client feedback indicates that its bot reporting is weak. Fastly lacks a
curated credential-stuffing database and still offers only basic blocking techniques, such as
blocking based on velocity.

■ Native reporting: Fastly customers frequently complain that integration with a third party is
required for richer and more flexible reporting capabilities.

Fortinet

Fortinet is a Niche Player in this Magic Quadrant. Fortinet sells a WAAP service called FortiWeb
Cloud. It also offers a WAAP appliance product line called FortiWeb, which is shortlisted mainly by
existing network firewall customers who want to consolidate on a single vendor.

Headquartered in Sunnyvale, California, U.S., Fortinet is an established infrastructure and security

vendor with over 10,000 employees. Its primary product line remains its range of FortiGate firewall
appliances, but it has developed a large portfolio of security products and is slowly expanding into
cloud services.

During the evaluation period for this Magic Quadrant, Fortinet acquired Sken.ai, a DevSecOps
application security vendor, which could enhance the ability of Fortinet’s WAAP to integrate with
dynamic DevSecOps teams or pipelines and processes. Feature updates to Fortinet’s WAAP service
include a new threat analytics service, ML for anomaly detection updates, and ML-based API
discovery and protection.

Strengths
■ Market dynamics: FortiWeb Cloud’s presence is growing faster than the average for offerings in
this market, albeit from a small base. Fortinet is able to benefit from its large global customer
base by adding its cloud WAAP offering to existing deployments of Fortinet solutions.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 11/32
11/15/22, 3:30 PM Gartner Reprint

■ Geographic presence: Fortinet has an established global presence and a large sales channel. Its
strong direct presence in EMEA and high number of local support centers helps with initial presale
and postsale interactions.

■ Investment in machine learning techniques: Fortinet has advanced its ML techniques over the
past few years. It provides clear ML dashboards with detailed explanations of the use of ML.

■ Threat intelligence: FortiWeb’s risk-scoring view includes a trend-level history view that enables
users to compare their organization’s threat level with the average threat level within Fortinet’s
customer base.

Cautions
■ Hybrid deployment: Fortinet’s cloud WAAP cannot be managed from FortiManager, Fortinet’s
central management platform. Fortinet customers with hybrid deployments (appliances and cloud
WAAP) must manage their appliances using FortiManager and FortiWeb Cloud from a portal. This
limits Fortinet’s supposed advantage for central management of hybrid WAAP deployments.

■ Architectural limits: When competing with CDN-based WAAP providers, Fortinet’s architectural
limitations, such as the lack of a tunnel mode, the absence of remote hardware security module
(HSM) support and inability to run custom code at the edge, reduce its appeal.

■ Bot mitigation: Despite recent improvements, FortiWeb Cloud’s bot mitigation features are not yet
on a par with those of many of its competitors. This is especially true for advanced response
capabilities and when managing authorized bots. Prospective customers should seek peer
feedback on this feature, as most improvements are recent.

■ Customer experience: Clients often express dissatisfaction with the basic logging features of
FortiWeb Cloud. Although the number of FortiWeb cloud POPs has increased, customers continue
to request more POPs for FortiWeb Cloud, especially outside the Americas.

Imperva

Imperva is a Leader in this Magic Quadrant. It is headquartered in San Mateo, California, U.S. Imperva
has a long history in application security, and is well known for making advanced features available in
a cloud WAAP form factor. Imperva is a privately held application and data security vendor, part of
Thoma Bravo’s portfolio of security vendor equity investments.

Imperva Cloud WAF is the vendor’s cloud WAAP service offering. It is part of the “Imperva Anywhere”
portfolio, which also includes a WAAP gateway (the Imperva Web Application Firewall Gateway),
database security (Imperva Data Security) and other security services, including DNS security and
runtime application self-protection (RASP).

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 12/32
11/15/22, 3:30 PM Gartner Reprint

In the past year, noticeable changes have included improved Imperva’s CDN and caching features,
support for external HSMs, and numerous improvements to the advanced bot protection service,
including a new tarpit action.

Strengths
■ Product maturity: Longtime Imperva customers appreciate the stability and incremental
improvement of the UI, and the additional security controls. They trust the results of the threat
intelligence feeds and consider that the overall product gives good protection out of the box.

■ Event analytics: Imperva relies on multiple ML approaches for bot mitigation and for event
aggregation that shows promise for simplifying the management and incident response process.

■ Account takeover detection: The Imperva Account Takeover Protection module includes several
interesting features, such as detection of credential stuffing, and is designed to determine
malicious intent from successful logins or impossible logins.

■ Application security portfolio: The “Imperva Anywhere” strategy resonates with security teams
willing to centrally manage WAAP enforcement points in different form factors and to consider
adjacent application security approaches, such as RASP and database security.

Cautions
■ Executive churn: Over the past few years, Imperva’s leadership has changed a lot, especially in its
sales and distribution channel teams. Although its product strategy remains consistent, Gartner
has observed some adverse impact on Imperva’s roadmap execution and overall market presence
in the past 12 months.

■ DevOps deployment: Imperva’s cloud WAAP offering can be deployed as a sidecar proxy on Envoy,
but is not available as a containerized WAAP offering. Imperva lags behind other vendors in
supporting this deployment use case.

■ Global infrastructure: Imperva often struggles against its CDN competitors due to direct
comparisons of distributed infrastructure and presence. Imperva’s presence in Asia/Pacific lags
behind that of its direct competitors. Its cloud service does not have local POPs in China and has
only two in India.

■ Customer experience: Imperva’s customers would like to see it be more responsive when it comes
to supporting features regarded as “low-hanging fruit.” They highlight its late support for TLS 1.3
and lack of single sign-on (SSO) for back-end applications, and they expect better certificate
management.

Microsoft

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 13/32
11/15/22, 3:30 PM Gartner Reprint

Microsoft is a Niche Player in this Magic Quadrant. Its Azure Web Application Firewall (WAF) remains
basic, compared with the majority of competing offerings, but the desire to consolidate on fewer
vendors remains a key reason why organizations choose it.

Microsoft is a large IT and digital workplace vendor, based in Redmond, Washington, U.S. It has a
large product portfolio. Its infrastructure as a service (IaaS) and PaaS offering, Microsoft Azure,
includes a WAF (Azure WAF) built on top of its CDN (Azure Front Door), which is also available with
its application delivery solution (Azure WAF on Azure Application Gateway). Microsoft also offers
other security products, notably DDoS protection, API security and a security information and event
management (SIEM) tool (Microsoft Sentinel).

In the past 12 months, Microsoft has added multiple features. These include a new proprietary WAF
engine, updated bot classification and Default Rule Set 2.0, based on Microsoft threat intelligence,
which adds anomaly-based scoring and support for JSON and XML through Azure Front Door.

Strengths
■ Infrastructure: Microsoft is expanding its global Azure infrastructure to increase its presence in
different regions of the world. Microsoft Azure now has 179 POPs and over 60 Azure regions. In
the past 12 months, Microsoft has added 25 POPs.

■ Breadth of security portfolio: Microsoft has a huge product portfolio. In addition to Azure
products, it offers multiple security, compliance and identity applications, artificial intelligence and
other product lines. Many of its product lines have a huge market share, which makes Microsoft a
desirable vendor for organizations seeking to consolidate their technology vendors.

■ Customer feedback: Azure WAF customers praise its integration with Azure Front Door CDN and
other native Azure tools. Microsoft also offers WAF integration with Microsoft Sentinel, which
many customers recommend.

■ Volumetric DDoS: Microsoft offers volumetric DDoS protection to mitigate the impact of large
numbers of attacks. It has a highly distributed infrastructure to protect against distributed
volumetric DDoS attacks. Microsoft also offers a subscription to its DDoS rapid response team for
help with configuration or forensic investigation.

Cautions
■ Bot mitigation: Azure WAF offers only basic bot mitigation and lacks features offered by the
majority of WAAP vendors. It lacks features such as fingerprinting, JavaScript challenges, and ML
capabilities to detect good and bad bots. This makes it less desirable for enterprises seeking
mature bot mitigation within their WAAP solution.

■ API security: Azure WAF offers only basic API threat protection. It lacks features such as
autodiscovery and categorization of APIs, which are being offered by many WAAP competitors.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 14/32
11/15/22, 3:30 PM Gartner Reprint

This makes it a less desirable candidate for mature API threat protection integrated as a WAAP
feature.

■ Pace of execution: Azure WAF lacks many of the standard features offered by the majority of
WAAP vendors. Microsoft’s execution timelines for closing security feature gaps in its WAAP
products are longer than those of other competitors.

■ Customer feedback: Azure WAF customers find its logging and monitoring feature to be basic and
its integration with third-party SIEM products to be challenging. Azure WAF also lacks native
incident response alerts for the OWASP API top 10 threats.

Radware

Radware is a Visionary in this Magic Quadrant. It is trying to apply its differentiated approach to
application security, which combines ML techniques and rules, to the cloud WAAP segment. Radware
is also heavily invested in providing innovative WAAP form factors for DevOps environments.

Radware is based in Tel Aviv, Israel and Mahwah, New Jersey, U.S. It is primarily known for its DDoS
protection (DefensePro and Cloud DDoS Protection Service). Radware offers WAAP in various form
factors, including appliances, in a containerized envelope (Kubernetes Web Application Firewall
[KWAF]) and as a cloud WAAP service (Cloud WAF Service).

Since the 2021 edition of this Magic Quadrant, Radware has added API threat protection features to
its cloud WAAP, including API discovery and automated detection of API changes. It has also
introduced a feature that automatically detects potential false positives and notifies customers of
potential signature changes to minimize false positives.

Strengths
■ Suitability for DevOps environments: SecurePath, a fully managed, out-of-band cloud WAF
deployment mode with connectors to NGINX and Amazon CloudFront, appeals to cloud architects
and DevOps teams looking for nonintrusive third-party web app security.

■ Innovation: Radware’s recent roadmap includes advances in application security. Examples

include automated false-positive detection and the introduction of SecurePath.

■ Security techniques: Gartner clients value the automated learning approach that Radware takes,
even if they are using it only on a “trust but verify” basis.

■ Threat research team: Radware effectively packages its threat research with support from its
emergency response team (ERT). It also provides detailed technical blog posts that demonstrate
the depth of its knowledge in this area.

Cautions

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 15/32
11/15/22, 3:30 PM Gartner Reprint

■ Transition strategy: Radware is continuing with its transition from appliance-based application
delivery controllers to cloud and application security. Radware’s success in selling cloud WAAP
services is not yet on par with that of the large platform and CDN providers.

■ Fragmentation of management consoles: Radware’s cloud portal can only manage its cloud
WAAP. Radware’s appliance management console handles appliances and Kubernetes containers.
Hybrid use cases therefore require the use of at least two management consoles, which limits the
advantage of using the same vendor. The most frequent complaint Gartner hears from Radware
customers is about the weakness of its management capabilities.

■ Solution architecture: Radware’s ad hoc attack signature set is less extensive than those of the
leading vendors in the market. This causes some non-Radware WAF users to question the efficacy
of its solution.

■ Bot mitigation: Over the past 12 months, customer feedback about Radware’s bot mitigation
module’s ease of use has worsened. This is often due to configuration options that are less
granular and intuitive than those of Radware’s leading competitors.

ThreatX

ThreatX is a Niche Player in this Magic Quadrant. This cloud-native security startup vendor, which
was launched in 2015 and has its main headquarters in Boston, Massachusetts, U.S., is expanding its
operations around the world. It relies on its automated, risk-based classification of events to
differentiate itself from other WAAP providers.

The ThreatX WAAP Platform comprises containerized processing units, which can be deployed in
various environments, and a cloud-hosted analysis engine. ThreatX offers managed security
services, including a 24/7 managed SOC supported by a small team and automated procedures.

Since the 2021 edition of this Magic Quadrant, ThreatX has introduced API discovery, schema
ingestion and support for GraphQL, which complement its API protection features by showing
discovered API endpoints. It has also made available a modernized Attack Dashboard.

Strengths
■ API discovery: ThreatX has introduced intuitive API autodiscovery, and is increasingly being
shortlisted for API protection-centric use cases.

■ Capabilities: ThreatX’s WAAP offers three options for blocking: risk-based, per request and manual
(detection only). Most clients like the ability to combine the risk-based approach with the per-
request blocking option as it ensures limited risk and limited impact in the event of false positives.

■ Product strategy: ThreatX’s container-driven product strategy gives it early traction in the
distributed WAAP space, and could be useful for monitoring east-west API traffic.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 16/32
11/15/22, 3:30 PM Gartner Reprint

■ Customer experience: ThreatX receives high marks from customers for its ease of deployment
and customer support, which, among other things, responds quickly to requests for rule
customization.

Cautions
■ Geographic strategy: ThreatX operates primarily from the U.S. Its management console is
available only in English, as is its product documentation. Support is delivered from U.S.-based
locations and Estonia. ThreatX has yet to introduce many POPs outside North America.

■ Size of team: Although ThreatX’s platform can be used without managed services, the vendor
strongly encourages use of these services, which are included in the cost of its WAAP platform.
Given the small size of ThreatX’s support team, large organizations should check whether ThreatX
can support them with these included services.

■ Learning curve: ThreatX has a relatively small, but growing, customer base. It takes a proprietary
approach that relies on detecting attacker behavior and lacks good explainability and fine-grained
configuration options. Organizations that do not use its managed services may require additional
training to make full use of the platform for optimal protection.

■ Bot mitigation: ThreatX lacks some features that its competitors offer. It offers only a limited
number of the bot mitigation features often requested in customers’ RFIs, such as bot farm
detection, mouse and keyboard analytics, and a predefined set of good bots. It also lacks client-
side protection.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of
these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's
appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we
have changed our opinion of that vendor. It may be a reflection of a change in the market and,
therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added
None.

Dropped
None.

Inclusion and Exclusion Criteria

Each vendor of a cloud WAAP corresponding to the description in the Market Definition/Description
section of this Magic Quadrant was considered for inclusion if:

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 17/32
11/15/22, 3:30 PM Gartner Reprint

■ Its offering(s) can protect applications and APIs running on different types of host environments,
such as web servers, service containers and PaaS.

■ Its WAF technology is known to be approved by qualified security assessors as a solution for
Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6, which covers the
OWASP top 10 threats, in addition to others.

■ It offers a cloud WAAP as a service.

■ Its cloud WAAP service was generally available as of 1 January 2021.

■ Its data centers are in at least two metropolitan areas, separated by a minimum of 250 miles, on
separate power grids.

■ It offers an SLA, with a minimum of 99.9% availability, with committed financial penalties in case
of failure to meet the SLA.

■ Its cloud WAAP service demonstrates global presence, features and scale relevant to enterprise-
class organizations. It must have either:

■ Generated $20 million in cloud WAAP revenue during 2021 and had at least 80 enterprise
customers use its cloud WAAP products under support as of 31 December 2021, including:

■ At least 25 net new enterprise cloud WAAP customers in 2021.

■ Or generated $5 million in annual recurring revenue (ARR) for its cloud WAAP, for the 12 months
of 2021, and had two years of compound annual revenue growth (CAGR) of at least 50%.

■ It demonstrates at least the minimum signs of global presence by:

■ Presenting Gartner with strong evidence that more than 10% of its cloud WAAP service’s
customer base is outside its home region (the Americas, EMEA or Asia/Pacific).

■ Offering a POP in at least two of the following regions: North America, EMEA and Asia/Pacific.

■ It offers 24/7 support, including phone support — in some cases, this is an add-on, rather than
being included in the base service.

■ It is a significant player in the market, as determined by Gartner on the basis of its market
presence, competitive visibility or technology innovation.

■ It is a top provider in terms of Gartner-estimated market share or mind share for relevant
segments of the overall WAAP market.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 18/32
11/15/22, 3:30 PM Gartner Reprint

■ It is the subject of inquiries from users of Gartner’s client inquiry service, and has competitive
visibility, client references and local brand visibility.

■ Its WAF technology provides more than a repackaged ModSecurity engine and signatures.

■ It provides evidence to show that it meets the above inclusion requirements.

WAAP and WAF vendors not included in this Magic Quadrant may have been excluded for one or
more of the following reasons:

■ The vendor primarily has a network firewall or IPS with a non-enterprise-class WAAP.

■ The vendor is:

■ Primarily a managed security service (MSS) provider and its WAF/WAAP sales are mostly part
of broader MSS provider contracts.

■ A service provider using third-party WAF or WAAP technology.

■ A WAAP provider offering a cloud WAAP in the form of WAAP virtual machines (VMs) managed
by third parties.

■ The vendor offers only a fully managed WAAP, with no self-service.

■ The vendor is not actively providing WAAP products to enterprise customers, or has minimal
continued investment in the enterprise WAAP market.

■ The vendor has minimal or negligible apparent market share among Gartner clients, or is not
actively shipping products.

■ The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs,
resellers that repackage products that would qualify from their original manufacturers, and carriers
and internet service providers that offer managed services. We assess the breadth of OEM
partners as part of the WAAP evaluation, and do not rate platform providers separately.

■ The vendor has only a host-based WAF, WAAP, web access management (WAM), RASP or API
gateway (these are considered distinct markets).

Honorable Mentions
In addition to the vendors included in this Magic Quadrant, Gartner tracks vendors that did not meet
our inclusion criteria because of a specific vertical market focus and/or shortcomings in terms of
WAAP revenue and/or competitive visibility in WAAP projects. The following merit mention here:

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 19/32
11/15/22, 3:30 PM Gartner Reprint

■ Alibaba Cloud is a large cloud service provider based in China. It offers the Alibaba Cloud Web
Application Firewall (with built-in bot management and API protection features) and Alibaba Anti-
DDoS products as part of its cloud service offering. It appeals to customers who are implementing
cloud services from Alibaba. Alibaba Cloud did not qualify for inclusion in this Magic Quadrant due
to its more regional presence and the lack of feature parity for WAF and DDoS protections outside
its home region.

■ Citrix is a large infrastructure and security vendor based in the U.S. In 2020, it launched Citrix Web
Application and API Protection (CWAPP), a cloud-based WAAP service. While expanding CWAPP,
Citrix continues to be successful at selling its WAF as an add-on to its application delivery
controllers (ADCs). Citrix did not qualify for inclusion in this Magic Quadrant primarily because it
did not meet the customer thresholds for cloud WAAP service.

■ Cloudbric is a cloud-native web application security vendor based in South Korea. It is a spinoff
from Penta Security Systems, which offers WAAP appliances (called WAPPLES). Cloudbric’s
WAAP as a service is primarily available in the vendor’s home region. Cloudbric did not qualify for
inclusion in this Magic Quadrant due to insufficient presence outside its home region.

■ Google is a large cloud service provider headquartered in the U.S. Google is investing in WAAP-
related services, including Cloud Armor for DDoS protection and a web application firewall,
reCAPTCHA Enterprise to combat automated bots and detect online fraud, and Apigee for API
protection. Google is not included in this Magic Quadrant because it did not have a generally
available cloud WAAP offering as of 1 January 2021.

■ Indusface is a WAAP vendor based in India. It sells the AppTrana WAAP solution primarily bundled
with managed services. It continues to attract positive feedback from customers who use its
product and like its managed-services approach to WAAP. Indusface did not qualify for inclusion in
this Magic Quadrant because it offers a primarily managed solution and lacks sufficient presence
outside its home region.

■ NSFOCUS is a security vendor based in China. It offers a cloud WAAP service and a range of
appliance and WAAP service offerings that appeal to clients looking for a WAAP in China, and it
continues to grow its presence in other regions. NSFOCUS did not qualify for inclusion in this
Magic Quadrant because it did not meet the thresholds for cloud WAAP service and had
insufficient presence outside its home region.

Evaluation Criteria
Ability to Execute
Product or Service: This criterion includes the core cloud WAAP technology offered by the
technology provider that competes in and serves the defined market. It also includes current product

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 20/32
11/15/22, 3:30 PM Gartner Reprint

or service capabilities, quality, feature sets and skills, whether offered natively or through OEM
agreements and partnerships, as defined in the Market Definition/Description section. Strong
execution means that a vendor has demonstrated to Gartner that its products or services are
successfully and continually deployed in enterprises. Execution is not primarily about company size
or market share, although these factors can considerably affect a company’s Ability to Execute.
Some key features, such as the ability to support complex deployments (including on-premises and
cloud options) with real-time transaction demands, are weighted heavily. Product evaluation also
considers other cloud WAAP core security functions. These include DDoS protection services, bot
management (such as bad-bot mitigation and good-bot management) and API threat protection,
which might be bundled or integrated with WAF features.

This year’s evaluation increases the importance of delivering specialized controls when protecting
APIs. Integration with other markets, such as those for cloud access service brokers (CASBs) and
application security testing (AST), is evaluated as well, but more lightly.

This year’s evaluation increases the importance of delivering specialized controls when protecting
APIs.

Overall Viability: This criterion assesses the organization’s overall financial health, and the financial
and practical success of the business unit. Also assessed are the likelihood that individual business
units will continue to invest in a cloud WAAP, offer cloud WAAP products and advance the state of
the art within the organization’s portfolio of products.

Sales Execution/Pricing: This criterion encompasses the technology provider’s capabilities in all
presales activities and the structure that supports them. It includes deal management, pricing and
negotiation; presales support; and the overall effectiveness of the sales channel. It also includes deal
size, and the use of the product or service in large enterprises with critical public web applications,
such as banking and e-commerce applications. Low pricing will not guarantee strong execution or
client interest. Buyers want good results even more than they want bargains. Buyers balance cloud
WAAP security requirements and pricing; they do not consider best pricing only.

For cloud WAAP providers with multiple security products, or a WAAP appliance offering, this
criterion also evaluates the ability to craft a pricing model adapted to a cloud WAAP. This model
should not inherit characteristics from pricing models used for other product offerings that are
unsuitable for a cloud WAAP.

Market Responsiveness/Record: This criterion assesses the ability to respond, change direction, be
flexible and achieve competitive success as opportunities develop, competitors act, and security
trends and customer needs evolve. It includes a vendor’s responsiveness to new or updated web
application frameworks and standards, as well as its ability to adapt to market dynamics (such as the
relative importance of PCI compliance) and changes. This criterion also considers the provider’s

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 21/32
11/15/22, 3:30 PM Gartner Reprint

history of releases, but gives greater weight to its responsiveness during the most recent product life
cycle.

Marketing Execution: This criterion assesses the clarity, quality, creativity and efficacy of programs
designed to deliver the organization’s message. It is aimed at influencing the market, promoting the
brand and business, increasing product awareness, and establishing positive identification with the
product, brand and organization among buyers. This mind share can be driven by a combination of
publicity, promotional activities, thought leadership, word of mouth and sales activities.

Customer Experience: This criterion assesses the relationships, products, services and programs
that enable clients to be successful with the products that are being evaluated. Specifically, it
includes the ways in which customers receive technical support or account support. It can also
include ancillary tools, customer support programs (and the quality thereof), the availability of user
groups, and SLAs that enable the organization to operate effectively and efficiently on an ongoing
basis.

Operations: This criterion evaluates the organization’s ability to meet its goals and commitments.
Factors include the quality of the organizational structure. For vendors with multiple WAAP form
factors (such as appliances), this criterion evaluates the organization’s alignment with the offer of a
cloud-delivered WAAP. For vendors with a broad security portfolio, it also evaluates the ability to
maintain focus on the cloud WAAP service offering.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria Weighting

Product or Service High

Overall Viability Medium

Sales Execution/Pricing High

Market Responsiveness/Record High

Marketing Execution Medium

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 22/32
11/15/22, 3:30 PM Gartner Reprint

Evaluation Criteria Weighting

Customer Experience High

Operations Medium

Source: Gartner (August 2022)

Completeness of Vision
Market Understanding: This criterion assesses the vendor’s ability to understand buyers’ wants and
needs, and to translate that understanding into products and services. Vendors with the most vision
listen to and understand buyers’ requirements, and can shape or enhance them. They also determine
when emerging use cases will greatly influence how the technology has to work. Vendors that better
understand how changes in web applications affect security receive higher scores. Trends include
cloud, IaaS, agile methodologies, web services and microservices, continuous integration, and the
growing importance of APIs.

Marketing Strategy: This criterion looks for a clear, differentiated set of messages that is
consistently communicated throughout the organization and externalized through the website,
advertising, customer programs and positioning statements. Assessment includes the vendor’s
ability to communicate effectively about how its solution is a good fit for emerging use cases.

Sales Strategy: This criterion looks for a strategy that uses an appropriate network of direct and
indirect sales, marketing, service and communication affiliates to extend the scope and depth of a
vendor’s market reach, skills, expertise, technologies, services and customer base. The ability to
attract new customers who need web application security only is weighted heavily.

Compared with the 2021 edition of this Magic Quadrant, this criterion has been revised to reflect
strategies adapted to cloud-delivered WAAP and “as a service” offerings.

Offering (Product) Strategy: This criterion assesses a vendor’s approach to product development
and delivery, with an emphasis on differentiation, functionality, methodology and feature sets, in
relation to current and future requirements. As attacks change and become more targeted and
complex, we give heavy weightings to vendors’ efforts to move their WAAPs beyond rule-based web
protections that are limited to known attacks by, for example:

■ Combining rules, heuristics and ML to detect abnormal behaviors.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 23/32
11/15/22, 3:30 PM Gartner Reprint

■ Using a weighted scoring mechanism based on a combination of techniques to shape the WAAP’s
responses.

■ Providing updated security engines to handle all protocols and standards updates, and remaining
efficient in relation to changes in how older web technologies are used.

■ Providing dedicated protection techniques for emerging web application use cases, such as
mobile and Internet of Things (IoT) applications.

■ Offering bot mitigation that is not limited to reputation-based controls.

■ Providing API protection.

■ Analyzing user behavior.

■ Countering evasion techniques actively.

■ Enabling a positive security model with automatic and efficient policy learning.

In this year’s Magic Quadrant, we have increased the weighting for delivery of differentiated security
controls when protecting APIs, including automated discovery and anomaly detection.

This criterion also evaluates the depth of features provided, especially features that ease
management of the solution, and its integration with other solutions, such as SIEM tools, API
gateways and other technologies (CASBs, for example).

Vertical/Industry Strategy: This criterion assesses the vendor’s strategy to direct resources, skills
and offerings to meet the specific needs of individual market segments, including vertical industries.
Vendors focusing on a single vertical receive lower scores. Vendors with differentiated vertical
strategies and the ability to reproduce success across several verticals receive higher scores.

Innovation: This criterion examines the direct, related, complementary and synergistic layouts of
resources, expertise or capital for investment, consolidation, defensive or preemptive purposes. It
includes product innovation and quality differentiators, such as:

■ New methods for detecting web attacks and avoiding false positives.

■ Resistance to evasion and detection of new attack techniques.

■ A management interface, monitoring and reporting that contribute to easy web application setup
and maintenance, better visibility, and faster incident response.

■ Automated delivery of detection and protection.

■ Ability to integrate with DevOps processes and tools.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 24/32
11/15/22, 3:30 PM Gartner Reprint

■ Integration with companion security technologies, which improves overall security.

Geographic Strategy: This criterion assesses a vendor’s strategy to direct resources, skills and
offerings to meet the specific needs of geographies outside its “home” country or region. This can
happen directly or through partners, channels and subsidiaries, as appropriate for the geography and
market. This criterion considers a vendor’s infrastructure (POPs), but is not limited to technical
components. It also considers how the vendor adapts its strategy to local cloud demands and
privacy requirements.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria Weighting

Market Understanding High

Marketing Strategy Medium

Sales Strategy Low

Offering (Product) Strategy High

Business Model NotRated

Vertical/Industry Strategy Low

Innovation High

Geographic Strategy Medium

Source: Gartner (August 2022)

Quadrant Descriptions
https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 25/32
11/15/22, 3:30 PM Gartner Reprint

Leaders
Leaders can shape the market by introducing additional capabilities to their offerings, raising
awareness of the importance of those features and being the first to do so. Leaders also meet
enterprises’ requirements for different uses of web application security.

Leaders have strong market shares and steady growth, but these alone are not sufficient to qualify as
a Leader. Leaders in the cloud WAAP market require strong distributed infrastructure and must
ensure high-level security and smooth integration into a web application environment. They also
require advanced web application behavior learning; superior ability to block common threats (such
as SQL injection [SQLi], cross-site scripting [XSS] attacks and cross-site request forgery [CSRF]),
protect custom web applications and avoid evasion techniques; strong deployment, management
and real-time monitoring; and extensive reporting. Leaders should also provide, and regularly
improve, DDoS protection, and be ahead of the market in terms of bot mitigation and API security
capabilities.

In addition to providing technology that is a good match for customers’ requirements, Leaders exhibit
superior vision and execution for anticipated requirements, and drive evolution in web applications
that requires changes to the security paradigm.

Challengers
Challengers have a sound customer base, but do not lead in terms of security features. Challengers
draw on existing clients from other markets (such as the IaaS and CDN markets) to sell their cloud
WAAP technology, rather than competing to win deals through product differentiation. Challengers
may be well-positioned and have good market shares in a specific segment of the WAAP market
(such as a specific cloud infrastructure segment), but do not address the entire market (and may not
be interested in doing so).

Visionaries
Visionaries provide key innovations to address web application security concerns. They devote many
resources to security features that help protect critical business applications against targeted
attacks. However, they lack the ability to influence a large portion of the market. They either have not
expanded their sales and support capabilities on a global basis, or they lack the funding to execute
with the same capabilities as Leaders or Challengers. They also have a smaller presence in the cloud
WAAP market, as measured by installed base, revenue size or growth, or in terms of overall company
size or Gartner’s assessment of long-term viability.

Niche Players
The Niche Players quadrant primarily includes vendors of cloud WAAPs that are a good match for
specific use cases (such as PCI compliance) or vendors with a limited reach in relation to cloud
WAAP deployments. The cloud WAAP market includes several European and Asian vendors that

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 26/32
11/15/22, 3:30 PM Gartner Reprint

serve clients in their regions well with local support, and that can quickly adapt their roadmaps to
specific needs, but that do not sell outside their home countries or regions.

Even when selling large-scale products, some Niche Players offer features that only suit the needs of
SMBs.

Niche Players may also have a small installed base because their cloud WAAP products are recent, in
transition, or limited, according to Gartner’s criteria, by various factors. These factors may include
limited investment or capabilities, and other inhibitors to providing a broader set of capabilities to
enterprises both now and during the next 12 months.

Niche Players may be in the early stages of building a broader product. Inclusion in the Niche Players
quadrant does not reflect negatively on a vendor’s value within its more narrowly focused service
spectrum.

Context
This Magic Quadrant evaluates vendors of WAAP offerings that are delivered as cloud services
(WAAP services), in contrast to previous editions that covered vendors of both appliances and cloud
WAAP technologies. This change alters the customer expectations we have considered and the
relative positions of evaluated vendors.

WAAP vendors with an existing appliance portfolio are now evaluated primarily for their cloud
WAAPs. Vendors are now evaluated against other cloud WAAP vendors only. This changes their
positioning, as WAAP appliances are not weighted as in the previous Magic Quadrant.

Gartner’s inclusion and exclusion criteria include a requirement to derive meaningful revenue from
outside a vendor’s home region, as well as a requirement for a minimum number of customers for
the WAAP service. This has led to the exclusion of some smaller or more regional vendors (see the
Honorable Mentions section).

The adjacent WAAP appliance market is closer than the cloud WAAP market to its WAF roots and
many of the vendors evaluated in this Magic Quadrant have their appliance technology at the core of
their cloud WAAPs. Some organizations continue to select WAAP appliances, instead of cloud
WAAPs, to ensure a unified management and reporting console across on-premises and cloud data
centers. Additional reasons to use WAAP appliances include insufficient, or a complete lack of, cloud
WAAP POPs in a particular country, other local data residency regulations, and discomfort with the
consumption-based licensing of cloud WAAPs.

The cloud WAAP market includes historical WAAP appliance providers that are building a cloud
presence by using infrastructure as a service (IaaS) and offerings from CDN and IaaS providers.
Because many local or platform providers might wrap a WAF around a ModSecurity engine, and use
one of the available rule sets, many legacy WAF solutions are available and compete with WAAP
offerings. These products are not evaluated in this Magic Quadrant.
https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 27/32
11/15/22, 3:30 PM Gartner Reprint

Gartner generally recommends that clients consider products from vendors in every part of a Magic
Quadrant, based on their specific functional and operational requirements. This is especially true for
the cloud WAAP market, which includes many relatively small vendors, as well as larger vendors that
derive only a small share of their revenue from cloud WAAP offerings. Product selection decisions
should be driven by organization-specific requirements. These relate to factors such as deployment
constraints and scale, the relative importance of compliance, the characteristics and risk exposure of
business-critical and custom web applications, and vendors’ local support and market
understanding.

Security managers considering cloud WAAP deployments should first define their deployment
constraints, especially their:

■ Tolerance for a full, in-line reverse proxy with blocking capabilities in front of web applications.

■ TLS decryption/re-encryption and other scalability requirements.

■ Detailed needs for bot management, especially advanced and nonintrusive responses.

■ Requirements to protect applications hosted on multiple cloud and on-premises locations.

■ Ability to secure the more recent API architectures (such as Microservices architectures).

Market Overview
The overall cloud WAAP market is mature, though some segments are quite dynamic, such as bot
management and API threat protection. Unlike the WAAP appliance market, which is dominated by
replacement purchases, the cloud WAAP market continues to experience double-digit growth, thanks
to new customers, new applications to protect, and shifts from appliances to cloud-delivered
security.

In the past 12 months, cloud WAAP has been the dominant form factor for new deployments in the
Americas and EMEA. The remaining WAAP appliance deployments continue to fuel many renewal
purchases, especially in the form of virtual appliances. The WAAP appliance form factor is also a
serious contender for hybrid deployments.

API security is becoming a key part of WAAP evaluations in situations where WAAP providers
compete against more specialized API threat protection vendors. Gartner has observed noticeable
improvements in some API protection offerings from vendors evaluated this year. However, API
protection features integrated into cloud WAAPs often look like initial versions and tend to lack
depth, especially in terms of providing context relevant to API specialists in alerts and business
context management for discovery modules. More vendors have introduced decent API discovery
capabilities in the past year.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 28/32
11/15/22, 3:30 PM Gartner Reprint

Providers of the more mature bot mitigation modules face reinvigorated competition from the
remaining bot mitigation specialists, and have focused their efforts on a few differentiators:

■ Fine-grained categorization of malicious and authorized bots.

■ Better controls against human-operated bots (“hu-bots”), especially CAPTCHA- solving services.

■ Alternatives to traditional intrusive CAPTCHA services.

■ Ability to distinguish between good and bad human actors, particularly to mitigate account
takeovers.

Growth in the use of ML to detect and reduce false positives has leveled off in the past year, with no
noticeable improvements and a slight de-emphasization from vendors that reflects general market
fatigue about “ML hype.” ML could still be useful to overcome the more complex challenge of
managing WAAP configurations at scale, while providing the right combination of change workflow
management, reliable configuration auditing and change traceability, and a good mix of global, per-
group and per-application settings. However, Gartner has not observed any noticeable improvement
in this area.

Distributed WAAP Emerges as a Separate Segment of the WAAP Market

A growing number of cloud WAAP vendors are adding deployment options for the more automated
cloud applications: Kubernetes sidecars, containerized WAAPs and WAAP agents. The future of this
segment remains unclear, however. But embedded WAAPs cannot replace cloud-delivered WAAPs for
every use case and requirement such as DDoS protection or the ability to deploy quickly in front of
hundreds of applications hosted on various environments.

Distributed WAAPs are intended to improve DevSecOps practices to secure newly developed
applications through “shift left” techniques, but they do not address the “shift right” needs of legacy
and third-party applications. In future, large enterprises with mature DevOps practices will demand a
combination of cloud gateway WAAPs and distributed WAAPs to enable DevSecOps and better
protect existing applications.

WAAP controls, deployed closer to the applications they protect, could provide benefits such as:

■ Gathering of better contextual information from applications and details of who or what is
accessing a microservice, which could help reduce the false-positive rate.

■ Classification of, and protection against, new categories of threats to microservices environments
through the use of dedicated, unsupervised ML techniques.

■ Enabling application development teams to declare application context programmatically and

WAAPs to automatically enforce or modify the correct security rules at runtime.
https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 29/32
11/15/22, 3:30 PM Gartner Reprint

The most likely scenario for the coming months is that WAAP agents, containers and VMs will be
components of an integrated network and distributed WAAP. Centralized but flexible management
and monitoring remains one of the biggest challenges for distributed WAAPs to overcome if they are
to become a reality at scale. Vendors must also identify which features are most suitable for
distributed WAAPs, such as specific, targeted protections for certain workloads, and which should be
enforced at the network level, such as API discovery and bot mitigation.

Evaluation Criteria Definitions

Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This
includes current product/service capabilities, quality, feature sets, skills and so on, whether offered
natively or through OEM agreements/partnerships as defined in the market definition and detailed in
the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the
financial and practical success of the business unit, and the likelihood that the individual business
unit will continue investing in the product, will continue offering the product and will advance the
state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that
supports them. This includes deal management, pricing and negotiation, presales support, and the
overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve

competitive success as opportunities develop, competitors act, customer needs evolve and market
dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the
organization's message to influence the market, promote the brand and business, increase
awareness of the products, and establish a positive identification with the product/brand and
organization in the minds of buyers. This "mind share" can be driven by a combination of publicity,
promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be

successful with the products evaluated. Specifically, this includes the ways customers receive
technical support or account support. This can also include ancillary tools, customer support
programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the
quality of the organizational structure, including skills, experiences, programs, systems and other
vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 30/32
11/15/22, 3:30 PM Gartner Reprint

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate
those into products and services. Vendors that show the highest degree of vision listen to and
understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout

the organization and externalized through the website, advertising, customer programs and
positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and
indirect sales, marketing, service, and communication affiliates that extend the scope and depth of
market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that
emphasizes differentiation, functionality, methodology and feature sets as they map to current and
future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the
specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital
for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the
specific needs of geographies outside the "home" or native geography, either directly or through
partners, channels and subsidiaries as appropriate for that geography and market.

© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written
https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 31/32
11/15/22, 3:30 PM Gartner Reprint

permission. It consists of the opinions of Gartner's research organization, which should not be construed as

statements of fact. While the information contained in this publication has been obtained from sources believed to
be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment
advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any third party. For
further information, see "Guiding Principles on Independence and Objectivity."

About Careers Newsroom Policies Site Index IT Glossary Gartner Blog Network Contact Send
Feedback

© 2022 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

https://www.gartner.com/doc/reprints?id=1-2AZ6CD08&ct=220831&st=sb 32/32