Cloud Web Application and API Protection Magic Quadrant
The market for protecting cloud web applications and APIs is expanding quickly. You can use this Magic Quadrant to find cloud WAAP providers that provide simple controls and specialised defences against sophisticated bots and changing API attacks.
Planning assumptions for the future
By 2024, 70% of organisations implementing multicloud strategies for web applications in production environments will prefer cloud web application and API protection platform (WAAP) services over WAAP appliances and IaaS-native WAAP.
By 2026, 40% of organisations will choose a WAAP provider based on their web application security features and advanced API protections, up from less than 15% in 2022.
By 2026, more than 40% of organisations with consumer-facing applications that initially relied solely on a WAAP for bot mitigation will seek additional anomaly detection technology from specialised providers, up from less than 10% in 2022.
Market Definition/Description
Cloud web application and API protection platforms (WAAPs) mitigate runtime attacks, including the Open Web Application Security Project’s (OWASP) top 10 web application threats, automated threats, and specialised attacks on APIs. Cloud WAAPs are cloud-delivered services that mainly safeguard public-facing web applications and APIs.
Cloud WAAPs’ fundamental capabilities include:
Web application firewall (WAF): To find and stop the exploitation of application vulnerabilities, a WAF combines positive security models, signatures, heuristics, and anomaly detection.
Distributed denial-of-service (DDoS) protection: By providing enough bandwidth, rate limits, and anomaly detection, this can lessen the impact of volumetric and “low and slow” attacks. Additionally, it provides distributed points of presence (POPs) to thwart attacks near their origins.
Bot management: Uses reputation-based, fingerprinting, heuristic, and machine learning techniques to identify malicious behaviour coming from automated sources, while ensuring that legitimate bots can pass through.
API protection: Identifies and classifies API traffic and applies specialised controls to it. It can also derive policies from API schemas.
The following features are optional for cloud WAAPs:
Client-side security.
Protection from website vandalism (defacement).
Vulnerability scanning.
Security for mobile apps.
DNS security and services.
Additional features such as access control, load balancing, and content delivery network (CDN).
Continuous Integration/Continuous Delivery (CI/CD) pipelines, security operation tools, and infrastructure providers can all be integrated with cloud WAAPs.
The scope change for this edition and its effects, particularly on vendors that provide WAAP appliances in addition to cloud WAAP services, are explained in the Context section of this Magic Quadrant.
Some recent trends in the WAAP market are highlighted in the document’s Market Overview section.
| Evaluation Criteria | Weighting |
|---|---|
| Customer Experience | High |
| Market Responsiveness/Record | High |
| Product or Service | High |
| Sales Execution/Pricing | High |
| Marketing Execution | Medium |
| Operations | Medium |
| Overall Viability | Medium |
Vendor Strengths and Cautions
Akamai
Within this Magic Quadrant, Akamai is a Leader. It is a strong shortlist candidate for organisations seeking cloud WAAP services to safeguard web-scale, mission-critical applications, particularly businesses with a wide variety of web applications and APIs.
With almost 10,000 employees worldwide, Akamai is a security and cloud provider. Its main office is in Cambridge, Massachusetts, in the US. Akamai’s main services are a CDN, application development, and application security. It has kept growing its security portfolio, most notably through the October 2021 acquisition of microsegmentation vendor Guardicore.
In November 2021, Akamai updated its lineup by combining Web Application Protector (WAP), its streamlined offering for midsize businesses, with Kona Site Defender. The new product, App & API Protector, includes some basic bot mitigation. Numerous add-ons are available, including a subscription for advanced security management.
The biggest modification to Akamai’s WAAP since the 2021 edition of this Magic Quadrant has been this repackaging of capabilities. In addition, Akamai released an updated version of its Adaptive Security Engine (ASE), support for Terraform deployments, and Account Protector to guard against account takeover.
Strengths
Platform advantage: Akamai’s global platform appeals to large organisations looking to make a complete set of features accessible in front of all their web applications by combining and integrating a wide range of web application and web application security features.
Advanced capabilities: Akamai frequently releases new controls before the rest of the market and offers leading threat intelligence capabilities through its client reputation feature. This can be seen in how Akamai is enhancing its existing discovery and classification capabilities for API threat protection at a time when many other vendors haven’t even released API discovery features.
Customer support: Customers continue to give Akamai’s customer service high marks, which is an impressive accomplishment for a major platform provider. When potential customers ask their peers for recommendations, consistently excellent customer support builds trust and encourages adoption of Akamai.
DDoS: Akamai’s DDoS feature evaluation receives high marks. Although DDoS protection is not frequently seen as a differentiator by potential clients, spikes in DDoS activity, particularly against APIs, still call for robust application and volumetric defences, which Akamai offers.
Cautions
Pricing: Gartner continues to hear from potential clients who believe that Akamai’s high overall price is a major factor in their decision to remove it from their shortlist of vendors or scale back their Akamai deployments. Midmarket businesses frequently prefer a less expensive option.
Confusion regarding portfolio transition: Client feedback to Gartner indicates that Akamai isn’t always clear about whether App & API Protector replaces or works in conjunction with Kona Site Defender. Some clients see the change in subscriptions as an attempt to get them to pay more or sign up for more services.
False positives: Despite Akamai’s efforts to reduce false positives with its improved ASE, clients have complained that the number of false positives is still high, particularly for bot detections.
UI complexity: Although Akamai has simplified the onboarding process, combining numerous features and modules remains challenging, and deployment should be easier for a variety of WAAP use cases. The enhanced Terraform support has been well received by users, but they still prefer the UI and feel that Akamai’s ASE and conventional policy management could be better integrated.
Amazon Web Services
In this Magic Quadrant, Amazon Web Services (AWS) is a Challenger. Clients looking for platform controls, vendor consolidation, and native controls should consider AWS’s WAAP. It is a popular shortlist candidate for application teams because of its integration with DevOps tools and its premium professional services for developers.
AWS, a subsidiary of Amazon, is a cloud service provider (CSP). Its main office is in Seattle, Washington, in the US. It provides a number of application and API security products, such as managed DDoS protection (AWS Shield Advanced), WAF, and a network firewall (AWS Network Firewall). AWS’s WAF is typically deployed on one of two main platforms: Application Load Balancer (ALB) or Amazon CloudFront (AWS’s CDN).
Since the 2021 edition of this Magic Quadrant, AWS has expanded its CDN and WAAP infrastructure in Asia/Pacific and added new features to its WAAP offering. The WAAP feature updates include versioning and roll-back capabilities for managed rules, as well as improvements to application layer DDoS and bot mitigation.
Strengths
Infrastructure advantages: AWS prioritises expanding the accessibility of its infrastructure worldwide. The AWS WAF is installed at all CloudFront POPs. It is generally available in 25 AWS Regions and has more than 310 CloudFront edge POPs. AWS added over 80 POPs in 2021, including some in Asia/Pacific.
DDoS mitigation: Through AWS Shield and the AWS WAF service, AWS has a comprehensive DDoS mitigation offering, including mitigation for extremely high volumes of traffic such as bot attacks. AWS Shield protects against Layer 3, 4, and 7 volumetric and application-based DDoS attacks. There are two levels of AWS Shield DDoS protection: Standard and Advanced. All AWS customers receive Shield Standard protection at no additional cost.
Pricing: The consumption-based pricing model used by AWS is transparent, simple to manage, and readily available on the company’s website. As paid add-ons to the standard WAF service, AWS provides optional security features like bot control, CAPTCHA, and account takeover prevention. Additionally, it provides a Free Tier with a usage limit for bot control and account takeover prevention. All AWS clients have access to Shield Standard as a free DDoS mitigation service.
Managed ruleset: AWS Managed Rules (AMR) is a powerful WAAP feature. New enhancements such as account takeover protection and WAF CAPTCHA configuration based on rate, attributes, and labels from AMR improve the administration and deployment of the product. Using a JavaScript/mobile SDK, the AMR feature can defend an application’s login page from credential-stuffing attacks and other unusual login activity.
Cautions
API security: When compared to many WAAP vendors, AWS falls short in terms of protecting against API threats. Only JSON payloads are directly supported, and GraphQL is supported via integration with AWS AppSync. Additionally, it lacks machine learning (ML) capabilities for API threat defence and ML-based autodiscovery for API endpoint classification.
Limited customisation: Some AWS customers find the inability to modify WAF rules problematic. They also find the dashboard’s alerting for detailed logging and monitoring comparatively sparse.
Catch-up strategy: AWS’s WAAP is not particularly inventive. AWS continues to regularly add features that top competitors already provide in order to fill feature gaps. As a result, customers who place a high value on best-of-breed bot mitigation and API threat protection frequently choose other vendors.
Single cloud use case: In comparison to products from many other WAAP vendors, AWS’s WAAP is a suitable option for application teams looking for native controls, but it lacks visibility for network security teams and businesses with hybrid and multicloud environments.
Barracuda
In this Magic Quadrant, Barracuda is a Niche Player. It serves current Barracuda customers and relatively small businesses well, but faces stiff competition for larger enterprise pure-play cloud WAAP deals. Its headquarters are in Campbell, California, in the United States.
Barracuda’s cloud WAAP (Barracuda WAF-as-a-Service) and WAAP appliances (Barracuda Web Application Firewall) are among the company’s most important web application security products and services. The vendor also provides DDoS, threat intelligence, and bot management (Barracuda Advanced Bot Protection) services. In recent months, Barracuda has added support for GraphQL and an initial iteration of automated API discovery.
Investment company KKR declared its intent to buy Barracuda in April 2022. Barracuda has changed ownership several times in the past without any obvious negative effects on its WAAP product roadmap or portfolio.
Strengths
Modular approach: Barracuda’s modular approach to security lets organisations advance their WAAP deployment by adding new categories of controls as they mature.
Accessible control refinements: After an initial deployment, it is simpler to handle refinements of controls thanks to practical risk-scoring and recommendation engines.
Protection against API threats: Barracuda keeps improving its API discovery and controls. It has added new features such as dedicated configuration for GraphQL and a “confidence level” when discovering APIs. However, the feedback Gartner has received on these new capabilities is scant.
Secure file uploads: Barracuda’s WAAP offers a strong combination of malware inspection and form protection for applications that require secure file uploads (such as those that accept résumés from applicants).
Cautions
Shortlist visibility: Barracuda’s cloud WAAP struggles to gain recognition in North America outside of Barracuda’s current clientele. Gartner frequently hears from customers who have used Barracuda that it is adequate but not exceptional.
Bot mitigation: Barracuda, which in 2019 bought a vendor that specialised in bot mitigation, is not developing advanced bot management features as quickly as its top rivals in the WAAP market. Bot mitigation tuning is primarily a back-end process that is invisible to users. Response options are less adaptable than those of top competitors, and until recently, there were no dedicated advanced credential protection features.
Incident response: Real-time incident response on Barracuda relies heavily on integrations with external tools. Native event views are simplistic and lack some of the reports that security operations centres (SOCs) use to communicate their activity to the rest of the organisation.
Support level: Customers’ opinions of Barracuda’s support vary widely. When a problem goes beyond a simple configuration issue, many express concern about how long it takes to receive a precise response.
Cloudflare
A Leader in this Magic Quadrant is Cloudflare. Its headquarters are in San Francisco, California, in the US. It has developed a set of security features to compete with other Leaders and has quickly established itself on Gartner’s cloud WAAP shortlists.
More than 3,000 people work for Cloudflare, which is expanding its suite of cloud security and application delivery services. Its application security portfolio includes a cloud WAAP offering (Cloudflare WAF), DDoS protection, and client-side protection (Cloudflare Page Shield).
Over the past few months, Cloudflare has kept growing beyond application delivery and protection. Recent WAAP features include API discovery, schema ingestion, and semi-automated rate limiting. The vendor also enhanced its bot mitigation module.
Strengths
Threat intelligence: Cloudflare’s substantial customer base of small and midsize businesses (SMBs) and individuals feeds its global threat intelligence, helping it identify new attacks more quickly. In addition to combining its own analysis with outside feeds, the vendor recently acquired Area1 Security, further broadening its data sources.
Growing presence in Asia/Pacific: Cloudflare’s infrastructure in Asia/Pacific is already among the most advanced in the WAAP market. The vendor has recently increased hiring there, evidence of its continued investment in the region.
Strong ecosystem of channel and technical partnerships: Cloudflare has a broad channel and technology partner ecosystem. These factors have made Cloudflare a very popular option for startups, and they mean that application platforms regard integration with its technology as essential.
Platform advantage: Cloudflare’s security service edge (SSE) features have increased the likelihood that it will be chosen for enterprise platform and consolidation projects, which makes it much more appealing to large businesses.
Cautions
Lack of hybrid deployment: Cloudflare delivers WAAP entirely from the cloud; its offering cannot operate as an agent, Kubernetes sidecar, or containerised WAAP. The absence of these hybrid deployment options may discourage businesses that are implementing API architectures and want a way to monitor east-west traffic.
Support: Although Cloudflare’s presales support has seen some advancements, the company’s larger enterprise clients still demand more reliable and superior postsale support. Gartner notices variations in the calibre of phone support and sporadic failures to follow up on requests consistently.
Forensic analysis: Despite recent improvements, large enterprises with in-house SOCs still complain about Cloudflare’s basic reporting features and lack of embedded features for incident response drill-down.
User interface: Users continue to tell Gartner that Cloudflare’s management interface can be disorganised and confusing. Although they like the embedded dashboards, they would prefer more user-friendly ways to configure custom security settings. Cloudflare recently updated its WAAP UI in response to this feedback.
F5
In this Magic Quadrant, F5 is a Niche Player. F5, a significant vendor with its main office in Seattle, Washington, in the United States, has its origins in the application delivery controller market but now offers a range of application delivery and security products. It employs more than 6,500 people, including a sizable web application security team. F5’s WAAP portfolio comprises a number of solutions. Its primary cloud-based WAAP product is Distributed Cloud WAAP, created by combining BIG-IP Advanced WAF with its acquisitions of Volterra and Shape Security.
A new cloud-managed Distributed Cloud Account Protection service for fraud prevention is also available, along with managed services like Silverline Web Application Firewall, Silverline DDoS Protection, and Silverline Shape Defense. A lightweight NGINX module called App Protect and an appliance-based WAF (BIG-IP Advanced WAF) are also available from F5.
In February 2022, F5 released its Distributed Cloud WAAP product, a cloud-based WAAP platform that combined Shape, Volterra, and F5 WAAP technology. This is a crucial turning point in F5’s strategic shift to a platform that is cloud-native. To enhance its capacity to offer cloud security and compliance for infrastructure and applications, F5 has also acquired Threat Stack.
Strengths
Simple reporting: The management console for Distributed Cloud WAAP comes standard with helpful reporting capabilities. A service mesh view, a service graph, and API endpoint reports are examples that can be used to monitor the health of microservices and API transactions.
Flexibility of pricing: F5’s Distributed Cloud WAAP, which caters to small and midsize organisations, offers a free tier to enable organisations to get started with load balancing and very basic WAF policies.
Investment in managed services and support teams: F5 makes significant investments in its support capacity and retains a sizable workforce in both its managed services and support teams. Due to Distributed Cloud WAAP’s recent release, there hasn’t been much customer feedback, but F5 has a solid support track record.
Product management: F5 responded to the market trend for consolidation of WAAP features with good vision by consolidating into a distributed cloud platform supported by numerous modules.
Cautions
Recent development: Distributed Cloud WAAP is new. Early client feedback suggests that it is still a work in progress and does not, as of this writing, have feature parity with Silverline. However, F5 has reported progress toward feature parity with the Distributed Cloud WAAP version scheduled for release in June 2022.
Fragmented portfolio: Because F5 keeps funding different WAAP products, its WAAP portfolio is fragmented and features are inconsistent. For instance, the Distributed Cloud WAAP offering does not include the iRules feature (it is replaced by Service Policies). For hybrid WAAP scenarios, businesses that use multiple F5 WAAP products must assess the operational difficulty of managing various WAAP policies.
Configuration complexity: Every origin pool and WAAP instance within Distributed Cloud WAAP is connected to a load balancer configuration and needs load balancer configuration in addition to WAAP policies.
Roadmap execution: For F5, the transition from a vendor of on-premises WAF appliances to a cloud WAAP provider is challenging. Distributed Cloud WAAP is still under development, and its user interface replicates configuration workflows that occasionally resemble an appliance form factor. Because of its focus on rebuilding features for the new platform, F5 has made less progress than its top competitors in areas like bot mitigation, application security, and API threat protection.
Fastly
Within this Magic Quadrant, Fastly is a Challenger. Fastly, a CDN and DDoS provider headquartered in San Francisco, California, in the United States, also provides a cloud-based WAAP built on its Signal Sciences acquisition. The Fastly Next-Gen WAF can be deployed as a WAAP service or as a runtime agent on top of an NGINX proxy. Fastly’s technology places little emphasis on conventional signatures. It parses requests with its proprietary SmartParse engine, which combines several rule types: vendor rules, custom rules (or “power rules”), templated rules with some customisation, and combinations of these.
Since the 2021 edition of this Magic Quadrant, Fastly has introduced edge rate limiting and a managed service called Response Security Service (RSS). It has also added HTTP/3 and GraphQL inspection support.
Strengths
Deployment modularity: Fastly’s deployment model lets customers deploy its WAAP in a variety of settings, including the Fastly edge cloud, as well as in front of traditional applications, reverse proxies, container environments, and platform as a service (PaaS) environments.
Sales and customer service experience: After tuning, customers give Fastly high marks for lower-than-expected false-positive rates. Customers also rate Fastly highly for overall sales and support, praising the effectiveness of its support staff and the promptness of its responses.
Native DevOps support: Fastly enables native container integration and supports a variety of other DevOps integration tools, including Terraform and Ansible. Slack integration is also available for alerting. Customers praise these capabilities, and many choose Fastly over competing WAAP providers because of how well it integrates with DevOps teams.
Onboarding simplicity: Fastly customers frequently cite this feature of the company’s product as a strength, especially when they are switching from a legacy WAF that required a significant number of tuning policies.
Cautions
Roadmap execution: Fastly executes its roadmap more slowly than other vendors in this market and introduces new features at a slower pace. As a result, the capability gap between Fastly and its rivals in areas such as API and application security features continues to widen.
International presence: Although Fastly has made investments to increase its sales staff outside of North America, the majority of its income still comes from American clients. Customers outside of North America who want to use Fastly’s edge should find out how it is supported there.
Bot management features: According to client feedback, Fastly’s bot reporting is lacking, and it continues to lag behind its main competitors in terms of bot mitigation capabilities. Fastly still only provides the most fundamental blocking strategies, like blocking based on velocity, and lacks a well-curated credential-stuffing database.
Native reporting: Fastly customers frequently gripe that more flexible and rich reporting capabilities require integration with a third party.
https://www.gartner.com/doc/reprints?id=1-2AYNV8N1&ct=220830&st=sb