Cloud WAF Pricing: All You Need to Know
Choosing the right Cloud WAF pricing model is like finding the perfect pair of shoes: it’s all about comfort, fit, and style for your organization’s needs.
In this guide, we’ll help you navigate the world of Cloud WAF pricing, exploring different options and factors so that you can find the perfect fit for your web application security requirements.
For those still evaluating Cloud vs. on-prem WAF, here’s a detailed article on why cloud WAFs are better than on-premise WAFs.
Common Pricing Models for Cloud WAFs: Subscription-based vs. Pay-as-you-go
WAFs provided by public clouds such as AWS and Azure typically price on a pay-as-you-go model.
On the other hand, specialized WAF providers such as Indusface, Akamai, and Cloudflare offer a subscription model.
There are many pay-as-you-go features offered even by subscription providers. The value addition that specialized WAFs provide is the availability of “core rules” that provide by-default protection against OWASP Top 10 vulnerabilities.
In public Cloud WAFs, you’ll typically need to either:
- Develop rule sets on your own, in which case you are charged per rule
- Or subscribe to rule sets provided by WAF providers, in which case you typically also pay for the bandwidth/data transfer inspected by those rule sets
Here is a simple representation of what a subscription model typically looks like:
| Plans | Features | Usually suitable for |
| --- | --- | --- |
| Basic | Basic web traffic filtering and protection against common web exploits, with a limited number of requests | Small websites or applications with low traffic |
| Advanced | Basic plan features + some advanced protection features | Medium-sized businesses with moderate traffic |
| Premium | Advanced DDoS and bot mitigation measures, API security, and more | Large enterprises with high traffic and complex needs |
That said, several pay-as-you-go features are provided even by specialized WAF providers.
In the next section, we will cover all the factors that affect WAF pricing.
Factors Affecting Cloud WAF Pricing
1. Number of Applications
This is the first parameter that affects pricing. Even within this, there are two models:
a. Domain: One license for the domain, and this includes subdomains too. This model is typically used when similar applications are on different sub-domains, for example, qa.acme.com vs. acme.com.
While you can use this model for sub-domains that host different applications, the likelihood of false positives is higher, as the same rule set is applied to multiple applications.
If you also want to safeguard your UAT (User Acceptance Testing) sites with a WAF, the UAT sites will be treated as separate domains for pricing.
b. Application: Since every application differs, this model helps get fine-grained protection and custom rules. Usually, the license depends on a per-website model or a Fully Qualified Domain Name (FQDN).
For example, you’ll typically be charged one license for www.acme.com and one more for abc.acme.com.
2. Data
Cloud WAFs act as filters before traffic hits your origin server. All the traffic passed on to your origin servers is billed as the bandwidth cost.
Here too, there are three models:
a. Requests: The pricing plan might have a set cost for a specific number of requests each month, plus extra charges for any extra requests over the set limit. Another option is that the pricing depends only on the total number of requests, so customers pay for what they use.
b. Peak Mbps: Some WAF companies use a peak Mbps (megabits per second) pricing plan. They charge customers based on the highest bandwidth used in a set period, such as a month, usually measured at the 95th percentile. This model looks at the most traffic the WAF handles, not the total requests or data moved. It matters for organizations with fluctuating traffic or varying bandwidth needs.
c. Bandwidth: Some WAFs use a pricing plan based on the bandwidth over the wire. This includes both the request and response data. They charge customers for data moving through the system. This pricing model is easy to understand and works well for many organizations.
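To make the three data-based models concrete, here is an added example (not code from the article or any vendor) that bills one constructed month of WAF traffic under each scheme; the rates, the 5-minute measurement buckets and the nearest-rank 95th-percentile method are all assumptions, not any provider's actual terms.

```python
"""Added example: cost model for the per-request, peak Mbps (95th percentile) and
bandwidth pricing schemes. All rates and traffic figures are constructed
placeholders, not any vendor's real prices."""
import math
from dataclasses import dataclass

@dataclass
class Interval:
    """Traffic through the WAF in one 5-minute measurement bucket (constructed)."""
    requests: int
    in_bytes: int    # request bytes from clients
    out_bytes: int   # response bytes back to clients
    seconds: int = 300

def cost_per_request(intervals, included=10_000_000, base_fee=200.0, per_million=1.0):
    """Flat fee covering `included` requests a month, plus overage per extra million."""
    extra = max(0, sum(i.requests for i in intervals) - included)
    return base_fee + math.ceil(extra / 1_000_000) * per_million

def percentile_95_mbps(intervals):
    """95th-percentile peak: sort interval throughputs and discard the top 5%,
    so a short burst (e.g. a DDoS spike) does not set the bill on its own."""
    mbps = sorted((i.in_bytes + i.out_bytes) * 8 / i.seconds / 1e6 for i in intervals)
    return mbps[math.ceil(0.95 * len(mbps)) - 1]   # nearest-rank method

def cost_peak_mbps(intervals, per_mbps=15.0):
    return percentile_95_mbps(intervals) * per_mbps

def cost_bandwidth(intervals, per_gb=0.08):
    """Bill every byte over the wire, request and response data alike."""
    return sum(i.in_bytes + i.out_bytes for i in intervals) / 1e9 * per_gb

def compare_models(intervals):
    """Monthly cost under each model, rounded to cents."""
    return {
        "requests": round(cost_per_request(intervals), 2),
        "peak_mbps_p95": round(cost_peak_mbps(intervals), 2),
        "bandwidth": round(cost_bandwidth(intervals), 2),
    }

# Constructed month: 19 quiet buckets and one burst pushing 5 GB through the WAF.
QUIET = Interval(requests=1_000, in_bytes=1_000_000, out_bytes=20_000_000)
BURST = Interval(requests=500_000, in_bytes=3_000_000_000, out_bytes=2_000_000_000)
SAMPLE_MONTH = [QUIET] * 19 + [BURST]

if __name__ == "__main__":
    print(compare_models(SAMPLE_MONTH))  # the burst is paid for under bandwidth, not at p95
```

Replace SAMPLE_MONTH with your own exported traffic buckets to see which model the shape of your traffic favours; a single burst shows up in the bandwidth bill but is dropped by the 95th-percentile cut.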
3. Features
As discussed earlier, depending on the WAF provider, you may get charged for the following features:
a. Unmetered, Behavioural DDoS & Bot Mitigation: This is probably the single most expensive feature addition. Depending on the application, this feature alone typically adds a couple of thousand dollars per month to the subscription. In addition, some vendors even bill you for the bandwidth consumed during a DDoS attack. In the case of Indusface AppTrana, DDoS protection is bundled as part of the monthly subscription plans.
b. API Security: Most popular WAFs now include an API security solution. This category is now called WAAP. However, this is generally priced as an add-on as API security needs special configuration, especially to create a positive security model. The AppTrana WAAP, by default, protects all APIs that are part of the same FQDN. See more details here.
c. Vulnerability Analysis and Manual Penetration Testing: In most organizations, DAST and WAF are separate, unintegrated products. This is a lost opportunity, as vulnerabilities found by a DAST could quickly be patched on the WAF. This process is called virtual patching (also known as custom rules), and it buys developers time before they fix these vulnerabilities in code.
To further enhance protection coverage, organizations can opt for manual penetration testing to identify business logic vulnerabilities and patch them as well with the custom rules.
With AppTrana WAAP, you get a DAST scanner (Indusface WAS) with bundled manual penetration testing as part of the premium plan. You save costs on subscriptions, on outsourcing pen testing, and on integrating DAST and virtual patching into CI/CD pipelines, ensuring that security is handled even in an agile development cycle.
d. Fully Managed WAAP: Managed WAAP is a critical add-on you must look for to combat advanced threats faster. Organizations often have a limited SOC team to handle tasks such as WAF onboarding, policy tuning, DDoS and bot attack monitoring, removing false positives, and protecting against vulnerabilities and zero-day threats. Managing the entire WAF in real time, 24x7x365, can be resource-, time-, and cost-intensive, depending on your IT and application landscape.
A key component of a fully managed WAAP service is the ability to implement custom rules/virtual patching. With virtual patching, vulnerabilities that are open in the application can be patched virtually at the WAAP level, providing immediate protection from attacks on those vulnerabilities. This not only safeguards the application from potential threats but also gives companies the necessary time to fix the vulnerabilities in their code. AppTrana supports unlimited custom rules in its premium and enterprise plans, ensuring tailored protection for each application’s specific needs.
With managed WAF/WAAP, the vendor takes care of all the heavy lifting mentioned above, unlocking your SOC teams’ bandwidth for compliance and other important tasks. Managed WAF not only saves thousands of dollars but also helps combat cyber threats faster due to the vendor’s expertise in the application security space.
e. Origin Server Protection: Unlike many WAAP vendors, AppTrana includes origin protection by default. During the onboarding process, customers are required to route their DNS traffic through the WAF, where WAF acts as a reverse proxy.
They then whitelist the WAF’s IPs and block all other traffic to the origin server. This ensures that the origin server is not accessible directly from the internet, preventing attackers from bypassing the WAF and accessing the server through its IP. While origin protection is often an add-on feature in many WAFs, it is crucial for comprehensive security.
f. Integrations: Most WAF providers offer the integrations below as add-ons to their plans:
- CI/CD: Integrating WAAP into the CI/CD pipeline (SIEM, SOAR, Jenkins, and JIRA) to automate security testing, patch management, and incident response.
- SIEM: Integrating with SIEM providers such as SumoLogic, RSA, Splunk, McAfee, and more, enabling you to push logs for attacks/requests into your internal systems.
- Single Sign-On (SSO): SSO integrations for teams to securely log in with existing corporate credentials or via identity management providers like Okta, AWS, Azure and Google Cloud.
g. Analytics: Analytics on the kinds of attacks blocked is also a big add-on, especially if you buy a single WAF license and use it to protect multiple applications such as payroll.acme.com and crm.acme.com along with acme.com. As these are all different applications, storing attack logs and running analytics on them would be extremely expensive.
Hence, most WAF providers don’t provide access to them on a single license. At Indusface, we often suggest taking additional licenses for critical applications that require attack logs and analysis.
h. CDN: Since WAAP providers have some pricing component dependent on data transfer, enabling a CDN will lead to significant cost savings. In most WAFs, this is an add-on.
i. Support: 24x7 phone, email, and chat support is yet another feature that most WAF vendors add only in enterprise contracts. At Indusface, you get enterprise support at SMB pricing; see the WAAP pricing page here.
Understand which features are included in the subscription and which are add-ons by the WAF providers.
Below is a brief comparison highlighting the differences between AppTrana WAAP, Cloudflare, Akamai, and Imperva WAFs, including features that are included in the subscription versus those that are add-ons.
| Features in plan | AppTrana WAAP | Cloudflare WAF | Akamai WAF | Imperva WAF |
| --- | --- | --- | --- | --- |
| Unmetered Behavioural DDoS | Included | Included | Surge Cap | Surge Cap |
| Advanced Bot Protection | Included | Add-on | Included | Add-on |
| Fully Managed WAAP | Included | Add-on | Add-on | Add-on |
| SLA Based Virtual Patching | Included | Enterprise only | Enterprise only | Add-on |
| Zero False Positives Guarantee | Included | Not available | Not available | Not available |
| Penetration Testing | Included | Not available | Add-on | Add-on |
| API Discovery & Security | Included | Included | Add-on | Add-on |
Comparing all the included features and add-ons, as shown above, will help you quickly understand the price-to-value proposition.
Managed Services and WAF Pricing
Managed services play a big part in application security, especially as threats evolve. For example, 614+ application-level critical/high zero-day vulnerabilities are discovered monthly. Compute power is so cheap that a one-hour DDoS attack can be bought for $5, and this will get cheaper.
To combat all of this, any WAAP/WAF solution needs to evolve. While most Cloud WAFs keep the software updated, a key part of defense is the rule set, and unless the security teams have highly skilled security engineers, they wouldn’t be able to touch any of the rule sets.
The other problem is that even if rules are sent as patches, the onus is on the application team to monitor for false positives and ensure 100% availability while preventing downtime. Often, application teams do not apply these patches; worse, most WAFs are perpetually in log mode, as in they don’t block any attacks!
Then there’s the problem of DDoS, which is a major ransom threat, and sophisticated countermeasures such as rate limits, tarpitting, CAPTCHA, and blocks need careful monitoring, as there is a high possibility of false positives.
So managed services are essentially an extended SOC/IT team to help with the following:
- Adding exceptions so that the core rule set doesn’t break any existing functionality of the application.
- Patching newly found vulnerabilities on the WAF with a guarantee of zero false positives.
- Mitigating DDoS attacks while reducing the impact on genuine visitors.
- Reducing false positives in DAST scanner results by providing detailed proof-of-vulnerability reports; this is an Indusface exclusive, as we are the only ones who bundle DAST with WAF (WAAP).
- Configuring the CDN to ensure maximum caching percentages (we have several customers with 95%+ cache hit ratios) by fine-tuning the caching policies.
While every vendor can promise managed services, evaluating the SLAs with which they operate is critical. We highly recommend checking the support response times and SLAs, uptime guarantee, and latency with the vendor.
At Indusface, we are proud to ensure a 24-hour SLA on virtual patches for critical vulnerabilities. You can find more details on the SLA here.
In fact, we go further and offer a feature called SwyftComply, where we guarantee a clean zero-vulnerability report within 72 hours. This report can be used to pass application security audits.
Tips for Selecting the Right Cloud WAF Pricing Model
Here’s a step-by-step framework to help you choose a WAF based on pricing:
1. Identify your organization’s requirements:
- List the web applications you need to protect
- Estimate your average and peak web traffic volume
- Determine the specific features and security controls you need
- Consider the level of technical support and service level agreements (SLAs) you require
2. Research WAF providers
- Compile a list of WAF providers that offer solutions relevant to your organization’s needs
- Investigate each provider’s reputation, customer reviews, and case studies
3. Analyse pricing models:
- Review the different pricing models available for each WAF provider (subscription-based, pay-as-you-go, perpetual license, hybrid)
- Determine which pricing model best aligns with your organization’s needs, budget, and growth projections
4. Evaluate included features and additional services
- Compare the features and services included in each provider’s base pricing
- Identify any additional features or services that may incur extra costs (e.g., advanced threat intelligence, DDoS protection, and managed security services)
- Review the level of technical support included in each provider’s pricing
- Compare the SLAs offered by each provider, focusing on uptime guarantees, performance, support response times, and remedies for non-compliance
5. Calculate the total cost of ownership (TCO)
- Estimate the total costs for each WAF provider, considering factors such as subscription fees, usage-based charges, additional features, support, and potential overage fees
- Calculate the TCO for each provider over a specified period (e.g., one year, three years, five years)
6. Rank various WAF providers
- Rank the WAF providers based on the factors most important to your organization (e.g., TCO, features, support, SLAs)
- Select the top 3 WAF providers that best meet your organization’s needs and budget
7. Run product trials
- Every WAF is a black box, and application-specific logic (SSL pinning, for example) could break an application’s workflow
- If such issues come up, that is also a good real-world test of support response times and SLAs
By following this framework, you can systematically evaluate and compare different WAFs based on pricing, features, support, and other factors, ultimately selecting the most suitable and cost-effective solution for your organization.
In conclusion, selecting the right Cloud WAF is crucial for safeguarding your web applications and maintaining a strong security posture. A thorough understanding of Cloud WAF pricing, features, and service level agreements will enable your organization to make informed decisions, ensuring you invest in a solution that fits your budget and provides robust protection against ever-evolving cyber threats.