16 OCT 2018

WAF solutions in comparison: 2018 Gartner Magic Quadrant for WAF

Gartner begins its 2018 Magic Quadrant for WAF by making a point about the state of WAF technology. In recent years, companies have used WAF technology less and less, preferring cloud technology, which is evolving much faster.

A WAF can protect companies against web attacks such as SQL injection and cross-site scripting. It does so by analyzing and inspecting web requests using signatures (a term usually used to indicate the pattern of a known attack), smart dictionaries, and profiling of the defended applications, which makes the rules to be applied more accurate (valid URLs and parameters, input that the user can insert).
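An added example (not from the original article or from any vendor's product) of the two inspection layers described above: attack signatures, then an application profile of valid URLs and parameters. The signatures, the profile and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model: constructed signatures for known attack patterns.
SIGNATURES = {
    "sqli": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss": re.compile(r"<\s*script\b|\bon\w+\s*=", re.I),
}

# Positive model: constructed profile of a hypothetical application,
# listing each valid URL with its valid parameters and value formats.
PROFILE = {
    "/search": {"q": re.compile(r"[\w .-]{1,64}")},
    "/item": {"id": re.compile(r"\d{1,9}")},
}

def inspect(url):
    """Return (verdict, reason) for one request URL."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so encoded input is inspected decoded.
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Layer 1: signatures catch input that looks like a known attack.
    for name, value in params:
        for label, sig in SIGNATURES.items():
            if sig.search(value):
                return ("block", f"signature:{label}")
    # Layer 2: the profile rejects anything the application never accepts,
    # including input that matches no signature at all.
    allowed = PROFILE.get(parts.path)
    if allowed is None:
        return ("block", "profile:unknown-url")
    for name, value in params:
        rule = allowed.get(name)
        if rule is None:
            return ("block", f"profile:unknown-param:{name}")
        if not rule.fullmatch(value):
            return ("block", f"profile:bad-value:{name}")
    return ("allow", "ok")

# Constructed sample requests.
SAMPLES = [
    "/search?q=blue+shoes",
    "/item?id=1%27%20OR%20%271%27%3D%271",
    "/item?id=12abc",
    "/item?id=7&debug=true",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect(url))
```

The third and fourth samples match no signature and are stopped only by the profile, which is why profiling improves the accuracy of a signature-only rule set.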


WAF: what is it and what is it for?

WAF, which stands for Web Application Firewall, is a technology for protecting corporate web applications. WAF protects companies and their data from various cyberattacks such as bots, DoS and DDoS.

In the Gartner 2018 Magic Quadrant for Web Application Firewalls (WAF), Gartner considers only WAFs implemented externally to web applications.

Before going into a more detailed description of WAF vendors, let’s see where Gartner places the vendors in its 2018 Magic Quadrant for Web Application Firewalls (WAF):

  • Leaders: Imperva and Akamai;
  • Challengers: F5, Cloudflare, Fortinet, Barracuda Networks and Citrix;
  • Niche players: Amazon Web Services, Ergon Informatik, Microsoft, Instart and Rohde & Schwarz Cybersecurity;
  • Visionaries: Oracle and Radware.


As you can see, there are many WAF vendors that Gartner analyzes in its 2018 Magic Quadrant for WAF, but in our article we will focus on:

  • Imperva and Akamai: the 2 leaders;
  • F5 and Fortinet: both challengers;
  • Oracle: the visionary.



In the 2018 Magic Quadrant for WAF, Imperva is positioned by Gartner as a market leader. Imperva is a Web Application Firewall (WAF) vendor that stands out for its security and innovation. It offers both a traditional WAF service (SecureSphere WAF) and one dedicated to the cloud (Incapsula). On the latter, in particular, it faces fierce competition. SecureSphere WAF is available as both a physical and a virtual appliance. Imperva also offers products for database security, security services and managed SOCs.



Imperva is one of the few WAF vendors that is present in many countries and offers both a traditional and a cloud-specific WAF service. Aware of the importance of the cloud, Imperva is focusing its strategy primarily on Incapsula.

Imperva is perfect for any type of organization, both for those looking for a high degree of security in WAF appliances, and for those that are facing migration from a traditional environment to a cloud one. Incapsula and SecureSphere users can count on excellent customer support. Both can benefit from analysis functions for attacks, recently released by Imperva. Furthermore, recently Imperva has released a first version of role-based administration for Incapsula.


Critical issues:

The reorganization that Imperva is experiencing could work to its disadvantage because, especially for the SecureSphere product line, there could be a slowdown in the releases of services and features. Incapsula does not support Single Sign-On (SSO) functionalities such as SAML 2.0, a feature that customers would like to have along with more flexibility and better reports. Imperva is focusing on Incapsula, but customers are not yet sure whether or not to leave SecureSphere for Incapsula because SecureSphere has many more functionalities. Regarding customer service, Gartner reports that SecureSphere has better support than Incapsula, which generally uses standardized and non-customer-focused responses. Finally, regarding price, Imperva has higher prices for its services than its competitors.



Akamai is the other WAF vendor positioned in the leaders quadrant of the 2018 Magic Quadrant for WAF. Akamai is chosen by companies looking for a cloud WAF service that supports web-scale applications and ensures their IT security. The WAF service offered by Akamai is Kona Site Defender, which also has a lower-priced version: Web Application Protector (WAP).



Akamai is heavily committed to the development and improvement of web application security solutions. Akamai is chosen by organizations that manage different applications; in fact, Kona Site Defender is well integrated with other applications.

Akamai has an excellent geographical presence, especially in North America. Akamai offers professional services that help improve the security offered by Kona Site Defender, and provides a managed SOC that helps monitor incidents and automatically analyzes Internet traffic for threats. Customers who use Akamai’s services report a reduction in false alerts regarding potential cyber threats.


Critical issues:

Kona Site Defender can only be chosen by customers who use cloud services, since it does not exist for traditional environments. This is one of the reasons that pushes many customers not to choose Akamai WAF services; another is the high prices, especially if they choose many options. For this reason, Akamai launched WAP, a solution that does not seem to have increased the customer base. Customers also complain about the system for managing policies, reports, notifications and monitoring. Finally, compared to its competitors, Akamai needed more time to implement a first version, which is still a beta, of APIs to configure Kona Site Defender security aspects.



In the 2017 Gartner Magic Quadrant for WAF, F5 was a leader. In the 2018 Magic Quadrant for WAF it is a challenger. F5 is known for BIG-IP and VIPRION (which are part of its ADC series). IT security products are important for F5, which has dedicated a business area to their development. Its information security services protect, for example, against bots, DoS and DDoS attacks and prevent fraud.



F5 focuses mainly on the security aspects of its WAF applications, and people who are specifically looking for IT security know that they can count on this vendor. Customers choose F5 for its support for AWS, Azure, GCP, OpenStack, VMware Cloud and multi-cloud too. Furthermore, Gartner reports excellent customer care support and a large user community.


Critical issues:

According to the 2018 Gartner Magic Quadrant for WAF, F5's issues are cost, which is not extremely competitive, and the lack of products in its offering. In fact, F5 does not consider that large organizations need an in-house SOC compared to medium-sized organizations and that many companies prefer self-service WAF options. F5 does not offer a complete and easy-to-manage self-service WAF service.

Customers who have used the WAF for years as an ADC module are currently not satisfied with its security features unless they get a further security license update.

Silverline infrastructure, the protection service, is lagging behind that of its competitors due to the lack of physical presence in some countries.



Another challenger of 2018 Gartner Magic Quadrant for WAF is Fortinet. Its market share in the WAF appliances segment continues to grow thanks to the improvement of security features. Fortinet is taking steps in the WAF cloud segment too, thanks to a first release in 2017. In its product portfolio, Fortinet includes a firewall (FortiGate) which is the main source of revenue for the WAF vendor, a WAF appliance (FortiWeb), a threat intelligence service (Fortinet TIS), a SIEM (FortiSIEM) and a sandbox (FortiSandbox). FortiWeb WAF appliance is available both physically and virtually (FortiWeb-VM). FortiWeb includes IP reputation, antivirus, security updates, credential stuffing protection and the cloud sandbox (FortiSandbox).

Towards the end of 2017, Fortinet added a WAF cloud service (FortiWeb Cloud) to its product portfolio. FortiWeb is the perfect WAF appliance for those who develop in hybrid scenarios and for those who share many files because it offers many complete and integrated malware detection options.



Fortinet products are able to detect cyberattacks promptly, also thanks to the use of machine learning algorithms. For FortiWeb, Fortinet is using the same strategy that led to the success of its other products: Fortinet offers 8 hardware appliances with a good quality/price ratio. Furthermore, Fortinet is investing a lot in improving FortiWeb and FortiWeb Cloud functionalities.


Critical issues:

Fortinet’s delay in releasing WAF cloud services was not the right move because FortiWeb Cloud has fewer functionalities than competitors’ products and fewer functionalities than FortiWeb. Gartner emphasizes that, despite improvements in its products, Fortinet continues to underinvest, compared to its competitors, in research and development for its WAF solutions. Fortinet is not used by organizations that use web-scale techniques or by those with cloud-native web applications where continuous integration is essential. In the 2018 Magic Quadrant for WAF, Gartner reports criticism from some customers, who would like centralized management for WAFs and firewalls but are forced to handle these aspects separately using FortiWeb and FortiGate. Furthermore, they report that better documentation would make the products simpler to use. Finally, compared to its competitors, FortiWeb does not offer a good service for mitigating bots or for protection against DDoS attacks.



Oracle is in the visionaries quadrant. Its WAF solution is Oracle WAF, the result of the acquisition of Zenedge in February 2018. Oracle WAF is the perfect WAF appliance for organizations that need to manage WAF cloud services, especially if they are looking for new ways to detect possible anomalies.



Oracle has focused on improving its product to respond to its customers’ requests. In the 2018 Magic Quadrant for WAF, Gartner considers this reactivity to the market a strength of Oracle, one that allowed it to quickly acquire a considerable customer base.


Critical issues:

Oracle WAF infrastructure cannot count on a presence in all countries, an aspect on which Oracle will have to work. Oracle WAF does not yet integrate with SIEM vendors, and customers expect improvements in reports. Furthermore, the events overview does not provide a complete picture of all the attacks that are occurring, but only a series of alerts. Moreover, before being acquired, Zenedge was still working on various features of its service. For this reason, after the acquisition, Oracle created a team for the development and improvement of functionalities, but the group is small compared to that of its competitors.


If you are interested in Gartner Magic Quadrant and in cloud, do not miss the 2018 Magic Quadrant for the best cloud platforms!

Elaborated by Lucia D’Adamo in collaboration with Giovanni Liber