Source: Gartner Reprint
The cloud web application and API protection market is growing rapidly. This Magic Quadrant will help you identify cloud WAAP providers that offer easy-to-use controls and specialized protections against advanced bots and evolving API attacks.
By 2024, 70% of organizations implementing multicloud strategies for web applications in production environments will favor cloud web application and API protection platform (WAAP) services over WAAP appliances and IaaS-native WAAP.
By 2026, 40% of organizations will select a WAAP provider on the basis of its advanced API protections and web application security features — up from less than 15% in 2022.
By 2026, more than 40% of organizations with consumer-facing applications that initially relied only on a WAAP for bot mitigation will seek additional anomaly detection technology from specialized providers — up from less than 10% in 2022.
Cloud web application and API protection platforms (WAAPs) mitigate a broad range of runtime attacks, notably the Open Web Application Security Project (OWASP) top 10 for web application threats, automated threats and specialized attacks on APIs. Cloud WAAPs are cloud-delivered services that primarily protect public-facing web applications and APIs.
Core capabilities of cloud WAAPs include:
Optional capabilities of cloud WAAPs include:
Cloud WAAPs may integrate with infrastructure providers, security operation tools, and continuous integration/continuous delivery (CI/CD) pipelines.
The Context section of this Magic Quadrant explains the change in the scope of this edition and the impact of this change, especially on vendors that offer WAAP appliances in addition to cloud WAAP services.
The Market Overview section later in this document highlights some of the recent trends in the WAAP market.
Figure 1: Magic Quadrant for Web Application and API Protection
Source: Gartner (August 2022)
Akamai is a Leader in this Magic Quadrant. It is well-suited to appear on the cloud WAAP service shortlists of organizations that want to protect business-critical, web-scale applications. This is especially the case for organizations that have a broad and diverse portfolio of web applications and APIs.
Akamai is a global cloud and security provider with almost 10,000 employees. It is headquartered in Cambridge, Massachusetts, U.S. Akamai’s primary offerings include a CDN and application and application security services. It has continued to expand its security portfolio, notably with the acquisition of the microsegmentation vendor Guardicore in October 2021.
In November 2021, Akamai updated its offering by merging Web Application Protector (WAP), its simplified offering for midsize enterprises, with Kona Site Defender. The new product, App & API Protector, includes some basic bot mitigation. Multiple add-ons are available, including an advanced security management subscription.
Since the 2021 edition of this Magic Quadrant, the most significant change in Akamai’s WAAP has been this repackaging of capabilities. Akamai also released Account Protector to protect against account takeover, an updated version of its Adaptive Security Engine (ASE), and support for Terraform deployments.
Strengths
Cautions
Amazon Web Services (AWS) is a Challenger in this Magic Quadrant. AWS WAAP is suitable for clients looking for native controls, a platform approach and vendor consolidation. Premium professional services for developers and integration with DevOps tools make it a popular shortlist candidate for application teams.
AWS is a cloud service provider (CSP) subsidiary of Amazon. It is headquartered in Seattle, Washington, U.S. It offers several application and API security products, including a network firewall (AWS Network Firewall), managed DDoS and WAF (AWS Shield Advanced). AWS’s WAF is primarily available on top of Application Load Balancer (ALB) or Amazon CloudFront (AWS CDN).
Since the 2021 edition of this Magic Quadrant, AWS has made feature enhancements to its WAAP offering and expanded its CDN and WAAP infrastructure in Asia/Pacific. The feature updates related to WAAP include enhancements to application layer DDoS mitigation and bot mitigation, and the addition of versioning and roll-back capability for managed rules.
Strengths
Cautions
Barracuda is a Niche Player in this Magic Quadrant. It has headquarters in Campbell, California, U.S. It performs well for existing Barracuda customers and relatively small enterprises, but faces strong competition for larger enterprise pure-play cloud WAAP deals.
Barracuda Cloud Application Protection includes web application security products and services, the most important being Barracuda’s cloud WAAP (Barracuda WAF-as-a-Service) and WAAP appliances (Barracuda Web Application Firewall). The vendor also offers bot management (Barracuda Advanced Bot Protection), DDoS and threat intelligence services. In recent months, Barracuda has added an initial version of automated discovery of APIs and support for GraphQL.
In April 2022, investment firm KKR announced its intention to acquire Barracuda. In the past, Barracuda has changed hands several times, without noticeable adverse impacts on its WAAP product portfolio or roadmap.
Strengths
Cautions
Cloudflare is a Leader in this Magic Quadrant. It is based in San Francisco, California, U.S. It has quickly become very visible on cloud WAAP shortlists seen by Gartner, and has developed a set of security features to compete with other Leaders.
Cloudflare has more than 3,000 employees, who are building its portfolio of cloud-delivered application and security services. Its application security portfolio includes a cloud WAAP offering (Cloudflare WAF), and DDoS and client-side protection (Cloudflare Page Shield).
In recent months, Cloudflare has continued to expand beyond application protection and delivery. Recent WAAP features include API discovery, schema ingestion and semiautomated rate limiting. The vendor also improved its bot mitigation module.
Strengths
Cautions
F5 is a Niche Player in this Magic Quadrant. Headquartered in Seattle, Washington, U.S., F5 is a large vendor, with roots in the application delivery controller market, that now provides a portfolio of application delivery and security products. It employs more than 6,500 staff, including a large web application security team. F5’s WAAP portfolio includes multiple solutions. Its main cloud-based WAAP offering is Distributed Cloud WAAP, built by combining its BIG-IP Advanced WAF, Volterra and Shape Security acquisitions. It also offers managed services (Silverline Web Application Firewall), Silverline DDoS Protection, Silverline Shape Defense, and a new cloud-managed Distributed Cloud Account Protection service for fraud prevention. F5 also offers an appliance-based WAF (BIG-IP Advanced WAF) and a lightweight module for NGINX called App Protect.
F5 launched its Distributed Cloud WAAP product in February 2022, combining Shape, Volterra and F5 WAAP technology into a single cloud-based WAAP platform. This is an important milestone in F5’s strategic transition to a cloud-native platform. F5 has also acquired Threat Stack to improve its ability to provide cloud security and compliance for infrastructure and applications.
Strengths
Cautions
Fastly is a Challenger in this Magic Quadrant. Headquartered in San Francisco, California, U.S., Fastly is a CDN and DDoS provider that offers a cloud-based WAAP through integration of its Signal Sciences acquisition. The Fastly Next-Gen WAF solution can be deployed as a runtime agent on top of an NGINX proxy and as a WAAP service. The foundation of Fastly’s technology places minimal focus on traditional signatures. It relies on its proprietary SmartParse engine, which uses a proprietary mix of rules to parse requests: vendor rules; templated rules, with some customization; and custom rules (“power rules”).
Since the 2021 edition of this Magic Quadrant, Fastly has introduced edge rate limiting and a managed service called Response Security Service (RSS). It has also added support for GraphQL inspection and HTTP/3.
Strengths
Cautions
Fortinet is a Niche Player in this Magic Quadrant. Fortinet sells a WAAP service called FortiWeb Cloud. It also offers a WAAP appliance product line called FortiWeb, which is shortlisted mainly by existing network firewall customers who want to consolidate on a single vendor.
Headquartered in Sunnyvale, California, U.S., Fortinet is an established infrastructure and security vendor with over 10,000 employees. Its primary product line remains its range of FortiGate firewall appliances, but it has developed a large portfolio of security products and is slowly expanding into cloud services.
During the evaluation period for this Magic Quadrant, Fortinet acquired Sken.ai, a DevSecOps application security vendor, which could enhance the ability of Fortinet’s WAAP to integrate with dynamic DevSecOps teams or pipelines and processes. Feature updates to Fortinet’s WAAP service include a new threat analytics service, ML for anomaly detection updates, and ML-based API discovery and protection.
Strengths
Cautions
Imperva is a Leader in this Magic Quadrant. It is headquartered in San Mateo, California, U.S. Imperva has a long history in application security, and is well known for making advanced features available in a cloud WAAP form factor. Imperva is a privately held application and data security vendor, part of Thoma Bravo’s portfolio of security vendor equity investments.
Imperva Cloud WAF is the vendor’s cloud WAAP service offering. It is part of the “Imperva Anywhere” portfolio, which also includes a WAAP gateway (the Imperva Web Application Firewall Gateway), database security (Imperva Data Security) and other security services, including DNS security and runtime application self-protection (RASP).
In the past year, noticeable changes have included improvements to Imperva’s CDN and caching features, support for external HSMs, and numerous improvements to the advanced bot protection service, including a new tarpit action.
Strengths
Cautions
Microsoft is a Niche Player in this Magic Quadrant. Its Azure Web Application Firewall (WAF) remains basic, compared with the majority of competing offerings, but the desire to consolidate on fewer vendors remains a key reason why organizations choose it.
Microsoft is a large IT and digital workplace vendor, based in Redmond, Washington, U.S. It has a large product portfolio. Its infrastructure as a service (IaaS) and PaaS offering, Microsoft Azure, includes a WAF (Azure WAF) built on top of its CDN (Azure Front Door), which is also available with its application delivery solution (Azure WAF on Azure Application Gateway). Microsoft also offers other security products, notably DDoS protection, API security and a security information and event management (SIEM) tool (Microsoft Sentinel).
In the past 12 months, Microsoft has added multiple features. These include a new proprietary WAF engine, updated bot classification and Default Rule Set 2.0, based on Microsoft threat intelligence, which adds anomaly-based scoring and support for JSON and XML through Azure Front Door.
Strengths
Cautions
Radware is a Visionary in this Magic Quadrant. It is trying to apply its differentiated approach to application security, which combines ML techniques and rules, to the cloud WAAP segment. Radware is also heavily invested in providing innovative WAAP form factors for DevOps environments.
Radware is based in Tel Aviv, Israel and Mahwah, New Jersey, U.S. It is primarily known for its DDoS protection (DefensePro and Cloud DDoS Protection Service). Radware offers WAAP in various form factors, including appliances, in a containerized envelope (Kubernetes Web Application Firewall [KWAF]) and as a cloud WAAP service (Cloud WAF Service).
Since the 2021 edition of this Magic Quadrant, Radware has added API threat protection features to its cloud WAAP, including API discovery and automated detection of API changes. It has also introduced a feature that automatically detects potential false positives and notifies customers of potential signature changes to minimize false positives.
Strengths
Cautions
ThreatX is a Niche Player in this Magic Quadrant. This cloud-native security startup vendor, which was launched in 2015 and has its main headquarters in Boston, Massachusetts, U.S., is expanding its operations around the world. It relies on its automated, risk-based classification of events to differentiate itself from other WAAP providers.
The ThreatX WAAP Platform comprises containerized processing units, which can be deployed in various environments, and a cloud-hosted analysis engine. ThreatX offers managed security services, including a 24/7 managed SOC supported by a small team and automated procedures.
Since the 2021 edition of this Magic Quadrant, ThreatX has introduced API discovery, schema ingestion and support for GraphQL, which complement its API protection features by showing discovered API endpoints. It has also made available a modernized Attack Dashboard.
Strengths
Cautions
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Each vendor of a cloud WAAP corresponding to the description in the Market Definition/Description section of this Magic Quadrant was considered for inclusion if:
WAAP and WAF vendors not included in this Magic Quadrant may have been excluded for one or more of the following reasons:
In addition to the vendors included in this Magic Quadrant, Gartner tracks vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or shortcomings in terms of WAAP revenue and/or competitive visibility in WAAP projects. The following merit mention here:
Product or Service: This criterion includes the core cloud WAAP technology offered by the technology provider that competes in and serves the defined market. It also includes current product or service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements and partnerships, as defined in the Market Definition/Description section. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continually deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company’s Ability to Execute. Some key features, such as the ability to support complex deployments (including on-premises and cloud options) with real-time transaction demands, are weighted heavily. Product evaluation also considers other cloud WAAP core security functions. These include DDoS protection services, bot management (such as bad-bot mitigation and good-bot management) and API threat protection, which might be bundled or integrated with WAF features.
This year’s evaluation increases the importance of delivering specialized controls when protecting APIs. Integration with other markets, such as those for cloud access service brokers (CASBs) and application security testing (AST), is evaluated as well, but more lightly.
Overall Viability: This criterion assesses the organization’s overall financial health, and the financial and practical success of the business unit. Also assessed are the likelihood that individual business units will continue to invest in a cloud WAAP, offer cloud WAAP products and advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: This criterion encompasses the technology provider’s capabilities in all presales activities and the structure that supports them. It includes deal management, pricing and negotiation; presales support; and the overall effectiveness of the sales channel. It also includes deal size, and the use of the product or service in large enterprises with critical public web applications, such as banking and e-commerce applications. Low pricing will not guarantee strong execution or client interest. Buyers want good results even more than they want bargains. Buyers balance cloud WAAP security requirements and pricing; they do not consider best pricing only.
For cloud WAAP providers with multiple security products, or a WAAP appliance offering, this criterion also evaluates the ability to craft a pricing model adapted to a cloud WAAP. This model should not inherit characteristics from pricing models used for other product offerings that are unsuitable for a cloud WAAP.
Market Responsiveness/Record: This criterion assesses the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and security trends and customer needs evolve. It includes a vendor’s responsiveness to new or updated web application frameworks and standards, as well as its ability to adapt to market dynamics (such as the relative importance of PCI compliance) and changes. This criterion also considers the provider’s history of releases, but gives greater weight to its responsiveness during the most recent product life cycle.
Marketing Execution: This criterion assesses the clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message. It is aimed at influencing the market, promoting the brand and business, increasing product awareness, and establishing positive identification with the product, brand and organization among buyers. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities.
Customer Experience: This criterion assesses the relationships, products, services and programs that enable clients to be successful with the products that are being evaluated. Specifically, it includes the ways in which customers receive technical support or account support. It can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, and SLAs that enable the organization to operate effectively and efficiently on an ongoing basis.
Operations: This criterion evaluates the organization’s ability to meet its goals and commitments. Factors include the quality of the organizational structure. For vendors with multiple WAAP form factors (such as appliances), this criterion evaluates the organization’s alignment with the offer of a cloud-delivered WAAP. For vendors with a broad security portfolio, it also evaluates the ability to maintain focus on the cloud WAAP service offering.
Evaluation Criteria | Weighting |
---|---|
Product or Service | High |
Overall Viability | Medium |
Sales Execution/Pricing | High |
Market Responsiveness/Record | High |
Marketing Execution | Medium |
Customer Experience | High |
Operations | Medium |
Market Understanding: This criterion assesses the vendor’s ability to understand buyers’ wants and needs, and to translate that understanding into products and services. Vendors with the most vision listen to and understand buyers’ requirements, and can shape or enhance them. They also determine when emerging use cases will greatly influence how the technology has to work. Vendors that better understand how changes in web applications affect security receive higher scores. Trends include cloud, IaaS, agile methodologies, web services and microservices, continuous integration, and the growing importance of APIs.
Marketing Strategy: This criterion looks for a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Assessment includes the vendor’s ability to communicate effectively about how its solution is a good fit for emerging use cases.
Sales Strategy: This criterion looks for a strategy that uses an appropriate network of direct and indirect sales, marketing, service and communication affiliates to extend the scope and depth of a vendor’s market reach, skills, expertise, technologies, services and customer base. The ability to attract new customers who need web application security only is weighted heavily.
Compared with the 2021 edition of this Magic Quadrant, this criterion has been revised to reflect strategies adapted to cloud-delivered WAAP and “as a service” offerings.
Offering (Product) Strategy: This criterion assesses a vendor’s approach to product development and delivery, with an emphasis on differentiation, functionality, methodology and feature sets, in relation to current and future requirements. As attacks change and become more targeted and complex, we give heavy weightings to vendors’ efforts to move their WAAPs beyond rule-based web protections that are limited to known attacks by, for example:
In this year’s Magic Quadrant, we have increased the weighting for delivery of differentiated security controls when protecting APIs, including automated discovery and anomaly detection.
This criterion also evaluates the depth of features provided, especially features that ease management of the solution, and its integration with other solutions, such as SIEM tools, API gateways and other technologies (CASBs, for example).
Vertical/Industry Strategy: This criterion assesses the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. Vendors focusing on a single vertical receive lower scores. Vendors with differentiated vertical strategies and the ability to reproduce success across several verticals receive higher scores.
Innovation: This criterion examines the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes. It includes product innovation and quality differentiators, such as:
Geographic Strategy: This criterion assesses a vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its “home” country or region. This can happen directly or through partners, channels and subsidiaries, as appropriate for the geography and market. This criterion considers a vendor’s infrastructure (POPs), but is not limited to technical components. It also considers how the vendor adapts its strategy to local cloud demands and privacy requirements.
Evaluation Criteria | Weighting |
---|---|
Market Understanding | High |
Marketing Strategy | Medium |
Sales Strategy | Low |
Offering (Product) Strategy | High |
Business Model | Not Rated |
Vertical/Industry Strategy | Low |
Innovation | High |
Geographic Strategy | Medium |
Leaders can shape the market by introducing additional capabilities to their offerings, raising awareness of the importance of those features and being the first to do so. Leaders also meet enterprises’ requirements for different uses of web application security.
Leaders have strong market shares and steady growth, but these alone are not sufficient to qualify as a Leader. Leaders in the cloud WAAP market require strong distributed infrastructure and must ensure high-level security and smooth integration into a web application environment. They also require advanced web application behavior learning; superior ability to block common threats (such as SQL injection [SQLi], cross-site scripting [XSS] attacks and cross-site request forgery [CSRF]), protect custom web applications and avoid evasion techniques; strong deployment, management and real-time monitoring; and extensive reporting. Leaders should also provide, and regularly improve, DDoS protection, and be ahead of the market in terms of bot mitigation and API security capabilities.
In addition to providing technology that is a good match for customers’ requirements, Leaders exhibit superior vision and execution for anticipated requirements, and drive evolution in web applications that requires changes to the security paradigm.
Challengers have a sound customer base, but do not lead in terms of security features. Challengers draw on existing clients from other markets (such as the IaaS and CDN markets) to sell their cloud WAAP technology, rather than competing to win deals through product differentiation. Challengers may be well-positioned and have good market shares in a specific segment of the WAAP market (such as a specific cloud infrastructure segment), but do not address the entire market (and may not be interested in doing so).
Visionaries provide key innovations to address web application security concerns. They devote many resources to security features that help protect critical business applications against targeted attacks. However, they lack the ability to influence a large portion of the market. They either have not expanded their sales and support capabilities on a global basis, or they lack the funding to execute with the same capabilities as Leaders or Challengers. They also have a smaller presence in the cloud WAAP market, as measured by installed base, revenue size or growth, or in terms of overall company size or Gartner’s assessment of long-term viability.
The Niche Players quadrant primarily includes vendors of cloud WAAPs that are a good match for specific use cases (such as PCI compliance) or vendors with a limited reach in relation to cloud WAAP deployments. The cloud WAAP market includes several European and Asian vendors that serve clients in their regions well with local support, and that can quickly adapt their roadmaps to specific needs, but that do not sell outside their home countries or regions.
Even when selling large-scale products, some Niche Players offer features that only suit the needs of SMBs.
Niche Players may also have a small installed base because their cloud WAAP products are recent, in transition, or limited, according to Gartner’s criteria, by various factors. These factors may include limited investment or capabilities, and other inhibitors to providing a broader set of capabilities to enterprises both now and during the next 12 months.
Niche Players may be in the early stages of building a broader product. Inclusion in the Niche Players quadrant does not reflect negatively on a vendor’s value within its more narrowly focused service spectrum.
This Magic Quadrant evaluates vendors of WAAP offerings that are delivered as cloud services (WAAP services), in contrast to previous editions that covered vendors of both appliances and cloud WAAP technologies. This change alters the customer expectations we have considered and the relative positions of evaluated vendors.
WAAP vendors with an existing appliance portfolio are now evaluated primarily for their cloud WAAPs. Vendors are now evaluated against other cloud WAAP vendors only. This changes their positioning, as WAAP appliances are not weighted as in the previous Magic Quadrant.
Gartner’s inclusion and exclusion criteria include a requirement to derive meaningful revenue from outside a vendor’s home region, as well as a requirement for a minimum number of customers for the WAAP service. This has led to the exclusion of some smaller or more regional vendors (see the Honorable Mentions section).
The adjacent WAAP appliance market is closer than the cloud WAAP market to its WAF roots and many of the vendors evaluated in this Magic Quadrant have their appliance technology at the core of their cloud WAAPs. Some organizations continue to select WAAP appliances, instead of cloud WAAPs, to ensure a unified management and reporting console across on-premises and cloud data centers. Additional reasons to use WAAP appliances include insufficient, or a complete lack of, cloud WAAP POPs in a particular country, other local data residency regulations, and discomfort with the consumption-based licensing of cloud WAAPs.
The cloud WAAP market includes historical WAAP appliance providers that are building a cloud presence by using infrastructure as a service (IaaS) and offerings from CDN and IaaS providers. Because many local or platform providers might wrap a WAF around a ModSecurity engine, and use one of the available rule sets, many legacy WAF solutions are available and compete with WAAP offerings. These products are not evaluated in this Magic Quadrant.
Gartner generally recommends that clients consider products from vendors in every part of a Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the cloud WAAP market, which includes many relatively small vendors, as well as larger vendors that derive only a small share of their revenue from cloud WAAP offerings. Product selection decisions should be driven by organization-specific requirements. These relate to factors such as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposure of business-critical and custom web applications, and vendors’ local support and market understanding.
Security managers considering cloud WAAP deployments should first define their deployment constraints, especially their:
The overall cloud WAAP market is mature, though some segments are quite dynamic, such as bot management and API threat protection. Unlike the WAAP appliance market, which is dominated by replacement purchases, the cloud WAAP market continues to experience double-digit growth, thanks to new customers, new applications to protect, and shifts from appliances to cloud-delivered security.
In the past 12 months, cloud WAAP has been the dominant form factor for new deployments in the Americas and EMEA. The remaining WAAP appliance deployments continue to fuel many renewal purchases, especially in the form of virtual appliances. The WAAP appliance form factor is also a serious contender for hybrid deployments.
API security is becoming a key part of WAAP evaluations in situations where WAAP providers compete against more specialized API threat protection vendors. Gartner has observed noticeable improvements in some API protection offerings from vendors evaluated this year. However, API protection features integrated into cloud WAAPs often look like initial versions and tend to lack depth, especially in terms of providing context relevant to API specialists in alerts and business context management for discovery modules. More vendors have introduced decent API discovery capabilities in the past year.
Providers of the more mature bot mitigation modules face reinvigorated competition from the remaining bot mitigation specialists, and have focused their efforts on a few differentiators:
Growth in the use of ML to detect and reduce false positives has leveled off in the past year, with no noticeable improvements and a slight de-emphasization from vendors that reflects general market fatigue about “ML hype.” ML could still be useful to overcome the more complex challenge of managing WAAP configurations at scale, while providing the right combination of change workflow management, reliable configuration auditing and change traceability, and a good mix of global, per-group and per-application settings. However, Gartner has not observed any noticeable improvement in this area.
A growing number of cloud WAAP vendors are adding deployment options for the more automated cloud applications: Kubernetes sidecars, containerized WAAPs and WAAP agents. The future of this segment remains unclear, however. Embedded WAAPs cannot replace cloud-delivered WAAPs for every use case and requirement, such as DDoS protection or the ability to deploy quickly in front of hundreds of applications hosted on various environments.
Distributed WAAPs are intended to improve DevSecOps practices to secure newly developed applications through “shift left” techniques, but they do not address the “shift right” needs of legacy and third-party applications. In future, large enterprises with mature DevOps practices will demand a combination of cloud gateway WAAPs and distributed WAAPs to enable DevSecOps and better protect existing applications.
WAAP controls, deployed closer to the applications they protect, could provide benefits such as:
The most likely scenario for the coming months is that WAAP agents, containers and VMs will be components of an integrated network and distributed WAAP. Centralized but flexible management and monitoring remains one of the biggest challenges for distributed WAAPs to overcome if they are to become a reality at scale. Vendors must also identify which features are most suitable for distributed WAAPs, such as specific, targeted protections for certain workloads, and which should be enforced at the network level, such as API discovery and bot mitigation.
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.