Magic Quadrant for Web Application Firewalls

Published 17 September 2019 - ID G00373533 - 62 min read

Driven by the adoption of cloud web application and API protection services, the web application firewall market is growing. Network and application security leaders need to evaluate how WAFs can provide improved security that’s easy to consume and manage, while respecting data privacy requirements.

Strategic Planning Assumptions

By 2022, web application firewall (WAF) hardware appliances will represent fewer than 10% of new WAF deployments, which is a decrease from today’s 30%.

By 2023, more than 30% of public-facing web applications and APIs will be protected by cloud web application and API protection (WAAP) services, which combine distributed denial of service (DDoS) protection, bot mitigation, API protection and WAFs. This is an increase from fewer than 10% today.

By 2024, most organizations implementing multicloud strategies for web applications in production will use only cloud WAAP services.

By 2024, broader cloud web application security platforms combining API management gateways, WAF and bot management features will protect 20% of public-facing web APIs. This represents an increase from fewer than 5% today.

Market Definition/Description

The WAF market is being driven by customers’ need to protect public and internal web applications. WAFs protect web applications and APIs against a variety of attacks, including automated attacks (bots), injection attacks and application-layer denial of service (DoS). They should provide signature-based protections, and should also support positive security models (automated whitelisting) and/or anomaly detection. WAFs are deployed to protect web applications against external and internal attacks, monitor and verify access to web applications, and collect access logs for compliance/auditing and analytics.

WAFs exist in the form of physical or virtual appliances, and, increasingly, are delivered from the cloud, as cloud web applications and API protection services (e.g., cloud WAAP service). WAFs are most often deployed in-line, as a reverse proxy. This is the easiest way to perform full inspection and policy enforcement. Other deployment options include WAF plug-ins on the top of reverse proxies and load balancers, or out-of-band deployment. The rise of cloud WAAP services performing as reverse proxies by design — as well as the adoption of more-recent transport layer security (TLS) suites that require in-line traffic interception (e.g., man in the middle) to decrypt — has reinforced the use of reverse proxy.

Gartner defines cloud WAAP services as the evolution of the first cloud WAF services (see “Defining Cloud Web Application and API Protection Services”). Cloud WAAP services combine cloud-delivered, as-a-service deployment with a subscription model. Cloud WAAP service providers may offer a managed service, and, for some, it is a mandatory component of such a product.

Some vendors have chosen to leverage their existing WAF solutions, repackaging them as SaaS. This enables vendors to have a cloud WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native WAF service offerings with more-limited protection feature sets. One of the difficulties with this approach is simplifying the management and monitoring console, inherited from the comprehensive WAF appliance feature set to meet clients’ expectations for ease of use, without shrinking security coverage. Mandatory managed security service (MSS) is often an intermediary step in the cloud WAAP service development in which the product is built from a WAF appliance technology.

In the long term, cloud WAAP services, which were built from the beginning to be multitenant and cloud-centric, avoid the costly maintenance of legacy code. They also provide a competitive advantage, with faster release cycles and the rapid implementation of innovative features. Some organizations selecting cloud WAAP services built from WAF appliances do it to acquire a unified management and reporting console, or advanced capabilities (e.g., a positive security model) that cloud-native WAAP services don’t yet offer.

This Magic Quadrant includes WAFs that are deployed external to web applications and are not integrated directly on web servers:

• Purpose-built physical, virtual or software appliances
• WAF modules embedded in application delivery controllers (ADCs; see “M
