Free MS Virtual Machine Images


  • slmgr /rearm – resets the evaluation timer of the trial image for another 90 days (only a limited number of rearms are permitted; slmgr /dlv shows the remaining count). slmgr /ato only attempts online activation and does not extend the trial.



The McKinsey Edge Success Principles from the World’s Most Powerful Consulting Firm – Chapter 9


McKinsey's structure. People who work at the Firm are referred to as consultants regardless of their actual title. Since this is a book on leadership transition, however, I have used many internal job titles to facilitate the discussion and give perspective on the success principles. If you are new to this world the different titles can become confusing, so I have created a simple hierarchical structure to answer the question: what exactly is each level responsible for?

Basic hierarchical structure:

  • Business Analyst (BA): works day to day on a client project, holding a single workstream.
  • Associate (ASC): works day to day on a client project, holding multiple workstreams.
  • Engagement Manager (EM), the leadership transition: leads project teams, interacts with multiple client heads, and facilitates the involvement of McKinsey principals and directors.
  • Associate Principal (AP), the ownership transition: attends multiple existing project discussions, develops new clients, and works as an executive apprentice to principals and directors.
  • Principal: controls new and existing client projects, collaborates with directors, gives direction to teams, and holds shares of the Firm.
  • Director: develops new functional and industry-specific platforms and, together with the other directors, sets the direction of the Firm.

This organisation model is what makes the Firm successful. Consulting sells complex services, and McKinsey sells the most premium of them: a project can take a few months and cost millions. Complex services take more time to sell and require highly sophisticated salespeople. This is true especially for a business-to-business (B2B) franchise: for it to be successful multiple forces must work together, including high brand value, a high-performing culture, top-notch talent, proprietary knowledge resources, a distinctive organisation structure and others. Entrepreneurs say there is always a reason why a business succeeds, and it shows in its business model: how people are able to effectively carry out their given roles. For McKinsey, and for the consulting companies that followed, I believe this success has been the result of a team structure along with its unique problem-solving method, which has been emulated by both other consulting firms and corporations.

In a business built on complex services the salespeople sit at the very top instead of at the bottom. It's awkward at first when you realise this dynamic, especially when you become the engagement manager and have all the people look to you for specific project ownership and leadership. Suddenly you must step up more than just a few steps: as an engagement manager you are nearly forced into a state where you handle everything and are handed the conductor's baton. As you learn more about the Firm and the top management consulting industry, you realise that this is quite a lean and effective business model. It makes sense that highly sophisticated conversations are conducted by the most senior, experienced and trained communication specialists, the directors and senior principals: a two-million-dollar, high-potential engagement is a huge opportunity and must be directed by the best. That is why consultants never really learn the sales function until the very end of their career, and they do so only in its most complex form, which is not the traditional push-sales form but giving clients a reason to say "Sounds interesting, do you want to send a proposal about the framework or approach you just mentioned?" Consultants become adept at giving the tip-of-the-iceberg answers without revealing the entire glacier, leading clients to ask for more. It is a definite skill necessary for complex services. The Firm trains communication skills for many years, and it is so important that even a person who was a high-level senior executive at another company with 15 years of experience, should he or she choose to join the Firm, will need to go through the entire McKinsey learning process from the associate level, though in an accelerated way. In the mind of every consultant lies a deep understanding of how leadership development works: first by building up your fundamental skills and capabilities, in this case problem solving; next by honing your listening and communication over many years; and finally by perfecting your mindset and character in the long run, the hardest things to change. Only then will you have the necessary ability to stand in the circle of leaders.

Although this book is about leadership transition, it is important for you to understand how your organisation is structured and how it should work. Typically, learning about what you sell is a great starting point. Unless you are an entrepreneur, who by definition as founder and CEO is entitled to the leadership position and an understanding of the business model, most people will need to climb their way up, and you need to figure out what forces are at work and how you can be successful in the given position. For example, some McKinsey people leave the Firm upon reaching associate principal because they cannot master or get accustomed to the newly charged sales role; they would rather look for a prominent mid- to back-office, COO-type leadership role. For an organisation structure to work, the people working in it need to be efficiently utilised. Some organisations do a poor job and create massive management overhead problems because the structure does not fit the nature of their business. For example, if your organisation is based on a door-to-door sales model selling kitchen supplies, you don't need many managers over your people; instead you need better training and tools to empower each salesperson and a system that weeds out salespeople who are unfit for the job. McKinsey's organisation model is bound to work given the nature of what it sells. This model also explains why consultants work around the clock: a consultant, regardless of tenure, is tasked with different roles that can be unbounded. Senior leaders need to keep pushing potential client engagements into the pipeline, whether it is sowing time or harvesting time. Engagement managers and below need to help clients justify their cost. The only difference is that senior leaders can control their work time as long as they are pulling in their sales quota, while consultants need to rely on client expectations that are outside their control. This is John Haigh from McGraw-Hill Professional; thank you for listening.

Available Artefacts – Evidence of Execution


This week I have been working a case where I was required to identify users on a Windows Server 2003 system who had knowledge of, or had run, a particular unauthorised executable. As such, I found myself wracking my brain for all the user attributable artifacts which evidence program execution (on an OS I hadn’t analysed for a short while).

Furthermore, David Cowen in his recent Sunday Funday Challenge over at HECFBlog had posed a similar question regarding evidence of execution. With that as my motivation, I set about to document different artifacts which can be used to evidence program execution (both user attributable and otherwise) as available in various different versions of Windows.

I should highlight up front that some really fantastic blog posts from Harlan Carvey, Andrea Fortuna, Corey Harrell and Mary Singh gave me a significant leg up. This isn’t my first time reading any of those posts and I’m sure it won’t be my last. A myriad of other posts assisted in confirming details of specific artifacts and I have referenced those below. The main focus of this post, and particularly the associated table of artifacts, is to serve as a reference and reminder of what evidence sources may be available on a particular system during analysis.

On to the main event. The table below details some of the artifacts which evidence program execution and whether they are available for different versions of the Windows Operating System.


Cells in Green are where the artifact is available by default, note some artifacts may not be available despite a Green cell (e.g. instances where prefetch is disabled due to an SSD)

Cells in yellow indicate that the artifact is associated with a feature that is disabled by default but that may be enabled by an administrator (e.g. Prefetch on a Windows Server OS) or added through the application of a patch or update (e.g. The introduction of BAM to Windows 10 in 1709+ or back-porting of Amcache to Windows 7 in the optional update KB2952664+)

Cells in Red indicate that the artifact is not available in that version of the OS.

Cells in Grey (containing “TBC”) indicate that I’m not 100% sure at the time of writing whether the artifact is present in a particular OS version, that I have more work to do, and that it would be great if you could let me know if you already know the answer!

It is my hope that this table will be helpful to others. It will be updated and certainly at this stage it may be subject to errors as I am reliant upon research and memory of artifacts without having the opportunity to double check each entry through testing. Feedback, both in the form of suggested additions and any required corrections is very much appreciated and encouraged.

Summary of Artifacts

What follows below is brief details on the availability of these artifacts, some useful resources for additional information and tools for parsing them. It is not my intention to go into detail as to the functioning of the artifacts as this is generally already well covered within the references.


Prefetch

Prefetch has historically been the go-to indication of process execution. Prefetch files are written to %SystemRoot%\Prefetch as <EXENAME>-<HASH>.pf, where the hash is derived from the executable's full path, and each file records the executable, the files it touched and its run timestamps. If enabled, it can provide a wealth of useful data in an investigation or incident response. However, since Windows 7, systems with an SSD installed as the OS volume have had prefetch disabled by default during installation. With that said, I have seen plenty of systems with SSDs which have still had prefetch enabled (particularly in businesses which push a standard image) so it is always worth checking for. Windows Server installations also have Prefetch disabled by default, but the same applies.

The following registry key can be used to determine if it is enabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
0 = Disabled
1 = Only Application launch prefetching enabled
2 = Only Boot prefetching enabled
3 = Both Application launch and Boot prefetching enabled
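The check above, as an added example that is not part of the original post: it reads the EnablePrefetcher value and lists the .pf files for one executable name, using file-system timestamps as an approximate first/last run. The target name, $ExeName, is an assumption. Reading the run timestamps held inside the .pf body (which is MAM-compressed on Windows 8 and later) needs a dedicated parser; this script stops at what the OS exposes without one.

```powershell
# Added example, not from the original post. Reports the Prefetch state from the
# registry value above and lists the .pf files for one executable name, using the
# file-system timestamps as an approximate first/last run. Reading the run timestamps
# stored inside the .pf body (MAM-compressed on Windows 8+) needs a dedicated parser;
# this script stops at what the OS exposes without one.
param(
    [string]$ExeName     = 'cmd.exe',                  # assumed target; change as needed
    [string]$PrefetchDir = "$env:SystemRoot\Prefetch"
)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$state = (Get-ItemProperty -Path $key -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
$meaning = @{ 0 = 'Disabled'; 1 = 'Application launch only'; 2 = 'Boot only'; 3 = 'Application launch and boot' }

if ($null -eq $state) {
    Write-Warning 'EnablePrefetcher is not set; the OS default applies (0 on Server SKUs).'
} else {
    "EnablePrefetcher = $state ($($meaning[[int]$state]))"
}

# File names are <EXENAME>-<HASH>.pf; the hash is derived from the full path, so the same
# binary launched from two directories leaves two files.
$pattern = '^' + [regex]::Escape($ExeName.ToUpper()) + '-[0-9A-F]{8}\.pf$'

$files = Get-ChildItem -Path $PrefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern }

if (-not $files) {
    # Absence is not proof of non-execution: Prefetch may be off, or the file may have
    # aged out (the folder is capped at 128 files up to Windows 7, 1024 from Windows 8).
    "No prefetch file for $ExeName on this system."
} else {
    $files | Select-Object Name,
        @{ n = 'FirstSeenUtc'; e = { $_.CreationTimeUtc } },   # creation ~ first run
        @{ n = 'LastWriteUtc'; e = { $_.LastWriteTimeUtc } }   # rewritten ~10 s after each run
}
```

Run it from the console of the system under review (or point $PrefetchDir at a mounted image); the CreationTime/LastWriteTime pair is only an approximation, so confirm with a proper .pf parser before relying on the times.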



ShimCache

The ShimCache (AppCompatCache) is stored in the SYSTEM hive under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (AppCompatibility on Windows XP) and records the path, last-modified time and, on some versions, an execution flag for executables seen by the application compatibility infrastructure. It should be noted that the presence of an entry for an executable within the ShimCache doesn’t always mean it was executed, as merely navigating to it in Explorer can cause it to be listed. Additionally, Windows XP ShimCache is limited to 96 entries; all versions since then retain up to 1024 entries (512 on some 32-bit releases).

ShimCache has one further notable drawback. The information is retained in memory and is only written to the registry when the system is shut down, so the on-disk hive lags the live state. Data can be retrieved from a memory image if available.



MUICache

Programs executed via Explorer result in MUICache entries being created for the user responsible. On Windows XP the key lives in NTUSER.DAT (HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache); from Vista onwards it is in UsrClass.dat (HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache). Entries carry no per-item timestamp, so the artifact evidences that a user ran the program but not when.


Amcache / RecentFileCache.bcf

Amcache.hve within Windows 8+ and RecentFileCache.bcf within Windows 7 (both under C:\Windows\AppCompat\Programs\) are two distinct artifacts which are used by the same mechanism in Windows to track application compatibility issues with different executables. As such they can be used to determine when an executable was first seen by that mechanism. Note that Amcache also records binaries that were installed or scanned but never run, so corroborate a "first run" conclusion with another artifact.


Microsoft-Windows-TaskScheduler (200/201)

The Microsoft-Windows-TaskScheduler/Operational log (specifically event 200, action started, and event 201, action completed) can evidence the starting and stopping of an executable which is being run as a scheduled task. Task history is disabled by default on some versions (notably Windows 10), so the log may be empty even where tasks have run.


LEGACY_* Registry Keys

Applicable to Windows XP/Server 2003 only, this artifact is located in the SYSTEM registry hive under ControlSet00X\Enum\Root\LEGACY_<SERVICENAME>. These keys can evidence the running of executables which are installed as a service, and the key's last-write time gives an indication of when the service was first started.


Microsoft-Windows-Application-Experience Program-Inventory / Telemetry

Both of these system logs are related to the Application Experience and Compatibility features implemented in modern versions of Windows.

At the time of testing I find none of my desktop systems have the Inventory log populated, while the Telemetry log seems to contain useful information. I have however seen various discussion online indicating that the Inventory log is populated in Windows 10. It is likely that my disabling of all tracking and reporting functions on my personal systems and VMs may be the cause… more testing required.


Background Activity Monitor (BAM)

The Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) keys are held in the SYSTEM registry hive (HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID> on 1709–1803, bam\State\UserSettings\<SID> from 1809); however, as entries are recorded under the SID of the associated user, the artifact is user-attributable. Each value name is the path of an executed file and the value data holds its last execution date/time.

It was introduced to Windows 10 in 1709 (Fall Creators update).
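A parser for the BAM keys, as an added example that is not part of the original post. It assumes the layout used by current builds: one subkey per user SID, one REG_BINARY value per executable, with a little-endian FILETIME of the last execution in bytes 0–7; the housekeeping values BAM keeps alongside (Version, SequenceNumber) are skipped.

```powershell
# Added example, not from the original post. Dumps BAM entries for every user SID on
# the live system. Layout assumed: value name = executable path (in \Device\HarddiskVolumeN
# form), value data = REG_BINARY whose first 8 bytes are a little-endian FILETIME of the
# last run. Both the 1709-1803 and the 1809+ key locations are tried.
$roots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',   # 1809 and later
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'          # 1709 - 1803
)

function Convert-SidToName([string]$sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # deleted accounts or foreign domains stay as the raw SID
}

$results = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($userKey in Get-ChildItem -Path $root) {
        $sid  = $userKey.PSChildName
        $name = Convert-SidToName $sid
        foreach ($valueName in $userKey.GetValueNames()) {
            $data = $userKey.GetValue($valueName)
            # Version / SequenceNumber are DWORDs; real entries are binary blobs >= 8 bytes
            if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }
            $ft = [BitConverter]::ToInt64($data, 0)
            $lastRun = try { [DateTime]::FromFileTimeUtc($ft) } catch { $null }
            [pscustomobject]@{
                User       = $name
                Sid        = $sid
                Executable = $valueName
                LastRunUtc = $lastRun
                Source     = $root
            }
        }
    }
}

$results | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

The same logic applies to an offline SYSTEM hive once it is loaded with reg load under a temporary name; change $roots to that mount point. Remember that BAM only keeps the most recent run per executable and per user, so it shows the last time, not the first.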


System Resource Usage Monitor (SRUM)

Introduced in Windows 8, this Windows feature maintains a record of all sorts of interesting information concerning applications (per-application network and resource usage, aggregated roughly hourly) in the ESE database C:\Windows\System32\sru\SRUDB.dat, and can be used to determine when applications were running and under which user SID.



Timeline

In the Windows 10 1803 (April 2018) Update, Microsoft introduced the Timeline feature, and all forensicators did rejoice. This artifact is a goldmine for user activity analysis and the associated data is stored within an ActivitiesCache.db SQLite database located within each user's profile (under %LocalAppData%\ConnectedDevicesPlatform\).


Security Log (592/4688)

Event IDs 592 (Windows XP/2003) and 4688 (everything since) are recorded within the Security log on process creation, but only if Audit Process Creation is enabled. The 4688 event names the new process, its parent and the account responsible; the command line is only included when the "Include command line in process creation events" policy is additionally turned on (Windows 8.1/Server 2012 R2 and later, or earlier systems with the corresponding update).


System Log (7035)

Event ID 7035 within the System event log is recorded by the Service Control Manager when a start or stop control is sent to a service, and 7036 when the service enters the running or stopped state. As such they can be an indication of execution if the associated process is registered as a service. On Vista and later, event 7045 (a service was installed) is also worth checking, as it records the service's image path at installation time.
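The three event-log sources above (TaskScheduler 200, Security 4688, System 7035/7036/7045) queried for one executable name, as an added example that is not part of the original post. $ExeName and $Days are assumed inputs; the script needs an elevated session for the Security log and can only find what was being logged at the time (Audit Process Creation, task history). Event 592 on XP/2003 has a different data layout and is not handled.

```powershell
# Added example, not from the original post. Collects evidence of execution for one
# executable name from the Security, TaskScheduler and System logs on the local system.
param([string]$ExeName = 'cmd.exe', [int]$Days = 30)   # assumed inputs

$since = (Get-Date).AddDays(-$Days)

function Get-EventData($record) {
    # Flatten <EventData><Data Name="x">v</Data> into a hashtable keyed by Name
    $xml = [xml]$record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    return $h
}

# Security 4688: NewProcessName is the full path; CommandLine is present only when the
# "Include command line in process creation events" policy is enabled.
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['NewProcessName'] -like "*\$ExeName") {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security/4688'
                User = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Detail = $d['NewProcessName']; CommandLine = $d['CommandLine'] }
        }
    }

# TaskScheduler 200: ActionName is the executable the task launched; log may be disabled.
$task = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 200; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['ActionName'] -like "*$ExeName*") {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'TaskScheduler/200'; User = $_.UserId
                Detail = "$($d['TaskName']) -> $($d['ActionName'])"; CommandLine = $null }
        }
    }

# System 7045 carries the service image path in its message; 7035/7036 only name the
# service, so they match here only when the service name itself contains $ExeName.
$svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045, 7035, 7036; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ExeName*" } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Source = "System/$($_.Id)"; User = $_.UserId
            Detail = ($_.Message -split "`r?`n")[0]; CommandLine = $null }
    }

@($sec) + @($task) + @($svc) | Sort-Object Time | Format-Table -AutoSize -Wrap
```

To run the same queries against exported .evtx files, swap -FilterHashtable's LogName for Path='<file>.evtx' on each call; once 7045 has revealed the service name of the binary, a second pass over 7035/7036 on that name gives its start/stop history.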



UserAssist

Within each user's NTUSER.DAT the UserAssist key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count) tracks execution of GUI applications launched via Explorer. Value names are ROT13-encoded program paths, and the value data holds a run count and a last-executed timestamp, so the artifact gives who, what, how often and when.
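A decoder for the UserAssist entries of the current user, as an added example that is not part of the original post. It assumes the two known data layouts: on Windows 7 and later a 72-byte record with the run count at offset 4 and the last-executed FILETIME at offset 60, and on XP a 16-byte record with the count at offset 4 (stored 5 higher than the real value) and the FILETIME at offset 8.

```powershell
# Added example, not from the original post. Decodes the current user's UserAssist
# entries from the live registry: ROT13 value names, run count and last-run time.
function ConvertFrom-Rot13([string]$s) {
    $chars = $s.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }   # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }   # a-z
        else                               { [char]$c }                           # digits, punctuation, GUID braces
    }
    -join $chars
}

function Get-UserAssist {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $item = Get-Item -Path (Join-Path $guidKey.PSPath 'Count') -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = $item.GetValue($name)
            if ($data -isnot [byte[]]) { continue }
            $entry = [ordered]@{ Guid = $guidKey.PSChildName; Name = ConvertFrom-Rot13 $name }
            if ($data.Length -ge 68) {            # Vista/7+ layout (72 bytes)
                $entry.RunCount = [BitConverter]::ToInt32($data, 4)
                $ft = [BitConverter]::ToInt64($data, 60)
            } elseif ($data.Length -eq 16) {      # XP layout
                $entry.RunCount = [BitConverter]::ToInt32($data, 4) - 5
                $ft = [BitConverter]::ToInt64($data, 8)
            } else { continue }                   # unknown layout, skip rather than guess
            $entry.LastRunUtc = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
            [pscustomobject]$entry
        }
    }
}

Get-UserAssist | Where-Object { $_.RunCount -gt 0 } | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

Decoded names often start with a known-folder GUID (for example {1AC14E77-...} for System32) rather than a drive letter; entries with a zero count and no timestamp are placeholders Explorer pre-creates and are filtered out above. For another user's hive, load the NTUSER.DAT with reg load and point $base at the temporary key.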



RecentApps

The RecentApps key (HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps) is located in the NTUSER.DAT associated with each user and contains a record of their… recent applications. Each subkey holds the application path, a launch count and a last-accessed timestamp, and the presence of a subkey associated with a particular executable evidences the fact that this user ran the executable.



Jumplists

Implemented in Windows 7, Jumplists are a mechanism by which Windows records and presents recent documents and applications to users. Located within individual users' profiles (%AppData%\Microsoft\Windows\Recent\AutomaticDestinations), each file is named after the AppID of the application that created it, so the presence of an AutomaticDestinations file, or of references to executable(s) within its embedded LNK streams, can be used to evidence the fact that they were run by the user.



RunMRU

The RunMRU is a list of commands typed into the Run box on the Start menu and is recorded within the NTUSER.DAT associated with each user (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU). Commands referencing executables can be used to determine if and how the executable was run and which user account was associated with running it; the entries carry no individual timestamps, so "when" is limited to the key's last-write time, which applies only to the most recently added entry (the first in MRUList).


AppCompatFlags Registry Keys



Anti-Virus / EDR Logs

Various Anti-Virus, Intrusion Detection and Endpoint Detection and Response (EDR) solutions may provide evidence of program execution. It is recommended to identify and analyse any associated logs, and note that some logging may be centralised on a management server or SIEM rather than held on the host.

Repeating the appeal earlier in this post, feedback, suggested additions and corrections are very welcome!

Open Source Threat Intelligence feeds (draft)



  1. Spamhaus
  4. File Names
  5. Indicators of Compromise
    1. File Names
    2. IPs
    3. URLs
    4. Domains
    5. File Hash
    6. Yara Rules
Group name | Reconnaissance                           | Credential harvesting
Tick       | whoami, procdump, VBS                    | WCE, Mimikatz, gsecdump
Waterbug   | systeminfo, net, tasklist, gpresult      | WCE, pwdump
Suckfly    | tcpscan, smbscan                         | WCE, gsecdump, credentialdumper
Fritillary | PowerShell, sdelete                      | Mimikatz, PowerShell
Destroyer  | Disk usage, event log viewer             | kerberos manipulator
Chafer     | network scanner, SMB bruteforcer         | WCE, Mimikatz, gsecdump
Greenbug   | Broutlook                                | WCE, gsecdump, browdump
Buckeye    | os info, user info, smb enumerator       | pwdump, Lazagne, chromedump
Billbug    | ver, net, gpresult, systeminfo, ipconfig | (none listed)
Appleworm  | net, netsh, query, telnet, find          | dumping SAM

EDR — Benefits, Concerns and Issues


Published 17 July 2018 – ID G00319345 – 23 min read

Security and risk management leaders increasingly look for detailed visibility, actionable insight and tailored remediation endpoint capabilities. But misunderstanding and overestimating the capabilities of EDR offerings and the effort needed to leverage them can cause more issues than they solve.


Key Findings

  • Endpoint detection and response (EDR) solutions remain very complex to operate.
  • For all the vendor and industry talk of AI and machine learning, EDR solutions continue to rely primarily on the oversight of highly skilled humans to identify and resolve issues.
  • Typical organizations that face normal budget and staffing challenges are ill prepared to leverage and maximize the benefits of EDR solutions by themselves.
  • Organizations with low maturity endpoint maintenance and management programs experience higher EDR workloads.
  • Detecting and responding to incidents or events caused by vulnerable applications or operating systems reduces the value of having an EDR solution relative to a vulnerability-scanning platform.
  • Managed EDR solution provider capabilities vary dramatically among vendors and regions.


SRM leaders who are weighing the deployment of an EDR solution must:
  • Establish well-defined security operations and incident response programs with mature vulnerability and patch management processes already in place.
  • Focus on post-event analysis and response capabilities rather than active hunting, detection and response; this is especially true for Type B and Type C organizations.
  • Deploy EDR as an active detection and response platform and plan to incorporate a managed EDR solution to complement their internal capabilities.
  • Shortlist providers that offer technical assistance in incident response to supplement staffing.


Organizations have long had the ability to look at detailed log and forensics data from their network and perimeter solutions. Operational data from firewalls, gateways, proxies, networks and other sources have been part of the routine post-event forensics analysis process for many years, with organizations often leveraging security information and event management (SIEM) solutions as their central repository and analysis platform.
Until the advent of EDR, the traditional approach of collecting forensic data from endpoints has been on a reactive basis, where a forensics tool would be deployed to target post-event endpoints and the data collected would depend on what the operating system logged. EDR provides organizations deep granular endpoint data that they have been accustomed to getting from network and perimeter solutions.

Table 1: EDR — An Overview of Principal Benefits, Concerns and Issues

Benefits
  • Recording of context-rich endpoint event and state information.
  • Option to store collected data on endpoints themselves, centralized servers, the cloud or as a hybrid of these.
  • Data retention periods can support the operational needs of different organizations.
  • Ability to search collected data to identify issues on one or many endpoints at a time.
  • Currently available solutions now appeal to a broad segment of organizations with differing technical abilities.

Concerns
  • Pricing of EDR solutions remains at a premium.
  • Requires the installation, management and updating of yet another agent.
  • Support of EDR capabilities varies by platforms and versions of operating systems.
  • Requires staff with strong knowledge of endpoint operations to obtain benefits.
  • AI and machine learning remain mostly marketing terms rather than actual product capabilities.

Issues
  • Incident data collection and analysis occur post-event with limited automated incident response capabilities.
  • EDR provides very limited to no contextual insight outside of the endpoint data it collects, requiring manual intervention to correlate data with such external sources as firewalls, CASB, etc.
  • Knowledgeable staff with EDR experience are extremely difficult to find and come at a premium.
  • Vendors and managed service providers offer staff augmentation, but capabilities and costs vary dramatically.
  • Contrary to many clients’ understanding of the products, EDR does not resolve fundamental security and operational issues within organizations, nor does it eliminate the need for basic hygiene and patching.
Source: Gartner (July 2018)

EDR Benefits

EDR agents are akin, in their most basic form, to flight data recorders, or “black boxes,” on airplanes. Black boxes record all of the technical and operational data of aircraft including heading, speed, altitude; positioning of the landing gear, ailerons, flaps; weight, center of gravity; plus much other technical data including pilot conversations. Black boxes do not record passenger conversations.

EDR Solutions

EDR solutions record the technical and operational data of endpoints, including IP, MAC and DNS data, connected USB device information, network connections and ports, running processes, device drivers, threads and their related metadata, Windows services, loaded DLLs, CMD and PowerShell command history, memory contents and much more. EDR solutions do not record such application data as what is typed in a Word document or email, although they may scan files for malicious macros. EDR solutions can store all of this data, or only the most critical elements, on on-premises servers, on the endpoints themselves, in the cloud or as a hybrid of these, depending on the vendor's solution.
This data is typically stored for a period ranging from a few days to several months. EDR solutions provide organizations with the ability to analyze and search such detailed endpoint data by using filters and Indicators of Compromise (IOC) along with other data sources and search parameters.
Organizations can use EDR solutions to search for traces of malicious software and activity, patching data and other endpoint-related activities and can even help answer such day-to-day operational questions as how often a particular application has been used in the past month on a single endpoint or on all the endpoints in a department or across the organization. The questions that can be answered with an EDR solution are quite boundless, but most organizations use EDR specifically to address security-related questions, because that is where EDR solutions provide some of their unique visibility and insights — and ultimate value.
Most, but not all, EDR solutions provide capabilities that can manually or automatically remediate, or trigger remediation processes for, alert conditions on endpoints, either from within the product or through integration with third-party tools such as system patching and updating solutions. Levels of capability vary dramatically between vendor offerings. One example of an automated remediation is one in which, on the detection of ransomware activity on an endpoint, the network drivers for that endpoint are disabled to prevent the spread of the ransomware.

EDR Appeal Crossing Organizational Types

EDR solutions have become more broadly available from both next-generation vendors and traditional endpoint protection platform (EPP) providers. As a result, EDR solutions have transitioned their appeal from being the sole purview of Type A (lean-forward or leading-edge) organizations to Type B and even Type C organizations.
Type A organizations represent the smallest group of organizations. They adopt new technologies very early in the adoption cycle and have the budgeting and staffing resources to configure and implement new technologies and solutions rapidly within their environment. These organizations tend to focus on best-of-breed solutions that best address their business, technology and security needs and have the capacity to integrate, develop and build custom-made components as required. They see the use of technology as a competitive differentiator. Their tolerance for operational risk is high and their approach to technology change is to run projects in parallel by tasking multiple teams to work on technology and business changes simultaneously.
Type B organizations represent the largest group of organizations. They typically experience budgeting and staffing resource constraints and, as a result, focus on overall value by weighing the risks of the early use of new technology against the benefits. Their goal is to stay relatively current on technology without getting too far ahead of or behind their competition and focus on technology deployments that improve their organization’s productivity, product quality, customer service and security. Type B organizations typically wait for a technology to become mainstream before considering implementation. They tend to be moderate in their approach, frequently using benchmarks within their industry to justify their investments in technology. Type B organizations balance innovation with reasonable caution when selecting new solutions. This is the highest growth market for EDR at this time.
Type C organizations represent the second-largest group. They typically view technology as an expense or operational necessity and use it as a means to reduce costs. These organizations experience severe budgeting and staffing resource constraints and, as a result, prefer simple-to-deploy and -use integrated solutions with managed service add-ons that can best complement their minimal staff. These organizations wait for technologies to become absolutely stable and for costs to acquire and operate to reach the lowest quartile before committing to purchase. They focus on prevention rather than on detection and response capabilities and on solutions that are integrated and offer a complement of managed services. EDR is typically deployed in Type C organizations when available in conjunction with an EPP solution. This market is one that demonstrates very slow growth for EDR.

EDR Concerns

EDR solutions provide enhanced capabilities over traditional endpoint security solutions and can create a force multiplier of staff, but these capabilities have their drawbacks.

EDR Capabilities Come at a Significant Cost

While product costs have on average dropped by roughly 35% per year over the past four years, products remain priced at a premium versus other endpoint solutions even today. They typically range from one to three times the cost of a traditional full EPP suite.
Many of the renewal quotes that Gartner has reviewed over the past 18 months do not always show pricing reductions that are in step with the market. This means that organizations that are renewing an EDR solution originally acquired three years earlier often have to put in significant effort to push pricing down to today’s market price averages (typically seen in new deployment quotes). The initial quote offered for a renewal is often only slightly reduced or perhaps offered at exactly the same or even slightly higher pricing than what was negotiated in the initial purchase several years earlier.

EDR Agent

An additional cost to consider is the distribution of yet another endpoint agent. While most EDR agents are relatively small and represent minimal impact on system memory and CPU resources, they do represent another component that needs to be distributed and managed on the endpoint. While there have been minimal reports of agent issues due to updates of endpoint software components or the operating system itself, from time to time clients have reported issues that have temporarily locked systems until refreshed.
Significant capability differences also exist between EDR agents available by vendors for Windows 10, 8, 7, XP (if available); Windows Server version; Mac and Linux. Mobile device agents are currently not available or offer very elementary capabilities. Some EDR agents can record only some of the endpoint activities on some operating systems and not on others. Other agents have limited or no prevention or remediation capabilities on some platforms. This can result in a patchwork of security solutions that are inconsistent across organizational assets.
Finally, EDR solutions can only monitor systems that have the EDR agent installed. That can limit visibility in an environment containing populations of BYOD where the EDR agent has not been deployed. Plus EDRs for cloud workloads like containers and Internet of Things (IoT) devices are currently not available, which limits visibility into critical operational components.

Perceived Versus Actual Implementation

A simple way to explain the perceived versus the actual implementation of an EDR solution is by way of an analogy. I enjoy fishing. My young son also enjoys fishing. Our idea of father-and-son fishing is quite simple: My son gets his movie-character-themed fishing rod, we buy a small container of worms and we visit my friend at his lakefront cottage. We fish right off the dock. Within 10 minutes, my son usually has caught nearly a dozen fish — admittedly very small fish — but the excitement and energy are at a high peak. After that engaging means of activity, he is pretty much done fishing for the day. As far as fishing is concerned, we accomplished our goal with minimal effort and maximized our fun in the process. Success!
Most organizations expect their EDR solutions to operate in a very similar way to my son’s experience of fishing. Open up the console, have just about anyone enter “ransomware” or some other generic search term and all of the key events will be triaged and organized from severe to benign with a pull-down list of automated and contextualized remediation conveniently available right beneath their fingertips. All that is left to do is to click away and all the organization’s security problems will be solved. Unfortunately, the reality is quite different.
While it is true that many EDR solutions now provide simple guided search operations, most organizations still do not know what they really need to search for. Also, reviewing an event and gaining even a basic understanding of what it means, triaging it, assigning a severity and then determining the best course of action all remain the responsibilities of the console operator.
Continuing with the fishing analogy, operating an EDR solution is in fact much more like my experience of fishing with my friend. He is by all accounts a truly expert fisherman. He could easily have his own TV show if only he had better jokes. When I go fishing with him, it is a lot of work for me. It turns out that fishing is serious business after all — and it requires a lot of planning.
The first question he always asks me is, “Which fish do you want to catch today?” My answering “the one that lives in the water” is never a good reply and puts a serious damper on the start of our day. So I have learned over the years to turn the tables around and use his expert knowledge to start things off in a better way to help me determine what fish we should be fishing for that day. I start by asking him questions like: “Which fish can we find in this lake?” “Which of these fish would be most active based on the time of the day we will be going out?” “Which fish would be most active based on the temperature, position of the sun, the wind, etc.?”
In fact, I am using my friend to guide me down the assessment process to identify our target fish. Once we have determined the fish we are looking to catch, I then use my friend to guide me down the next set of decisions, such as where we will go to catch this fish, which rod, line, lure, etc. we will use, at what depth we will cast our lines and so on. He is my expert coach and without his help I would never have any hope of actually catching the fish we had decided was our target for that day.
While EDR solutions are being sold and deployed in more typical Type B and some Type C organizations, the unfortunate truth is that, even with all the marketing emphasis and industry talk of AI and machine learning being applied within EDR solutions, AI and ML are still at a very early stage of maturity, and EDR vendors still expect your organization to have talented experts operating the console.

AI and ML Gone Missing

Today, EDR solutions do not come with an EDR version of my friend bundled in like an “analyst in the box.” They do not come with a coach to guide you through various analysis or decision trees within their products directly unless they are directly bundled with a managed detection and response offering, which is a fancy way of saying that they will provide talented staff to help you with your EDR deployment.
AI and ML are overhyped and overused marketing terms that unfortunately do not have any standardized connotations regarding actual capabilities within EDR solutions. As a result, each vendor claim must be thoroughly vetted to ensure that the organization’s understanding of the capabilities provided by the solution is in fact realized in the product.
The unfortunate reality is that operating EDR for most organizations is more like my going fishing without my friend and expecting to catch the target fish with zero experience, knowledge or the proper tools: essentially relying on just plain luck. EDR provides very rich and very complex data that requires advanced knowledge, understanding and experience to analyze and understand.
This is why most Type B and Type C organizations — often after several months of frustration — tend to eventually reconsider their EDR deployment as an incident-response-focused solution rather than as a platform by which they are guided in their efforts to conduct active threat hunting, detection and response, because they lack those capabilities.
Using an EDR solution as a post-event endpoint data analysis tool is the way the majority of organizations end up using their EDR deployment. However, this is not usually what organizations had in mind when they originally purchased their EDR solutions.

Cloud or On-Premises

As noted previously, EDR solutions can store all, or only the most critical, of the data elements they collect either on an on-premises server, on the endpoint itself, in the cloud or in a hybrid of these, depending on the vendor solution. The typical concern over storing data in the cloud relates to the disclosure of sensitive data about the day-to-day operations of endpoint software to a third party outside the organization. While most organizations have embraced cloud-based solutions for many of their IT and security workload needs, some types of clients in specific verticals still prefer to maintain their data on-premises or within specific geographies when using the cloud.
Most vendors cannot accommodate specific geographic requirements such as hosting both data collection and analysis outside the U.S., which can affect data compliance requirements within regions. The main benefits of cloud storage, however, include lower complexity in deploying solutions, elimination of on-premises server hardware, software and maintenance, ease of scaling to larger or smaller workloads, and access to data even when an endpoint is off or is compromised. These benefits come at a cost.
Cloud storage requires that organizations decide on their retention periods upfront. Retention periods can be from a few days all the way up to six months. The longer the retention period, the more visibility into past events and also typically the higher the cost for storing data. The upload of the endpoint data to the cloud can have an impact on outbound data throughput. While some solutions offer compressed data streams or a form of load balancing of data upload over longer periods of time, large environments with restricted networks or chokepoints can experience bursting issues.
Cloud-based solutions can also pose challenges in the integration of security and operational data from other existing solutions, such as directory and inventory services, network devices, perimeter solutions and SIEMs, as well as in creating workflows with ticketing, update and patching systems. They may require opening additional connections and ports on the perimeter to support uni- or bidirectional communications.

EDR Issues

EDR solutions provide visibility into how an event occurred and, as a result, can tell an endpoint’s overall story. These findings can be used to help determine the overall condition of the endpoint, the potential root cause and also whether other endpoints within the environment exhibit similar symptoms. A remediation can then be put into action using EDR and other solutions. This is the good side of EDR.

Getting to the Root of Problems

In a typical incident-response-focused deployment, this analysis, or creating the narrative of the story line, is conducted some time after a situation has taken place and may have already spread. The trigger of the investigation is often a user reporting an issue with the system or perhaps the operations team noticing a degradation of service. In this manner, EDR is used to review the events leading up to the issue and to assist in determining the root cause.
EDR does speed up this investigative process, but there is still a high level of skill involved in performing the investigation. Given enough time, even a poorly staffed EDR solution can successfully search the collected endpoint data and resolve some issues because it is limited to the investigation of a clearly identified target. While this approach resolves issues and does provide value, it rarely elevates an organization’s overall security posture, as it is a very reactive and inconsistent approach to security. It also does not provide for the proactive detection and containment of threats in real time, which means an organization will remain vulnerable to evolving threats.
Most EDR solutions provide very limited note taking within events, workflow tracking, ticketing (internal or external) or even basic role-based access control (RBAC) to assign specific administrative and oversight entitlements to EDR operations staff or a managed service provider. This lack of capabilities results in a poor experience when investigating events that require multiple analysts to resolve, such as after-hours investigations, leveraging a managed service or third-party incident response provider or when there is a need to create an action that is outside the EDR solution itself, such as when an update or patch is required on an endpoint.
Third-party integration, when available, is conducted through APIs and typically requires knowledgeable staff to code the integration or a consulting engagement with a third party to build the component. Report generation is usually focused on the technical aspects of incidents that are difficult to communicate to other stakeholders within the organization, such as line of business leaders and senior management.
EDR solutions rarely incorporate critical asset data such as “this system belongs to the CEO” or “this system holds PCI data,” or activity data sourced from other solutions in the organization, such as Active Directory information, network and firewall logs and other data sources, to help prioritize events. EDR operators often have to connect to multiple consoles to pull this asset data and any operational and risk-related data, and have to use external systems to keep track of their investigations. And although user and entity behavior analytics (UEBA) have become integrated with many security solutions, EDR has yet to leverage this innovative and potentially valuable source of data analysis.

Do You Patch?

Type B and Type C organizations often struggle with system management, patching and updating. This results in environments that have limited protections even against well-known vulnerabilities and threats.
Organizations deploying EDR solutions in such environments can expect to experience significantly increased strain on the operations staff and systems responsible for endpoint management, because many of the resolutions to issues identified by EDR are to remove malicious software, patch or update an application or service, or perhaps even reimage an entire system where no other option is possible, which can result in data loss if the system was not backed up.
Using EDR to catch basic threats that should be blocked by baseline security hygiene measures is the wrong use of EDR. Doing so will ultimately not result in a better security posture for the organization.

Can You Staff?

Many Type B organizations struggle with finding operational budgets to adequately staff an EDR deployment and have difficulty in finding qualified individuals with the depth of knowledge and experience required to operate an EDR solution even on a basic level. While organizations are typically capable of finding perimeter security or network security staff at reasonable market rates, the skills required to do perimeter or network analysis tasks are not easily transferable to endpoints.
Perimeter and network event data differ greatly from endpoint software operations collected by an EDR solution and, as a result, perimeter or network staff require significant training to become proficient in understanding, analyzing and remediating endpoint issues. Endpoint experts with experience with EDR deployments remain rare commodities.

Augmenting Your Staff

Managed security services (MSS) have been part of the security outsourcing landscape for many years, taking care of the day-to-day operations of IT and IT security solutions within their client organizations. A new breed of MSS that offers managed EDR has evolved over the past few years to address skills and staffing shortages in this market. These solution providers often offer one or more tiers of services with different SLAs and capabilities.
One example is that of a very high-level and low-touch model, where the role of the service provider is to act more like a backup or supplement to an already-staffed EDR operations team. In this capacity, they do not perform day-to-day activities but rather offer additional oversight and reporting and can complement the existing client’s team during incidents. This form of managed EDR is typically inexpensive and includes retainer fees when additional assistance is required by the client, such as during the response to an incident.
Another example, at the other extreme, is that of a low-level very high-touch model where the solution provider, from a remote office, actively investigates security threats using data collected by the EDR and other security solutions and programmatically contains or mitigates threats using the elements that make up the security technology stack in the client’s environment. In this capacity, the solution provider is an integrated extension of a client organization’s existing capabilities. This form of managed EDR is typically significantly more costly and can run many times the cost of the EDR solution itself, depending on the capabilities required.
Managed EDR solutions have become more widely available over the past 18 months, with some EDR vendors providing their own capabilities themselves or via their reseller or system integrator network. However, the quality and availability of the detective, investigative and remediative services vary dramatically between vendors and regions.

Vendor Lock-In and Vendor Risk

Over time, EDR solutions become intertwined with security and operations teams, and it becomes difficult to switch to another vendor, especially when a lot of customized scripts for responses and workflow have been created, because of the amount of work required to re-create them. While this isn’t necessarily bad, there are currently too many vendors in this market and many will not survive long term. Also, exit paths for small vendors are limited, because all of the existing incumbent EPP vendors have already created their own EDR solutions, and acquisition by an incumbent is traditionally the exit path for small vendors.
This means that vendors who have traction currently either have IPO ambitions or are opting to go for additional series of venture-capital-backed funding to fuel growth. Vendors who have not secured market share or a niche of client deployments are at risk. Clients using these vendors should consider establishing plans in the event that their vendor disappears.

EDR Does Not Mean Protection Is Improved

Organizations need to consider all of the factors highlighted in this research when contemplating an EDR solution to ensure that their EDR deployments meet their operational and security ambitions. Deploying an EDR solution in and of itself does not eliminate the need to deploy other security solutions, nor does it imply that security will improve without significant effort or cost.


Over 700 inquiry calls on the topic of EDR.
Analysis as part of the EPP Magic Quadrant and EPP Critical Capabilities

Gartner – Magic Quadrant for Web Application Firewalls

The WAF market is growing, driven by the adoption of cloud WAF services. Enterprise security teams should use this research as part of their evaluations of how WAFs can provide improved security that’s easy to consume and manage, while respecting data privacy requirements.

Strategic Planning Assumptions

By 2020, stand-alone web application firewall (WAF) hardware appliances will represent fewer than 20% of new WAF deployments, which is a decrease from today’s 35%.
By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection and WAFs. This is an increase from fewer than 10% today.

Market Definition/Description

This document was revised on 3 September 2018. For more information, see the Corrections page.
The web application firewall (WAF) market is being driven by customers’ needs to protect public and internal web applications. WAFs protect web applications and APIs against a variety of attacks, including automated attacks (bots), injection attacks and application-layer denial of service (DoS). They should provide signature-based protection, and should also support positive security models (automated whitelisting) and/or anomaly detection.
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs exist in the form of physical or virtual appliances, and, increasingly, are delivered from the cloud, as a service (cloud WAF service). WAFs are most often deployed in-line, as a reverse proxy, because, historically, that was the only way to perform some in-depth inspections. There are other deployment options. The rise of cloud WAF services, performing as reverse proxies by design, and the adoption of more-recent transport layer security (TLS) suites that require in-line traffic interception (man in the middle) to decrypt, have reinforced the use of reverse proxy.
Cloud WAF service combines a cloud-delivered as-a-service deployment with a subscription model. Cloud WAF service providers may offer a managed service, and, for some, it is a mandatory component of using the WAF. Some vendors have chosen to leverage their existing WAF solutions, repackaging them as SaaS. This enables vendors to have a cloud WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native WAF service offerings with a more limited feature set. One of the difficulties with this approach is simplifying the management and monitoring console, inherited from the comprehensive WAF appliance feature set to meet clients’ expectations for ease of use, without shrinking security coverage. Gartner defines cloud web application and API protection (cloud WAAP) services as the evolution of existing cloud WAF services (see “Defining Cloud Web Application and API Protection Services”). In the long term, cloud WAF services, which were built from the beginning to be multitenant and cloud-centric, avoid costly maintenance of legacy code. They also provide a competitive advantage, with faster release cycles and rapid implementation of innovative features. Some organizations consuming cloud WAF services built from WAF appliances do it to acquire a unified management and reporting console.
This Magic Quadrant includes WAFs that are deployed external to web applications and not integrated directly on web servers:
  • Purpose-built physical, virtual or software appliances
  • WAF modules embedded in application delivery controllers (ADCs; see “Magic Quadrant for Application Delivery Controllers”)
  • Cloud WAF service, including WAF modules embedded in larger cloud platforms, such as content delivery networks (CDNs), and cloud WAF services delivered directly from infrastructure as a service (IaaS) platform providers
  • Virtual appliances available on IaaS platforms, as well as WAF solutions from IaaS providers
API gateway and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budgets. This motivates WAF vendors to add relevant features from these markets, when appropriate. For example, cloud WAF services often bundle web application security with DDoS protection and CDN. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), web access management (WAM), or security information and event management (SIEM) — is a capability that supports WAFs’ strong presence in the enterprise market. Consolidation of WAFs with other technologies, such as ADCs, CDNs or DDoS mitigation cloud services, brings its own benefits and challenges. However, this market evaluation focuses more heavily on the buyer’s security needs when it comes to web application security. This includes how WAF technology:
  • Maximizes the detection and catch rate for known and unknown threats
  • Minimizes false alerts (false positives) and adapts to continually evolving web applications
  • Differentiates automated traffic from human users, and applies appropriate controls for both categories of traffic
  • Ensures broader adoption through ease of use and minimal performance impact
  • Automates incident response workflow to assist web application security analysts
  • Protects public-facing, as well as internally used, web applications and APIs
Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (e.g., ModSecurity) would do, by leveraging a rule set of generic signatures.
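The signature-based and positive security models named in the market definition, and the false-positive problem the evaluation criteria mention, as an added illustration (this is not Gartner’s text or any vendor’s code): a toy Python policy engine that learns an automated whitelist from constructed sample traffic and then has to be retuned when the application gains a parameter.

```python
"""Toy WAF policy engine: an added illustration, not Gartner's text or any
vendor's code. It contrasts the two detection models the market definition
names (a signature-based negative model and a learned positive security
model) and shows why a positive model raises false positives when the
application changes. All requests below are constructed sample data."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

@dataclass(frozen=True)
class Request:
    method: str
    url: str

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def params(self) -> dict:
        # keep_blank_values so "?debug=" still counts as a parameter
        return dict(parse_qsl(urlsplit(self.url).query, keep_blank_values=True))

# Negative security model: generic signatures for well-known attack classes.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("path-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]

def signature_findings(req: Request) -> list:
    """Names of every signature matching the path or any parameter value."""
    hits = set()
    for value in [req.path, *req.params.values()]:
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)

class PositiveModel:
    """Automated whitelist: per (method, path), the parameter names seen and
    the value class (int / token / free text) observed for each of them."""

    def __init__(self):
        self.profile = {}  # (method, path) -> {param: set of value classes}

    @staticmethod
    def value_class(value: str) -> str:
        if re.fullmatch(r"\d+", value):
            return "int"
        if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
            return "token"
        return "free"

    def learn(self, req: Request) -> None:
        spec = self.profile.setdefault((req.method, req.path), {})
        for name, value in req.params.items():
            spec.setdefault(name, set()).add(self.value_class(value))

    def violations(self, req: Request) -> list:
        """Everything in the request that lies outside the learned profile."""
        spec = self.profile.get((req.method, req.path))
        if spec is None:
            return ["unknown endpoint %s %s" % (req.method, req.path)]
        out = []
        for name, value in req.params.items():
            if name not in spec:
                out.append("unexpected parameter %s" % name)
            elif self.value_class(value) not in spec[name]:
                out.append("unexpected value class for %s" % name)
        return out

def evaluate(req: Request, model: PositiveModel, enforce_positive: bool) -> tuple:
    """Verdict ("block" | "alert" | "allow", reasons). Signature hits always
    block; positive-model violations block only when that model is enforced and
    are otherwise logged as alerts, the usual mode while the whitelist is tuned."""
    reasons = signature_findings(req)
    if reasons:
        return "block", reasons
    reasons = model.violations(req)
    if reasons:
        return ("block" if enforce_positive else "alert"), reasons
    return "allow", []

def build_model() -> PositiveModel:
    """Learn the profile from constructed traffic of a small shop application."""
    model = PositiveModel()
    for url in ["/search?q=laptop", "/search?q=phone", "/item?id=42", "/item?id=7"]:
        model.learn(Request("GET", url))
    return model

if __name__ == "__main__":
    model = build_model()
    for url in ["/item?id=42", "/item?id=1' or '1'='1", "/item?id=abc",
                "/search?q=laptop&page=2", "/static?file=../../etc/passwd"]:
        print(url, evaluate(Request("GET", url), model, enforce_positive=True))
```

The `/search?q=laptop&page=2` request is legitimate traffic after a release that added paging; it is reported as a violation until the model learns it, which is the false-positive cost of a positive security model on a continually evolving application.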
Gartner has strengthened this year’s inclusion criteria for the web application firewall Magic Quadrant, to reflect enterprises’ changing expectations when selecting WAF providers (see Inclusion Criteria). Updated criteria include a requirement to earn minimal revenue outside of a vendor’s home region, which led to the exclusion of some of the more local vendors.

Magic Quadrant

Figure 1. Magic Quadrant for Web Application Firewalls

Source: Gartner (August 2018)

Vendor Strengths and Cautions

Akamai

Akamai is in the Leaders quadrant. Clients looking for a cloud WAF service that can support web-scale applications and combine multiple web application security features often add Akamai to their shortlists when price sensitivity is low, especially when they already use Akamai as a CDN.
Akamai is a global CDN provider with headquarters in Cambridge, Massachusetts. It has more than 7,500 employees, with a growing team dedicated to web application security. In addition to its WAF (Kona Site Defender), Akamai offers additional security services, including application access control (Enterprise Application Access), managed DDoS scrubbing service (Prolexic), API gateway (Akamai API Gateway), and DNS services (Fast DNS). The WAF can be augmented with optional add-ons, including IP reputation, volumetric DDoS protection options, and two bot mitigation subscriptions (Bot Manager and Bot Manager Premier). Akamai also offers a trimmed-down, and lower-cost, version of Kona Site Defender, called Web Application Protector (WAP).
Recent news includes the release of Bot Manager Premier as a separate option, providing mouse and keyboard activity analysis, along with a mobile software development kit (SDK). Kona Site Defender has improved its management options for multiple applications, and has updated reporting and real-time analytic dashboards.
Kona Site Defender is a good shortlist candidate for all use cases in which WAF delivered from the cloud is acceptable, and low price is not the highest priority, especially for existing Akamai CDN customers.

Strengths

  • Product Strategy: Akamai demonstrates a sustained commitment to develop and improve its web application security solutions. The vendor also grows its threat research and security operations center (SOC) team at a good pace.
  • Product Offering: The broad portfolio of Akamai’s cloud services appeals to organizations looking for an easy way to deploy controls in front of a diverse set of applications. Many customers using Kona Site Defender are using other services, especially the CDN.
  • Geographic Strategy: Akamai is a global infrastructure provider with especially strong presence in North America, and good visibility in European shortlists too.
  • Managed Services: Akamai offers professional services to help harden the security configuration of Kona Site Defender. It also provides a managed SOC, which can monitor incidents.
  • Capabilities: Akamai applies automated analytics and triage on the entire traffic it processes for clients to tune their signatures and gather threat intelligence to create new protections. It has released a first version of API security features that customers find promising.
  • Customer Experience: Customers using Akamai managed security services and customers using the WAP product cite a lower-than-expected rate of false alerts.

Cautions

  • Market Segmentation: Akamai’s WAF is available as a cloud service only. For organizations that are simply not comfortable with cloud security solutions, or where prospective clients’ assessments determine that compliance and regulatory restrictions limit its use, Akamai does not appear on client shortlists.
  • Pricing and Contracting: Akamai Kona is an expensive product, especially when bundling multiple options, such as Bot Manager subscriptions. Clients continue to cite pricing as a barrier. Gartner analysts have observed an increase in complaints from prospects, and from existing clients. Organizations frequently consider using a second WAF brand, because it would be too expensive for them to deploy Akamai’s solution. The less-expensive WAP solution has not yet fixed this issue.
  • Customer Experience: The most-vocal complaints from clients target the poor policy management system, which is leaving clients frustrated by a dated policy and no useful way to test the updated rules. They also would like to see more improvements in the monitoring and reporting, as well as improved notification options.
  • Technical Architecture: Akamai has historically lagged behind some of its competitors in security automation. It has published a first version of an API to manage Kona’s security configuration, which is still in beta.
  • Capabilities: Akamai lacks a positive security model, with the exception of its API protection module. Customers using WAP cannot use Bot Manager.

Amazon Web Services

Amazon Web Services (AWS) is in the Niche Players quadrant. It serves almost exclusively AWS clients, and invests significantly in continuous improvements to its WAF solution.
AWS is a subsidiary of Amazon, based in Seattle, Washington. It is a cloud-focused service provider. It offers a large portfolio of cloud workloads (EC2), online storage (S3, EBS and EFS), database, and artificial intelligence (AI) frameworks. Its security portfolio is not as well-known, but includes identity and access management (IAM; Cognito), managed threat detection (GuardDuty) and HSM (AWS Cloud HSM). AWS Shield provides managed DDoS protection, and its WAF product is simply called AWS WAF.
AWS WAF can be delivered through AWS Application Load Balancer or through Amazon CloudFront as part of the CDN solution. AWS WAF is not limited to protecting origin servers hosted on Amazon infrastructure. AWS also partners with WAF vendors and offers their solutions in the AWS marketplace.
In recent months, AWS has released managed rules, a feature that allows clients to deploy sets of rules managed by third-party WAF vendors. The vendor has also recently released AWS Firewall Manager, which allows clients to centralize the deployment of WAF policies and managed rule sets. Also, AWS Config, the vendor’s configuration monitoring service, can monitor AWS WAF rule sets (RuleGroup).
AWS customers looking for an easy way to add runtime protection in front of their applications hosted on AWS should consider deploying AWS WAF, especially when combined with AWS Shield and with one or more sets of managed rules.

Strengths

  • Capabilities: With managed rulesets, AWS customers have access to more than a dozen sets of rules from established WAF or managed security service (MSS) vendors that are automatically updated. Because they can deploy multiple rulesets simultaneously, it is easy, even if it comes at a cost, to provide multiple layers of defense, or to test multiple providers.
  • Customer Experience: Existing AWS customers appreciate being able to quickly deploy and enable AWS WAF. Customers give good scores to the autoscaling and built-in integration with CloudFront.
  • Capabilities: AWS WAF helps organizations in a DevOps mode of operation with the full-featured APIs and CloudFormation automation. AWS customers can provision a set of WAF rules for each stack, or provision a set of WAF rules, and automate the association of those rules with a new stack.
  • Roadmap Execution: AWS continues to regularly improve its WAF, releasing relevant features to close existing gaps, such as the recent firewall manager, at the time they are announced.
  • Sales Execution: AWS WAF is integrated in AWS Shield Advanced. For customers not using AWS Shield Advanced, AWS charges for AWS WAF per use, based on how many rules customers deploy and how many web requests are inspected.

Cautions

  • Marketing Strategy: AWS WAF’s reach is mainly limited to AWS workload protection, where it competes with cloud WAF services and virtual appliances. As more clients consider a multicloud strategy, AWS WAF is less likely to be on WAF shortlists.
  • Capabilities: AWS WAF lacks bot detection techniques, relying on reputation-based controls. Customers need to deploy AWS API Gateway to get dedicated API security features, because AWS does not parse JavaScript Object Notation (JSON) or XML. The vendor does not offer managed SOC for AWS WAF as part of its SiteShield managed services offering. Its DDoS Response Team (DRT) focuses on DDoS response only.
  • Product Strategy: Despite numerous corporate security initiatives, the WAF product remains mostly a siloed product. The vendor does not yet have a dedicated threat research team to add new protections to the WAF. AWS WAF does not leverage AWS AI capabilities; the use of machine learning for web app security is built in only for DDoS protection.
  • Customer Experience: Customers would like to be able to whitelist a specific rule from the managed ruleset. Currently, they can only disable the entire ruleset, and have trouble identifying why a rule was triggered.
  • Customer Experience: Clients cite logging and reporting as a weakness. They cannot get detailed logging, aggregated events and mention occasional delays in getting the logs. Some clients also request integration with SIEM.

Barracuda Networks

Barracuda Networks is in the Challengers quadrant. Barracuda has good visibility for its WAF deployment over IaaS, and for existing Barracuda customers, but focuses on catching up with market leaders.
Barracuda Networks (CUDA) is based in Campbell, California. Barracuda is a known brand in security and backup markets, especially for midsize enterprises. In addition to network firewalls, its product portfolio includes email security and a user awareness training tool (acquired from PhishLine in January 2018). The vendor also offers DDoS protection. The vendor delivers its WAF line in physical or virtual appliances. It is also available on the Microsoft Azure, AWS and Google Cloud Platform (GCP) platforms.
In November 2017, Barracuda agreed to be acquired by private equity firm Thoma Bravo. The acquisition was completed in February 2018. Barracuda has recently released Barracuda WAF-as-a-Service, its self-service cloud WAF. This release follows its DDoS protection service (Barracuda Active DDoS Prevention Service). The vendor has improved its integration on Microsoft Azure for better scalability, and made its virtual appliances available on Google Cloud Platform. It has also worked on its ability to work with continuous integration tools, and has made significant updates to its management API, improving the ability for Barracuda WAF to be deployed programmatically.
Barracuda is a good shortlist contender for midsize enterprises and existing Barracuda customers. It offers interesting solutions for organizations in North America and Europe, developing a multicloud strategy.

Strengths

  • Offering Strategy: Barracuda remains one of the most visible WAFs on Microsoft Azure. Customers are then more likely to select Barracuda in a multicloud strategy for unified management.
  • Pricing Strategy: Barracuda Cloud WAF as a Service includes DDoS protection at no additional charge.
  • Product Offering: With the release of the WAF appliance 1060, Barracuda now supports throughput as high as 10 Gbps.
  • Technical Support: Gartner clients across multiple regions give excellent scores to Barracuda’s customer support. Barracuda partners cite the vendor’s focus on customer satisfaction as the reason they choose to sell Barracuda WAF.
  • Capabilities: Barracuda’s offer of the free WAF add-on Vulnerability Remediation Service is attractive to Barracuda’s targeted small or midsize business (SMB) customers, which often lack the time, money and expertise to support an in-house application scanning program.

Cautions

  • Sales and Marketing Execution: Barracuda struggles to adapt to the multiplication of meaningful competitors. Its visibility in shortlists is shrinking, and the vendor has lost market share during the past 12 months.
  • Customer Experience: Many customers have complained about Barracuda’s WAF appliance user interface (UI). They cite a long learning curve, difficulties locating features buried in submenus and longer-than-necessary amounts of time spent updating the configuration.
  • Market Responsiveness: Barracuda has been late to the market in providing cloud WAF as a service. Prospects should scrutinize the vendor’s infrastructure and point-of-presence availability across regions, as well as investigate the vendor’s ability to meet enterprise-class SLAs for availability, because the solution remains a recent addition.
  • Capabilities: Despite recent improvements, Barracuda WAF lags behind the leaders in bot mitigation and advanced analytics for anomaly detection. Its predefined list of good bots is limited to a few search engines.
  • Capabilities: Barracuda WAF lacks access management features and support for OAuth.
  • Capabilities: Barracuda WAF lags behind the leaders in security monitoring. It lacks automated alert aggregation in the real-time log view, and users report that they would like to see more improvements.


Citrix is in the Challengers quadrant. Most of Citrix’s WAF sales are an add-on to an existing ADC deployment, but Citrix’s attach rate for the WAF option is lower than 50%. Gartner rarely sees Citrix participating in a pure-WAF competition with other vendors.
With more than 9,600 employees, Citrix (CTXS) is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. The vendor is co-headquartered in Santa Clara, California, and Fort Lauderdale, Florida. The NetScaler ADC portfolio includes hardware (MPX), software (VPX), containerized (CPX) and multi-instance (SDX). All of those ADC options offer WAF (NetScaler AppFirewall) and Secure Sockets Layer (SSL) virtual private network (VPN) as modules. WAF is also available as a stand-alone product.
In 2017, Citrix introduced the Web App Firewall (initially called NetScaler Web App Security service) as its cloud WAF service, and refreshed its hardware product line.
NetScaler AppFirewall is a good choice for Citrix clients that value high-performance WAF appliances.

  • Sales Execution: Citrix licenses its products and services through multiple channels globally, which makes Citrix the No. 2 ranked ADC vendor (by revenue). This creates opportunities for selling a WAF module on top of its ADC appliances. Existing ADC and Citrix-based application customers like the tight integration of the AppFirewall module.
  • Capabilities: NetScaler’s ability to scale appeals to large organizations. NetScaler’s TLS decryption capabilities and integration with Thales and SafeNet hardware security modules (HSMs) are often key differentiators in prospects’ comparative testing.
  • Customer Experience: Customers score highly the support they receive from system integrators and service providers. They also praise improvements in API-driven manageability.
  • Customer Experience: Surveyed customers welcomed NetScaler management and analytics service (MAS), and give good scores to the Security Insight dashboards.

  • Product Strategy: Citrix faces intense competition from many large and small vendors on its leading products. Acquisitions have been a significant part of its growth strategy. However, most of the recent acquisitions (Cedexis, Norskale, Contrade and Unidesk) have little to do with security and will take attention away from innovating on the WAF technology.
  • Sales Execution: Citrix rarely competes in dedicated WAF deals, and its overall visibility has continued to decrease. The vendor mostly sells AppFirewall as an add-on to customers primarily interested in its ADC features, or in high-performance environments.
  • Technical Architecture: Most Citrix clients use NetScaler AppFirewall as a software option on top of an ADC physical appliance. Gartner rarely sees Citrix being deployed on IaaS, such as Amazon and Microsoft. Google Cloud is not supported.
  • Capabilities: AppFirewall does not include advanced bot mitigation and anomaly detection options.
  • Market Responsiveness: The pace of WAF feature releases on NetScaler has been slow for a few years now, except for TLS decryption-related capabilities. Although Citrix is only now catching up to its competitors in cloud WAF delivery, it has not gained visibility in shortlists against other cloud WAF vendors. Citrix cannot match competitors’ offerings, because it does not bundle a CDN with its cloud WAF.
  • Customer Experience: Many customers would like better ways to handle false alerts (false positive rate). Citrix’s ability to block bots gets a low score. Clients would also like to see better documentation for the WAF advanced features.


Cloudflare is in the Challengers quadrant. As more applications move to the cloud, and a growing number of organizations consider multicloud options, the appeal of Cloudflare’s bundled service continues to grow.
Headquartered in San Francisco, California, Cloudflare is growing quickly, with more than 700 employees. The vendor’s primary offering is a combination of DDoS protection and a CDN. Other products offered as a service include DNSSEC, Bot Mitigation, SSL, Rate Limiting and Orbit for securing Internet of Things (IoT) devices. Cloudflare stands out for its service delivery, which usually uses the self-service model, allowing its clients to make quick and easy configurations through wizards. Although Cloudflare’s brand is associated with its inexpensive service plans for consumers, the vendor has a sizable enterprise customer base, through a higher-priced custom Enterprise plan.
In recent months, Cloudflare announced changes promoting unlimited and unmetered DDoS protection for all of its customers. This can benefit clients by not punishing the customer for the amount, time and size of the DDoS attack. It also released a tunnel mode (Argo Tunnel), multiprotocol support (Spectrum) and some authentication brokering features, integrating with a number of identity providers (Cloudflare Access).
Cloudflare is a good shortlist candidate for internet-exposed applications in global organizations with customers in multiple regions that are concerned with the risk of DDoS attacks.

  • Technical Architecture: Cloudflare is a provider with 15 Tbps capacity and 152 data centers worldwide. This infrastructure not only supports the high performance of the applications, it promotes a close-to-the-edge security protection capability.
  • Customer Experience: Customers typically score the ease of use and implementation of the WAF and DDoS solution highly. Customers also praise the vendor’s DDoS mitigation capabilities. Cloudflare has a large base of technically savvy individuals who use its solution for personal web applications, and then become internal sponsors when their organizations consider a cloud WAF.
  • Market Responsiveness: Cloudflare continually develops new capabilities related to better user experience in ease of use and implementation. Cloudflare has announced Spectrum, which is expanding DDoS protection beyond web servers to include other TCP-based services. The vendor also occasionally acquires technologies to more quickly serve new features, as they did when they acquired Neumob’s mobile SDK.
  • Capabilities: The recent addition of Cloudflare Workers enables customers to host web applications on Cloudflare’s infrastructure, which should appeal to smaller organizations. The vendor also provides an easy-to-reach “I’m under attack” button. This automatically enables a set of protections, and is convenient for emergency reaction.
  • Capabilities: Cloudflare has recently released the ability to assign rules per uniform resource identifier (URI), improving its ability to provide more-granular control without damaging the security posture for the entire application. Its keyless SSL technology offers interesting support for customers that want to store their private keys on their preferred HSM solutions.
  • Geographic Strategy: Cloudflare is one of the few global providers with local points of presence in China.

  • Market Segmentation: Cloudflare offers WAF as a cloud service only. For organizations with restrictions on cloud services, or in locations where the appetite for cloud services isn’t high (e.g., the Middle East and Asia regions), Cloudflare can’t address use cases that require on-premises physical or virtual appliances. The lack of a WAF appliance might penalize it in the nascent hybrid web application deployment use cases (partly on-premises and partly cloud-hosted), where more-conservative organizations highly rank the ability to get unified management and reporting for the WAF solution.
  • Customer Experience: Many customers, especially larger organizations, rated Cloudflare’s alerting and reporting low. The vendor lacks automated aggregation of alerts for faster incident triage. Some customers complain of occasional API instability, as well as a higher-than-expected frequency of local performance degradation.
  • Capabilities: Cloudflare’s management console presents restrictions on offering more-granular configuration capabilities, such as building custom-made rules. In addition, the management console’s role-based access shows its limits when users want to define the per-app role, or when auditing management actions.
  • Capabilities: Cloudflare still lags behind some of its competitors for bot management. It lacks an easy way to manage good bots. Despite a recent initiative to learn from the large amount of data the vendor processes, Captcha remains the most frequent technique Cloudflare uses to block bots. This hurts the user experience. The WAF also lacks an automated positive security model, which could prove useful, especially for high-risk pages or API-driven applications.
  • Product Strategy: Gartner observes that Cloudflare’s security roadmap appears to aim at good-enough security, with a focus on pervasive, commercial off-the-shelf (COTS) web applications (e.g., WordPress and Magento). Its web application security threat research team’s efforts are targeted at quick reaction in case of a new attack campaign. However, when it comes to using new protection techniques based on in-house threat research, the vendor is less proactive than its leading competitors.

Ergon Informatik

Ergon Informatik is a Niche Player. The vendor is mostly visible in Switzerland and Germany, with slow international developments in financial institutions from other countries. Ergon provides WAF appliance only. Its roadmap execution is primarily driven by incremental improvements.
Ergon Informatik is a software engineering and consulting company headquartered in Zurich, Switzerland, with 280 employees. The vendor has developed a full suite of products to serve existing clients. The product portfolio is centered around the Airlock Suite, which includes the Airlock WAF, a WAM solution (Airlock Login) and a more-comprehensive IAM solution (Airlock IAM).
Latest news includes the release of Airlock WAF 7.0, at the end of 2017, with the addition of Geo-IP, and automatic whitelisting learning. It has integrated Kibana for the reporting and real-time dashboards, and added support for more log formats, including JSON and Common Event Format (CEF).
Ergon Informatik is a contender worth considering for large banking and financial enterprises in need of a WAF appliance.

  • Customer Experience: The vendor continues to get good feedback from faithful customers and resellers, who trust the company and praise its ability to be close to its clients. They almost always use the vendor’s IAM features and mention them as a differentiator.
  • Vertical Strategy: Ergon Informatik’s strongest presence is with banking and other financial institutions, where it can provide a large number of satisfied references.
  • Market Execution: Despite its smaller size, Ergon is a profitable company that enjoys growth at a rate that exceeds the WAF appliance market as a whole.
  • Customer Experience: Customers give good scores to Airlock WAF for its API security capabilities, and to the combination of access management features and content inspection on JSON and REST payloads.
  • Capabilities: The recent addition of geo-IP goes beyond blocking, and allows traffic to be redirected, based on the source’s region or country. Clients liked the real-time monitoring and logging upgrade, which provides the flexibility to build their own dashboards and advanced searches in log. Support for the CEF format improves the ability to integrate with SIEM vendors.
  • Capabilities: With the addition of automatic whitelisting learning, Ergon Informatik now offers a comprehensive set of controls for positive security models, in addition to the already-available URL and cookie encryption features. It also provides predefined templates for known commercial applications, such as Microsoft Exchange.
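The two points above, CEF log export for SIEM integration and the automated alert aggregation that the report finds missing in several vendors’ monitoring views, are easy to picture with a small piece of code. The following is an added example, not Ergon’s or any other vendor’s code: it parses WAF events written in Common Event Format (the pipe-separated seven-field header followed by space-separated key=value extensions, with CEF’s escaping rules) and groups them by source address and rule so that a burst of hits becomes one incident to triage. The sample log lines, the vendor and product names, the signature IDs and the extension field names are all constructed for the example and do not represent any product’s real output.

```python
"""Parse WAF events in Common Event Format (CEF) and aggregate them for triage.

CEF line layout (ArcSight):
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Header fields are separated by '|' (a literal pipe is escaped as '\\|');
the extension is a run of key=value pairs separated by spaces, where a
literal '=' or '\\' inside a value is escaped as '\\=' or '\\\\'.

Added example; not any WAF vendor's code. All sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: a hypothetical WAF emitting one CEF line per blocked request.
SAMPLE_LOG = r"""
CEF:0|ExampleVendor|ExampleWAF|7.0|SQLI-001|SQL injection in parameter|8|src=203.0.113.5 spt=51022 dst=10.0.0.7 dpt=443 request=/login?user\=admin' OR 1\=1-- act=block
CEF:0|ExampleVendor|ExampleWAF|7.0|SQLI-001|SQL injection in parameter|8|src=203.0.113.5 spt=51023 dst=10.0.0.7 dpt=443 request=/login?user\=' UNION SELECT 1 act=block
CEF:0|ExampleVendor|ExampleWAF|7.0|XSS-004|Reflected XSS|6|src=198.51.100.9 spt=40001 dst=10.0.0.7 dpt=443 request=/search?q\=<script> act=block
CEF:0|ExampleVendor|ExampleWAF|7.0|SQLI-001|SQL injection in parameter|8|src=203.0.113.5 spt=51024 dst=10.0.0.7 dpt=443 request=/login?user\=x act=block
"""

_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                  "device_version", "signature_id", "name", "severity")

# A key starts at the beginning of the extension or after whitespace and is
# followed by an unescaped '='; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(body):
    """Split the seven header fields on unescaped '|' and return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # '\|' or '\\' inside a header field
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict, unescaping '\\=' and '\\\\' in values."""
    out = {}
    matches = list(_KEY_RE.finditer(ext))
    for m, nxt in zip(matches, matches[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw).strip()
    return out


def parse_cef(line):
    """Return one event as a dict: the seven header fields plus the extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(_HEADER_FIELDS, header))
    try:
        event["severity"] = int(event["severity"])   # 0-10 numeric scale
    except ValueError:
        pass                                         # CEF also allows Low/Medium/High/Very-High
    event.update(_parse_extension(ext))
    return event


def aggregate(lines, min_severity=0):
    """Group events by (source IP, signature ID); return groups ordered for triage.

    One source repeatedly tripping one rule is one incident, not N alerts.
    Each group keeps a hit count, the highest severity seen and a few sample requests.
    """
    groups = defaultdict(lambda: {"count": 0, "severity": 0, "name": "", "requests": []})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_cef(line)
        sev = ev["severity"] if isinstance(ev["severity"], int) else 0
        if sev < min_severity:
            continue
        g = groups[(ev.get("src", "?"), ev["signature_id"])]
        g["count"] += 1
        g["severity"] = max(g["severity"], sev)
        g["name"] = ev["name"]
        if len(g["requests"]) < 3:
            g["requests"].append(ev.get("request", ""))
    # Highest severity first, then most hits.
    return sorted(groups.items(), key=lambda kv: (-kv[1]["severity"], -kv[1]["count"]))


if __name__ == "__main__":
    for (src, sig), g in aggregate(SAMPLE_LOG.splitlines()):
        print(f"{src} {sig} sev={g['severity']} hits={g['count']} {g['name']}: {g['requests']}")
```

Against the constructed sample, the four alerts collapse into two incidents: three SQL injection hits from 203.0.113.5 and one reflected XSS attempt from 198.51.100.9. The same grouping key is what a SIEM correlation rule would use; pointing the parser at a real CEF export only requires that the product's extension keys be mapped to the `src` and `request` names assumed here.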

  • Product Strategy: Ergon is not a good choice for hybrid or cloud-native web applications. It does not offer cloud WAF or DDoS protection services, and has not shown any intention to pursue a cloud WAF service strategy. The vendor lacks centralized management for its WAF appliances, and its WAF virtual appliances are unavailable in the IaaS marketplace.
  • Market Segmentation: Ergon is not the best fit for smaller organizations. It offers only two hardware appliances (Medium and Large). Most customers mention that the deployment is not the easiest possible, and the management interface can be complex, especially for novice users.
  • Geographic Strategy: Ergon is predominantly visible in Swiss and German shortlists, with the exception of some rare appearances in Asian financial institution shortlists. The vendor has limited direct presence outside Western Europe. Prospects from other regions should first assess the ability of the vendor to provide support in their time zones and, if necessary, in local languages.
  • Capabilities: Airlock offers limited role-based management, with four predefined roles and an experimental command line interface (CLI)-based option to add custom roles. Its management API is not yet complete.
  • Capabilities: Airlock still lacks third-party or in-house threat intelligence feeds. Its generic rule set is updated only during firmware updates. This limits the ability of customers to benefit from ad hoc, emergency-released protections in case of a new attack campaign. The vendor also relies on integration with IBM Trusteer to provide bot mitigation.
  • Market Responsiveness: Ergon Informatik’s roadmap delivery contains a higher mix of continuous improvements of existing features.


F5 has moved from the Leaders quadrant to the Challengers quadrant. It continues to participate frequently in client shortlists for WAF appliances beyond its ADC customer base. The company is in the middle of reinventing itself for a cloud-first world, but has yet to reproduce the success it built in past years as a strong WAF appliance provider in the cloud WAF segment.
Based in Seattle, Washington, F5 is known for its ADC product lines (Big-IP and Viprion). The vendor has more than 4,300 employees, including a small business unit dedicated to security products.
F5’s WAF is primarily consumed as a software option, Application Security Manager (ASM), which is integrated in the F5 Big-IP platform. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF). F5’s security portfolio includes a WAM solution, Access Policy Manager (APM), web fraud protection (WebSafe), and a DDoS mitigation solution, DDoS Hybrid Defender (DHD).
Under the Silverline brand, F5 delivers cloud WAF and DDoS protection. Two flavors of the service are available: Silverline Managed WAF and self-service WAF Express, with a threat intelligence add-on (Silverline Threat Intelligence). All Silverline services rely under-the-hood on Big-IP technology.
In recent news, F5 launched a dedicated solution to handle TLS traffic decryption for inbound and outbound traffic (the F5 SSL Orchestrator). The vendor has launched a WAF product called “Advanced WAF.” It includes, in addition to what is also available in ASM, a mobile SDK, specialized features for fraud prevention through form fields obfuscation, bot mitigation, application-layer DoS and API security features.
F5 is a good shortlist contender for large-scale WAF appliances, and for scenarios requiring unified management.

  • Marketing Strategy: As its legacy ADC appliance market declines, F5 has identified security as one of the core markets for its new messaging. The vendor has publicly committed to reinforce its investment in security.
  • Technical Architecture: F5 supports AWS, Azure, Google Cloud, OpenStack and VMware Cloud. The support for multicloud with unified management appeals to the organizations building a hybrid architecture.
  • Capabilities: Clients continue to mention iRules as a reason to select, and to stick with ASM WAF. They also mention the depth and breadth of features available on the platform.
  • Customer Experience: Customers of the managed WAF services give good scores to their interactions with the professional services, and managed SOC teams. Surveyed customers like the multiple managed rulesets from F5, which can be deployed quickly on the top of AWS WAF.
  • Customer Experience: Several customers mention the user community and vendor support as strong assets.

  • Product Strategy: With the existing Silverline product segmentation, F5 links its self-managed Silverline Express with the lower tier of the market, but positions it at a price point that is much higher than its direct competitors’. Gartner analysts see this as a missed opportunity for F5’s product strategy and as a gap in its current portfolio. Larger enterprises are more likely to have in-house SOCs than midsize organizations, and most enterprises prefer self-service WAF options. F5 does not yet provide a fully featured, easy-to-manage self-service WAF.
  • Sales Execution: Gartner analysts observe limited adoption of Silverline products, and low visibility in cloud WAF shortlists.
  • Product Strategy: With Advanced WAF, F5 risks frustrating its core customer base, which has used WAF as a module of their ADC for years. They now fail to get the best security features, even when purchasing the “best” bundle, and need to get an additional security license upgrade.
  • Cloud WAF Service: Silverline’s infrastructure significantly lags behind its direct competitors. It lacks a presence in South America, the Middle East, Africa and China. It serves the entire Asia/Pacific (APAC) region from a single data center, hosted in Singapore.
  • Customer Experience: Many customers mention the need for a UI refresh, because it can be complex. They noted some improvement with the recently released hierarchy of policies.
  • Operations: F5 continues to experience big changes in its leadership, including a new lead for the security business unit. Prospective clients should monitor early signs of a strategic shift that could affect investment in the appliance product line.


Fortinet is in the Challengers quadrant. The vendor continues to grow its market share in the WAF appliance segment, with improved security capabilities. It is slowly catching up on the cloud WAF segment, with an initial release in 2017.
Based in Sunnyvale, California, Fortinet is a large firewall vendor that offers a broad portfolio of security and network solutions. The vendor’s almost 5,000 employees include approximately 1,000 in R&D. Fortinet’s portfolio includes a firewall (FortiGate) that constitutes most of the vendor’s revenue, a WAF (FortiWeb), a threat intelligence service (Fortinet TIS), a SIEM (FortiSIEM), and a sandbox (FortiSandbox). FortiWeb is available as a physical or virtual (FortiWeb-VM) appliance, and on AWS and Azure IaaS platforms. FortiWeb subscriptions include IP reputation, antivirus, security updates (signatures and machine learning models), credential stuffing defense and cloud sandboxing (FortiSandbox).
Fortinet’s recent corporate strategy shift articulates a concept it calls “Security Fabric.” It consists of integrating many solutions from Fortinet’s portfolio, gaining, for example, unified visibility by collecting telemetry from every deployed product.
In late 2017, Fortinet launched a first version of a cloud WAF service (FortiWeb Cloud). FortiWeb 6.0, released in May 2018, integrates closely with FortiGate FortiOS 6.0. This release adds machine learning algorithms to improve anomaly detection, which deprecates the automatic application learning. FortiWeb now supports Google Cloud and the VirtualBox hypervisor.
FortiWeb is a good shortlist candidate for organizations looking for a WAF appliance, especially when deployed in hybrid scenarios, and for Fortinet’s existing customers.

  • Sales Execution: FortiWeb’s visibility in shortlists has improved, especially in Fortinet’s customer base.
  • Capabilities: Fortinet delivers strong threat intelligence, supported by the large team of its FortiGuard Labs, a shared resource for all Fortinet’s products. The vendor has a strong ability to quickly deliver, and automatically deploy, new targeted signatures, even before the attacks have gained enough scale to be visible globally. With FortiWeb 6.0, security analysts can search for attacks using common vulnerabilities and exposures (CVE) IDs.
  • Marketing Strategy: Fortinet applies the same strategy to FortiWeb that drove FortiGate’s success. It offers a comprehensive portfolio of hardware appliances (eight models, ranging from 25 Mbps to 20 Gbps), and it wins on good price/performance ratio. The vendor also improves its WAF by leveraging global R&D efforts, to quickly mature its WAF solution, despite being a relatively recent entrant on the market. Recent release of FortiWeb Cloud now offers a solution to Fortinet’s large customer base of midmarket enterprises.
  • Capabilities: FortiWeb’s recent use of machine learning algorithms to complement ad hoc signatures and detect attacks from their behavior is promising. The syntax analysis pass on the request helps catch false alerts that could result from the new technique.
  • Capabilities: FortiWeb is a good choice to protect file-sharing services, because it offers comprehensive options and integration for malware detection. The WAF can inspect for malware, as well as integrate with Fortinet’s sandboxing solutions.

  • Cloud WAF Service: Fortinet has been late releasing a first version of a cloud WAF service, which is still unproven, especially in its ability to avoid and mitigate false alerts. FortiWeb Cloud has more limited capabilities than its appliance counterpart, and it lacks available peer references.
  • Organization: The vendor has a modest increase of its WAF R&D department this year. Its investment in WAF remains less important than for other products in Fortinet’s portfolio, and is relatively small, compared with some of its direct competitors.
  • Market Segmentation: Fortinet is not yet visible in shortlists for web-scale organizations trying to protect their core business-critical applications, and for cloud-native web applications that heavily leverage continuous integration.
  • Customer Experience: Some customers would like Fortinet to go one step further and unify the centralized management for WAF and firewall. Today, you need two separate management platforms for FortiWeb and FortiGate. They also would like better documentation in the form of “how-to,” especially on recent features, and better change control.
  • Capabilities: FortiWeb lags behind leaders in bot mitigation. The vendor does not offer, nor does it integrate with DDoS protection service.
  • Capabilities: FortiWeb’s machine learning does not work in high-availability deployments. In the initial version, the UI exposes much of the internal mechanics of the machine learning engine. Although this compares favorably with other vendors’ “black box” approaches and helps the engine’s credibility, it can be intimidating and lengthen the learning curve.


Imperva is in the Leaders quadrant. The vendor is one of the most visible in both the appliance and cloud WAF service segments. Imperva frequently wins on the basis of security features and innovation. Imperva can provide strong WAF functionality as a traditional appliance and cloud WAF service, but faces stronger competition for its cloud offering.
Imperva is an application, database and file security vendor, with headquarters in Redwood Shores, California. Its portfolio includes database security products (SecureSphere Data Protection and Database Audit and CounterBreach), a WAF appliance (SecureSphere WAF), and a cloud WAF service (Incapsula). Imperva also offers managed security services and managed SOC.
SecureSphere can be delivered as physical and virtual appliances. It is also available on AWS and Microsoft Azure marketplaces. The vendor also offers managed rule sets for AWS WAF.
In recent months, Imperva saw changes in its executive team, including a new CEO and CFO, followed by an internal reorganization to refocus on a cloud-first strategy. The company recently announced the acquisition of Prevoty, a RASP vendor. The vendor continued its investment in Incapsula infrastructure with new points of presence, refreshed some SecureSphere hardware appliances, and released Attack Analytics, a new real-time event management solution for Imperva SecureSphere and Incapsula.
Imperva is a good shortlist candidate for all kinds of organizations, especially large enterprises looking for high-security WAF appliances, or organizations planning to transition their applications from on-premises to the cloud.

  • Marketing Strategy: Imperva offers flexible licensing for organizations with a mix of on-premises and cloud-hosted applications. It allows the vendor to target a wider range of use cases and organizations, and to better manage the transition from WAF appliance to cloud WAF service.
  • Sales Execution: Imperva is one of the only vendors providing both WAF appliances and cloud WAF service to achieve strong visibility in shortlists and large customer bases for both segments.
  • Customer Experience: Gartner clients using SecureSphere continue to praise customer support. They’ve noted some improvements in Incapsula’s bot mitigation.
  • Capabilities: Incapsula and SecureSphere benefit from the shared threat intelligence from ThreatRadar.
  • Capabilities: Imperva has recently released attack analytics to get unified and improved monitoring for SecureSphere and Incapsula. The vendor has also made available a first version of role-based administration for Incapsula.
  • Geographic Strategy: Imperva has strong WAF presence in most geographies, and offers effective support across most regions. Recent presence has been especially strong in the APAC region.

  • Market Responsiveness: Imperva is experiencing a lot of organizational changes, which could be the source of a slower pace of release, especially for the SecureSphere product line.
  • Cloud WAF Service: Customers wish that Incapsula supported single sign-on (SSO) features, such as SAML 2.0. They also would like better and more-flexible canned reports.
  • Capabilities: Customers considering Incapsula to replace SecureSphere often notice the lack of feature parity. The cloud WAF service cannot yet match the depth and breadth of security function covered by the appliance product line.
  • Pricing: Several Gartner clients cited higher-than-competitive prices for Imperva’s SecureSphere WAF, and to a lesser extent for Incapsula.
  • Cloud WAF Service: Incapsula’s infrastructure does not include any point of presence in China, and its infrastructure lags behind other cloud-native WAF services in South America and Africa.
  • Customer Experience (WAF Appliance): SecureSphere customers report that the management console remains complex when using the more advanced capabilities. Customers frequently mentioned that deployment often requires professional services to effectively implement the offerings at scale. They also would like to see closer integration between Attack Analytics and the WAF management consoles, and more-unified management capabilities between SecureSphere and Incapsula.
  • Customer Experience (Cloud WAF Service): Some customers complain about Incapsula’s limited cross-site and multidomain management and reporting, especially when multiple applications share the same IP address. Surveyed customers and resellers indicated that they did not get the same quality of support for Incapsula, compared with what they are accustomed to with SecureSphere. They cite too many canned and not necessarily helpful answers as a first response when contacting support.


Instart has moved from the Visionaries quadrant to the Niche Players quadrant. The vendor’s security roadmap has seemed to stagnate. WAF is positioned as an add-on to the CDN and performance optimization platform, and its visibility in shortlists remains limited.
Headquartered in Palo Alto, California, Instart (until recently named Instart Logic) has 200 employees, and came out of stealth mode in 2010. Instart offers a bundle of cloud services, including CDN, WAF and DDoS protection. The vendor’s core marketing message for its WAF (Instart Web App Firewall) is about being “endpoint aware,” facilitated through a lightweight JavaScript agent (Nanovisor), which is injected into HTTP traffic and analyzes aspects of client-side web browser behavior. Instart offers rule tuning and a 24/7 SOC as an option. Instart’s team continually analyzes logs for its clients with a tool called Helios, which the vendor uses to update its client policies.
In recent months, Instart has completed a new round of $30 million funding. Product-related news includes the launch of a self-service rule feature, enabling clients to create their own traffic processing and WAF rules. Instart has continued to grow its infrastructure, adding more than 15 points of presence across all regions.
Instart is a valid shortlist contender for the vendor’s existing clients, and for organizations that need to quickly combine performance optimization and security features in front of their cloud-native web applications.

  • Organization: Instart is part of a new wave of web app security vendors developing easy-to-deploy, cloud-native solutions. The lack of technical debt from legacy solution allows the vendor to try new approaches, such as the Nanovisor, more easily.
  • Viability: Instart continues to grow quickly, demonstrating its ability to attract new customers. It is well-funded to further enhance its solutions in the future.
  • Vertical Strategy: Instart continues to be visible in shortlists for small and large e-commerce companies. Customers from these organizations report that they selected Instart for its ability to combine security features with the performance optimization and anti-advertisement blocking features for which they were primarily looking.
  • Customer Experience: New customers continue to be satisfied with the ease of deployment when collaborating with the vendor. They also mention high-quality vendor support.
  • Capabilities: Instart has released a bot mitigation feature, priced separately from the WAF. It is too early to judge the quality of the feature. However, customers from Instart’s top verticals, e-commerce and online media, are heavily targeted by bots, and welcomed the new feature.
  • Capabilities: Instart management provides a fully featured API, which facilitates its integration in dynamic application ecosystems. When adding a new feature, such as the custom rule creation, a related API is also available.

  • Product Strategy: Instart positions its WAF as an add-on, and sells it mostly to its existing customer base for its other products, who don’t conduct in-depth evaluation of the security modules. The vendor has yet to demonstrate that it is interested in more than selling security as a commodity to its IT customer base.
  • Organization: Instart is a growing company, but has experienced organizational hiccups recently, with a change of CEO and internal reorganizations intended to overcome slower-than-investor-expected growth and market awareness. As the vendor prepares for its IPO, it might be distracted from innovating in the security space. Its WAF development team is one of the smallest among the vendors evaluated in this research.
  • Capabilities: Instart does not offer API security features. It does not parse JSON or XML payloads, does not offer authentication features, or integrate with identity providers to enable SSO, using SAML protocol.
  • Geographic Strategy: The vendor still has a low visibility in shortlists, especially outside the U.S. Prospective customers should first verify the availability of local skills, assess their need for support in their native language and ask for local peer references. The vendor has not yet deployed points of presence in China.
  • Capabilities: Instart does not provide a fully featured, self-service option. Although customers can now create their own rules, they still need the vendor for onboarding. The role-based access control (RBAC) feature is reputed to be quite limited. Configuration tuning quickly requires a request to Instart’s team. Many clients point out the poor documentation and scarcity of available technical resources.
  • Customer Experience: Customers would like to see more improvements in the reports, as well as more customizable dashboards. Because the WAF lacks integration with ticketing systems, AST and most SIEM technologies, organizations face difficulty integrating it into their enterprise incident workflows.


Microsoft is in the Niche Players quadrant. The vendor has released a first version of WAF, which offers baseline protection to web applications, and is visible mostly in its customer test initiatives. The vendor needs to demonstrate a continued commitment to improving the solution and building a more-feature-rich WAF.
Based in Redmond, Washington, Microsoft is one of the most well-known IT brands, with a diversified and broad portfolio. Microsoft Azure, its IaaS solution, includes virtual machines (VMs), storage and database services. Its WAF (Azure WAF) is built on top of its application delivery solution (Azure Application Gateway) and integrates with other Azure products, such as Azure Traffic Manager (ATM) and Azure Load Balancer (ALB). Azure WAF is priced per gateway and per hour, as part of the Application Gateway consumption-based model.
Azure Portal and Security Center are the management solutions for Azure Application Gateway and for Azure WAF.
In 2017, Microsoft made its WAF available globally.
Microsoft Azure WAF is a good choice for organizations looking for an ad hoc WAF available immediately while deploying workloads on Microsoft Azure.

  • Sales Strategy: Azure WAF is bundled with the Application Gateway, making it easy for clients to enable it, while deploying the underlying application delivery infrastructure, and providing protection to their applications right away.
  • Capabilities: Azure WAF includes a fully featured REST API for managing the WAF configuration.
  • Capabilities: The vendor can parse JSON and XML payloads, and apply security rules to this content.
  • Geographic Strategy: Now that Azure WAF is available globally, it benefits from Microsoft’s global infrastructure of data centers, with multiple points of presence in all regions, except Africa and the Middle East.

  • Organization: Microsoft is still building its WAF team, which is relatively small, when compared with the challengers and leaders in this research. Prospective buyers should get references to validate expected capabilities.
  • Product Strategy: At this point in time, Azure WAF consists mainly of a repackaged ModSecurity engine, using the ModSecurity core rule set (CRS). Although many WAF offerings have started with a similar approach, the vendor must continue to demonstrate its commitment to developing the WAF beyond the basics.
  • Capabilities: As with any recently introduced product, customers should expect Azure WAF to lack some features its competitors offer. It lacks an integrated CDN, bot management and user credential abuse detection. It cannot block based on geolocation or inspect for malware.
  • Customer Experience: Rule propagation can take several minutes. WAF onboarding, based on deploying an Application Gateway virtual appliance, is more complicated than that of its cloud-native WAF competitors.
  • Customer Experience: Because of the limited number of deployments protecting applications in production, feedback on Azure WAF is scarce. Early adopters mention initial scalability issues, because Microsoft’s WAF is built on VMs in the back end and lacks the ease of autoscaling that other cloud-native WAFs offer.
  • Technical Architecture: Azure WAF is built on top of Azure Application Gateway. It lacks autoscaling features, requiring the use of an Azure load balancer (Traffic Manager) to dynamically route traffic between Azure WAF instances in multiple data centers.


Oracle is in the Visionaries quadrant. Although the product is relatively recent, and feedback is scarce, Zenedge, its recently acquired WAF solution, uses machine learning to risk score events as a differentiator in this market.
Oracle is a large provider of applications, databases and cloud services, with headquarters in Redwood Shores, California. Originally known for its database products, Oracle now offers a broad portfolio of solutions, including IaaS (Oracle Cloud Infrastructure [OCI]). Oracle offers multiple products in security, notably comprising Identity and Access Management (IAM), Cloud Access Security Brokers (CASBs), Security Information and Event Management (SIEM), compliance, data security, and managed security services. Oracle acquired Dyn, a managed domain name system (DNS) service provider, in 2016. Oracle then acquired Zenedge, a cloud-native WAF provider, in February 2018. Zenedge is now a relatively small team, part of OCI, and the WAF product has been rebranded as Oracle WAF. Oracle continues to offer Oracle WAF as a managed service.
Zenedge was under evaluation for this market research before the acquisition. Recent product news includes the release of a bot mitigation solution, combining JavaScript challenges, Captcha and rate limiting, and improved management API.
Oracle WAF is a good shortlist candidate for organizations looking at a managed cloud WAF service, especially those looking for new ways to detect anomalies.

  • Market Responsiveness: Surveyed customers liked the vendor’s responsiveness to feature requests, and the regular product improvements.
  • Market Execution: Through OEM agreement, the vendor has quickly acquired a sizable customer base.
  • Customer Experience: Although the solution is still recent, early feedback on the new bot manager features is promising. The vendor’s team in charge of managing the WAF also gets good scores from surveyed customers and resellers.
  • Capabilities: Oracle WAF leverages statistical analysis to create a risk score for suspicious requests, and triggers alert or blocking actions based on this score. Feedback from customers indicates that this feature enables them to better tune the WAF configuration and to focus on important events.
  • Capabilities: As Zenedge is now part of Oracle, it can get visibility into a large share of traffic, which could be useful to further improve the learning algorithms and, therefore, the quality of Oracle WAF’s detection.
  • Support: Contacted customers confirmed to Gartner analysts that the acquisition had no impact on the quality of their interactions with the Zenedge team.

  • Product Strategy: Zenedge, a relatively small startup, has been acquired by Oracle, which is a cloud provider and a large enterprise. In other network and application security acquisitions, Gartner analysts have observed that a cultural chasm, and potential conflicts in roadmap priorities could slow down feature delivery. Prospects, especially those protecting applications not hosted on Oracle cloud, should request commitment on the vendor’s roadmap delivery, in case required capabilities are missing at the time of purchase.
  • Technical Architecture: Oracle WAF infrastructure lacks points of presence in China, the Middle East and Africa. It has a limited number of points of presence in South America and Asia. Oracle infrastructure is global, so the vendor might quickly increase the number of available points of presence for Oracle WAF.
  • Capabilities: Although many features are available through a self-service portal, Oracle recommends that customers engage the Oracle Dyn managed services team to onboard new applications. Oracle WAF does not yet integrate with SIEM vendors. Logs can be exported as a comma-delimited flat file (.csv) or pulled through an API, but are not available in CEF or over syslog.
  • Customer Experience: Customers would like to see improvements in Oracle WAF’s reporting. The event view, which is different from the active-learning view where the risk score appears, does not aggregate individual alerts into attacks or attack campaigns, resulting in a large number of alerts.
  • Product: Some early clients highlighted that Zenedge WAF, prior to the acquisition, was still a work in progress, lacking some expected features. Oracle Dyn has a smaller team for WAF-related threat research, compared with many of its leading competitors.
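Because Oracle WAF exposes events only as CSV or through its API rather than in CEF or over syslog (and the Instart section above notes the same SIEM gap), getting those events into a SIEM means writing the conversion yourself. The following is an added example written for this page, not Oracle’s or Zenedge’s code: it parses a constructed CSV export (the column names are an assumption standing in for the product’s real export schema) and emits CEF records with the header and extension escaping the format requires, optionally framed for syslog.

```python
"""CSV WAF export -> CEF (Common Event Format) lines, ready for syslog.

Added example for this page, not vendor code. The CSV columns below are an
assumption standing in for whatever the product actually exports; map them
to the real column names before use.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (not real data). Note the '|' inside a rule name
# and the '=' inside the request: both must be escaped in CEF, in different ways.
SAMPLE_CSV = """timestamp,client_ip,host,method,request,rule_id,rule_name,action,risk_score
2018-08-01T10:15:30Z,203.0.113.7,shop.example.com,GET,/search?q=%27%20OR%201%3D1--,981245,SQL Injection,block,92
2018-08-01T10:15:31Z,198.51.100.23,shop.example.com,POST,/api/login,950901,"Bot|Credential Stuffing",alert,40
"""


def cef_header_escape(value: str) -> str:
    """Header fields: backslash and pipe are the only special characters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_extension_escape(value: str) -> str:
    """Extension values: backslash, '=' and line breaks must be escaped;
    pipes are allowed unescaped here."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def parse_ts(iso_utc: str) -> datetime:
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def epoch_millis(iso_utc: str) -> int:
    """CEF's 'rt' field is milliseconds since the Unix epoch."""
    return int(parse_ts(iso_utc).timestamp() * 1000)


def cef_severity(risk_score: str) -> int:
    """Map a 0-100 risk score (assumed scale) onto CEF's 0-10 severity."""
    return max(0, min(10, int(risk_score) // 10))


def row_to_cef(row: dict, vendor="Oracle", product="WAF", version="unknown") -> str:
    # vendor/product/version are placeholders; the product version is not in the export.
    header = "|".join(cef_header_escape(v) for v in (
        vendor, product, version, row["rule_id"], row["rule_name"],
        str(cef_severity(row["risk_score"]))))
    extension = {
        "rt": str(epoch_millis(row["timestamp"])),
        "src": row["client_ip"],
        "dhost": row["host"],
        "requestMethod": row["method"],
        "request": row["request"],
        "act": row["action"],
        "cn1": row["risk_score"],        # custom number slot carries the raw score
        "cn1Label": "riskScore",
    }
    ext = " ".join(f"{k}={cef_extension_escape(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def row_to_syslog(row: dict, hostname: str = "waf-export") -> str:
    """RFC 3164 style framing, facility local0 / severity informational
    (PRI = 16 * 8 + 6 = 134), which common SIEM syslog receivers accept."""
    when = parse_ts(row["timestamp"])
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<134>{stamp} {hostname} {row_to_cef(row)}"


def convert_csv(text: str, framed: bool = False):
    rows = csv.DictReader(io.StringIO(text))
    return [row_to_syslog(r) if framed else row_to_cef(r) for r in rows]


if __name__ == "__main__":
    for line in convert_csv(SAMPLE_CSV, framed=True):
        print(line)
```

The two escaping functions are the part worth copying: a pipe in a rule name breaks header parsing if left alone, while an unescaped `=` in a request URL silently splits an extension value, which is how SIEM parsers end up with truncated or mis-keyed fields.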


Radware is in the Visionaries quadrant. This vendor has robust technical capabilities, delivers most of its technology consistently in both on-premises and cloud-based form factors, and has a good understanding of the DevOps environment. However, the vendor lags behind the leaders in visibility in WAF shortlists.
Based in Tel Aviv, Israel, and Mahwah, New Jersey, Radware is a DDoS protection and application delivery and security provider, employing nearly 1,000 people. Alteon, its ADC platform, continues to contribute significantly to its revenue. However, Radware’s security portfolio drives the vendor’s growth, with a DDoS mitigation appliance (DefensePro) and a cloud DDoS mitigation service (Cloud DDoS Protection). Radware also offers a specialized security solution for carriers and service providers (DefenseFlow). Its WAF, AppWall, may be deployed as a physical or virtual appliance, as a module on top of Radware’s ADC appliance (Alteon) or, using the same technology as part of Radware’s Cloud WAF Service. The Radware Cloud Security Services is a fully managed service that delivers security protection through three categories of protection: cloud DDoS protection service, application protection (cloud WAF service and cloud web acceleration service), and cloud CDN.
Recent announcements on Radware products include the release of AppWall support for Microsoft Azure. Radware has also introduced customizable security policy templates to accelerate WAF deployment, and has improved its bot mitigation feature.
Radware is a good shortlist candidate for most organizations, especially those that want strong positive security and want to deploy the same security levels across hybrid environments. Organizations with high-security use cases, or applications that are unlikely to be compatible with a whitelisting approach should engage in security testing, as part of the evaluation of the technology.

  • Capabilities: Radware’s Emergency Response Team (ERT) leverages in-house threat research and provides 24/7 managed SOC, in addition to ad hoc support, when Radware’s customers are under attack.
  • Product Strategy: At the heart of the AppWall WAF technology is Radware’s automatic policy learning. Radware’s engine tracks changes and updates to the application and updates the policy, also leveraging integration with AST solutions to implement virtual patches in case of new vulnerabilities. This also works for APIs.
  • Customer Experience: Radware customers praise the combination of high-efficacy DDoS protection and WAF. Users of the AppWall appliances are satisfied with the level of effort required to tune the positive security model.
  • Market Execution: Many customers of Radware’s WAF were initially DDoS protection customers, or purchase the WAF and DDoS protection offers all together. Radware’s good reputation in the DDoS protection space reflects positively on its WAF prospects.
  • Cloud WAF Service: Radware customers, relying on the vendor to manage the WAF, express satisfaction with the vendor’s professional service and incident response (ERT) teams.
  • Vertical Strategy: Radware has good visibility in media and retail organizations, two vertical segments combining large-scale web applications, budget constraints and relatively small security teams.
  • Marketing Strategy: The vendor regularly publishes threat reports as a tool to raise awareness about issues. These reports also incidentally demonstrate the efficacy of its approach.

  • Customer Experience: Although comments on support are generally positive, customers in the APAC regions are less satisfied with the timeliness of the response from Radware’s support for issues that require more than a canned answer.
  • Cloud WAF Service: Managed WAF is not the preferred option for many customers; however, it is the main option for Radware cloud WAF service. Radware cloud WAF service clients express interest in further improvements of the self-service management capabilities.
  • Customer Experience: Radware’s customers cite a need to improve the AppWall UI. It scores low on surveys, and the most frequently cited issue is its lack of intuitiveness, when searching for a configuration option. Customers also comment on the lack of out-of-box reports related to compliance. These reports are available on APSolute Vision reporter, Radware’s dedicated reporting solution.
  • Capabilities: Some prospects encountered challenges successfully implementing Radware’s positive security approach.
  • Market Execution: Radware is not as visible in U.S. shortlists as many of its competitors. Organizations evaluating AppWall should focus on their evaluation of the vendor’s capabilities, relative to their requirements, rather than on the overly aggressive communications from the vendor and its channel partners, who frequently exaggerate capabilities relative to leading competitors.
  • Customer Experience: Radware customers continue to be dissatisfied with the training and documentation on AppWall, mentioning that it lengthens the learning curve when trying to deploy the technology, implement new features or understand whether there’s a configuration issue.
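The positive security model at the heart of AppWall (learn the application’s parameters, then allow only what was learned), and the JSON-payload parsing that the Azure and Instart entries above contrast, can both be made concrete with a small learn-then-enforce model. The following is an added illustration written for this page, not Radware’s, Microsoft’s or Instart’s code; the request samples, the value classes and the length tolerance are constructed assumptions. The last call in the block shows the tuning cost the Radware cautions describe: a legitimate but previously unseen parameter is rejected just like an attack.

```python
"""Learn-then-enforce positive security (allowlist) model for web requests.

Added illustration for this page, not any vendor's code. A baseline of
known-good requests builds, per (method, path), an allowlist of parameter
names, value classes and maximum lengths; anything outside the learned
profile is reported. The sample requests below are constructed.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value classes, checked in order; the first matching class wins.
VALUE_CLASSES = [
    ("int", re.compile(r"^-?\d+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("text", re.compile(r"^[\w\s.,'-]*$")),
]

# Slack on the learned maximum length: the main knob trading false positives
# for coverage, and one reason tuning a positive model takes effort.
LENGTH_SLACK = 2.0


def classify(value: str) -> str:
    for name, pattern in VALUE_CLASSES:
        if pattern.match(value):
            return name
    return "any"   # quotes, ';', '<', '=' and other metacharacters land here


def flatten_json(obj, prefix=""):
    """Turn nested JSON into (dotted.name, string value) pairs so that a
    payload inside a JSON field is inspected like a classic form field."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items()
                for p in flatten_json(v, f"{prefix}.{k}" if prefix else k)]
    if isinstance(obj, list):
        return [p for v in obj for p in flatten_json(v, f"{prefix}[]")]
    return [(prefix, "" if obj is None else str(obj))]


def extract_params(url, content_type="", body=""):
    """Collect query-string, form and JSON parameters of one request."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body and content_type.startswith("application/json"):
        params += flatten_json(json.loads(body))
    elif body and content_type.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return parts.path, params


class PositiveModel:
    def __init__(self):
        # (method, path) -> parameter name -> {"classes": set, "max_len": int}
        self.profiles = defaultdict(dict)

    def learn(self, method, url, content_type="", body=""):
        path, params = extract_params(url, content_type, body)
        profile = self.profiles[(method, path)]
        for name, value in params:
            spec = profile.setdefault(name, {"classes": set(), "max_len": 0})
            spec["classes"].add(classify(value))
            spec["max_len"] = max(spec["max_len"], len(value))

    def check(self, method, url, content_type="", body=""):
        """Return the list of violations; an empty list means the request
        fits the learned profile and would be allowed."""
        path, params = extract_params(url, content_type, body)
        profile = self.profiles.get((method, path))
        if profile is None:
            return [f"unknown endpoint {method} {path}"]
        violations = []
        for name, value in params:
            spec = profile.get(name)
            if spec is None:
                violations.append(f"unexpected parameter {name}")
                continue
            cls = classify(value)
            if cls not in spec["classes"]:
                violations.append(
                    f"{name}: class {cls} not in learned {sorted(spec['classes'])}")
            if len(value) > spec["max_len"] * LENGTH_SLACK:
                violations.append(f"{name}: length {len(value)} exceeds learned maximum")
        return violations


# Constructed baseline traffic (known-good requests seen during learning).
BASELINE = [
    ("GET", "/search?q=laptops", "", ""),
    ("GET", "/search?q=gaming+laptops", "", ""),
    ("POST", "/api/login", "application/json",
     json.dumps({"user": "alice", "password": "hunter2"})),
    ("POST", "/api/login", "application/json",
     json.dumps({"user": "bob", "password": "s3cret"})),
]


def build_model() -> PositiveModel:
    model = PositiveModel()
    for method, url, ctype, body in BASELINE:
        model.learn(method, url, ctype, body)
    return model


if __name__ == "__main__":
    model = build_model()
    # SQL injection inside a JSON field is caught because the body is parsed.
    print(model.check("POST", "/api/login", "application/json",
                      json.dumps({"user": "' OR 1=1--", "password": "x"})))
    # A legitimate but unseen parameter is rejected too: the whitelisting cost.
    print(model.check("GET", "/search?q=laptops&page=2"))
```

Note that nothing here knows what SQL injection looks like: the `' OR 1=1--` value is rejected only because it falls outside the classes learned for that field, which is the strength of the approach. The flip side is visible in the second call, and in what happens to any model like this when the application is redeployed with new parameters, which is why the text recommends security testing before committing applications that change often to a whitelisting approach.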

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity is in the Niche Players quadrant. Its WAF appliance product line bundles several advanced security features, resulting in most deployments being in blocking mode. The vendor struggles with market reach beyond its home markets, and its cloud WAF offering has made little progress.
Headquartered in Munich, Germany, Rohde & Schwarz is a large electronics group. The vendor has acquired several companies to build Rohde & Schwarz Cybersecurity, which has almost 500 employees. Its WAF business unit, DenyAll, was acquired in 2017 and employs nearly 90 people. In addition to the R&S Web Application Firewall, Rohde & Schwarz Cybersecurity’s products include R&S Unified Firewalls (acquired from the German company gateprotect), a network firewall targeting midsize enterprises, and endpoint security solutions.
A key concept in the DenyAll WAF is the use of graphical workflow to configure traffic processing and inspection. Workflow view is a diagram, where administrators can drag-and-drop controls, response modifications and other actions. The DenyAll WAF is available on AWS and Microsoft Azure. R&S Cloud Protector is the cloud WAF service solution.
In addition to the rebranding, recent news includes a refresh of the WAF appliance product line, active-active high availability and improved processing of JSON payloads.
Rohde & Schwarz Cybersecurity is a good shortlist contender for organizations looking for a WAF appliance, combining ease of use and in-depth security features, especially those located in Europe.

  • Customer Experience: Rohde & Schwarz customers like the graphical workflow, backed up by a more traditional view. Former DenyAll rWeb users noted that the addition of a web security engine in the new WAF product improved their results.
  • Product Strategy: Following the acquisition, the DenyAll team maintained an open security culture, participating in events where penetration testers are invited to try to hack or bypass the WAF. R&S WAF is also one of the few products evaluated in this research with an official bug bounty program.
  • Capabilities: DenyAll WAF includes multiple analysis engines and leverages user session risk scoring to ensure accurate detection and low false-positive rates.
  • Capabilities: Building on previous enhancements to its reporting solution, Rohde & Schwarz has improved its investigative capabilities by enabling attack replay and dedicated investigation dashboards.
  • Capabilities: R&S Cloud Protector offers only predefined configurations through the management console, like most cloud WAF services built on the foundation of a WAF appliance. However, customers can fully manage the WAF using the API.
  • Customer Experience: Customers continue to give positive feedback about presale and postsale local support.

  • Market Responsiveness: The number of new features released on R&S WAF and R&S Cloud Protector has been severely limited for a few years now. Smaller vendors evaluated for this research have achieved significantly more during the same period, especially when it comes to the development of a cloud WAF service.
  • Marketing and Sales Execution: Even though the acquisition gave DenyAll access to Rohde & Schwarz’s sales force, the vendor is losing market share.
  • Capabilities: The acquisition by Rohde & Schwarz did not lead to significant investment in DenyAll’s small threat research team. DenyAll WAF does not automatically deploy ad hoc signatures following an attack; it relies on the generic engine, leaving customers to work out from the detailed log information whether a triggered alert is related to a recent attack campaign.
  • Capabilities: Rohde & Schwarz does not offer unified centralized management for its WAF appliance and R&S Cloud Protector. The vendor offers limited bot mitigation, compared with many of the vendors evaluated in this research.
  • Geographic Strategy: R&S WAF is not visible in shortlists outside its original home markets, France and Germany. Prospective customers outside of these countries should verify the availability of peer references.
  • Customer Experience: Many customers have complaints about the Java-based UI, and would like to see faster transition to the web-based management promised for years. They also note that bot mitigation could be better.

Vendors Added and Dropped

We’ve updated the inclusion criteria to reflect enterprises’ more demanding requirements. Part of the change is a new requirement for vendors to have a customer base outside of their home region.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.


Added

  • Microsoft (Azure)
  • Oracle (acquired Zenedge)


Dropped

  • NSFOCUS, Penta Security, Positive Technologies and Venustech were dropped, due to updated and more-demanding inclusion criteria.

Inclusion and Exclusion Criteria

WAF vendors that meet Gartner’s market definition/description are considered for this Magic Quadrant under the following conditions:
  • Their offerings can protect applications running on different types of web servers.
  • Their WAF technology is known to be approved by qualified security assessors as a solution for PCI DSS Requirement 6.6, which covers Open Web Application Security Project (OWASP) Top 10 threats, in addition to others.
  • They provide physical, virtual or software appliances, or cloud WAF service.
  • Their WAFs were generally available as of 1 January 2017.
  • Their WAFs demonstrate global presence, and features/scale relevant to enterprise-class organizations:
    • $12 million in WAF revenue during 2017; able to demonstrate that at least 200 enterprise customers use its WAF products under support as of 31 December 2017.
    • And, the vendor must have sold at least 40 net-new customers in 2017.
    • Or, $7 million in WAF revenue during 2017, and two years of compound annual revenue growth of at least 30%.
  • The vendor must provide at least three WAF customer references for WAF appliances, or three customer references for cloud WAF service, or both, if the vendor offers both solutions.
  • The vendor must demonstrate minimum signs of global presence:
    • Gartner received strong evidence that more than 5% of its customer base is outside its home region. Vendors appearing in Gartner client inquiries, competitive visibility, client references and the vendor’s local brand visibility are considered.
    • The vendor can provide at least two references outside its home region.
  • The provider offers 24/7 support, including phone support (in some cases, this is an add-on, rather than being included in the base service).
  • Gartner has determined that they are significant players in the market, due to market presence, competitive visibility or technology innovation.
  • Gartner analysts assess that the vendor’s WAF technology provides more than a repackaged ModSecurity engine and signatures.
  • The vendor must provide evidence to support meeting the above inclusion requirements.
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
  • The vendor primarily has a network firewall or IPS with a non-enterprise-class WAF.
  • The vendor is primarily a managed security service provider (MSSP), and WAF sales mostly come as part of broader MSSP contract.
  • The vendor is not actively providing WAF products to enterprise customers, or has minimal continued investments in the enterprise WAF market.
  • The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
  • The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and internet service providers (ISPs) that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation, and do not rate platform providers separately.
  • The vendor has a host-based WAF, WAM, RASP or API gateway (these are considered distinct markets).
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including A10 Networks, Alibaba, Alert Logic, Array Networks, Avi Networks, Beijing Chaitin Technology, Brocade, DBAppSecurity, DB Networks, ditno., Indusface, Kemp Technologies, Limelight, ModSecurity, NGINX, NSFOCUS, Penta Security, PIOLONK, Positive Technologies, Qualys, Sangfor, SiteLock, Sucuri, Threat X, Trustwave, Venustech, Verizon and Wallarm.
The adjacent markets focusing on web application security continue to be innovative. This includes the RASP market and other specialized vendor initiatives. Those vendors take part in web application security, but often focus on specific market needs, such as bot mitigation (Distil Networks, PerimeterX, Shape Security and Stealth Security), or take an alternative approach to web application security (e.g., Signal Sciences and tCell).

System Integrity Management Platform (SIMP)

The System Integrity Management Platform (SIMP) is an Open Source framework designed around the concept that individuals and organizations should not need to repeat the work of automating the basic components of their operating system infrastructure.

Expanding upon this philosophy, SIMP also aims to take care of routine policy compliance, including NIST SP 800-53, FIPS 140-2, the DISA STIG and the SCAP Security Guide.



The technology industry is renowned for innovation, disruption and the fast pace of change. And yet, an old approach to sales lingers after almost 30 years. Fortunately, solution selling is in its twilight years. It’s dying. And so will any technology vendor that persists with solutions as its primary focus.

A new generation of technology vendors has moved past solution selling. They’ve learned that solving a problem doesn’t guarantee the business result the customer needs. They’re focusing their considerable skill on enabling that business result, not just solving a current problem. This is the third generation of technology sales.

The First Generation was Crushed

The first generation of technology sales began in the 70s as software packages appeared. Customers would evaluate software packages using long lists of features and functions they thought they needed. The package with the most ticks would win the deal. Sadly, the correlation between the number of ticks and the ability to deliver business results for the customer wasn’t strong.

Software packages matured over the next decade or two. The features and functions became more similar in each package. It became more difficult for vendors to win deals based on their features and functions.

The Second Generation

In the late 80s, the second generation of technology sales appeared. Vendors asked customers about the problems they experienced. The vendors then showed customers how they could solve those problems. And because they had solved the same problems in other companies, they could often provide insight. They could show new ways to address the problems.

Customers started to buy from vendors they felt could best solve their problems. This second generation of vendors crushed the generation one vendors. Demonstrating features and functions just didn’t stack up against a competitor that zeroed in on customer pain points and showed how they could be solved. The technology industry rapidly adopted solution selling. Lots of different sales methodologies appeared. Strategic Selling, Solution Selling, SPIN Selling, Target Account Selling and many more were launched. More recently, The Challenger Sale has become popular.

Why the Second Generation Will be Crushed

The Pace of Change

An implicit assumption underpinned the solution-selling approach – if the customer solves their current problems, they’ll achieve the business results they need. The third generation of technology vendors knows they can no longer make this assumption.

The pace of change in business has had a profound effect. Few people doubt that business changes more rapidly than ever before. And that the pace of change will continue to increase. The technology industry itself has been a major driver of this rapid change. The problem for customers lies in the time it takes for a second-generation approach. It takes too long to analyse current problems, evaluate alternative approaches, evaluate different vendors, implement the vendor’s products and wait for the positive effect on business results. By the time this process is finished, a whole new set of problems has arisen. The customers remain in catch-up mode.

Customers need to focus directly on the future business results they need to achieve. And they want a vendor who can show them how to get there.

Failed Implementations Cost Vendors More than Ever

Other factors affect the achievement of the customer’s business results. The quality of implementation leads the list. Failed implementations leave the customer with significant expenses, poor results and deep anger. The vendor usually has some culpability. But, so does the customer. Lots of factors affecting the implementation are owned by the customer. The quality of the new processes the customer wants, for example. Or how the technology will be used. For the project itself, the quality of the customer’s project team, the amount of resources committed, the involvement of senior executives, the decision-making process and the quality of change management deeply affect the results. The customer decides on all these things.

But, a big problem has emerged for vendors. Subscription pricing means a failed implementation has a major impact on future revenue. The customer may cancel their subscription. Or, they just don’t grow their usage because of the poor results. Either way, the vendor’s revenue suffers.

The third generation of technology vendors has learned they can no longer leave those other factors up to the customer. There’s too much risk to the vendor’s revenue. The vendor needs to play a proactive role on all factors affecting the customer’s business results.

New Insights

The third generation of vendors can provide new insight. The second generation provided insight on problems, helping customers see issues they didn’t realise they had. The third generation can provide insight on business results the customer didn’t know were possible. They can describe a new to-be state or ongoing business result. They have insight into results achieved by other companies and into the ability of technology to enable these new business results.

These vendors attract the attention of customers with their insights. And they win deals by selling their ability to enable them.

Characteristics of the Third Generation of Technology Vendors

They Focus on Customers’ Business Results

These vendors are crystal clear about the business results needed by their customers. And in many cases, they provide insight into a new to-be state or business result the customer can aspire to. They’re thriving because they build their business around enabling those business results.

They Leave Less to Chance

Subscription pricing means a failed implementation has a much bigger effect on future revenue. These vendors have become experts at everything required to achieve the needed business results. And they proactively help the customer with all of them.

They Sell Differently

The second generation of vendors sold their ability to solve a set of problems. The third generation sells their ability to enable the customer’s business results. And they differentiate by providing new insight into what results are possible.

How to Move to the Third Generation

It starts by developing crystal clarity about the business results you can help your customers achieve. And, like Steve Jobs, don’t ask the customers first. Work out what they need, tell them and then see if your new insight resonates.

Next, work out how to sell the business results. Your methodology may not change much, but what you’re selling will be different.

Then, work out the other things you need to do to enable the business results you’re selling.

Finally, develop a plan to evolve to your new model. Just as the move from generation one to generation two did not take place overnight, the move from generation two to generation three will be more of an evolution than a revolution. It will take some time.

There’s a good chance you’ve already started this journey. But you don’t want to be like the generation one vendors who didn’t evolve to generation two – and were crushed!