Fastly Next-Gen WAF

The Fastly Next-Gen WAF provides advanced protection for your applications, APIs, and microservices, wherever they live, from a single unified solution.

Vendor

Fastly

Product details

A single solution to protect all your apps and APIs

When your business is growing and innovating at a rapid rate, other web application firewalls can fail to keep up: too many false positives, limited DevOps integrations, and incompatibility with your mix of applications and differing architectures. The Fastly Next-Gen WAF (powered by Signal Sciences) provides advanced web application and API protection (WAAP) for your applications, APIs, and microservices, wherever they live, from a single unified solution.

Protection everywhere your apps operate

The Fastly Next-Gen WAF flexibly deploys in any environment and can protect apps and APIs wherever they are—in containers, on-prem, in the cloud, or on the edge—with one integrated solution.

See real threats, not false positives

Almost 90% of our customers have our WAF in full blocking mode. We take a threshold approach to blocking so you can run our solution in full, automated blocking mode in production with virtually no false positives. This enables you to scale protection without dealing with the maintenance overhead that legacy WAFs require.

Defeat advanced threats

Get protection that goes beyond OWASP Top 10 injection-style web attacks. We provide coverage against advanced threats including account takeover (ATO) via credential stuffing, malicious bots, API abuse, and more—all in one solution.

Fast time-to-value

Unlike traditional web application firewalls, our next-gen WAF deploys in an average of 60 minutes and you don't need to pay extra managed services fees for rules tuning or ongoing maintenance.

Visibility for faster remediation

Reporting and alerting feedback loops provide Layer 7 visibility across your entire app and API footprint. Integrations with DevOps and security toolchains empower teams to make decisions from the same baseline of security data provided via alerts, our API, or management console.

Key Benefits

  • Eliminate false positives: Almost 90% of customers are in full blocking mode
  • Trusted and proven: 90,000+ app deployments protected
  • Deploy anywhere: From edge to on-prem with support for 100+ cloud-native and data center platforms

What we detect and block 

  • OWASP Top 10 - Protect against both classic OWASP Top 10 attacks and advanced web attacks.
  • Account takeover (ATO) - Block ATO attacks by inspecting web requests and correlating anomalous activity with malicious intent.
  • API protection - Stop API abuse by monitoring for unexpected values and parameters submitted by endpoints and blocking unauthorized requests.
  • Bot protection - Prevent bad bots from performing malicious actions against your websites and APIs by identifying and mitigating them before they can negatively impact your bottom line or your user experience.
  • DDoS - Prevent malicious automated traffic that aims to overwhelm or abuse your apps so they are unavailable. When defined traffic thresholds for key application functions are met we automatically block the abusive traffic.
  • Rate limiting - Stop malicious and anomalous high-volume web requests, reduce web server and API utilization, and let legitimate traffic through to application and API endpoints with our advanced rate limiting features.

Our patented approach

Using lightweight software modules and agents throughout your web servers and applications, we collect information about your security posture and surface these real-time event details through self-service dashboards, intelligent alerting, and powerful reporting, powered by the Signal Sciences-developed Cloud Engine.

Unlike common regex-based WAFs, the Fastly Next-Gen WAF uses SmartParse, our highly accurate detection method that evaluates the context of each request and how it would actually execute to determine if there are malicious or anomalous payloads in requests. This feeds into our Network Learning Exchange (NLX), which recognizes attack patterns across our customer network and then proactively alerts and defends all our customers against the same attack.

Our management console quickly provides actionable information and key metrics in a centralized interface, unlike many legacy WAF vendors who require you to log in to multiple instances to gain visibility across your deployment footprint. Additionally, any request telemetry reported in our console can be ingested into your other security tools via our API.