The RealReal is the world’s largest online marketplace for authenticated, resale luxury goods, with more than 40 million members. The site makes listing, optimal pricing, and shipping effortless for sellers, while a rigorous authentication process ensures that shoppers can buy exclusive fashion brands, fine jewelry, and art with confidence. The RealReal embraces the sustainability of the resale marketplace: as of 2025, the company estimates its users have avoided 90,000 metric tons of carbon emissions and 4.9 billion liters of water use by extending the life of expertly crafted items.
therealreal.com
Industry: Ecommerce, Retail
Location: North America
Customer since: 2017
Favorite features
Next-Gen WAF
Bot Management
The luxury goods market is built on trust: consumers expect that every link in the supply chain—the materials, the design, the artisans, the sellers—is of the highest quality. Whether a buyer is motivated by brand status or superior craftsmanship, confidence is everything. As an online reseller, The RealReal faces the additional challenge of making sure user experience is consistently flawless and user data is secure. For a large e-commerce platform facing approximately 31,000 attacks each month, there is absolutely no room for error. Malicious actors and disruptive bots must be effectively blocked while ensuring seamless access for legitimate customers. Developers require the flexibility to deploy updates and changes instantly, keeping the site agile. At the same time, these safeguards must be implemented without burdening or overwhelming the security team.
The RealReal implemented the Fastly CDN, Next-Gen WAF and Bot Management to provide the security, delivery, and ease-of-use necessary to meet the challenges of being a high-profile retailer. First and foremost, The RealReal has been able to use immediate blocking without fear of stopping legitimate users. "If we have a customer buying a high-end item, we don't want to lose the sale because of false positives. We feel very confident that traffic being blocked today by Fastly is malicious users," said Alex Wang, Staff Security Engineer at The RealReal. Just as important, the security team gets these results with a solution that's easy to use and supports their CI/CD pipeline.
Intuitive design gets security teams working right away
Instant usability was a major out-of-the-box differentiator between the Fastly Next-Gen WAF and other WAF solutions. The RealReal experienced a full turnover of its infosec team in 2024, which required rapid onboarding of new engineers without disrupting security operations. The RealReal Director of Cybersecurity Engineering Kevin Ponds credits Fastly with helping the team stay on track. "Getting a whole new team ramped up was a pretty big challenge, but Fastly made it easy," Ponds said. "The Next-Gen WAF is a very intuitive platform and a very well-designed tool."
The tuneless detection capabilities of the WAF’s SmartParse detection engine mean there's no need for writing regex-based rules. The team also leveraged Fastly's rule builder to quickly block malicious traffic. "The rule builder made it easy for a new team without Fastly-specific rebuilding expertise to get started," said Wang. "We were able to come in and just start using the WAF and understand how to do any necessary configurations or additional tunings."
Visibility provides insight for swift responses
Both Wang and Ponds credit the visibility built into the Next-Gen WAF for making the security team responsive right out of the gate. The signals-based approach makes it simple not only to identify common attacks and anomalous traffic requests but also to create custom signals for specific business uses. "The signal-based clarity Fastly provides makes it easy for us to tell through the requests what type of attack we're seeing, like cross-site scripting or SQL injection," said Wang.
In addition, system-generated dashboards give quick visibility and insights into dozens of security factors, such as traffic anomalies, bot activity, or compromised credentials. "The visibility we get helps us diagnose whether or not something is actually a security issue," said Ponds. "The dashboards help us validate that we're blocking the right things and not any of the wrong things."
Integrated solutions keep developers and security in sync
Getting developers and the infosec team working together sometimes leads to a tug-of-war in priorities. For The RealReal, using both Fastly's CDN and security solutions has helped bring the teams together, so there's no need to sacrifice agility for security. According to Ponds, "The coupling of the WAF and CDN components makes Fastly an extremely good choice for us." The security team is closely partnered with The RealReal's DevOps team, sharing traffic information that has both security and operations value.
Most importantly, developers can actively deploy new code to production multiple times a day. According to Wang, "We have a frictionless relationship with our developers. I've been at other organizations where you can't deploy quickly without having to request a change window and then stay up until 10pm. We don't need to do that, because we feel confident in Fastly's capabilities to protect our applications." The RealReal also leverages native integrations to ensure transparency. "With a lot of security tools, it's like a black box for anyone who isn't part of the security team. With Fastly, we leverage GitHub and the Terraform Provider so any developer can see the configuration and the rules we have in place," Wang said.
The RealReal maintains the high-quality platform users expect by leveraging solutions that seamlessly balance performance and security without overburdening their security team. The reliable blocking capabilities, intuitive tools, and real-time visibility of the Fastly Next-Gen WAF ensure luxury shoppers and sellers enjoy a trusted, flawless experience that keeps them coming back. With Fastly powering both delivery and security, The RealReal's engineers and developers can ship code on demand, innovate faster, and continue delighting customers at every interaction.
"Fastly gives us a level of confidence in terms of our ingress pipeline that allows us to be more agile with our deployments."
Kevin Ponds
Director of Cybersecurity Engineering, The RealReal
"Fastly's Next-Gen WAF is easy to configure, lightweight, and well-designed."
Kevin Ponds
Director of Cybersecurity Engineering, The RealReal
"Fastly support is a massive help, working with our security team, iteratively going over policies, and looking at attacks. They augment our team and turbocharge us to keep our platform running smoothly."
Kevin Ponds
Director of Cybersecurity Engineering, The RealReal
"We have immediate blocking enabled with the Next-Gen WAF and that's helped build trust between our developers and our security team."
Alex Wang
Staff Security Engineer, The RealReal
"One of the major benefits of Fastly is getting excellent protection out of the box."
Alex Wang
Staff Security Engineer, The RealReal
"I recommend Fastly for any small teams that don't want to deal with the toil of managing an on-prem product or writing a bunch of regex rules. If you want a hands-off approach with an easy, intuitive product, that's Fastly."
Alex Wang
Staff Security Engineer, The RealReal