The Fastly Next-Gen WAF (powered by Signal Sciences) protects your apps wherever they live: on-premises, in containers, in the cloud, and at the edge. It’s so effective at preventing false positives that over 90% of our customers use it in full blocking mode.
customers in full blocking mode
app deployments protected
Cloud-native and datacenter platforms supported
Consecutive years as a Gartner Peer Insights Customer' Choice
Get protection that goes beyond OWASP Top 10 injection-style web attacks. Gain coverage against advanced threats, including account takeover (ATO) via credential stuffing, malicious bots, API abuse, and more — all in one solution.
Unlike traditional web application firewalls, our next-gen WAF deploys quickly, in hours — not weeks or months — and is so easy to manage that you won’t need to pay extra managed services fees for rules tuning or ongoing maintenance.
Designed for maximum deployment flexibility, our hybrid SaaS WAF installs via an agent-module software pair or via cloud-based options that require no software installation.
Reporting and alerting feedback loops provide Layer 7 visibility across your entire app and API footprint. Integrations with your DevOps and security toolchains encourage the sharing and correlation of data and help simplify automation, both decreasing security risks and speeding up CI/CD.
Our customers repeatedly point to our superior technical efficacy and customer support. That’s why we’re the only WAAP vendor to receive the Gartner Peer Insights Customers' Choice distinction five years in a row.
Read the reportTraditional web application firewalls (WAF) rely on regular expression pattern-matching rules. They’re difficult to manage and require never-ending rules tuning to eliminate false positives that can block legitimate traffic. The Fastly Next-Gen WAF leverages a fundamentally different approach, developed by Signal Sciences, that effectively detects and blocks malicious traffic without rules tuning, leaving your AppSec teams to focus on bigger problems.
Network Learning Exchange (NLX)
NLX is a trusted IP reputation feed based on anonymized, confirmed malicious activity collected from tens of thousands of our distributed software agents. It is uniquely able to recognize attack patterns across our customer network, then proactively alert upon and defend your web apps and APIs.
Learn more
SmartParse
Unlike common regex-based WAFs, our next-gen WAF uses SmartParse, a highly accurate detection method, to evaluate the context of each request and how it would execute, to determine if there are malicious or anomalous payloads in requests. SmartParse enables near-zero tuning and the ability to start detecting threats immediately.
Learn more
We’ve got a lot on our plate, so we look for technology that gives us what we need out of the box. [Security solutions like the Fastly Next-Gen WAF] that you can turn on and immediately get known threat signature detection is really helpful for a team like ours.
Fastly and its team of security experts genuinely know what it means to keep companies safe from hackers. The customer experience has been outstanding and added support is rated five stars. I would 100% recommend any company join the Fastly band if you want to ensure your customer data is secure.
Our site is often the target of attacks, both automated and manual, and we needed a consistent way to identify these threats and continuously stop them at the doorstep with minimal effort. With the out-of-the-box ruleset already defined by Fastly, getting up and running was easy, leaving us time to further refine what we want to block.
We selected Signal Sciences [Fastly] because it just worked. We didn’t want to divert internal resources to maintain coverage by tuning security controls. Signal Sciences seamlessly integrated into our toolset, while giving us realtime security visibility — without the noise.
We were really impressed with how easy deployment went. Dropping Signal Sciences [Fastly] into our existing highly-available architecture with minimal effort was critical to the project’s success. The Signal Sciences approach to determining when to block things is super smart. False positives affecting Duo customers are nonexistent.
PROTECTING THE BEST OF THE WEB
Protect against both classic OWASP Top 10 attacks and advanced web attacks.
Block account takeover (ATO) attacks by inspecting web requests and correlating anomalous activity with malicious intent.
Stop API abuse by monitoring for unexpected values and parameters submitted by endpoints and blocking unauthorized requests. Further expand traffic coverage and parse GraphQL requests with new out-of-the-box capabilities. Learn more about our new GraphQL Inspection feature.
Prevent bad bots from performing malicious actions against your websites and APIs by identifying and mitigating them before they can negatively impact your bottom line or your user experience.
Prevent malicious automated traffic that aims to overwhelm or abuse your apps so they are unavailable. When defined traffic thresholds for key application functions are met we automatically block the abusive traffic.
Stop malicious and anomalous high-volume web requests, reduce web server and API utilization, and let legitimate traffic through to application and API endpoints with our advanced rate limiting features.
The Fastly Next-Gen WAF is a hybrid software as a service (SaaS) solution with three main components. This patented approach, developed by Signal Sciences, allows us to easily scale and protect even the highest volume applications and APIs without impacting performance.
Agents
Perform detection and decisioning against requests quickly and accurately. Can install on your infrastructure or be hosted in the cloud or on the Fastly Edge Cloud Network.
Modules
Optional but powerful component pairs with our agents to enforce high performance and reliability guarantees.
Cloud Engine
Cloud-hosted analytics backend enriches the agent asynchronously with both external and proprietary intelligence to make dynamic, app-specific detections.
Fastly offers the most flexibly deployed WAF on the market and can protect your apps and APIs wherever they are with one integrated solution offering the same level of visibility and actionable insights and alerts.
Our agent-module pair installs at your web server, API gateway, or at the app-level within minutes. Additionally, our native integrations with containers, like Kubernetes, and service meshes, like Envoy Proxy and Istio, provide visibility into both north-south (client-server) and east-west (service-to-service) requests.
The Fastly Next-Gen WAF can be installed to inspect traffic prior to web requests reaching the app or API endpoint such as at the load balancer (HAProxy, NGINX) or at the API gateway (Ambassador, Kong, Cloudentity). If your requirements don’t allow for installation at the load balancer or API gateway, our agent can be deployed in reverse proxy mode.
We host the agent for you so there’s no software to install. You just change your DNS record to route traffic to our hosted agent where inspection and decisioning occurs: legitimate traffic is let through to the app or API origin.
Our edge deployment bundles the best of the Fastly Next-Gen WAF, always-on DDoS mitigation, and full site delivery. Realize the performance benefits of our global delivery network while simultaneously securing your traffic — all without having to deploy and manage multiple solutions.
Have a variety of infrastructure and technology in your environment? Our range of deployment options means you don’t have to cobble together various different WAF solutions or leave some apps and APIs under-protected. Deploy everywhere and still get centralized management and visibility.
Datasheet
Blog
Analyst report
Report