App and API Protection
Powered by Signal Sciences

Unified web app and API security, anywhere


Highly performant protection for any environment

The Fastly Next-Gen WAF (powered by Signal Sciences) protects your apps wherever they live: on-premises, in containers, in the cloud, and at the edge. It’s so effective at preventing false positives that almost 90% of our customers use it in full blocking mode.


customers in full blocking mode


app deployments protected


Cloud-native and datacenter platforms supported

Seriously useful security

Defeat advanced threats

Get protection that goes beyond OWASP Top 10 injection-style web attacks. Gain coverage against advanced threats, including account takeover (ATO) via credential stuffing, malicious bots, API abuse, and more — all in one solution.

Rapid time-to-value

Unlike traditional web application firewalls, our next-gen WAF deploys quickly, in hours — not weeks or months — and is so easy to manage that you won’t need to pay extra managed services fees for rules tuning or ongoing maintenance.

Protection everywhere your apps operate

Designed for maximum deployment flexibility, our hybrid SaaS WAF installs via an agent-module software pair or via cloud-based options that require no software installation.

Visibility for faster remediation

Reporting and alerting feedback loops provide Layer 7 visibility across your entire app and API footprint. Integrations with your DevOps and security toolchains encourage the sharing and correlation of data and help simplify automation, both decreasing security risks and speeding up CI/CD.

Don’t take our word for it

Our customers repeatedly point to our superior technical efficacy and customer support. That’s why we’re the only WAAP vendor to receive the Gartner Peer Insights Customers' Choice distinction five years in a row.


What sets Fastly apart

Traditional web application firewalls (WAF) rely on regular expression pattern-matching rules. They’re difficult to manage and require never-ending rules tuning to eliminate false positives that can block legitimate traffic. The Fastly Next-Gen WAF leverages a fundamentally different approach, developed by Signal Sciences, that effectively detects and blocks malicious traffic without rules tuning, leaving your AppSec teams to focus on bigger problems.

Network Learning Exchange (NLX)
NLX is a trusted IP reputation feed based on anonymized, confirmed malicious activity collected from tens of thousands of our distributed software agents. It is uniquely able to recognize attack patterns across our customer network, then proactively alert upon and defend your web apps and APIs.

Unlike common regex-based WAFs, our next-gen WAF uses SmartParse, a highly accurate detection method, to evaluate the context of each request and how it would execute, to determine if there are malicious or anomalous payloads in requests. SmartParse enables near-zero tuning and the ability to start detecting threats immediately.


The modern solution for web application and API Protection (WAAP)

OWASP Top 10

Protect against both classic OWASP Top 10 attacks and advanced web attacks.

Account Takeover

Block account takeover (ATO) attacks by inspecting web requests and correlating anomalous activity with malicious intent.

API Protection and GraphQL Inspection

Stop API abuse by monitoring for unexpected values and parameters submitted by endpoints and blocking unauthorized requests. Further expand traffic coverage and parse GraphQL requests with new out-of-the-box capabilities.

Bot Protection

Prevent bad bots from performing malicious actions against your websites and APIs by identifying and mitigating them before they can negatively impact your bottom line or your user experience.


Prevent malicious automated traffic that aims to overwhelm or abuse your apps so they are unavailable. When defined traffic thresholds for key application functions are met, we automatically block the abusive traffic.

Rate Limiting

Stop malicious and anomalous high-volume web requests, reduce web server and API utilization, and let legitimate traffic through to application and API endpoints with our advanced rate limiting features.

Built for the most demanding environments

The Fastly Next-Gen WAF is a hybrid software as a service (SaaS) solution with three main components. This patented approach, developed by Signal Sciences, allows us to easily scale and protect even the highest volume applications and APIs without impacting performance.

Perform detection and decisioning against requests quickly and accurately. Can install on your infrastructure or be hosted in the cloud or on the Fastly Edge Cloud Network.

Optional but powerful component pairs with our agents to enforce high performance and reliability guarantees.

Cloud Engine
Cloud-hosted analytics backend enriches the agent asynchronously with both external and proprietary intelligence to make dynamic, app-specific detections.

Deploy anywhere

Fastly offers the most flexibly deployed WAF on the market and can protect your apps and APIs wherever they are with one integrated solution offering the same level of visibility and actionable insights and alerts.

Cloud and container-native

Our agent-module pair installs at your web server, API gateway, or at the app-level within minutes. Additionally, our native integrations with containers, like Kubernetes, and service meshes, like Envoy Proxy and Istio, provide visibility into both north-south (client-server) and east-west (service-to-service) requests.

Datacenter and legacy apps

The Fastly Next-Gen WAF can be installed to inspect traffic prior to web requests reaching the app or API endpoint, such as at the load balancer (A10 Networks, HAProxy, NGINX) or at the API gateway (Ambassador, Kong, Cloudentity). If your requirements don’t allow for installation at the load balancer or API gateway, our agent can be deployed in reverse proxy mode.

Cloud WAF

We host the agent for you so there’s no software to install. You just change your DNS record to route traffic to our hosted agent, where inspection and decisioning occur: legitimate traffic is let through to the app or API origin.

Edge WAF

Our edge deployment bundles the best of the Fastly Next-Gen WAF, always-on DDoS mitigation, and full site delivery. Realize the performance benefits of our global delivery network while simultaneously securing your traffic — all without having to deploy and manage multiple solutions.


Have a variety of infrastructure and technology in your environment? Our range of deployment options means you don’t have to cobble together various different WAF solutions or leave some apps and APIs under-protected. Deploy everywhere and still get centralized management and visibility.
