Fastly Next-Gen WAF

Advanced web application and
API protection

Web Application Firewall (WAF)API securityBot protectionSecurity

The Fastly Next-Gen WAF provides advanced protection for your applications, APIs, and microservices, wherever they live, from a single unified solution.

On this page

A single solution to protect all your apps and APIs

When your business is growing and innovating at a rapid rate, other web application firewalls can fail to keep up: too many false positives, limited DevOps integrations, and incompatibility with your mix of applications and differing architectures. The Fastly Next-Gen WAF (powered by Signal Sciences) provides advanced web application and API protection (WAAP) for your applications, APIs, and microservices, wherever they live, from a single unified solution.

Protection everywhere your apps operate

The Fastly Next-Gen WAF flexibly deploys in any environment and can protect apps and APIs wherever they are—in containers, on-prem, in the cloud, or on the edge—with one integrated solution.

See real threats, not false positives

Almost 90% of our customers have our WAF in full blocking mode. We take a threshold approach to blocking so you can run our solution in full, automated blocking mode in production with virtually no false positives. This enables you to scale protection without dealing with the maintenance overhead that legacy WAFs require.

Defeat advanced threats

Get protection that goes beyond OWASP Top 10 injection-style web attacks. We provide coverage against advanced threats including account takeover (ATO) via credential stuffing, malicious bots, API abuse, and more—all in one solution.

Fast time-to-value

Unlike traditional web application firewalls, our next-gen WAF deploys in an average of 60 minutes and you don't need to pay extra managed services fees for rules tuning or ongoing maintenance.

Visibility for faster remediation

Reporting and alerting feedback loops provide Layer 7 visibility across your entire app and API footprint. Integrations with DevOps and security toolchains empower teams to make decisions from the same baseline of security data provided via alerts, our API, or management console.

Key Benefits

  • Eliminate false positives: Almost 90% of customers are in full blocking mode

  • Trusted and proven: 90,000+ app deployments protected

  • Deploy anywhere: From edge to on-prem with support for 100+ cloud-native and data center platforms.

Betterment logo

"It works straight out of the box, scales automatically, and does a great job at providing visibility while securing the application."

Anson Gomes

Lead Security Engineer

What we detect and block 

  • OWASP Top 10 - Protect against both classic OWASP Top 10 attacks and advanced web attacks.

  • Account takeover (ATO) - Block ATO attacks by inspecting web requests and correlating anomalous activity with malicious intent.

  • API protection - Stop API abuse by monitoring for unexpected values and parameters submitted by endpoints and blocking unauthorized requests.

  • Bot protection - Prevent bad bots from performing malicious actions against your websites and APIs by identifying and mitigating them before they can negatively impact your bottom line or your user experience.

  • DDoS - Prevent malicious automated traffic that aims to overwhelm or abuse your apps so they are unavailable. When defined traffic thresholds for key application functions are met we automatically block the abusive traffic.

  • Rate limiting - Stop malicious and anomalous high-volume web requests, reduce web server and API utilization, and let legitimate traffic through to application and API endpoints with our advanced rate limiting features.

Our patented approach

Next-Gen WAF Architecture Overview diagram

Using lightweight software modules and agents throughout your web servers and applications, we collect information about your security posture and surface these real-time event details through self-service dashboards, intelligent alerting, and powerful reporting, powered by the Signal Sciences-developed Cloud Engine. 

Unlike common regex-based WAFs, the Fastly Next-Gen WAF uses SmartParse, our highly accurate detection method that evaluates the context of each request and how it would actually execute to determine if there are malicious or anomalous payloads in requests. This feeds into our Network Learning Exchange (NLX), which recognizes attack patterns across our customer network and then proactively alerts and defends all our customers against the same attack. 

Our management console quickly provides actionable information and key metrics in a centralized interface, unlike many legacy WAF vendors who require you to log in to multiple instances to gain visibility across your deployment footprint. Additionally, any request telemetry reported in our console can be ingested into your other security tools via our API.

Axon Logo

“It’s refreshing to work with a security product that not only provides exceptional security benefits, but also prioritizes performance, reliability, and overall operational manageability.”

Jenner Holden

VP of Information Security

Deploy anywhere 

Our deployment options provide the flexibility in development, security, and operations that teams need, enabling you to install our solution at different points in your stack, from edge to on-premises. For further detail on deployment options, see our Architecture and Deployment Overview

Cloud and container-native: Our agent-module pair installs at your web server, API gateway, or at the app level within minutes. Native integrations with container orchestration tools, like Kubernetes, and service meshes, like Envoy Proxy and Istio, provide visibility into both north-south (client-server) and east-west (service-to-service) requests. 

Datacenter and legacy apps: The Fastly Next-Gen WAF can be installed to inspect traffic prior to web requests reaching the app or API endpoint such as at the load balancer (A10 Networks, HAProxy, NGINX) or at the API gateway (Ambassador, Kong, Cloudentity). If your requirements don’t allow for installation at the load balancer or API gateway, our agent can be deployed in reverse proxy mode. 

Edge WAF: Our edge deployment bundles the best of the Fastly Next-Gen WAF, always-on DDoS mitigation inherent in our edge cloud network, and TLS management. Realize the performance benefits of our global network while simultaneously securing your traffic—all without deploying and managing multiple solutions. 

Cloud WAF: We host the agent for you so there’s no software to install. You just change your DNS record to route traffic to our hosted agent where inspection and decisioning occurs: legitimate traffic is let through to the app or API origin. 

Hybrid: Have a variety of infrastructure and technology in your environment? Our range of deployment options means you don’t have to cobble together different WAF solutions or leave some apps and APIs unprotected. Deploy everywhere and still get centralized management and visibility.

Remitly Logo

“Signal Sciences [Fastly] in three words: Easy. Powerful. Magic. I would absolutely recommend Signal Sciences to other companies looking for a WAF solution that does a great job protecting environments and doesn’t require a ton of time and effort to tune and manage. It gets things right the first time.”

Kevin Hanaford

Senior Manager of Security & IT

Right-sized protection 

Fastly provides right-size protection to meet your business needs. Our Security packages provide comprehensive web application and API protection in easy-to-purchase options.

Gartner Peer Insights Voice of the Customer

Fastly is the only vendor to be named a Gartner Peer Insights Customers’ Choice for Web Application and API Protection (WAAP) for five consecutive years and is one of the highest-rated WAAP solutions on the market with an overall rating of 5/5 stars.

Fastly Next-Gen WAF Architecture and Deployment Overview

Details on the patented architecture of our WAF and deployment options available.

Blog Post
WAF Efficacy Framework

Discover how the WAF efficacy framework helps you measure the effectiveness of your WAF.

Analyst Report
Gartner® Magic Quadrant™ for WAAP Analyst Report

Fastly is a Cloud WAAP Challenger. Compare vendors in this report.

Analyst Report
Gartner® Peer Insights “Voice of the Customer”: WAAP

Fastly is the only vendor to be named a Customers’ Choice for five consecutive years.

Ready to get started?

Get in touch.