Fastly Security Packages

Right-sized protection for the digital experiences that power your business

Web Application Firewall (WAF)Professional servicesAPI securityBot protection

Fastly’s Security Packages help you confidently protect your web apps and APIs in any environment — on-premise, cloud, or hybrid.

On this page

Each of Fastly's Security Packages features our next-gen WAF, which offers multiple layers of protection and is so effective that more than 90% of our customers use it in full blocking mode. Fastly delivery customers can also take advantage of additional security features such as our comprehensive DDoS protection and TLS encryption.

Security packages summary

  • Essential: Ideal for companies looking for effective app and API protection, our Essential package includes our award-winning next-gen WAF, along with DDoS protection and TLS encryption.

  • Professional: Our Professional package is designed for organizations looking for effective app and API protection but with more custom security requirements.

  • Premier: Our Premier package is ideal for organizations with advanced security requirements and a need for enhanced customization, visibility, and control.

Features by package





Workspace and RPS

1 Workspace 

25 RPS included

Various Workspace and RPS options available

Various Workspace and RPS options available

Fastly Next-Gen WAF

Deploy anywhere: cloud, datacenter or hybrid

DDoS protection*

TLS encryption*

Virtual patching

Custom signals

API and ATO protection rules

Rate limiting

Eligible for Response Security Service add-on

*Customer must separately purchase a Fastly delivery product to leverage DDoS and TLS capabilities.

Features and capabilities

Fastly Next-Gen WAF

Our next-gen WAF is designed to detect and stop OWASP Top 10 attacks like SQL injection and cross-site scripting (XSS). We also protect against advanced web-layer attacks like account takeover (ATO) via credential stuffing, API abuse, shopping cart ID enumeration, malicious bots, and more — all in one solution.

Deploy anywhere: cloud, edge, datacenter, or hybrid environments

With a flexible software agent-module pair, our next-gen WAF is designed for rapid deployment in any environment. No matter where you operate your apps and APIs, you’ll quickly gain protection and visibility across your entire application footprint.

API and ATO protection rules

We provide dedicated API and Account Takeover (ATO) rules to help surface security telemetry for advanced attack scenarios, like user ID enumeration, credit card validation flow abuse, and password reset attempts. With dedicated visual dashboards, your security, development, and operations staff can quickly gain granular visibility into Layer 7 attacks with minimal effort.

Custom signals

Our custom signals provide increased visibility into rules and how they automatically block or allow web requests. Rules can be configured with custom signals to show why requests were blocked. Signals can be created on individual Workspaces or organization-wide so you can easily use them in multiple workspaces.

Rate limiting

Our next-gen WAF provides rate limiting capabilities that include intelligent controls to reduce the number of requests directed at key web application functions. By utilizing application-specific rate limiting rules, we can detect and mitigate fraudulent abuse of apps and APIs.


Our workspace feature gives you the ability to manage and access security metrics for a discrete collection of apps and APIs in our next-gen WAF management console. You can group apps and APIs to suit your business requirements, like grouping apps and APIs by specific business units or production environments.

Requests per second (RPS)

RPS is a measure of the web requests our next-gen WAF inspects per second to detect and stop malicious traffic. Organizations with few apps in production benefit from our default 25 RPS, while organizations with many apps will have higher traffic volumes. We’ll work with you to ensure you have adequate request inspection volume to suit your traffic.

DDoS protection

Available to Fastly delivery customers, our DDoS Protection blocks volumetric attacks at Layer 3 and 4. Additionally, our next-gen WAF provides application layer DDoS prevention. When unexpected web request traffic exceeds your pre-defined thresholds, excessive request volumes are automatically blocked to keep your apps and APIs available to legitimate customers.

TLS encryption

Available to Fastly delivery customers, Platform TLS provides a simple way for you to configure TLS on our network using a web API. It’s fast, easy to manage, and highly scalable.

Get started today

Reach out to our team to learn more about our secure packages and how quickly you can protect the digital experiences that drive your business.

Fastly Next-Gen WAF Datasheet

Learn how our Next-Gen WAF automatically protects against web layer attacks and easily integrates with DevOps tools.

Fastly DDoS Mitigation Datasheet

Our DDoS mitigation service protects against Layer 3-4 and complex Layer 7 DDoS attacks.

Analyst Report
Gartner® Peer Insights “Voice of the Customer”: WAAP

Fastly is the only vendor to be named a Customers’ Choice for four consecutive years.

White Paper
10 Key Capabilities of Next-Gen WAF White Paper

A look at why our next-gen WAF is the security tool of choice for modern software teams.

Ready to get started?

Get in touch.