1. Executive Summary
Application development architecture has been changing to accommodate new platforms, processes, and application needs. Increasingly, applications are collections of APIs, both public and private, connected in the core application to a user interface (UI).
Modern applications need a comprehensive security capability that covers all points of vulnerability. This means a combination of what we have seen in traditional web application firewalls (WAFs), plus all the protection offered by API security and API management products. Together, these types of protection create a comprehensive application and API security (AAS) solution category.
Application deployment architectures have also changed—applications can be spread across multiple clouds, running in Kubernetes, hosted in a data center, or co-hosted with a vendor. AAS products must protect all important parts of the overall application, wherever they are deployed.
Critical to protecting modern applications is understanding them. AAS products provide two tools to help understand and validate an application via its APIs. The first is API “import from definition,” whether in WSDL, OpenAPI, or another standard. This helps us to understand what the API should be doing. The other is “runtime detection” of APIs, which covers what the API is doing. It also offers a view of APIs that are outside the system and do not have a valid API definition file—which often make up the majority of an organization’s APIs.
As application architectures became more complex, the sophistication and volume of attacks increased as well, causing a litany of issues for IT staff. The volume of attack data, the number of attack vectors, and dispersion of attack activity all make protecting applications harder. AAS products must either block known and identifiable attacks outright or offer advanced filtering of data that’s escalated to IT staff to keep the volume of alerts at a manageable level.
There are many attack vectors, some requiring unique protection capabilities. An AAS solution must protect against application-layer distributed denial of service (DDoS) attacks while at the same time detecting and/or blocking other well-known attacks, even though these two types of protection generally use different detection and remediation techniques.
Integration with security information and event management (SIEM) solutions allows this critical piece of application security to be included in post-mortem and even secondary detection generated and managed on the SIEM solution.
This is our third year evaluating the AAS space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 13 of the top AAS solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading AAS offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well AAS solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
- Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
- Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, and features to improve integration with the organization’s broader security framework and include data leak protection (DLP). Scalability is another big differentiator, as is the ability to protect the same service in different environments.
- Service provider (cloud, managed, or network service provider): Offerings targeting service providers are likely to be focused on reselling because service providers thrive in that environment. The solution’s ability to protect multiple customers and multiple applications per customer requires increased attention to scalability. For self-serve scenarios, the service provider will want ease of use to be paramount for its customers’ sake.
- Public sector: Governments have their own sets of requirements that often echo those of the private sector but are unique in several ways. Pricing flexibility, multiple-year contracts, ability to prove that protection is good enough, and massive logging capabilities are all more important in public sector work. The ability to interoperate with older software, while not limited to the public sector, is more common in this environment.
In addition, we recognize the following deployment models:
- Public cloud image (including hybrid and multicloud): This encompasses solutions that protect applications deployed to one or more public clouds.
- Local: With these solutions, applications run exclusively on the customer’s hardware and network; outbound links for feeds may exist, but no application component of the solution runs outside the customer’s environment.
- Software as a service (SaaS)/private cloud: This encompasses solutions that protect applications running in whole or in part on private cloud stacks like OpenStack.
- Hybrid: With these solutions, applications run on both vendor and local hardware.
Table 1. Vendor Positioning: Target Market and Deployment Model

SMB, Large Enterprise, Service Provider, and Public Sector are the target-market columns; Public Cloud Image, Local, SaaS, and Hybrid are the deployment-model columns.

| Vendor | SMB | Large Enterprise | Service Provider | Public Sector | Public Cloud Image | Local | SaaS | Hybrid |
|---|---|---|---|---|---|---|---|---|
| Akamai | | | | | | | | |
| Barracuda | | | | | | | | |
| Check Point | | | | | | | | |
| Cloudflare | | | | | | | | |
| F5 | | | | | | | | |
| Fastly | | | | | | | | |
| Fortinet | | | | | | | | |
| Imperva | | | | | | | | |
| Indusface | | | | | | | | |
| NetScaler | | | | | | | | |
| Radware | | | | | | | | |
| ThreatX | | | | | | | | |
| Wallarm | | | | | | | | |
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
- Rules engine
- Support for common standards
- Zero-day protection
- Layer 7 DDoS protection
- Runtime protections
- WAF
Tables 2, 3, and 4 summarize how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
- Key features differentiate solutions, outlining the primary criteria to be considered when evaluating an AAS solution.
- Emerging features show how well each vendor is implementing capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
- Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating AAS Solutions.”
Key Features
- AI-enhanced vulnerability detection: Modern systems, modern attacks, and modern architectures are all getting more complex, yet application security staffing shortages have only grown. Add to this the increasing sophistication of attacks and it is clear that the need for AI enhancement of protection solutions is becoming acute and will become even more prominent in the future. AAS tools must be able to at least use AI to increase automated detection.
- API import and discovery: An AAS can protect only what it knows about. Telling the solution what to protect and how to protect it is a lengthy process if done only by humans. The overarching goal of this key criterion is to determine how much work it will take to implement API protection initially and then how much effort it will take to add new APIs in the future.
- Data leak protection: While detecting attempts to infiltrate the application space is important, it’s equally important to detect situations when data is being leaked out of the organization through applications and APIs. DLP is increasingly critical. Applications and APIs can accidentally leak data like personally identifiable information (PII). Even worse, attackers can establish themselves within an organization (via inside help or circumventing other protections) and start to exfiltrate data.
- Account takeover protection: Credential stuffing occurs when an attacker uses passwords from previous successful attacks and tries those login credentials on a different site or application. For example, if information leaked from one of several large-scale hacks on social media sites included an email address from a company an attacker wants to target, the attacker could use those credentials to try to gain access to the systems of the target company. It is a largely successful attack vector because so many people reuse username and password combinations across home and work accounts, and so much login data has been leaked over the years.
- Bot management: Though there are negative connotations to words like botnets, bots are not, by definition, bad. The internet is full of bots that are doing vital work, such as indexing the web for search engines and testing the availability of important APIs and applications. These are examples of bots that are helping us every day. Sadly, there is the other kind of bot—the ones that create DDoS agents or look for weak defenses to help attackers determine where to devote their time.
- Metadata evaluation: Increasingly, both rules-based and AI-enhanced systems require access to information about the connection and the user that can help organizations to identify and block threats. Solutions differ in what types of metadata they collect, how it’s collected, and what can be done with it. As attacks become more dispersed—with attempts made against a variety of targets within the enterprise, application portfolio, or application—the ability to put this information to use is more important than ever.
- Integrations: As broad as AAS solutions are, they are just one piece of the security and deployment architecture. More and more, they must work well with the other tools that impact applications and security footprint to bring a more comprehensive solution than they implement alone.
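As an added illustration of the two views the report describes for API import and discovery, import from definition (what the API should do) versus runtime detection (what it is doing), the script below reconciles a constructed OpenAPI fragment with constructed access-log lines. It is example code written for this page, not the report's or any vendor's, and reports documented operations never called, calls on known routes with unlisted methods, and calls on routes the definition does not know about at all.

```python
"""Reconcile an imported API definition with traffic observed at runtime.

Added example for the report's API import and discovery discussion; it is
not the report's code nor any vendor's. It builds the two views the text
describes, what an API should do (imported OpenAPI definition) and what it
is doing (observed calls), and surfaces the gap between them. The OpenAPI
fragment and the access-log lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed OpenAPI 3.x fragment, already parsed into a dict as an
# importer would produce from a JSON or YAML file.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/v1/users/{userId}": {"get": {}, "delete": {}},
        "/v1/users/{userId}/orders": {"get": {}, "post": {}},
        "/v1/health": {"get": {}},
    },
}

# Constructed access-log lines: "<method> <target> <status>".
ACCESS_LOG = """\
GET /v1/users/42 200
GET /v1/users/42/orders 200
POST /v1/users/42/orders 201
GET /v1/users/42/orders?page=2 200
PUT /v1/users/42 200
GET /v1/admin/export 200
GET /v1/admin/export 200
GET /internal/debug/config 200
"""

_PATH_PARAM = re.compile(r"\{[^/}]+\}")  # OpenAPI path parameter, e.g. {userId}


@dataclass
class Reconciliation:
    documented_seen: Counter = field(default_factory=Counter)  # (METHOD, template) -> hits
    documented_unseen: set = field(default_factory=set)        # defined, never called
    shadow: Counter = field(default_factory=Counter)           # (METHOD, path) -> hits
    shadow_kind: dict = field(default_factory=dict)            # "undocumented-method" | "unknown-path"


def template_to_regex(template):
    """Turn '/v1/users/{userId}' into a regex that matches one concrete path."""
    literals = _PATH_PARAM.split(template)  # text between the parameters
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literals) + "$")


def compile_definition(spec):
    """Return {(METHOD, template): regex} for every operation in the spec."""
    ops = {}
    for template, methods in spec.get("paths", {}).items():
        regex = template_to_regex(template)
        for method in methods:
            ops[(method.upper(), template)] = regex
    return ops


def parse_log(text):
    """Yield (METHOD, path, status) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        method, target, status = line.split()
        path = target.split("?", 1)[0]  # the query string is not part of the route
        yield method.upper(), path, int(status)


def reconcile(spec, log_text):
    """Classify every observed call against the imported definition."""
    ops = compile_definition(spec)
    result = Reconciliation()
    for method, path, _status in parse_log(log_text):
        on_known_route = [op for op, rx in ops.items() if rx.match(path)]
        exact = [op for op in on_known_route if op[0] == method]
        if exact:
            result.documented_seen[exact[0]] += 1
            continue
        key = (method, path)
        result.shadow[key] += 1
        # A known route with an unlisted method is a different finding from a
        # route the definition does not know about at all.
        result.shadow_kind[key] = "undocumented-method" if on_known_route else "unknown-path"
    result.documented_unseen = set(ops) - set(result.documented_seen)
    return result


def definition_coverage(result):
    """Fraction of documented operations actually exercised by traffic."""
    total = len(result.documented_seen) + len(result.documented_unseen)
    return len(result.documented_seen) / total if total else 0.0
```

Running `reconcile(OPENAPI_SPEC, ACCESS_LOG)` on the constructed data flags `PUT /v1/users/42` as an undocumented method and the `/v1/admin/export` and `/internal/debug/config` routes as unknown paths, while `DELETE /v1/users/{userId}` and `GET /v1/health` are documented but never called.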
Table 2. Key Features Comparison (rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable)
Emerging Features
- Advanced threat intelligence: This involves security operations center (SOC) or AI/ML evaluation of existing threats across the internet and their potential impact on customer organizations, networks, and applications. The ability to rapidly correlate between outside events and potential threats is a value-add that greatly enhances an IT team’s ability to respond to the changing threat landscape. This correlation capability is rapidly moving to the mainstream in this space and will likely move to the key feature section in a future iteration. But for now, the existence and quality of integrated advanced threat intelligence is still too varied to be considered core functionality.
- AI for real-time detection and response: One of the great benefits of the current state of AI is pattern recognition, and that can benefit AAS greatly. The ability to watch for anomalous behavior as an exception, rather than for a series of events or a signature as a trigger, opens protection to a much broader set of challenges. AI used to learn the range of normal, and then to alert or even block when an API call or an application function falls outside normal bounds, will create some false positives, but it also offers another layer of protection that would take too long for humans alone to craft and maintain.
Table 3. Emerging Features Comparison (rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable)
Business Criteria
- Flexibility: For deployment flexibility, the AAS should work according to the needs of the organization. It must be deployable to a platform that the organization supports, and it should protect applications and APIs on every platform the organization supports. The product should also be easy to use—the best product is of limited value if access to it is difficult or obfuscated.
- Scalability: Over time, organizations continue to grow and develop applications. What scaling methodology does the AAS use to keep up? The combination of “more applications,” “more features in use,” and “more users” can become a toxic mix. How does the system scale?
- Ease of use: From installation and configuration to daily use, this criterion considers how much work it is going to take IT or security staff to operate the product day after day. While a product could be difficult to get going, if it practically runs itself after that, then it is worth it.
- Cost: Installing and maintaining an AAS is worthwhile if it successfully protects your applications and reduces the labor costs of doing the same job. But before implementing a solution, compare the products in light of your organization’s situation and budget. The time for a company to look at costs, both direct and implied, is before implementing a solution because that offers the chance to limit costs through comparison shopping.
- Compliance: A tool that advertises umbrella protection for applications and their APIs must be part of the organization’s compliance program. AAS solutions see all APIs and web apps placed under their protection and, as security solutions, are well suited to the type of reporting that compliance requires.
Table 4. Business Criteria Comparison (rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable)
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for AAS
As you can see in the Radar chart in Figure 1, vendors in this space offer solutions across the ranges of Platform Plays versus best of breed Feature Plays and Innovation versus Maturity.
For this report, our criteria for Platform designation are:
- Single install
- Single license
- Single initial configuration
- Singular pricing
The further a product gets from this list, the further to the left it falls on our chart. Likewise, the more point solutions that a solution is composed of, the further to the left it will appear on our chart.
Innovation versus Maturity is much the same. If a product is based upon a highly agile release cycle, with new versions rolled out quickly and force-applied to customers, it will fall into the Innovation hemisphere of the chart. A product that has scheduled release dates on a longer (quarterly or greater) schedule and does not force users onto the new code will more likely be placed on the Maturity side. While the number of new features and the roadmap are a consideration, so is the number of changes to the system in general.
New to the report this year is Indusface Apptrana, a SaaS-based solution that debuts as a Platform Play Challenger in the Innovation hemisphere.
For the other vendors in this report, there is a fair amount of motion through the chart from last year’s positions, and we recommend viewing each capsule for details. For example, our Platform description above is much more specific and quantifiable than it was last year, and it shows in vendor positioning. Similarly, the specific vendors that are currently innovating and taking some time to consolidate and clean up their solutions change from report to report, so they will move around the chart. We also changed our rating scale for decision criteria from 0-3 to 0-5. This introduces a bit of change, mostly by spreading out the vendors, as we have more rating options. Fives are far rarer than threes were, for example, because there are more ratings to choose from.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; there are aspects of every solution that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Akamai, App & API Protector
Solution Overview
App & API Protector consists of many technologies that Akamai has merged into a single solution. These include a WAF, bot mitigation, API security, and DDoS protection. As a content delivery network (CDN), Akamai inspects traffic even before it gets to a customer’s network, let alone to an application. No matter where the application resides, this involves terminating the secure sockets layer (SSL) connection, inspecting the requests, and then (typically) re-encrypting with an SSL connection to the application. Note that Akamai has a completely separate solution for local API protection called API Security, should that be an organization’s primary use case. Unlike App & API Protector, API Security does not require customers to otherwise be using Akamai’s tools.
Strengths
Akamai’s inline access to significant volumes of metadata is on par with every other proxy or reverse proxy solution out there. The compelling difference is that with Akamai, if it is tracked metadata, it is available to the rules engine—whether it’s rules the user implements, Akamai implements, or its AI engine is using. This indicates Akamai’s other great strength. Early on, the organization saw the potential of AI for advanced threat intelligence and invested in folding this functionality into the product. Now, unlike most competitors, Akamai customers are getting the benefit of this system every day, and it’s one that’s been refined over a longer timeline.
Challenges
The largest challenge that Akamai faces is the number of different products required to gain full AAS functionality. Features that most vendors have bundled into the core offering or platform are separate products for Akamai, including data leak prevention, account takeover protection, and bot management. This increases both cost and complexity, and we do hope eventually they are merged together into a full solution. These key features, though suitable to task—and even better than most in one case—were rated as average in our evaluation because of this separate licensing and implementation.
Like most vendors in the space, Akamai is working on AI for real-time protection and response but does not yet have a thorough and comprehensive product in this area.
As an emerging feature, it’s one that users will probably be fine doing without while it’s being developed, but for the few who insist on a complete product, there are vendors that are further along. Note that Akamai has some of the best overall use of AI in this analysis, but we have begun asking more specific questions than, “How much AI is in your product?” because the answers are no longer informative enough.
Purchase Considerations
The largest factor that customers need to understand is licensing. Akamai does not make licensing public, but the market makes it very clear that it is expensive for smaller organizations. Likewise, pay-as-you-grow pricing is useful but can be a problem if growth precedes revenue, so prospective customers should consider whether predictable billing or usage-based pricing is more useful for their scenario.
For Akamai customers, adding application and API protection is a clear go-to option over implementing other solutions. Like other SaaS offerings, it is relatively easy to get into place, and the base real-time protections can be up and running quickly. Customers that need to protect APIs that are not publicly accessible will want to also purchase Akamai’s API Security product, but given both of these, a relatively complete solution is available.
Radar Chart Overview
This iteration saw Akamai move from Feature to Platform Play. We have become more exacting in how we evaluate a solution for Platform designation, and while the product has not changed, we have decided that its “license these parts separately” policy is not enough to keep it on the Feature Play side of the Radar because once licensed, they are fully integrated and use the same UI. Aside from the move to the Platform side, Akamai’s features brought it closer to the center of the graph as a Fast Mover because the product is improving at a steady rate in the market, and it shows.
Barracuda, Application Protection
Solution Overview
Barracuda Application Protection is a web AAS solution that uses a mix of traditional and ML-powered protections. Primary deployment modes are as a SaaS solution or containerized WAFs, followed by hardware and virtual and cloud appliances. In general, there is a form factor available for any chosen deployment model: on-premises, private cloud, public cloud, or hybrid.
Strengths
Barracuda’s Account Takeover Protection is two tiered and market leading. From blocking known compromised credentials to slowing the rate of requests accepted by repeat offenders and more, we found it to be thorough enough to earn our highest rating. Barracuda is the only vendor to earn that rating in this analysis.
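An added example (not the report's code, nor Barracuda's or any other vendor's) of the detection side of account takeover protection: it scans constructed authentication log lines for a source cycling through many accounts with a high failure rate, for accounts being tried from many sources, and computes a progressive delay for repeat offenders. Window sizes and thresholds are assumptions chosen for the sample data.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for the report's account takeover protection key feature; it
is not the report's code nor any vendor's. Credential stuffing replays
leaked username/password pairs, so on the server it appears as one source
cycling through many accounts with a high failure rate, and as one account
tried from many sources. The log lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed auth log: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
AUTH_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:01 203.0.113.7 bob FAIL
2024-05-01T10:00:01 203.0.113.7 carol FAIL
2024-05-01T10:00:02 203.0.113.7 dave FAIL
2024-05-01T10:00:02 203.0.113.7 erin OK
2024-05-01T10:00:03 203.0.113.7 frank FAIL
2024-05-01T10:00:03 203.0.113.7 grace FAIL
2024-05-01T10:00:04 203.0.113.7 heidi FAIL
2024-05-01T10:00:10 198.51.100.9 alice FAIL
2024-05-01T10:00:11 198.51.100.9 alice FAIL
2024-05-01T10:00:12 198.51.100.9 alice OK
2024-05-01T10:05:00 192.0.2.44 alice FAIL
2024-05-01T10:05:30 192.0.2.44 alice OK
"""


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    ok: bool


def parse_auth_log(text):
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), source, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(seconds=60), min_accounts=5, min_fail_ratio=0.6):
    """Per source, find the sliding window with the most distinct accounts that
    also has a high failure rate. Returns {source: summary}; 'succeeded' lists
    accounts that logged in during the burst, i.e. the likely compromised ones."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev.source].append(ev)
    findings = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            accounts = {e.user for e in span}
            failures = sum(not e.ok for e in span)
            if len(accounts) < min_accounts or failures / len(span) < min_fail_ratio:
                continue
            if source not in findings or len(accounts) > findings[source]["accounts"]:
                findings[source] = {
                    "accounts": len(accounts),
                    "attempts": len(span),
                    "failures": failures,
                    "succeeded": sorted(e.user for e in span if e.ok),
                }
    return findings


def accounts_under_spray(events, min_sources=3):
    """Accounts attempted from at least min_sources distinct sources: the
    dispersed form of the same attack, where no single source looks noisy."""
    sources = defaultdict(set)
    for ev in events:
        sources[ev.user].add(ev.source)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


def throttle_seconds(prior_failures, base=1.0, cap=60.0):
    """Progressive delay for a repeat offender: doubles per failure, capped."""
    return min(cap, base * 2 ** prior_failures)
```

On the sample data only 203.0.113.7 is flagged (eight accounts in four seconds, seven failures, with `erin` the account that succeeded during the burst), while the two sources retrying `alice` a few times are not, although `alice` does show up as tried from three distinct sources.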
Similarly, Barracuda’s metadata usage and accessibility is top-notch, with all of the various functions having access to a wide pool of metadata from wire to application, and those tools also allowing users to implement rules based upon that metadata. This made Barracuda one of only a couple of vendors to earn our highest score in this category.
Challenges
Barracuda’s support for compliance with various regulations is not as advanced as that of the highest scoring vendors. While support for PCI DSS is built in, other regulations would have to be handled elsewhere via API integration. This garnered a below-average score for compliance, but this may not matter to customers with compliance solutions already in place.
While Barracuda’s scaling capabilities are better than many, we wish that this entire market was able to scale SaaS deployment as appliances are scaled. The idea that one model is based upon instances and another on throughput is not optimal, but it is standard in the industry. As such, Barracuda scored only average on the scalability decision criterion.
Purchase Considerations
Barracuda scored relatively well across the board as a good overall solution. It has some definite high points, making it worthy of consideration. Barracuda has a solution for whatever architecture you have. When considering which solution to choose, if the organization is complex, Barracuda should be on the list.
Radar Chart Overview
There are two changes from last year. First, in keeping with our new, tighter validation of platforms, we have moved Barracuda from a Platform Play to a Feature Play offering. While much functionality is available as a platform in the SaaS implementation, across the board some functionality is purchased, implemented, and managed separately. This is changing over time, but at this point in the product’s development, we rate it as feature-based. The other change is that the product’s features and functionality are substantially improved from last year. This moved Barracuda Application Protection from Challenger to Leader in our analysis.
Check Point, CloudGuard Web Application Firewall/open-appsec
Solution Overview
Check Point CloudGuard Web Application Firewall (WAF)/open-appsec is one of a large selection of application security tools available from Check Point. CloudGuard WAF/open-appsec is focused on AAS, and is available as a SaaS with local enforcement points.
Check Point uses an AI-supported solution to detect attacks and allows users to create exceptions for those strange corner cases all complex systems have. Modern solutions—like next-generation firewalls (NGFWs) and AI-powered security—have often left behind the toolset that security is generally familiar with. At least in the case of Snort, Check Point has kept those tools, so security can migrate over without having to relearn the job. At the same time, Check Point has moved fully into the world of modern security monitoring, so users have access to toolsets for both today and tomorrow.
Strengths
The biggest strength of the CloudGuard WAF/open-appsec solution is API protection. While all vendors in this analysis can either import or detect APIs, and most vendors can do both, CloudGuard is able to do both and generate sample protection rules based upon the definition and information gleaned from traffic. This earned them our highest score on the API import and discovery key feature.
We were also impressed by CloudGuard WAF/open-appsec bot management capabilities. This part of the solution goes above and beyond, offering all of the options an organization might need to monitor and control bot traffic. From auto-detection to source IP tracking, and from behavioral analysis to centralized management, if bot protection is important to an organization, Check Point’s solution will be a good fit. This earned the highest rating in our bot protection key feature.
Challenges
CloudGuard WAF/open-appsec scored lower than average on our AI-enhanced vulnerability detection key feature, but users may be okay with this solution, depending upon needs. The AI engine stops short of generating WAF rules and offers suggestions for protection instead. We were looking for outright generation of rules, but it appears that CloudGuard is comfortable with (a) runtime zero-day style protections and (b) other rule creation mechanisms. If having a set of rules to look at and modify is not a requirement, an organization will still be well served by the platform.
It can be difficult to estimate or plan for CloudGuard WAF/open-appsec costs because there are an array of pricing models that vary based upon license chosen, platform, features, and so on. This complexity puts it near the bottom of our cost factors evaluation.
Purchase Considerations
Evaluators need to be careful to understand the licensing model that best suits their environment and the chosen model’s implications for long-term costs. Note that ease of use is pretty solid at this point in the product’s history, offsetting the license complexity in terms of overall cost.
Check Point has taken steps to improve ease of use on top of being well integrated across the organization, so it should be a primary consideration for organizations that will be using fewer technical staff to implement this solution. The ability to say, “Here is a web app, start learning,” or “Here is an API, start learning,” and then install an enforcement point and go is appealing for time-strapped or tech-light teams.
Radar Chart Overview
Check Point is one of several vendors that flipped from Feature Play to Platform Play under our new definition of what makes a platform. The product has a single logon for all functionality and is even integrated beyond CloudGuard WAF/open-appsec if customers wish to do more in the platform. It is one login, one set of functions, unified UIs, and one integration point, so even though agents (enforcement points) are separate installs, they are part of the platform, configured from the central UI. Otherwise, Check Point has held its own in a space that is changing rapidly in terms of both market characteristics and technology.
Cloudflare, Application Security Portfolio
Solution Overview
Cloudflare’s application protection products consist of a WAF and separate subsystems for additional functionality from API protection to DDoS. The solutions are implemented on Cloudflare’s edge network, and because routing is the way protection is added, it is one of the faster solutions to get up and running. Like a few other vendors in this analysis, Cloudflare is a CDN-backed platform with AAS representing just a piece of what the overall solution offers.
Strengths
Cloudflare does an excellent job of data leak protection and earned a high score in this key feature. The ability to watch for and protect data in a wide variety of languages across a wide variety of transports is limited only by the fact that it is licensed as an addition to the platform.
Cloudflare earns the highest possible score on the cost factors business criterion. The pricing model is a simplified tiered licensing system with add-ons that is far easier to understand and afford than much of the competition.
Challenges
Cloudflare fares less well on the Integrations key feature. Security software does not run in a vacuum, but Cloudflare’s integrations are more limited than most competitors. Cloudflare is integrated to enterprise systems—identity providers and SIEM solutions are found on its lists of integrations, for example. We would like to see more notifications and security integrations across the board, though.
Further, in relation to the AI-enhanced vulnerability detection key feature, Cloudflare uses AI to protect but not to detect possible attack points proactively. There is no AI enhancement to API protection at the time of this analysis, though we expect market forces will cause that to change quickly. Compared to other vendors in the space, Cloudflare earned a lower-than-average score on this decision criterion, but users focused on overall protection and not forward-looking mechanisms will likely not have a concern on this point.
Purchase Considerations
Organizations that need a CDN and want to get cost-effective protection with it should include Cloudflare and a very few others in this analysis on their short list. We would warn customers that many functions of the CDN (like API gateway) are licensed as add-ons, and a list of all functionality is required to form an accurate pricing picture.
Cloudflare’s AAS products are easy to understand and purchase, easy to install, and clearly priced. Organizations looking for help getting started, or those that have a use for the other wide selection of functionality available in this platform, should consider Cloudflare.
Radar Chart Overview
Cloudflare is one of several vendors that moved across the Platform Play/Feature Play divide in this year’s iteration of this Radar report. The organization has traditionally indicated that it offers both a platform and a set of independent features, so we have historically rated it as more feature oriented. This year’s analysis is driven more by the way it is used than how it is sold, and the product has a single UI with features turned on and off, so it is indeed a platform. The rate of new features has slowed a bit, as Cloudflare comes off a year that saw much new functionality introduced and is now heading into a more stabilized period of planned releases. This moved it from Innovation to Maturity and changed it from Outperformer to Fast Mover. The new features over the last 12 to 18 months have stayed a bit ahead of competitors’ releases, moving it closer to the center of the Radar chart.
F5, Distributed Cloud Web Application and API Protection (WAAP)
Solution Overview
F5 offers Distributed Cloud WAAP as its AAS solution. This cloud-based platform integrates a variety of tools to offer protection across the infrastructure. As just one piece of F5’s comprehensive application delivery and security offerings, it is available in all of the deployment models we asked about and in any granularity that an enterprise might need.
Strengths
F5 scored very well on both our flexibility and scalability decision criteria. This solution had struggled over the last few years with integrations and platforming. While F5 had many great technologies, they were all contained in silos and, in some cases, were less well integrated than other tools. For the last couple of years, F5 has been taking forceful steps to resolve these issues and build a highly flexible, highly scalable platform. That work has paid off, and this year’s ratings in these two categories reflect that investment.
We also want to recognize the best possible score received on our metadata evaluation key feature. F5 has always collected far more data than nearly any vendor not dedicated to observability. That data is all available for rules and protections in a variety of ways, and organizations looking for granular and complete metadata to use in determining rules results should have F5 on their short list.
Challenges
F5 scored below average on our compliance business criterion. The tools themselves are compliant, and reporting is available to assist compliance efforts, but there is no specific compliance support built in at this time, and no integrations with compliance tools. For organizations that have their compliance needs covered elsewhere, this will not likely be an issue, though reports in the F5 offering will have to be manually gathered.
F5 also scored below average in account takeover protection. This functionality is part of the Bot Defense product and not a specific feature. Evaluators should consider whether this solution fits with their organization’s needs before short-listing the product.
Purchase Considerations
F5 is an enterprise solution for enterprise customers, meaning F5 is well tied into the enterprise infrastructure and software ecosystem. The platform or its features are integrated with most of the tools an enterprise requires, and common enterprise pain points have been identified and addressed. The rest of this story is that WAAP is not targeted at SMB customers. While parts of the F5 solution are highly adaptable to an SMB environment, F5 Distributed Cloud as a whole is not sold for SMB. Evaluators at smaller organizations should consider whether this solution is best suited for their environment.
Customers that require advanced protection across a variety of deployment targets, standards, and infrastructures should have F5 on their short list. From this single integrated platform, tools can be managed and applications protected wherever an organization has them deployed. Customers with a large enterprise architecture presence and standard operations tooling will also find F5’s broad support appealing.
Radar Chart Overview
F5 sits in the Innovation/Platform Play quadrant of our Radar chart. This is a change from the last iteration of this report—the creation of its global platform and the integration of offerings for a variety of deployment models have the product line moving more quickly than in past iterations of this report. This time around, F5 has focused on improving its now thoroughly integrated platform and adding support, and we look forward to the next iteration. The integration and UI delay issues caused the F5 solution to lag the market a tiny bit over the last 12 months, but we expect the current rate of improvement will change that.
Fastly, Web Application and API Protection
Solution Overview
Fastly security products include NGFW, API security, bot protection, and DDoS mitigation. The Fastly offering is hybrid, with a central SaaS and local agents that perform real-time actions and communicate with the Fastly cloud infrastructure. For this analysis, we included all of the products listed above—both bundled and separately licensed—which impacted some of our analysis by making us consider a more complex solution in terms of integrations and licensing.
Strengths
At its heart, Fastly is a global edge cloud platform with roots as a CDN. This gives it broad visibility, which in turn allows excellent bot management. Fastly offers bot protection as an add-on, and the level of support is high. It scored above average in bot management for the ability to detect bots using several different signals while offering the full spectrum of responses.
Fastly also scored above average for the flexibility business criterion. The tools are able to serve in any environment, and support for APIs includes the expected standards but also extends to newer API standards like GraphQL. The ability to fit in any environment, protect an array of APIs out of the box, and cover both bots and DDoS without massive environmental changes earned it an above-average score for flexibility.
Challenges
Fastly has some pieces of data leak prevention in the product but not an entire feature set. Specifically, the account protection functionality has some data leak prevention, but while there is a rule on the developers’ site that can be deployed to watch for sensitive data, it is not a comprehensive solution and was developed for a specific use case. Given this absence, the tool earned a below-average score on the DLP key feature.
Fastly also scored below average on our ease of use business criterion. Specifically, it is a highly technical solution that the vendor has taken steps to make easier to use, but there is still room for improvement. The solution also assumes that day-to-day operations will be handled in its UI. Given the nature of the entire product offering—from CDN to security—this is probably a straightforward assumption for their existing customer base.
Purchase Considerations
Much like other CDN vendors, Fastly is offering a broad solution to a collection of application delivery and application security problems. It is best considered in this broader context.
Fastly CDN customers should have this solution at the top of their short list.
Another solid use case is more technical shops. Fastly makes granular control available to skilled users, and this might be appealing to some IT departments that would appreciate that level of control.
Radar Chart Overview
Fastly sits in the Maturity/Feature Play quadrant of the Radar chart. This reflects its ability to solve specific problems, separate installation and configuration requirements for a Feature Play versus a Platform, and its slowing of new features as the company works through a last burst of innovative changes. It’s an Outperformer due to its rate of development compared to the market—Fastly is pure agile with consolidated weekly updates. Scoring makes it a Challenger, and it has moved a bit back from the center of the chart. This shows how rapidly this space is improving—Fastly has been making improvements, but products from other vendors have moved just a bit faster. This also reflects a slightly lower score in the newer AI categories we have begun to monitor.
Fortinet, FortiWeb
Solution Overview
FortiWeb is Fortinet’s current generation of AAS. The product presents as a platform but consists of multiple underlying solutions. Fortinet took the time to correctly integrate these products and develop a unified UI and licensing model. The tools can be deployed to just about any target an enterprise might require. As with other vendors in the space that support a variety of deployment models, the local and SaaS versions have different interfaces but perform the same function.
Strengths
While there are areas in which FortiWeb scored better, we want to draw attention to its score on our compliance business criterion. Few vendors in this space have the compliance reporting capabilities that FortiWeb has, and for real-time issues, FortiWeb has the ability to block traffic based on compliance issues. While there is not a direct link to compliance management tools, once linked via API, FortiWeb is a powerful addition to those tools’ functionality. This earned an above-average score on compliance.
FortiWeb also excels at data leak prevention. There are many good products for DLP on the market, but FortiWeb has it interwoven at several layers of the application stack. Core FortiWeb implements DLP through the WAF, but there is some DLP in multiple locations, from email to network firewalls. The breadth and depth of this offering garnered a top score in DLP for the FortiWeb product.
Challenges
The FortiWeb product includes more than just security. This means that the approach to daily operator interaction assumes that operators will log into the system directly. While this assumption may be valid for a subset of the customer base, operations (or DevOps) staff logging into special-purpose security tools is not a normal daily process. We would like to see the ability to control the tool from non-Fortinet interfaces. Adding to this issue is the fact that FortiWeb can be installed and configured on pretty much any platform, which guarantees more configuration and management complexity. SaaS counters this complexity issue somewhat, and Fortinet believes that integrations/APIs alleviate it further, but this issue contributed to FortiWeb’s below average score on our ease of use criterion.
Purchase Considerations
FortiWeb has excellent licensing. In a market largely marred by complex licensing that can be confusing and even unpredictable, Fortinet has taken the steps to simplify its license. If knowing what it will cost while maintaining flexibility to move applications between platforms is important, FortiWeb is worth looking into. Local installations will require more skilled staff. This is not a limitation of FortiWeb/FortiManager, but the reality of pure SaaS versus a box or container to install and configure. Nonetheless, it is worth remembering when determining usage and implementation architecture.
Current customers using any of Fortinet’s many other products should include FortiWeb on any short list. Complex environments that require a mix of local, SaaS, and/or public cloud should also include FortiWeb for evaluation.
Radar Chart Overview
Fortinet is a Leader positioned in the Maturity/Platform Play quadrant of the Radar chart. This is an improvement from last year that reflects both its competence in the new areas we cover and its improvement in the categories we looked at last year. Its continuing unification and ability to deliver without creating instability made an outsized difference in its leadership rating in the last year. While not leading the market in enhancements, last year it added API detection and is now enhancing that functionality while implementing more AI/ML functionality; it’s rated as an Outperformer due to its release cadence.
Imperva, Web Application and API Protection
Solution Overview
Imperva Web Application and API Protection (WAAP) is a collection of products and services that, according to its website, can be purchased as a stack. The main page of the site advertises it as a platform; the solution is well integrated but, like some others, not yet a fully-fledged platform per se. It is available for pretty much any environment that an enterprise might need.
Strengths
Imperva is a leader in API ingestion. With support for both discovery and import of APIs and the ability to support many API formats, Imperva WAAP pushes beyond the competition by including support for tools like programming language RAML, which specializes in format-agnostic API development. This earned the product the top rating on our API import and discovery key feature. The product also scored highly for bot management and security integrations, offering a model other vendors should follow in both areas.
Imperva’s work in advanced threat intelligence also garnered the product a top score in this emerging feature space. Advanced threat intelligence can be a stretch for a vendor because it requires working with outside feeds, massive coordination of data, and an SOC team to review results before rolling out intelligence data to customers. Imperva took these steps and embraced the process to produce some of the best threat intelligence available today. We are reluctant to award top scores and slower to award them for an emerging feature, but Imperva WAAP impressed us enough with this feature to warrant it.
Challenges
The Imperva WAAP solution is solid across the board, and its largest weakness is its pricing structure, which is complex and, in the case of WAAP functionality, often based upon data volume. Costs are complex to begin with and change over time, which is bad for IT. This is made worse by the fact that the solutions are available pretty much anywhere, so implementation has variable costs. This is the trade-off of having a massively adaptable solution set: installers must be massively adaptable also. Normally we would not bring up this part of the equation, but it does make the initial licensing model feel worse. This earned Imperva WAAP a below-average score for the cost factors criterion. Imperva has moved to bundled plans for its data protection product portfolio, and we would like to see it do the same for WAAP.
The other area that is not stellar is DLP. While the product can be made to operate on par with average competitors, it does take add-on products to do so. The best products in the market have DLP as a feature, not an add-on. This garnered Imperva WAAP only an average score for our data leak protection key feature. Organizations willing to acquire and implement separate products will find functionality beyond what is required of an AAS tool but will have to do the extra work to get there.
Purchase Considerations
Imperva has products in a wide range of application delivery and security areas. For organizations that need more than just AAS, understanding the overall product line is worthwhile. Understanding licensing for a given use case will also be essential before inking a contract.
An organization seeking forward-looking API protection as part of a wider AAS solution should have Imperva on their short list. The product supports tools that will play an increasing role in API development, which will make it more adaptable moving forward. Likewise, organizations that need strong data protection alongside an AAS should have Imperva on their short list.
Radar Chart Overview
Imperva was a market leader last year and has retained, and indeed slightly improved, that position in spite of an evolving market. This year, it’s positioned in the Maturity/Feature Play quadrant. This is a big move from last year’s Innovation/Platform Play positioning.
The move from Platform to Feature Play results from our increasing scrutiny of claims to be a platform. It is possible to merge a broad selection of products into a unified platform, and some vendors in this report have completed that journey. However, Imperva has not done so yet, and even the company’s website acknowledges in several places that these are separate products that can be bought together. Movement is definitively toward a platform, but it is not there now.
The move from Innovation to Maturity reflects Imperva’s shift from rapidly iterating to applying updates as needed. Organizations go through cycles, and Imperva’s recent innovative stretch is now being balanced by a bit of clean-up and validation.
Indusface, AppTrana
Solution Overview
Indusface AppTrana is Indusface’s offering in the AAS space. The product is a pure-play platform that comes as a single license with a single sign-on for all functionalities.
Strengths
Indusface is a standout in this technology space because of its pricing model: charging a flat fee for the entire platform until a given throughput is reached. This is nearly our ideal solution for just a flat fee but takes into account the reality that the more the product is used, the more it costs a SaaS provider. This pricing model earned this vendor the highest possible score for the cost factors business criterion.
This pricing model for a SaaS solution also drove its scalability to the highest possible score. For SaaS, scalability in the technical sense should not be a problem and almost never is. Licensing is the area where scalability hits a wall for many SaaS solutions, but AppTrana’s licensing offers flat pricing until the throughput is large.
Challenges
As with many vendors’ products, the AppTrana solution itself is compliant, and there are some reports built into the system that could help customers become compliant or prepare for audits, but there is no specific support for compliance in the product. This earned a below-average score on the compliance criterion.
AppTrana lags significantly behind in the use of AI to enhance vulnerability detection. While most vendors are using AI to correlate and quickly process feeds at least from their own customers, AppTrana’s use of AI is more restricted. While AI is used for DDoS rules to protect against growing threats and to inform AppTrana’s own SOC, there is no built-in AI enhancement for real-time protection. This earned it a score that indicates it has some functionality, but it is not really a feature at this time.
Purchase Considerations
Like some other vendors, Indusface offers more in the security realm than the AAS product. If an organization is looking for dynamic application security testing (DAST) and penetration testing, the overall Indusface product offering should be more compelling.
Organizations that have skimped on security due to staffing and development pace issues should consider this solution set, bundling AppTrana with Indusface WAS, to jump-start that process. Add static application security testing (SAST) and software bills of materials (SBoM) from other sources, and application security will be rather well covered. While this analysis was being finalized, Indusface also released an automated penetration testing tool. While beyond the scope of this Radar, it does broaden the offering even more.
Radar Chart Overview
This is Indusface’s first year on our AAS Radar chart—it’s positioned in the Innovation/Platform Play quadrant. AppTrana is a platform and is intended to remain a pure play solution with one login, one UI, and one configuration with different parts. Indusface is currently improving the AppTrana product and has adopted an agile delivery model for its product.
NetScaler
Solution Overview
NetScaler offers an application delivery and application security portfolio as a platform. The AAS functionality is only part of the overall solution set, licensed as a single platform. The product is available on all expected local and public cloud platforms but does not offer a full SaaS at this time.
Strengths
NetScaler offers top-notch DLP functionality as a part of its overall platform offering. While other vendors offer quality DLP as a separate or add-on product, this functionality is core to the NetScaler offering. The ability to detect vulnerabilities, its built-in rules, and regex for an organization’s special needs, are all just parts of the solution that garnered NetScaler a top score for our data leak protection key feature.
NetScaler also earned the best possible score for the advanced threat intelligence emerging feature. The solution uses all available sources, including IP reputation, external feeds, an SOC team, and even community feeds, to determine current and evolving threats. This is the most comprehensive solution tied into an AAS product that we analyzed.
Challenges
NetScaler has not yet implemented a modern AI engine. This leads to both of the largest challenges for the product in our analysis.
First, NetScaler scored a zero for our AI-enhanced vulnerability detection key feature. This is currently the best way to determine vulnerabilities, by allowing AI to sift through large volumes of data. Given NetScaler’s high score for advanced threat intelligence, this may not be an issue for some users, but there is no AI engine. Second was a zero for the AI for real-time detection and response emerging feature due to NetScaler’s lack of an AI implementation for that.
Purchase Considerations
Lack of a SaaS or managed solution means organizations will need the staff and skills to implement the solution internally or budget for external professional services to implement it and train staff to maintain it.
Organizations that require a purely local solution should have NetScaler on their short list. Organizations with broad application delivery and security needs will find NetScaler to be one of the best solutions to offer both AAS and a variety of other security and application delivery features, all bundled into a single platform for a single price and implementation expense.
Radar Chart Overview
NetScaler is a Leader in the Maturity/Platform Play quadrant of our Radar chart. This is the same as last year’s rating, with only the rate of change shifting from Fast Mover to Forward Mover, reflecting the rate of new feature deployment slowing to digest recent changes in both the product and the company.
Radware
Solution Overview
Radware has amassed a broad selection of deeply integrated tools that are available à la carte to build the protection that an organization needs. In the case of AAS, this analysis considered the Radware products Cloud WAF, Bot Management, Kubernetes WAF, ERT Active Attackers Feed, and Alteon ADC with Integrated WAF.
Strengths
Radware is the only vendor in this analysis to earn a top score on the AI-enhanced vulnerability detection criterion. Radware includes everything that we currently look for in this feature; the AI vulnerability enhancement system uses both IP and application layer information to learn of attacks to protect against and offer suggestions to IT. This subsystem works with data from and provides feeds to the many other products in the solution set.
Radware also earned a top score for the bot management key feature. While the reasons for top scores on this criterion vary, Radware is the only one that offers cryptochallenge. This is the ability to increase the computational complexity of challenges issued during bot attacks, increasing the workload of the attacking platforms. Combined with an otherwise exemplary bot management solution, we find this a compelling feature.
Challenges
Like several other vendors in this analysis, Radware makes certain the product is compliant, so as not to be a negative to compliance efforts, but beyond that, any support for compliance efforts is ancillary to other functionality. As such, the product earned a below-average score for compliance.
Radware’s score on DLP was average. The limited functionality for auto-blocking known forms of critical data would have resulted in a below-average score, but an engine for organizations to create their own rules brought it up to average because DLP can, in principle, be implemented in the product.
Purchase Considerations
Implementation may well take more work than for some other solutions based upon environment complexity, but Radware can solve the problem, whatever needs protection, wherever it needs protection.
Organizations looking to start with one piece of functionality and expand in the future to a single source for AAS and app delivery will find Radware one of a few good choices. Organizations with a complex architecture should have Radware on their list of options as well.
Radar Chart Overview
Radware sits in the Maturity/Feature Play quadrant of the Radar chart. This is a change from last year’s Innovation/Platform Play placement. Given our evolved analysis of what is and is not a platform, Radware moved from Platform to Feature Play based upon the collection of separate tools that are still in the process of being merged into a single unified platform.
After some rapid changes and new features added to the product and extensive integration efforts, we expect Radware to move to a steadier and more predictable rollout and upgrade cycle. This changed its designation from Innovation to Maturity.
Similarly, our expectation of more measured and predictable updates combined with our belief that integration work will continue apace kept the product in the Fast Mover category.
ThreatX
Solution Overview
ThreatX Edge API and Application Protection is a SaaS-based AAS solution that addresses the breadth of the market. ThreatX Runtime API and Application Protection (RAAP) offers additional application and OS-focused protections along with runtime enhancements.
Strengths
ThreatX earned the highest possible score on our metadata evaluation key feature. While several companies offer extensive inline metadata for use in things like rules, ThreatX’s Runtime protections include internal application and platform data (via eBPF) that other vendors simply do not. This put the product over the top for this feature.
Similarly, the eBPF functionality of RAAP put the ThreatX offering over the top for our bot management key feature criterion. The additional information available on the systems targeted is a major boost for the already good bot protection in the edge product. This earned the tool our highest rating for bot management.
Challenges
ThreatX does not offer AI-enhanced vulnerability detection at this time, which caused the product to receive a zero for this feature.
ThreatX also lags behind the competition in integrations. With out-of-the-box integrations restricted mostly to logging tools, and an API available for user-built integrations, the tools earn a below-average score for our integrations key feature. The product can be integrated, but it will take more work than other offerings in this space.
Purchase Considerations
Organizations should be aware that there is no version of the complete offering that leaves users 100% in control, and there is no version that is 100% local. While RAAP can be completely local, Edge API and Application Protection cannot. ThreatX Edge Sensor can be installed in a private cloud environment, however, meaning that only those who require a 100% on-premises solution will be impacted by this issue.
For organizations that want to outsource most of the work for this functionality, ThreatX should be at the top of the list. The tools are managed by ThreatX, and user interactions are minimal compared to most solutions.
Radar Chart Overview
ThreatX is positioned in the Innovation/Platform Play quadrant of the Radar chart. In last year’s chart, ThreatX was identified as a Feature Play. Our increased requirements and scrutiny of what is and is not a platform changed that position even though nothing in the product changed. It is a single login to a single platform for the vast majority of the product offering, making it more platform than feature oriented.
ThreatX moved from Leader to Challenger on the Radar chart. This reflects the fact that the decision criteria we evaluated this year are not features of the ThreatX product. For instance, this is the first year we have considered AI-enhanced vulnerability detection important enough to rate it as a key feature, but ThreatX does not support it at this time. The market has also been changing at a rapid rate, and other vendors have moved forward, while ThreatX has not advanced at the same rate. It’s listed as a Forward Mover as its rate of change is not at pace with the market.
Wallarm, API Security Platform
Solution Overview
Wallarm is an AAS platform that offers SaaS and public cloud-hosted servers. There is also an out-of-band local solution using mirroring.
Strengths
Wallarm has one of the better account takeover protection solutions on the market, with the ability to detect anomalous behavior, use curated databases of known compromised credentials, and view takeover attempts in a report.
Wallarm offers acceptable deployment models, but protection for applications and APIs wherever they reside is still possible. The tool is also more thoroughly integrated into modern IT infrastructure than most competitors. Taken together, these items earned the Wallarm product an above-average score on our flexibility business criterion.
Challenges
The Wallarm offering does not have specific bot functionality at the level of most competitors. It does offer some protections for bots but mostly as a side effect of the excellent account takeover protections. We would like to see bot management as a feature with commensurate UI and tooling. This earned Wallarm a below-average score on our bot management key feature.
Likewise, the Wallarm offering itself is compliant with most regulations, so it does not get in the way, but there is little tooling for compliance built in. While some reports could be crafted with work to meet compliance analysts’ needs, the tool does not offer the support that other vendors do and earned a below-average score for compliance.
Purchase Considerations
As with some competitors, pricing is based upon request count. Evaluators should be aware of this pricing model and what it means for their use case.
Wallarm has taken steps to fit well into the enterprise environment. Larger organizations with a variety of integration needs will find the tool easiest to use and should have it on their short list.
Radar Chart Overview
Wallarm is a Challenger in the Maturity/Platform Play quadrant of the Radar chart. This is the same quadrant as last year, but market changes moved it from Leader to Challenger. The product is a Fast Mover, reflecting its steady rate of change relative to the market. This is a change from last year’s Outperformer rating, when new functionality was coming out in a rushed cadence.
6. Analyst’s Outlook
This market space has continued to expand, with solutions offering more and more varied protections. We expect this trend to continue, and we believe that this market will absorb API security completely in the near future, simply because customers need both WAF and API security, and these solutions solve both needs with one toolset.
The vendors in this space are varied, with backgrounds ranging from CDN to application delivery to pure play AAS and even development security. That means whatever an organization’s approach to AAS and needs outside of the AAS space, it is likely one of these tools can meet and exceed expectations. There are a variety of Leaders in the space, and the Challengers meet expectations well also; for specific use cases, they may very well outperform a solution scored as a Leader.
Organizations that are just getting started on this journey should begin by evaluating what is in use already. Many customers have these vendors in production for specific functionality and could talk with that vendor to expand use cases. If not, customers should consider what their organization’s core needs are and use that as a guide for evaluations. These products vary in terms of their strengths and weaknesses, and inputs like this analysis and crowdsourced evaluations can help craft your own short list to look at.
One interesting thing that we are seeing, as this market overtakes standalone API security, is an increase in vendors that offer some form of SAST or DAST as part of the solution set. This portends a continuing consolidation of application security, at least for some vendors. We expect at least the SAST/DAST trend to continue because it offers AAS tools more information to protect applications. It would be worth asking vendors if their tool currently has or plans such support in the next 12 to 18 months.
To learn about related topics in this space, check out the following GigaOm Radar reports:
- GigaOm Radar for API Security
- GigaOm Radar for Development Security
- GigaOm Radar for DDoS Protection
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2024. "GigaOm Radar for Application and API Security (AAS)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.