
Tests have shown that not all WAFs are equally useful

RUTEST, a leader in IT/IS solutions and infrastructure testing, explained why not all WAFs are equally useful.

Drivers have a saying: "If you don't know what car to buy, buy a Volkswagen." Information security specialists have a similar saying: "If you don't know how to secure a cloud system, install a WAF (Web Application Firewall)." A WAF is designed to effectively block malicious attacks at the entrance to cloud applications and proactively identify potential threats through signature and behavioral analysis of incoming traffic.

In real life, things are not so simple

However, as practice shows, not all WAFs are the same. Some are good at blocking malicious traffic but poor at passing useful traffic, generating many false positives. Others, on the contrary, are good at passing legitimate traffic but often let malware through. Of course, there are WAFs that block malware and allow legitimate application requests through. But how can you spot them if the vendor's marketing documents sound perfect?

For the third year in a row, Check Point Software Technologies has been benchmarking WAF effectiveness, testing industry-leading WAF solutions under real-world conditions. The goal of the tests is to determine how well these WAFs ensure the proper operation of applications.

In 2024-25, tests revealed the architectural limitations of traditional WAFs. As malware becomes increasingly sophisticated, the limitations of legacy analysis methods based on signatures and attack prevention mechanisms become increasingly apparent.

In December 2025, Check Point's tests focused on "padding evasion" attacks, a hacking technique used to allow a malicious byte pattern to penetrate a system despite all WAF protections. To avoid detection by signature analysis, the attacker, while preserving the semantics of the malicious content, mixes it with various byte "garbage," adding strings, comments, spaces, and other elements to make it appear harmless and successfully bypass WAF protection.

What to look for when choosing a WAF

When choosing a WAF, two parameters matter most:

  • Security quality (true positive rate) is the WAF's ability to correctly identify and block malicious requests. It should effectively counter known attack methods used by hackers.
  • Detection quality (false positive rate) is the WAF's ability to correctly respond to legitimate requests without triggering false positives, which can lead to business disruption and increased workload for IT staff, as a WAF requires a lot of configuration to function properly.

What data was used?

A wide range of data was used to test the WAF:

  • 1,040,242 legitimate HTTP requests from 692 real websites in 14 categories
  • 74,284 malicious combinations of the most common attack vectors

What was tested?

In December 2025, the following popular WAF solutions were tested:

  • Microsoft Azure WAF – OWASP CRS 3.2 Rule Set
  • AWS WAF – AWS Managed Ruleset
  • AWS WAF – AWS Managed Ruleset and F5 Ruleset
  • CloudFlare WAF – Managed and OWASP Base Ruleset
  • F5 NGINX App Protect WAF – Default Profile
  • F5 NGINX App Protect WAF – Strict Profile
  • NGINX ModSecurity – OWASP CRS 4.20.0 (updated from previously tested version 4.3.0)
  • open-appsec / CloudGuard WAF – default configuration (high assurance)
  • open-appsec / CloudGuard WAF – Critical Confidence Configuration
  • F5 BIG-IP Advanced WAF – Rapid Deployment Policy
  • Fortinet FortiAppSec – Default Configuration
  • Google Cloud Armor – ModSecurity Preconfigured Rules (Privacy Level 2)
  • Imperva Cloud WAF (2024-2025) – Default Configuration

Some WAFs were tested in two configuration modes, which allows them to be considered independent products.

What's the bottom line?

Testing has shown that the detection and security parameters usually trade off against each other, and only a few WAFs can boast a near-perfect balance of both.

An optimal WAF solution must strike a balance between two key metrics: security quality and detection quality. To capture this in a single number, the tests use a metric called Balanced Accuracy: the arithmetic mean of the security quality and detection quality metrics.
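The following is an added worked example (not code from the original article or from Check Point's benchmark) that computes the two metrics described above and their arithmetic mean for three constructed, hypothetical WAF profiles. Security quality is taken as the share of malicious requests blocked (true positive rate); detection quality, following the definition above, is taken as the share of legitimate requests correctly passed, i.e. one minus the false positive rate. The request counts are constructed for illustration and are not the benchmark's figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WafTestResult:
    """Raw outcome of running a WAF profile over a labelled request corpus (constructed)."""
    name: str
    malicious_total: int      # malicious requests sent
    malicious_blocked: int    # of those, how many the WAF blocked
    legitimate_total: int     # legitimate requests sent
    legitimate_blocked: int   # of those, how many the WAF wrongly blocked


def _ratio(part: int, whole: int) -> float:
    if whole <= 0:
        raise ValueError("corpus must contain at least one request")
    if not 0 <= part <= whole:
        raise ValueError("blocked count must lie between 0 and the corpus size")
    return part / whole


def security_quality(r: WafTestResult) -> float:
    """True positive rate: fraction of malicious requests that were blocked."""
    return _ratio(r.malicious_blocked, r.malicious_total)


def false_positive_rate(r: WafTestResult) -> float:
    """Fraction of legitimate requests that were wrongly blocked."""
    return _ratio(r.legitimate_blocked, r.legitimate_total)


def detection_quality(r: WafTestResult) -> float:
    """Fraction of legitimate requests correctly passed (1 - FPR), per the article's definition."""
    return 1.0 - false_positive_rate(r)


def balanced_accuracy(r: WafTestResult) -> float:
    """Arithmetic mean of security quality and detection quality."""
    return (security_quality(r) + detection_quality(r)) / 2.0


def rank_by_balanced_accuracy(results: list[WafTestResult]) -> list[tuple[str, float]]:
    """Return (name, balanced accuracy) pairs, best first."""
    scored = [(r.name, balanced_accuracy(r)) for r in results]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample results for three hypothetical profiles (not benchmark data).
STRICT = WafTestResult("strict-profile", 10_000, 9_900, 100_000, 12_000)
PERMISSIVE = WafTestResult("permissive-profile", 10_000, 7_000, 100_000, 500)
BALANCED = WafTestResult("balanced-profile", 10_000, 9_700, 100_000, 1_000)
SAMPLE_RESULTS = [STRICT, PERMISSIVE, BALANCED]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        print(f"{r.name:20s} security={security_quality(r):.3f} "
              f"detection={detection_quality(r):.3f} "
              f"balanced_accuracy={balanced_accuracy(r):.4f}")
    print("ranking:", [name for name, _ in rank_by_balanced_accuracy(SAMPLE_RESULTS)])
```

The strict profile wins on security quality alone and the permissive profile wins on detection quality alone, yet the balanced profile ranks first on Balanced Accuracy, which is the point the article makes: a single-axis comparison hides the trade-off.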

What has changed in the threat landscape and testing methods in 2026?

  1. A new attack vector has emerged: the so-called Padding Evasion, specifically the React2Shell malware, which was introduced into the tests.
  2. Malicious requests are getting larger. The recently discovered React2Shell vulnerability demonstrated that critical application requests often exceed the default WAF inspection buffers of 8 KB or 128 KB.
  3. Some WAFs, by default, skip inspection of requests above a certain size (e.g. 128 KB) to preserve performance, which effectively leaves large malicious requests unchecked.
  4. To achieve protection without sacrificing performance, specialized architectural approaches are required, such as stream analysis combined with machine learning.

Conclusions

The best way to secure web applications is to use machine learning rather than static signatures. This approach provides the best balance between security and usability and remains the only solution for proactively blocking zero-day attacks.

Experience shows that choosing solutions based on vendor reputation and vendor test results (if any) is often fraught with subsequent disappointments: reduced traffic speeds, the emergence of vulnerabilities, etc. It's no secret that vendors, no matter how respected they may be, are interested in presenting their solutions in the best possible light and therefore often embellish the reality of the situation.
