Imperva WAF review & Altrnatives

Imperva is a leading cybersecurity system provider and it understands the different needs of each type of business. It makes sense for such a major security brand to cover both on-site solutions and a cloud WAF service. The two systems are not exactly the same security services. So, there are two Imperva WAFs to look at.

The Imperva WAF has some big corporations on its client list including Siemens, AARP, and the telecoms and internet provider EE.

What is a web application firewall?

The purpose of a web application firewall (WAF) is to protect web servers and the websites that the host. This is a little different from a traditional firewall. A WAF needs to block malware but it also needs to look at the responses of any user on a website because there are a number of hacker attacks that can be implemented through the input fields on a web page.

A key requirement of a WAF is that it should be able to process traffic before it gets to the webserver. Cloud systems are becoming increasingly popular as vehicles for WAFs. In this configuration, a WAF is known as an edge service. This means that the service is performed outside of the boundary of the protected network.

Where WAFs are implemented on-site, it is better to deploy them on dedicated appliances. This is because the firewall is more effective if it can prevent malicious traffic from touching the resources of the business. Hacker activity can disable a webserver even without infecting files on the system. A malicious program can overload a server, impairing its performance and damaging the delivery of the web pages that it hosts.

A third option is to run the WAF software directly on a server. This has obvious downsides; however, WAF producers are aware of the risks that leaving traffic checks until connections have been made to onsite equipment. The typical configuration of a hosted WAF is that it runs on a virtual machine. This blocks any possible access that malware could get to the server’s operating system, should it manage to slip through all of the firewall controls.

The decision over whether to buy an appliance, install WAF software, or take out a subscription to a cloud WAF service is really up to the personal preferences of the people running the company to be protected. An in-house solution is the most secure option, but it requires competent and experienced cybersecurity experts to be on staff and few companies can afford that category of specialists.

A Cloud WAF is the most economical option and it removes the need for keeping specialists on staff. Some cloud-based WAFs offer a managed service option, which is the best solution for smaller businesses that don’t have the capacity to justify an in-house cybersecurity team.

WAFs are very easy to integrate with other important services that help to make the delivery of a website a success. The businesses that produce WAFs usually also offer website acceleration services, such as a content delivery network. Other security services dovetail with the WAF concept. These include data loss prevention, DDoS protection, and SIEM security monitoring systems.

About Imperva

Imperva was founded by Shlomo Kramer in 2002. Kramer is a great leader in cybersecurity and also created Check Point. The company was originally called WEBcohort and it became Imperva in 2004. The company’s first product was released in 2003. That was SecureSphere, a web application firewall that focused on protecting the databases used in websites. So, Imperva was one of the first businesses to produce a WAF. The SecureSphere brand was in operation until very recently. Although the company has now dropped that name for its on-premises WAF, it still supports versions of the legacy firewall system.

Imperva owns Incapsula, which is another very strong brand in cybersecurity. In 2018/2019 Imperva was bought by Thoma Bravo, a tech private equity conglomerate that also owns Sophos, SolarWinds, Dynatrace, and Barracuda Networks, among other top technology brands.

The Imperva product list is an impressive range of protection tools for internet-connected networks. Apart from its two web application firewall options, Imperva offers DDoS protection, bot management, account takeover protection, and many other device and data security tools.

About Imperva WAF options

The most accessible WAF offered by Imperva is the Imperva Cloud WAF. The Cloud service expects to pick up small business clients, so it has been designed to be very easy to use and can be set up by anyone without technical skills.

The Cloud WAF includes a secure Content Delivery Network (CDN), which distributes copies of a protected website on many servers around the world to make it quicker to deliver to faraway places. The CDN also covers for downtime on the primary server.  Another useful feature is its virtual patching service that schedules patches for all of the software and operating systems of the protected network.

The Cloud WAF also includes bot management, API security, account takeover protection, and backdoor protection. The designers of the cloud-based service also made it easy to interface the WAF system to a number of leading SIEM services to improve network security.

The on-site WAF is called Imperva WAF Gateway. This is aimed at businesses that have expert network managers in place. It protects websites and web-linked APIs just like Cloud WAF. However, this implementation is a lot more complicated than the cloud-based service.

This service deploys machine learning and looks for chains of events that indicate hacker activity on a web page. These factors include a reputation rating for each user, marking certain visitors as likely intruders.

Imperva doesn’t see the Cloud WAF product as the online version of the WAF Gateway. The WAF Gateway can itself be implemented in the cloud by installing it on an AWS server.

Imperva WAF features

Both Imperva WAFs implement both whitelisting and blacklisting of traffic sources to protect web applications. Both also include web page checks as well as traffic controls. This category of cybersecurity protection includes blocks to prevent cross-site scripting and SQL injection and other security threats, such as remote file inclusion.

The Imperva WAF Gateway is a little more sophisticated than the SaaS WAF. This is because it deploys machine learning to model visitor behavior. This AI-based technique speeds up the problem detection capabilities of the WAF by focusing attention on site visitors that seem to display typical hacker behavior. This targeted approach removes the need to impose stringent checks on all users, such as an enforced Captcha access phase.

Both Imperva WAF options include a patch management module. This gathers patches for all of the software and operating systems on the protected system and rolls them out at times when system activity is low. That service removes the dangers of patching being overlooked by busy network managers or deferred due to the pressures of availability.

Of the two Imperva WAF options, the Cloud WAF includes more complimentary services out of the box. These include DDoS protection and a content delivery network. These services are also available to customers of the Imperva WAF Gateway however, they are not automatically included in the base-package of web application firewall and need to be selected and paid for as separate services even though they will coordinate once operating on the appliance or VM.

Imperva WAF data standards compliance

Both the Imperva Cloud WAF and the Imperva WAF Gateway are certified for PCI DSS compliance. The WAF Gateway has stronger compliance capabilities, however, because it is useful for the implementation of other data security standards. That list includes SOX, HIPAA, and FISMA.

Imperva WAF configurations

The Imperva Cloud WAF is a straightforward system to implement. The main choice of the SaaS Imperva WAF is whether to go for a self-managed solution of a managed service. Businesses that don’t have any on-site technicians would be better off relying on the managed service, particularly if they need to prove compliance with a data security standard, such a PCI DSS, which can be difficult to implement without experienced staff. The dashboard for the Imperva Cloud WAF is accessed through any standard browser or a mobile app.

The Imperva WAF Gateway has more configuration options than the Imperva Cloud WAF. The system can be delivered on a network appliance. This takes the processing load off your own servers. However, the WAF is also available for hosting on a virtual machine configuration. Although this requires that the business must ensure sufficient processing capacity, the VM configuration prevents any newly arrived malware from getting down to the server’s operating system.

A third option is to create a private cloud service, similar to the Cloud WAF by installing the Imperva WAF gateway software on an AWS server. This option would require a DNS management phase to switch all traffic channels towards the cloud-hosted WAF and then a backend VPN through to the webserver.

Pros & Cons


  • Combines in-depth audits and compliance tests with breach detection features
  • Offers highly technical compliance auditing features, great for enterprise environments
  • Available both as a cloud product or on-premise solution


  • Many features are not applicable to smaller organizations that don’t have to monitor compliance

The best alternatives to Imperva WAFs

Imperva has attempted to cover all of the markets for web application firewalls with its two versions. Each is tailored towards a different customer profile with the SaaS system serving small business owners with little technical knowledge and a network appliance that will please a network management team.

WAFs are very important elements of system security and the decision over which service to buy shouldn’t be rushed. Web server owners should take a long-term approach and realize that the WAF that they choose should be good enough to keep protecting websites for a long time. In this respect, Imperva’s strong track record as a competent cybersecurity business that has managed to keep up with developing attack strategies works strongly in its favor.

The cybersecurity market is very complicated. There are constant changes in hacker strategies and from time to time new defense systems arise to meet those changes with a new approach. A WAF buyer needs to be assured that the product chosen is future-proofed and is likely to be developed and adapted over time to meet new challenges. To find out more about web application firewalls, you could read the Buyer’s Guide to the Leading Web Application Firewalls. However, if you don’t have time to read another article on the topic, you can just look at the rundown of the best web application firewalls listed below.

Here is our list of the 10 best Imperva WAFs alternatives:

  1. AppTrana Managed Web Application Firewall (FREE TRIAL) A cloud-based edge service that includes technicians to run the system as well as software and server resources. This package of services includes an application scanner, a CDN, and managed custom security rules with Zero WAF False-positive assurance backed with SLA and 24×7 support. Start a 14-day free trial.
  2. Sucuri Website Firewall An edge service package based on the cloud that includes site acceleration and a web application firewall.
  3. Fortinet FortiWeb An appliance-based cybersecurity system that combines a number of web application network services including a web application firewall, an SSL off-loader, and a load balancer.
  4. BIG-IP iSeries Platform – An appliance that implements the F5 Advanced Web Application Firewall.
  5. F5 Essential App Protect – A SaaS web application firewall that is an online version of the appliance-based F5 Web Application Firewall.
  6. MS Azure Web Application Firewall Although available as part of an Azure service, this WAF can protect web applications hosted on any device, not just those resident on the same cloud Azure server.
  7. Radware AppWall A network appliance that implements positive and negative signature-based protection strategies.
  8. Barracuda Web Application Firewall A network appliance that implements a WAF, DDoS protection, caching, and web acceleration.
  9. Citrix Netscaler Application Firewall A WAF from a leading virtualization provider that is available as an appliance or as a SaaS system and that includes a load balancer.

Imperva WAF FAQs

What OS is Imperva WAF based on?

Imperva WAF uses a proprietary operating system, called SecureSphere Linux. This is based on CentOS Linux.

How does Imperva WAF work?

The Imperva WAF uses DNS redirection to attract all traffic that is intended for the protected network. This enables it to absorb excessive requests and identify abnormal traffic. Approved traffic is then forwarded to the protected server over a VPN.