Dec 19, 2025 – Jeremy Snyder – A recent posting by Dr. Chase Cunningham from Ericom Software on LinkedIn took an interesting view on web application firewalls, most commonly known as a WAF.
WAF’s Must Die Like the Password and VPN’s
Here at FireTail.io, we are also not fans of a WAF. Why? We do not believe that a WAF will catch most modern attacks. WAFs are fundamentally based on firewall (perimeter defense) structures that are designed to keep attackers out based on where they are coming from, where they are going to, and what they are trying to access. A simple search for bypassing a WAF returns quite a lot of results:
Bypass WAF, 1.28M results
Dr. Cunningham’s post shares some interesting opinions and statistics on WAFs:
* “WAFs are antithetical to the move to Zero Trust”
* “According to most innovators and experts, the pattern and rule-based engine used by WAFs are not aligned with current security needs.”
* “Ponemon conducted research at that time to probe the market for issues with WAF solutions, and more than 600 respondents made their point clear: WAFs aren’t helping.”
The Ponemon WAF research referenced also included some eye-opening statistics:
* While 66% of respondent organizations consider the WAF an important security tool, over 40% use their WAFs only to generate alerts (not to block attacks)
* 86% of organizations experienced application-layer attacks that bypassed their WAF in the last 12 months.
* Managing WAF deployments are complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.
* The CapEx and OpEx for WAFs together average $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.
SUMMARY OF WAF FAILURES FROM DR. CHASE CUNNINGHAM
If you wanted the tl;dr version of what Dr. Cunningham had to say, it’s this:
> In other words, WAFs are not stopping attacks, require continuous configuration and intensive management and security human capital, and are more expensive than other better-suited technologies.
WHAT IS A BETTER APPROACH THAN USING A WAF THEN?
This is where our view may both overlap with and also differ from from Dr. Cunningham’s. Dr. Cunningham speaks of the model of W
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: