What’s new in Gartner WAF Magic Quadrant 2017?

To tell the truth, I was not much interested in Web Application Firewall market since the time when I was doing competitive analysis in Positive Technologies. And a few days ago Gartner published a fresh WAF research with interesting Magic Quadrants. I decided to figure out what’s new there.

Here you can download full Gartner WAF MQ 2017 report for free. Thanks to Positive Technologies for such an opportunity!

First of all, let’s look at the illustrations. I took the Magic Quadrant from this year’s report:

Gartner Magic Quadrant WAF 2017

And for comparison from 2014 and 2015 reports:

Gartner Magic Quadrant WAF 2014 and 2015.

The first thing that caught my eye was Akamai in the leaders! And apparently this will be the main message.

CDN class products with some WAF and Anti-DDoS functionality that previously were not taken seriously now starting to conquer the market and displace traditional players. According to Gartner, these solutions occupy less than 20% of the market now, but in 2020 they will occupy about half. Of course, they are only suitalbe for protecting public web applications. But, on the other hand, it is the main usecase for WAFs, right?

Traditional Web Application Firewall vendors, that make mainly hardware appliances, also understand this. They are trying to transfer their products to the cloud and create SAAS solutions. Usually such solutions are more functional, but they are not so convenient to use. Another option is to buy a cloud WAF company, as Imperva did with Incapsula.

Well, if some vendors are trying to deploy their solutions in cloud, it would be logical to have someone cloud giants with own WAF products at the market. And here it is – AWS WAF by Amazon Web Services.

What abilities Application Firewall should have? Where is the boundary between the firewall and the WAF? For example, NGFW with the “application awareness” functionality will be also a WAF? Gartner doesn’t think so. In their opinion WAF should be specialized on finding vulnerabilities in the company’s own applications. Actually, it’s a lot of confusion there. Now when the Web Application Firewall can be combined with API gateway, bot management, ADCs, CDNs or DDoS functionality, it’s quite subjective what a good WAF should be able to do.

And what about the technological innovations in the main functionality? Read in WAF Market Trends section: “As in previous years, little innovation has occurred during the last 12 months. Use of machine learning is rare and often still unproven.”

As far as I understand the logic of Gartner, to be considered a Visionary company need to show the progress in machine learning.

There are three Visioners this year. Including the company where I worked – Positive Technologies. Last year they were all alone in this quadrant. Two more players: Radware and Instant Logic.

  • Radware is a company from Israel. They recently bought Seculert, which adds machine learning, big data analytics and sandboxing capabilities. Well, that’s probably why they moved from Niche Players to the Visionaries.
  • Instart Logic from Palo Alto. It seems that they are visionaries because of their semi-automated security rule service (Helios) that uses machine learning to generate suggested policies based on log analysis.

It’s great that companies in Quadrants are from around the world, not just US. 2 Chinese companies: NSFOCUS and Venustech, Ergon Informatik from Switzerland, Rohde & Schwarz Cybersecurity from Germany, Penta Security Systems from Korea.

Reading about all the companies in a row maybe rather boring, but if you are choosing a WAF, be sure to read about them here. However, I would also not advise you to draw conclusions based of this report only. This is nothing more than marketing description still and the real possibilities of products can be estimated after a real PoC in your organization.

It has become popular to blame Gartner. The main point is that the organization takes money from vendors and estimates them at the same time. And the financing is not transparent. Read here a good post about it. However, my opinion is that the reports are still useful and beneficial. Where else can you read so much information about different WAFs vendors and about the whole market? But you should understand that this is a powerfull marketing tool in the hands of corporations, so do not rely on it completely. 😉

2 thoughts on “What’s new in Gartner WAF Magic Quadrant 2017?


    Ergon Informatik from Germany, Rohde & Schwarz Cybersecurity from Switzerland. It’s wrong. Ergon is from Switzerland and Rohde from Germany


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.