The Era of the Security-based CDN

Incapsula and Akamai are changing the CDN landscape. In two years, the primary growth engine for CDNs will be their security offering. Incapsula, the security based CDN that is now part of Imperva, is focused on serving the SMB market. Akamai, with the recent acquisition of Prolexic, is focused on the enterprise market. With the SMB and enterprise segment covered, there is a gap in the middle market.

It’s only a matter of time before Incapsula starts going upstream, and Akamai downstream, in order to capture more market share. The competing CDNs have a short window span to create a security suite that rivals Incapsula’s, tailored to the mid-market. While Incapsula has a head start in the security space, CDNs have more experience with the middle market customer, and middle market economics, like pricing models.

Akamai and Incapsula

Akamai and Incapsula offer a security suite that is magnitudes more comprehensive and feature rich, than all other current CDN players. The CDNs that fail to create their own robust security suite now, will have a difficult time staying relevant in 2 years. At an absolute minimum, CDNs need to offer a WAF product today. If not, they should get it on the road map ASAP.

All websites need protection beyond the Layer 3 and Layer 4 attacks, they need protection against Layer 7 attacks. The Layer 7 attack is the place where cyber-criminals attack websites with programs incorporating advanced techniques of logic, mathematics, and deception. For the CDN that doesn’t have WAF today, should start with the ModSecurity plugin. Then go from there, creating custom rules, and developing it to fit the particular CDN environment.

The other route to go is to deploy hardware based appliances in the CDN infrastructure. However, buying hardware for 20 to 30 POPs is expensive. In the CDN industry, I believe it’s better to start with open source, than build from there. However, the open source product must be solid, have good documentation, and have a large open source development community around it.

WAF Pricing

There are a few ways to price out WAF. Some do it better than others. Akamai has the best WAF pricing model in the industry. If I were in charge of pricing out the WAF product for a CDN, it would be a two tier pricing model. First, there would be a monthly platform fee. Second, there would be a bandwidth (data transfer) fee, that is higher than the standard content delivery fee. The WAF bandwidth fee means that WAF customers are on separated networks, and clusters of servers in the CDN POP.

I would never offer a WAF product for free, bundling it with the standard CDN delivery plan. In fact, I would charge a premium for it, and build a separate NOC that deals specifically with WAF customers and all security incidents. The 24×7 security NOC should have a cool name like Advanced Security Operations Center (ASOC). The ASOC provides 24×7 real time security monitoring. From my experience, customers appreciate a premium service that allows them to sleep better at night. We all understand that you get what you pay for; what website owner wants to skim on security. An intrusion is going to be much more damaging than paying a nominal monthly fee.


We are in the era of the security based CDN. Akamai and Incapsula are leading the way, and collapsing the CDN and Cloud Security markets. It is only a matter of time before more cloud security companies start invading the turf of the CDN. How will the current CDNs respond, that’s the question at hand.