Can AWS WAF and CloudFlare Commoditize the Edge Security Market Within 2 Years?


In October of 2015, Amazon introduced two new security features: AWS WAF and Amazon Inspector. Amazon Inspector is a web application scanner that scans for vulnerabilities within the AWS environment. From a competitive standpoint, the Inspector tool is one of many tools that exist in a hyper-competitive market.


However, the AWS WAF might be the biggest threat the Edge Security market has ever faced. It can do to the Edge Security market what CloudFront + S3 did to the CDN Origin Storage market: obliterate it. And this time AWS is not alone but has the company of CloudFlare, the #1 DDoS Mitigation startup by customer count and sales growth. Is it possible that the dual threat of AWS and CloudFlare can force the DDoS + WAF market to suffer the same fate as CDN Origin Storage?


The “Amazon Way”

Presently, the AWS WAF is an entry-level product that lacks the functionality of competing products. Absent from the AWS WAF are techniques such as “instant WAF rule updates”, “machine learning and profiling”, “anomaly detection and mitigation” and so on. Competing WAFs from the likes of Incapsula, CDNetworks, EdgeCast, Akamai, and others offer a more advanced feature set.

However, based on AWS’s history with product launches, the first version of a feature will merely introduce it to the market, and over time it will undergo significant improvement (e.g., CloudFront). It’s safe to say that Amazon will update its WAF dozens of times throughout the year and drop pricing along with it to become a low-cost leader, as it did with EC2 and S3. This, in turn, will impact Edge Security CDNs, at least those that are unprepared.

CloudFront’s History

When Amazon first launched CloudFront, it lacked many of the features offered by the Pure-play CDNs. In fact, CloudFront did not even have some of the more basic features like streaming, raw log file access, query string caching support, SSL, and real-time reporting, let alone Rules Engine, FEO and DSA (Dynamic Site Acceleration). Today, even though CloudFront still lacks some of the more advanced features, it has all of the basics in place such as raw logs, SSL support, and advanced reporting. In a relatively short period, CloudFront has become a mature and stable platform on par with some of the non-innovative CDNs.

Effects of AWS WAF on the Market

There is typically a twelve month learning curve when it comes to understanding and selling a technical product like the CDN WAF. In the short term, the AWS WAF will have no impact on the competitive landscape. In the mid-term, Amazon will improve its WAF, transforming it from an entry-level product into a more robust, stable and scalable WAF.

AWS marketing efforts will likely focus on one demographic – their “installed user base.” There is no need to go outside of the base since most organizations use AWS in one form or another. Under normal circumstances, the strategy of going after only one target market would be a problem, but not for AWS. The AWS “installed user base” likely includes 99% of the Fortune 1000 along with hundreds of thousands of companies from all over the world.

Within 12 months, Amazon’s WAF is likely to be the least expensive product on the market. In 24 months, Amazon is expected to have hundreds, if not thousands, of customers using it. When it comes to cross-selling services, Amazon is a leader, and bundling WAF with EC2 is a no-brainer. Amazon will put tremendous downward price pressure on the entire Edge Security industry in due time.

Amazon and CloudFlare

Today, there are companies giving away WAF for $20 per month, like CloudFlare, which has hundreds of thousands of customers. AWS is likely to match CloudFlare on WAF and DDoS Mitigation pricing, and the effects will be similar to the CloudFront + S3 effect on CDN Origin Storage. The CloudFront + S3 combo forced price drops of 85% or more on CDN Origin Storage. Within 24 months, we expect Amazon to do the same with its WAF and DDoS Mitigation pricing. For the unprepared, some existing cloud security business models are likely to crumble, along with those once profitable revenue streams.

Although Amazon’s market introduction of WAF was surprising and unexpected, it was overshadowed two weeks later by news that CloudFlare received a hefty investment of $128 million from Google and several other large investors. With this new round of funding and strategic partnerships, CloudFlare will acquire hundreds of thousands of new customers and develop a number of new security features. Also, it will ramp up operations globally, expand its platform into new territories and hire dozens of security engineers to fuel growth.

6 Disruptive Events in Edge Security Market

There have been six major events over the last several years that have transformed the Edge Security CDN segment into what it is today. These events have forced competitors to respond appropriately and have impacted the general cybersecurity industry for the better. Each event is significant on its own and has caused a major disruption to the edge security business model.

  1. Imperva starts Incapsula
  2. Akamai acquires Prolexic
  3. CloudFlare grows its customer base to 500,000
  4. Akamai acquires Bloxx
  5. Amazon introduces WAF
  6. Cato Networks and Reblaze enter the market with a new business model and the most advanced security feature set to date

Who Will Be Impacted First

In twelve months, when Amazon introduces an even lower-cost tier for its feature-rich WAF and DDoS Mitigation service, the DDoS Mitigation Pure-plays (e.g., Black Lotus) are likely to be impacted the most. Security companies whose livelihood depends on sales from DDoS Mitigation and WAF will experience revenue deceleration, if that is all they have. Presently, some companies are alert to what’s going on, and have countered the coming threat by taking drastic measures in expanding their product offerings. Even new security startups are coming to market with cloud security suites that offer more advanced features beyond the standard WAF and DDoS Mitigation service.

CloudFlare Pricing

CloudFlare is the number one Edge Security CDN in the mid-market sector (Akamai is #1 in Enterprise), with 500,000 customers and 4+ million websites. Here is the current CloudFlare pricing structure:

  • Pro Plan: $20/month and $5/month for each additional website, includes WAF and mobile acceleration
  • Business Plan: $200/month/website for WAF and Advanced DDoS Mitigation

CloudFlare clearly notes on its pricing page that they “never charge for bandwidth.” Whether a customer experiences a 1 Gbps attack or 300 Gbps, the price for mitigation remains the same. The CloudFlare pricing structure is different from what other companies charge, especially the DDoS Mitigation Pure-plays, which charge customers based on a bandwidth metric or on clean traffic that’s delivered over a GRE tunnel to clients. Some telcos are following in the footsteps of the DDoS Mitigation Pure-plays. Here is AWS WAF pricing as of 4/3/16.

AWS’ WAF pricing is based on three different metrics.

  • Access Control List (ACL): $5/month per ACL
  • Rules: $1/rule/ACL/month
  • Request Charges: $.60/1 million requests

AWS WAF Pricing Example

  • Client has WAF enabled on 8 CloudFront Distributions
    • CloudFront Distributions are created upon account setup
  • 2 ACL’s created for the 8 Distributions noted above
  • 1 ACL has 4 rules associated with 6 Distributions
  • 1 ACL has 6 rules associated with 2 Distributions
  • Total request per month = 10 million

Quote Example

  • 2 ACLs x $5/month = $10
  • 10 rules x $1/month = $10
  • 10 million requests x $.60 = $6
  • Total = $26/month

CloudFlare and AWS offer the two lowest pricing models to date. Over the next few quarters, they’ll drop prices, especially as other CDNs enter the market with their own low cost WAF + DDoS Mitigation product. Although Amazon currently provides a “build-it-yourself DDoS Mitigation product”, eventually they will notice and change their strategy so it mimics CloudFlare.

The New Standard: $20/Month for WAF + DDoS Mitigation

Are we to conclude that CloudFlare’s and AWS’s market strategies will force the industry into the $20/month WAF? Possibly, at least for the SMB/SME and mid-market. Of course, banks and some other online companies will continue to need pricier, more premium Edge Security services. But even this niche is likely to experience some price degradation over time.

Market Effect Cascades

What can we expect from CloudFlare and Amazon within 24 months?

  • Basic CDN WAF (and likely DDoS Mitigation) will start at $20/month
  • CloudFlare will triple its customer base from 500,000 to 1.5 million and its number of websites from 4 million to 12 million
  • CloudFlare will quadruple its Fortune 1000 / Global 2000 customer base
  • Amazon will roll out a low-cost basic DDoS Mitigation service on par with other CDNs
  • AWS’ WAF will be feature rich like CloudFlare
  • Amazon will have tens of thousands of customers using its WAF by 2020
  • Amazon will capture a large percentage of the Fortune 1000 / Global 2000 in need of WAF (compared to Edge Security CDNs)

Impacted Groups

The tiers presented below represent the group of companies that will be impacted the most starting from Tier 1. Tier 1 companies will be impacted the most, followed by Tier 2, and so on.

  • Tier 1 (Staminus, DOSarrest, Nexusguard, and other DDoS Mitigation Pure-plays): Once AWS WAF and CloudFlare introduce their lower-tier pricing models in twelve months, some of these companies will implode. CloudFlare and Amazon will provide nearly identical services to these companies for under $20 per month.
  • Tier 2 (Verisign and Neustar): Neustar and Verisign are in a better position to survive the AWS + CloudFlare assault, due to the diversity of their product lines. Neustar offers Marketing Services and Voice Services in addition to DDoS mitigation. Verisign is the largest domain registrar and also offers web hosting and other services.
  • Tier 3 (Akamai): Their Security Solutions business unit generates $300M yearly, and commoditization is bound to impact the Prolexic business.
  • Tier 4 (Verizon EdgeCast and Level 3): Their WAF + DDoS Mitigation represent only a tiny fraction of their overall business.

Not included in the group are the Edge Security CDNs. Even if DDoS Mitigation and WAF were to become commodities, these companies would survive because they’re innovation leaders who are introducing new features at regular intervals.

