IDC MarketScape

IDC MarketScape: Worldwide Web Application and API Protection Enterprise Platforms 2024 Vendor Assessment
Christopher Rodriguez

THIS IDC MARKETSCAPE EXCERPT FEATURES F5

IDC MARKETSCAPE FIGURE

FIGURE 1

IDC MarketScape Worldwide Web Application and API Protection Enterprise Platforms Vendor Assessment

Source: IDC, 2024

September 2024, IDC #US51795524e


See the Appendix for detailed methodology, market definition, and scoring criteria.

IN THIS EXCERPT

The content for this excerpt was taken directly from IDC MarketScape: Worldwide Web
Application and API Protection Enterprise Platforms 2024 Vendor Assessment (Doc #
US51795524). All or parts of the following sections are included in this excerpt: IDC
Opinion, IDC MarketScape Vendor Inclusion Criteria, Essential Guidance, Vendor
Summary Profile, Appendix and Learn More. Figures 1 and 2 are also included.

IDC OPINION
Web applications are foundational components of the modern digital business,
providing the functionality required to interact with customers and prospects, partners
and guests, and employees and contractors. Attackers continually probe these
applications and related application programming interfaces (APIs) for opportunities to
steal data, gain illicit access, or defraud businesses for personal gain. Attacks
targeting web applications and APIs have led to high-profile data breaches, costly
downtime, and real-world impacts including theft. End users and customers often bear
the brunt of the impact through financial losses. Over time, this erodes customer trust
and willingness to conduct business online.

Online cybercrime is more than a mere nuisance; it can degrade and disrupt business
results. Over the years, businesses have adopted numerous security tools to address
the steady stream of new threat tactics and expanding attack surfaces. A web
application firewall (WAF) offers a foundational level of protection against known and
emerging application-layer exploits. Enterprises have layered in numerous specialized
solutions such as DDoS mitigation, bot management, and more recently, API security.

Web application and API protection (WAAP) combines these essential security
technologies into an integrated, coherent platform to ensure a reliable level of
protection against vast online threats. Consolidated, integrated platforms help reduce
security gaps, reduce management complexity, and provide streamlined inspections.
IDC research shows that 77% of businesses rate integration between security solutions
as "important" or of "critical importance." Applications face an array of threats each
day, and attackers intentionally leverage multiple tactics to identify weaknesses in the
defenses. As a result, application security strategies that focus on specialized security
silos are set up for eventual failure. Security convergence and consolidation are a
critical step for enabling a stronger security posture, whether through improved

©2024 IDC #US51795524e 2


detection accuracy or decreased false positives or reliable detection of advanced and
zero-day threats.

However, convergence yields many business benefits as well, such as reduced time and
resources required for deployment and management, improved user experience, and
improved analytics. In addition, performing all security functionalities in one service
reduces the latency introduced by routing traffic to multiple security inspection points.

Simultaneously, businesses must take a measured approach in adopting the full
breadth of application protection technologies gradually, as needed, or as time and
resources permit. For customers, a modular, integrated platform for implementing
WAAP easily over time is essential. For vendors, the challenge is to identify the precise
mixture of integrated capabilities across core security functional areas that should be
included at various product tiers.

While WAF is a foundational component, modern application protection is impossible
without a coherent API strategy. APIs now play a major role in the modern digital
business era, providing a streamlined and efficient process for integrating applications
to deliver powerful, net-new functionality. However, APIs change the attack surface in
new ways. APIs are vulnerable to misconfigurations, sensitive data exposure, and
denial-of-service attacks. Importantly, while APIs are vulnerable to many of the same
attacks that target user interfaces, they also introduce API-specific threats such as
broken object-level authorization (BOLA). APIs also provide a means for application-to-
application communications that may not cross a perimeter protection solution such as
WAF. This can result in a security blind spot that attackers can exploit to move laterally,
behind network-based defenses.
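The BOLA case above is worth seeing in code, because the malicious request is syntactically indistinguishable from a legitimate one and carries nothing a WAF signature would match; the missing check lives in the application, next to the object lookup. The following is an added example written for this page, not code from the IDC report or from any vendor product; the order store, user IDs and handler signatures are constructed for illustration.

```python
"""Broken object-level authorization (BOLA): a vulnerable API handler beside
a hardened one. Added example; not from the IDC report or any vendor product.
The order store, user IDs and handler signatures are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two customers (7 and 9), three orders.
ORDERS = {
    1001: Order(1001, owner_id=7, total_cents=4999),
    1002: Order(1002, owner_id=7, total_cents=1250),
    1003: Order(1003, owner_id=9, total_cents=89900),
}


def get_order_vulnerable(caller_id: int, order_id: int) -> dict:
    """GET /orders/{order_id} as it is often written: the caller is
    authenticated (caller_id is known), but the handler never checks that the
    caller owns the object it looks up. Any authenticated user can walk the
    ID space and read every order. Note that caller_id is simply ignored."""
    order = ORDERS.get(order_id)
    if order is None:
        return {"status": 404}
    return {"status": 200, "order": order}


def get_order_hardened(caller_id: int, order_id: int) -> dict:
    """Same endpoint with an object-level authorization check. The lookup is
    scoped to the caller, and a foreign object is reported exactly like a
    missing one (404, not 403), so the endpoint does not confirm that the
    ID exists and enumeration yields nothing."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        return {"status": 404}
    return {"status": 200, "order": order}


def enumerate_orders(handler, caller_id: int, id_range) -> list[int]:
    """What the attacker does: one valid session, a loop over candidate IDs,
    and a list of every order the handler hands back."""
    return [oid for oid in id_range if handler(caller_id, oid)["status"] == 200]


if __name__ == "__main__":
    # Customer 7 probes IDs 1000-1009 against both handlers.
    print("vulnerable:", enumerate_orders(get_order_vulnerable, 7, range(1000, 1010)))
    print("hardened:  ", enumerate_orders(get_order_hardened, 7, range(1000, 1010)))
```

Every request in the enumeration loop is a well-formed GET with a valid session token, which is why the text treats BOLA as an API-specific threat rather than something a signature-based WAF addresses: the detectable signal is per-user behavior (one principal touching many object IDs), not request content.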

The combination of WAF and API security is critical to ensure complete coverage of web
applications across all interfaces and attack surfaces. The WAAP value proposition is
rounded out by technologies designed to address specialized threat types such as
DDoS attacks and unwanted bot activities. These threats vary widely in terms of ease of
detection, difficulty of mitigation, frequency of occurrence, and severity of impact.
Ultimately, a complete application protection stack requires WAF and API security,
DDoS mitigation, and bot management. However, the unique technical requirements of
APIs and specialized requirements of DDoS attacks and bot activities mean that the
evolution toward WAAP is a long winding journey.

IDC MARKETSCAPE VENDOR INCLUSION CRITERIA


WAAP is a converged security solution for active application protection with WAF at its
core. IDC has identified key attributes discussed in this section that must be present in
the solution considered to qualify for inclusion in this IDC MarketScape analysis for
WAAP enterprise platforms.

Vendors must offer a converged WAAP solution that combines two or more of the
following into a unified security platform:

▪ API security
▪ Bot management
▪ DDoS mitigation
▪ Web application firewall
Note that WAF is considered foundational and must be included to be considered as
WAAP. Furthermore, one-off sales of WAAP components as standalone solutions will
not be counted as WAAP.

In addition, this IDC MarketScape analysis includes the following requirements for
market participation and presence:

▪ Market participation: The vendor offered critical WAAP functions as a unified
solution as of 2023. Specific core or extended functionality may be offered as
part of a different bundle or platform, or as standalone solutions, as long as the
functions were not only offered as standalone or separate products. See the
Market Definition section for a full, detailed description of required and optional
functionality.
▪ Market representation: The vendor achieved a minimum established share of
revenue in the WAAP competitive market in 2023, as confirmed in IDC's Security
Products Tracker.
▪ Global presence: The vendor has a minimum distribution of revenue across
each major global region including North America, Latin America, EMEA, and
Asia/Pacific as of 2024 and as confirmed in IDC's Security Products Tracker.
IDC notes that some cloud and security providers that offer components of a WAAP
were not included in the analysis due to a point product focus instead of an integrated
WAAP approach. Similarly, some vendors that offer WAAP did not reach the minimum
market representation or global presence requirements.

ADVICE FOR TECHNOLOGY BUYERS

Key Considerations for Vendor Capabilities


The IDC MarketScape analysis for WAAP enterprise platforms factors in the common level
of protection required and expected by IT buyers, as well as the extent of integration,
ease of use, adjacent professional and managed services, and total cost of ownership.
At the enterprise level, a WAAP must deliver excellent protection, reduce the
performance impact of security, and add minimal friction to the end-user experience.
The analysis also emphasizes the primary goal of WAAP, which is to combine multiple
essential security technologies into a single integrated, coherent platform.
Extensibility and a choice of pricing models are also required so that WAAP can be
adopted in a way that provides consistent protection against online threats while
delivering business value.

User expectations continue to climb. Businesses continue embracing emerging
technologies to deliver innovative, delightful user experiences. Applications are
increasingly reliant on complex, distributed infrastructure. DevOps teams are working
faster and smarter to race new functionality to market. Businesses may want to give
extra consideration to specialized product- and feature-specific capabilities, which a
vendor may offer natively and include by default, or provide through other means such
as first-party add-on functionality, separate products, or third-party OEM or technical
integrations. Furthermore:

▪ Client-side WAF: Client-side WAF, also called client-side protection, is an
emerging security technology designed to address a specialized threat vector —
the web application code that runs on end-user devices. This code includes
scripts that execute in the browser to perform various functions on the device
rather than at the web server.
▪ Fraud/abuse prevention: Online fraud and abuse prevention capabilities are
typically rooted in bot management capabilities tuned specifically to address the
unique patterns indicative of specific fraudulent activities such as account
takeover or new account fraud (also called fake account fraud). Insights into user
identity, client- and device-level telemetry, and user behavior are required to fully
detect fraud and other actions that indicate abuse of properly functioning
applications and APIs. As a result, significant variance exists between WAAP
solutions in their ability to detect fraud, as well as how these capabilities are
packaged and marketed to buyers.
▪ Residential proxies: WAAP solutions vary in their ability to detect attackers that
hide behind residential proxies or other obfuscation methods such as IP
rotation.
▪ WebSockets: Support for applications that use WebSockets, a protocol that
enables real-time communication over a full-duplex connection. Because a
WebSocket connection is upgraded from HTTP and then carries framed messages
rather than discrete requests, a WAAP must be able to inspect those frames.
Support for WebSockets is increasingly important as online users expect
interactive, real-time applications.
▪ WebAssembly (WASM): WASM is a portable binary code format for a low-level
virtual machine. Its primary benefit to date has been the ability to compile
code written in a wide array of development languages to run in the browser.
The importance of WASM support in WAAP increases as adoption increases.
▪ Runtime application self-protection (RASP): RASP is an advanced security
capability that protects the application runtime environment and monitors data
inputs to identify, detect, and block attacks. RASP may be a useful option for
deep application security, if expectations for deployment complexity and
performance impact are properly understood.
▪ Private access tokens (PATs): Apple and other technology companies have
increased their attention to end-user privacy, offering methods that attest
that a requesting device is authentic and trustworthy without exposing
personally identifiable details. WAAP support for Apple PAT may help reduce
reliance on CAPTCHAs or other bot detection techniques that introduce friction
or uncertainty into the user experience. Apple PAT is part of a broader industry
push toward privacy-preserving technologies that allow sharing and processing
of user data with select parties without exposure of sensitive PII.
▪ Automation: Automatic implementation of updates improves ease of use and
adds business value.
▪ Simulation testing: It allows for the testing of rule updates prior to
implementation to production. Simulation testing is most effective when it can
be performed on real-world traffic.
▪ eBPF: eBPF is a Linux feature that allows sandboxed programs to run in the
operating system kernel, which has strong implications for improving security
observability, particularly in cloud-native environments.
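Simulation testing as described in the list above, in an added example (not from the IDC report or any vendor's product): a candidate rule set is evaluated alongside the current one against recorded traffic, nothing is blocked, and only the requests whose verdict changes are reported for review. The rule patterns, the one-line log format and the sample requests are constructed for illustration.

```python
"""Dry-run (simulation) testing of a WAF rule change against recorded traffic.
Added example; not from the IDC report or any vendor product. Rules, log
format and sample requests are constructed. A real deployment would feed the
candidate rule set with mirrored or logged production requests."""

import re
from urllib.parse import unquote_plus

# Constructed sample of logged requests: "METHOD PATH[?QUERY]" per line.
SAMPLE_TRAFFIC = """\
GET /search?q=union+select+1,2,3
GET /search?q=reunion+selection+tickets
GET /products?id=42
GET /products?id=42%20OR%201%3D1
POST /login
GET /help?topic=how+to+select+a+plan
GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
""".splitlines()

# A rule is (rule_id, compiled pattern applied to the decoded path+query).
CURRENT_RULES = [
    ("SQLI-001", re.compile(r"union\s+select", re.I)),   # no word boundaries
    ("XSS-001", re.compile(r"<script\b", re.I)),
]

# Candidate set: SQLI-001 gains word boundaries (fixes a false positive),
# SQLI-002 catches "OR 1=1" tautologies (fixes a miss), and SQLI-003 is a
# deliberately over-broad rule that the simulation should expose.
CANDIDATE_RULES = [
    ("SQLI-001", re.compile(r"\bunion\b\s+\bselect\b", re.I)),
    ("SQLI-002", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("SQLI-003", re.compile(r"\bselect\b", re.I)),
    ("XSS-001", re.compile(r"<script\b", re.I)),
]


def parse_line(line: str) -> tuple[str, str]:
    """Split a logged request into method and percent-decoded target, so the
    rules see what the application sees (encoding is a classic way to slip
    past patterns applied to the raw line)."""
    method, target = line.split(" ", 1)
    return method, unquote_plus(target)


def evaluate(rules, target: str) -> list[str]:
    """Return the IDs of every rule whose pattern matches the target."""
    return [rule_id for rule_id, pattern in rules if pattern.search(target)]


def simulate(current_rules, candidate_rules, lines) -> dict:
    """Run both rule sets over the same recorded traffic and report only the
    verdicts that change. This is the review artifact a team inspects before
    promoting the candidate set to enforcement."""
    report = {"newly_blocked": [], "newly_allowed": [], "unchanged": 0}
    for line in lines:
        _, target = parse_line(line)
        before = evaluate(current_rules, target)
        after = evaluate(candidate_rules, target)
        if not before and after:
            report["newly_blocked"].append((line, after))
        elif before and not after:
            report["newly_allowed"].append((line, before))
        else:
            report["unchanged"] += 1
    return report


if __name__ == "__main__":
    result = simulate(CURRENT_RULES, CANDIDATE_RULES, SAMPLE_TRAFFIC)
    for key in ("newly_blocked", "newly_allowed"):
        print(key)
        for line, rule_ids in result[key]:
            print("  ", line, "->", ", ".join(rule_ids))
    print("unchanged:", result["unchanged"])
```

Reviewing the output is the point of the exercise: the "newly_allowed" entry confirms the boundary fix removed a false positive, the "OR 1=1" entry confirms the intended new detection, and the help-page search term shows that SQLI-003 would start blocking legitimate users, which is exactly what the text means by simulation being most effective on real-world traffic.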

Strategy Considerations
In addition, given the rapidly evolving nature of web application and API technologies,
shifting business practices, and a constant level of adaptation and innovation by threat
actors, security buyers should be highly aware of the solution's ability to meet their
needs over the next three to five years. Furthermore:

▪ Detection obfuscation: Cybercriminals are increasingly brazen in their efforts to
steal data and products, commit fraud, and harass or extort companies. The most
sophisticated tools and clever tactics are typically reserved for lucrative
targets. When security companies identify and block attacks, cybercriminals
begin a process of adaptation. WAAP providers should invest significantly in
concealing the nature of their detections to ensure the longevity of their
mitigations. The most productive strategies prevent attackers from knowing when
they have been detected, which drains their resources. IDC has noted advanced bot
and fraud mitigations that use deception technologies to prevent attackers from
closing the loop on the development of their attack tooling.
▪ Platformization: Industries are being reshaped by platforms that reduce
complexity, delivering specialized functionality through a simple user interface
that abstracts away the need for original technical development. For example,
Shopify is an ecommerce platform that simplifies the process of establishing a
new online business. Functions such as customer information, inventory, and
payment processing are offered as a complete, turnkey SaaS. Security, including
basic WAF and DDoS protections, is included as built-in functionality of the
platform. This will change buyer needs and expectations for WAAP solutions, and
for vendors, strategic adaptations will be required.
▪ "Shift left" strategies: The need to implement security testing and practices
earlier in the software development life cycle is not new. Detection of
vulnerabilities prior to release in production prevents attackers from ever having
an opportunity to discover and exploit the vulnerability. Early detection and
correction are also more efficient and cost-effective. However, in recent years,
the concept of shift left has emerged, which achieves these ideals through
integration of traditional post-production tools into developer tooling and
workflows. For example, the usage of APIs to invoke dynamic application security
testing (DAST) enables DevOps teams to find and fix vulnerabilities quickly and easily.
Moreover, as DevOps teams work faster and utilize microservices, composable
code, infrastructure as code (IaC), and other means to shorten development
cycles, the need to support "shift left" strategies is becoming unavoidable.
▪ Changing personas: Platformization trends, "shift left" strategies, and a general
increase in security-aware culture (everyone is responsible for security) are
driving a shift in buyers and decision-makers. Developers, cloud and networking
teams, and even line-of-business buyers are involved in the WAAP buying
process. WAAP vendors must increasingly invest in simplification, automation,
strong out-of-the-box protection, and market education to better support a wide
audience of buyers and decision makers.
▪ GenAI: The introduction of GenAI raised concerns about the potential new risks
that the technology may introduce into business environments. IDC buyer
research found that organizations are considering the need to increase
application security budgets as a result. WAAP vendors vary widely in terms of
their attention and planning for potential GenAI-related risks across multiple
factors such as:
▪ Potential new threats that leverage GenAI to evade defenses more effectively
▪ Possible applications for emerging technologies (e.g., GenAI to mitigate bot
activities, tarpit, slow, or sabotage bot operations)
▪ The possible need to deploy specialized features or products, or the
possibility to rely on existing defenses, as businesses built out LLM
capabilities, or leverage third-party LLMs, in their application strategies
▪ Potential applications for GenAI in improving security operations efficiency
and productivity
▪ Potential applications for AI to improve security detection
Overall, despite the vast breadth of functionality required and implied in the definition
of WAAP, IDC noted a high level of capabilities in the solutions considered in this IDC
MarketScape. The definition of WAAP is expected to continue to change, given
emerging technologies and changing threats. There remains room for improvement in
some functional areas, and vendors have extensive road maps outlined. While
specialized point products may be required in certain use cases, or for exceptional
requirements, WAAP vendors have made great strides on the path toward complete,
powerful platforms with deep functionality required to ensure strong application
protection and performance.

VENDOR SUMMARY PROFILE


This section briefly explains IDC's key observations resulting in a vendor's position in
the IDC MarketScape. While every vendor is evaluated against each of the criteria
outlined in the Appendix, the description here provides a summary of each vendor's
strengths and challenges.

F5
F5 is a Leader in this 2024 IDC MarketScape for WAAP enterprise platforms.

F5 is a provider of high-performance application delivery and security solutions.
The company offers a full, integrated WAAP suite along with dedicated security
solutions, available as hardware, software, SaaS, and managed services. F5 security
solutions are available for a breadth of deployments, from powerful, purpose-built
BIG-IP appliances to customizable software in NGINX and cloud/edge platforms in F5
Distributed Cloud. These options are unified through the F5 Distributed Cloud Console,
where security policies can be configured once and deployed across all hybrid
multicloud environments. The F5 architecture performs essential WAAP protections
inline with a single enforcement engine for consistency of protection across all
deployment form factors. These protections are enriched by offline advanced security
analytics: Bot Defense data analysis, API discovery, malicious user detection, risk and
threat scoring, and false positive tuning of WAF signatures.

Strengths
Capabilities
▪ The Malicious User Detection engine is a first layer of defense and a unifying engine
across dedicated F5 solutions. This fast first-layer detection of threats reduces
the need for additional inspections. It also acts as a "super engine" that
combines signals from other F5 engines.
▪ A complete set of deployment options is available that supports all applications
and environments. These options include BIG-IP, NGINX, and Distributed Cloud
for purpose-built, high-performance, flexible, and edge deployments.
▪ The solution supports API security across the full API life cycle and key API
security practices, including API discovery and automatic inventory, support for
differing compliance requirements, and API testing, including during
development to support "shift left" strategies. Some of these capabilities are
direct results of the Heyhack and Wib acquisitions.
▪ The solution offers step-up challenges for detected bots, which adds friction only
as needed based on bot risk. This includes an invisible JavaScript challenge, then
CAPTCHA, and then temporary block.
▪ Distributed Cloud supports customer hybrid, multicloud deployments, which
provides flexibility to support complex, hybrid use cases. The security stack can
be implemented across regional edge (RE) (POPs of the F5 network) or customer
edge (customer private cloud or public cloud environments).
▪ The solution architecture performs essential WAAP protections inline, enriched by
offline advanced security analytics. This blended approach to detection ensures
security efficacy without compromising application performance.
▪ New features have been introduced to streamline security operations. For
example, the solution assists security teams through summaries, technical
insights, and remediation guidance.
▪ WAAP detections are supported through the Threat Intelligence Cloud, which
ensures rapid detection of emerging threats.
▪ Client-side protection is offered as an optional add-on. This offers purpose-built
protection against web skimming attacks such as Magecart.
▪ F5's portfolio includes a specialized Mobile App Security suite as an optional
solution for extending WAAP protections to mobile applications.
▪ The F5 Distributed Cloud supports management through APIs or user interface.
These flexible options allow teams to support shift left initiatives through
integrations with non-security team workflows.
▪ The F5 Distributed Cloud Console provides full integration and centralized
control of security policy across all F5 solutions including NGINX, BIG-IP, and
Distributed Cloud. The approach ensures consistency of protection across all use
cases and application environments.
▪ F5 released BIG-IP Next in October 2023, including the BIG-IP Next LTM and WAF
updates. BIG-IP Next is designed for the cloud, provides hitless upgrades, and
offers a streamlined user interface. It delivers BIG-IP software as a containerized
offering for scalability and cloud deployment.
Strategy
▪ Strong partner training materials are available. Dedicated training materials help
partners go to market faster. F5 has demonstrated strong partner participation
previously and plans to launch additional education and incentive programs.
▪ Partner discounts for Distributed Cloud have been increased. These discounts
help increase partner participation.
▪ F5 has a strong track record in strategic acquisitions, turning point products into
a coherent platform, such as Shape Security, Volterra, Lilac Cloud, Heyhack, and
Wib. These investments also signal to customers a dedication to security.
▪ The F5 strategic road map addresses AI security needs. GenAI is a new threat
vector but also provides customers an opportunity for optimization such as
penetration testing for LLMs.
▪ The company demonstrates attention to regional needs. The flexible
infrastructure is a foundation to support region-specific compliance needs.
▪ Multiple paths for customer engagement are offered such as through customer
conferences, regular advisory council meetings, and ad hoc feature request sites.

Challenges
Capabilities
▪ The F5 CDN is not as easily integrated/turned on as other features. This may limit
adoption or increase TCO; however, customer perception may play a sizable part
of the challenge.
▪ Limited CDN footprint was noted, as fewer POPs cause longer route times/more
hops, which increase latency.
▪ Block pages are not customizable in some circumstances, such as blocks
resulting from the Malicious User Detection engine.
▪ Customers noted a limited ability to query logs with more complex filter options,
such as "OR" logic.

Strategy
▪ The buildout of cloud infrastructure has been slow, and increased cloud scale
would demonstrate a high level of solution performance and reliability to
prospective buyers. F5 notes the regional edges are full capability datacenters
that require longer build cycles. Additional REs are planned in FY25 and FY26.
▪ Some features in the user interface were lacking documentation, such as API
protection, which may hinder time to full value for customers.

Consider F5 When
F5 solutions are oriented toward enterprise and service provider organizations with
demanding, large-scale applications and complex environments. F5 has demonstrated
a long history of delivering high-performance advanced security capabilities to secure
applications and APIs, often through strategic acquisitions of purpose-built point
solutions. By combining these point solutions into a single coherent, flexible platform,
F5 aids enterprises in their digital transformation journeys.

APPENDIX

Reading an IDC MarketScape Graph


For the purposes of this analysis, IDC divided potential key measures for success into
two primary categories: capabilities and strategies.

Positioning on the y-axis reflects the vendor's current capabilities and menu of services
and how well aligned the vendor is to customer needs. The capabilities category
focuses on the capabilities of the company and product today, here and now. Under
this category, IDC analysts will look at how well a vendor is building/delivering
capabilities that enable it to execute its chosen strategy in the market.

Positioning on the x-axis, or strategies axis, indicates how well the vendor's future
strategy aligns with what customers will require in three to five years. The strategies
category focuses on high-level decisions and underlying assumptions about offerings,
customer segments, and business and go-to-market plans for the next three to five
years.

The size of the individual vendor markers in the IDC MarketScape represents the
market share of each individual vendor within the specific market segment being
assessed.

For each specific criterion, vendors were evaluated on a one-to-five scale, with three
considered the baseline that indicates an average assessment, five representing the
best and rarest assessment, and one being the lowest and similarly rare. The
criteria were then weighted based on analyst perspective and understanding of general
market trends to best inform IT buyer decision-making. Evaluations for each criterion
were also weighted between a "quantitative" assessment and a "qualitative" assessment,
as was most appropriate and relevant to the specific criterion.

Figure 1 provides a visual representation of several factors that are translated into a
positioning along each axis. Existing product-specific features and functionality are an
important component of the "capabilities" axis, but many more factors are considered
as well. Similarly, the "strategies" axis heavily considers the vendor's plans for future
product developments. However, several factors are also considered including the
strength of the overall business and go-to-market plans. These factors may have a long-
term impact on the solution, and IDC has adjusted the weights of these criteria
accordingly. Overall, several factors go into each vendor assessment, and readers are
advised to consider Figure 1 in the context provided in the vendor profiles.

IDC MarketScape Methodology


IDC MarketScape criteria selection, weightings, and vendor scores represent well-
researched IDC judgment about the market and specific vendors. IDC analysts tailor the
range of standard characteristics by which vendors are measured through structured
discussions, surveys, and interviews with market leaders, participants, and end users.
Market weightings are based on user interviews, buyer surveys, and the input of IDC
experts in each market. IDC analysts base individual vendor scores, and ultimately
vendor positions on the IDC MarketScape, on detailed surveys and interviews with the
vendors, publicly available information, and end-user experiences in an effort to
provide an accurate and consistent assessment of each vendor's characteristics,
behavior, and capability.

Market Definition
WAAP is a converged security solution for active application protection with WAF at its
core. WAAP solutions combine multiple functions into a unified security platform
including WAF, bot management, API security, DDoS mitigation, and other security
technologies. However, WAF is considered foundational and must be an integral
component to be considered as WAAP. Furthermore, one-off sales of WAAP
components as standalone solutions will not be counted as WAAP.

Essential WAAP Components


Web Application Firewall
WAF products monitor, filter, or block communications in transit to and from a web
application. A WAF can be either network based or cloud based and is often deployed
through a proxy in front of one or more web applications. WAF is the core component
of a WAAP solution.

API Security
API security solutions are specifically designed to protect API communications against
misuse, abuse, and exploits. These solutions provide essential capabilities, in part or in
whole, such as API schema ingestion, validation, and enforcement; dynamic and
adaptive traffic monitoring and pattern analysis; and detection/prevention of threats
such as malware, exploits, code injection, bots, DDoS attacks, fraud, and abuse.

Some API protection capabilities may be included in a WAAP offering by default, such as
inspections of API traffic that can be completed at the same inspection point as a WAF.
However, a full API security deployment may require additional sensors and
components to ensure visibility and inventory of all API endpoints and ultimately,
protection of all API communications.
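The schema ingestion, validation and enforcement described above, together with the API discovery and inventory capability mentioned in the F5 strengths, in one added example (not from the IDC report or any vendor's product). The spec is a hand-built subset of OpenAPI 3 (paths, methods, parameters, requestBody), and the sample requests are constructed. Requests that match a documented path are validated against it; requests to paths the schema does not know are not rejected as attacks but reported as "shadow" endpoints, which is what an inventory is built from.

```python
"""Positive-security enforcement of an API schema plus shadow-endpoint
discovery. Added example; not from the IDC report or any vendor product.
API_SPEC is a hand-built subset of OpenAPI 3; SAMPLE_REQUESTS are constructed."""

import re
from collections import Counter

# Constructed schema: what the API is documented to accept.
API_SPEC = {
    "paths": {
        "/orders": {
            "post": {"requestBody": {"required": ["sku", "qty"],
                                     "properties": {"sku": "string", "qty": "integer"}}},
            "get": {"parameters": [{"name": "page", "in": "query",
                                    "schema": "integer", "required": False}]},
        },
        "/orders/{orderId}": {
            "get": {"parameters": [{"name": "orderId", "in": "path",
                                    "schema": "integer", "required": True}]},
        },
    }
}

# JSON body values arrive typed; bool is excluded because it subclasses int.
TYPE_CHECKS = {
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
}


def _compile_path(template: str) -> re.Pattern:
    """/orders/{orderId} -> ^/orders/(?P<orderId>[^/]+)$"""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def _coerce(raw: str, schema: str):
    """Path and query values arrive as strings; return the typed value, or
    None when the string cannot be the declared type."""
    if schema == "integer":
        return int(raw) if re.fullmatch(r"-?\d+", raw) else None
    return raw


def validate_request(spec, method, path, query=None, body=None):
    """Return ("allow", []), ("deny", [reasons]) or ("shadow", [reason]).
    'shadow' marks traffic to endpoints absent from the schema: raw material
    for API discovery and inventory rather than a signature hit."""
    query = query or {}
    for template, methods in spec["paths"].items():
        m = _compile_path(template).match(path)
        if not m:
            continue
        op = methods.get(method.lower())
        if op is None:
            return "deny", [f"method {method} not defined for {template}"]
        reasons = []
        params = op.get("parameters", [])
        for p in params:
            source = m.groupdict() if p["in"] == "path" else query
            if p["name"] not in source:
                if p.get("required"):
                    reasons.append(f"missing {p['in']} parameter {p['name']}")
                continue
            if _coerce(source[p["name"]], p["schema"]) is None:
                reasons.append(f"{p['in']} parameter {p['name']} is not {p['schema']}")
        declared_query = {p["name"] for p in params if p["in"] == "query"}
        reasons += [f"undeclared query parameter {n}" for n in query if n not in declared_query]
        rb = op.get("requestBody")
        if rb:
            if not isinstance(body, dict):
                reasons.append("JSON object body required")
            else:
                reasons += [f"missing body field {f}" for f in rb["required"] if f not in body]
                for field, value in body.items():
                    t = rb["properties"].get(field)
                    if t is None:
                        reasons.append(f"undeclared body field {field}")
                    elif not TYPE_CHECKS[t](value):
                        reasons.append(f"body field {field} is not {t}")
        return ("deny", reasons) if reasons else ("allow", [])
    return "shadow", [f"{method} {path} not in schema"]


def shadow_inventory(spec, requests) -> Counter:
    """Aggregate undocumented endpoints seen in traffic, normalising numeric
    path segments so /users/17 and /users/18 count as one endpoint."""
    seen = Counter()
    for method, path, query, body in requests:
        if validate_request(spec, method, path, query, body)[0] == "shadow":
            seen[(method, re.sub(r"/\d+(?=/|$)", "/{id}", path))] += 1
    return seen


# Constructed traffic sample: (method, path, query, json_body).
SAMPLE_REQUESTS = [
    ("GET", "/orders/1001", {}, None),
    ("GET", "/orders/abc", {}, None),                       # path param wrong type
    ("GET", "/orders", {"page": "2", "debug": "1"}, None),   # undeclared query param
    ("POST", "/orders", {}, {"sku": "A-17", "qty": "3"}),    # body field wrong type
    ("POST", "/orders", {}, {"sku": "A-17", "qty": 3, "price": 1}),  # undeclared field
    ("DELETE", "/orders/1001", {}, None),                    # method not in schema
    ("GET", "/internal/users/17", {}, None),                 # shadow endpoint
    ("GET", "/internal/users/18", {}, None),
]

if __name__ == "__main__":
    for method, path, query, body in SAMPLE_REQUESTS:
        print(method, path, validate_request(API_SPEC, method, path, query, body))
    print("shadow endpoints:", dict(shadow_inventory(API_SPEC, SAMPLE_REQUESTS)))
```

The "undeclared" rejections (the extra query parameter and the extra body field) are the positive-security model at work: anything the schema does not describe is refused, which is what catches mass-assignment and parameter-tampering without a signature for either. The shadow count is the part a WAF at a single inspection point cannot complete on its own, which is why the text notes that full API visibility may need additional sensors.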

Bot Management
Bot management is the practice of ensuring the integrity of online communications by
limiting access to only authentic human users and desirable bot activities under
controlled and approved conditions. Bot management solutions leverage numerous
signals and insights into client, device, browser, user identity, and behavior combined
with advanced analytics to detect the most sophisticated and elusive bots. These
solutions also provide granular categorization and control over the entire bot
ecosystem based on risk profiles, bot types, or for specific bots.

The broader bot management market is inclusive of purpose-built solutions designed
to address the unique security requirements imposed by unwanted bots. Various levels
of integration exist across WAAP solutions. A minimum level of bot detection and
control is typically offered as part of a WAAP solution, with advanced capabilities
offered as an add-on or upgrade subscription.

DDoS Mitigation
The DDoS mitigation market includes solutions that detect and filter distributed denial-
of-service attacks. While DDoS defense features can exist in firewalls, IPS, and other
security products, purpose-built DDoS mitigation solutions are designed to handle the
largest, most complex, and novel attacks. Such products can be on premises or through
the cloud — or a hybrid of the two.

Depending on the nature of the WAAP solution or deployment, various levels of
protection may be included in the solution at no additional cost. Expanded protections
in the form of additional capacity or coverage of specialized attack types may be
offered as an add-on or upgrade subscription.

Extended, Advanced, and Optional Components of WAAP
Client-Side WAF
Client-side WAF (CSWAF) extends application security visibility and control to the scripts
that execute in end users' browsers. CSWAF solutions vary drastically in terms of the
extent of their capabilities. Core capabilities typically include visibility, assessment, and
inventory of scripts and communications. The market is more fragmented in terms of
the advanced security functions offered such as vulnerability detection, encryption,
code obfuscation, anomaly and threat detection, and policy enforcement.

Online Fraud Prevention
Fraud prevention covers a broad range of solutions that work independently or
together to protect digital systems from fraudulent or otherwise unwanted activities.
Online fraud prevention may involve the usage of identity management, strong
authentication, identity proofing solutions, payment fraud protection, transaction fraud
detection, enterprise fraud prevention, and dedicated online fraud prevention
solutions.

As it relates to WAAP, online fraud and abuse prevention capabilities are typically
rooted in bot management capabilities tuned specifically to address the unique
patterns indicative of specific fraudulent activities such as account takeover or new
account fraud (also called fake account fraud). Insights into user identity, client- and
device-level telemetry, and user behavior are required to fully detect fraud and other
actions that indicate abuse of properly functioning applications and APIs. As a result,
significant variance exists between WAAP solutions in their ability to detect fraud, as
well as how these capabilities are packaged and marketed to buyers.

LEARN MORE

Related Research
▪ Web Application and API Security Survey Presentation, 2024 (IDC #US52509324, August 2024)
▪ Identifying and Measuring the Costs of Cyberattacks Targeting Web Applications and APIs (IDC #US52025924, April 2024)
▪ Market Analysis Perspective: Worldwide Active Application Security Market, 2023 (IDC #US51332023, November 2023)
▪ IDC TechBrief: Client-Side WAF (IDC #US51199423, September 2023)
▪ Worldwide Application Protection and Availability Forecast, 2023–2027: Threat Escalation and New Frontiers (IDC #US51178423, September 2023)

▪ Worldwide Application Protection and Availability Market Shares, 2022: Platforms Compete with Emerging Technologies (IDC #US51204923, September 2023)
▪ Tales of the Tape: WAF and API Protection Emerge as Security Essentials (IDC #US51187923, September 2023)

Synopsis
This IDC study provides an overview of available WAAP solutions on their own merit
while factoring in the advantages of the broader vendor portfolio, strategic and
technical partnerships, intellectual property, acquisitions, total cost of ownership,
customer satisfaction, and competitive differentiators. WAAP is an integrated approach
for enabling secure, performant access to important web applications and related APIs.
The market is rapidly evolving beyond the ability of point products to sufficiently
mitigate risk. As such, there remains a wide range of capabilities and approaches for
security buyers to consider.

"The WAAP market is at a critical juncture as vendors race to protect against the next
generation of online threats while defending against the relentless attacks of the
modern day," according to Christopher Rodriguez, research director for the IDC
Security and Trust team. "At the same time, enterprise buyers are approaching their
WAAP planning in the context of rapidly changing technologies."

ABOUT IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory
services, and events for the information technology, telecommunications, and consumer technology
markets. With more than 1,300 analysts worldwide, IDC offers global, regional, and local expertise on
technology, IT benchmarking and sourcing, and industry opportunities and trends in over 110 countries.
IDC's analysis and insight helps IT professionals, business executives, and the investment community to
make fact-based technology decisions and to achieve their key business objectives. Founded in 1964, IDC
is a wholly owned subsidiary of International Data Group (IDG, Inc.).

Global Headquarters
140 Kendrick Street
Building B
Needham, MA 02494
USA
508.872.8200
Twitter: @IDC
blogs.idc.com
www.idc.com

Copyright and Trademark Notice

This IDC research document was published as part of an IDC continuous intelligence service, providing
written research, analyst interactions, and web conference and conference event proceedings. Visit
www.idc.com to learn more about IDC subscription and consulting services. To view a list of IDC offices
worldwide, visit www.idc.com/about/worldwideoffices. Please contact IDC report sales at
+1.508.988.7988 or www.idc.com/?modal=contact_repsales for information on applying the price of this
document toward the purchase of an IDC service or for information on additional copies or web rights.

Copyright 2024 IDC. Reproduction is forbidden unless authorized. All rights reserved.
