Hidden Gaps in WAF Protection are Creating Inconsistent Enterprise Security

WAFs are intended to be the seat belts of application security, an essential safeguard and first line of defense. Yet, in reality, significant portions of the enterprise attack surface remain dangerously unprotected.
Oct. 28, 2025
6 min read

Key Highlights

  • WAF Coverage Is Alarmingly Inconsistent: Over half of cloud assets and nearly two-thirds of non-cloud assets at Global 2000 enterprises lack WAF protection, leaving critical systems exposed.

  • Fragmentation Undermines Security: Many organizations run multiple overlapping WAF solutions—sometimes more than 30—creating complexity, inconsistent policies, and coverage gaps rather than stronger protection.

  • Unified Governance Is Essential: Security leaders must consolidate tools, centralize ownership, and continuously verify coverage to close gaps and ensure consistent, enterprise-wide WAF protection.

While web application firewalls (WAFs) are one of the most basic security protections, they are far less consistent than security practitioners believe. 

As we discuss security operations with security practitioners across multiple industries, one topic of conversation comes up time and again: reliable web application firewall coverage. When asked how confident they are that their assets are covered, the truth is often an uncomfortable one—not nearly as much as most organizations think.

WAFs are intended to be the seat belts of application security, an essential safeguard and first line of defense. Yet, in reality, significant portions of the enterprise attack surface remain dangerously unprotected due to fragmented deployments, organizational silos, and the pervasive challenge of unknown and unmanaged assets.

The myth of comprehensive WAF coverage

In our latest research, we examined over 500,000 internet-facing assets attributed to Forbes Global 2000 enterprises to understand just how often these gaps occur and what kind of risk they represent. The data shows a startling lack of consistency:

  • 52.3% of assets hosted in the cloud were not protected by WAFs.

  • Nearly two out of three assets not hosted in the cloud were also uncovered.

These figures refute the idea that, at large enterprises with mature processes and significant budgets, WAF coverage has matured to the point where gaps are the exception rather than the rule. Instead, they reveal a fractured landscape in which business-critical and customer-facing applications and services remain exposed to common attack patterns that WAFs can block.

The risk of these gaps is not hypothetical. Attackers frequently probe external assets for weaknesses such as injection flaws, credential stuffing opportunities, and outdated components. In many cases, WAFs can serve as a temporary measure to protect systems while patches are deployed or as a longer-term protection against categories of attacks that cannot be eliminated entirely. Without them, enterprises are leaving doors open for adversaries who know how to exploit these opportunities.

It is not just obscure systems that may be targeted. High-value, customer-facing assets are often those that are left vulnerable. Login pages, registration forms, checkout pages, password reset flows are typically the first things an attacker will try to abuse during reconnaissance. Yet nearly four out of ten of these PII-collecting assets in cloud environments lacked WAF protection, and the figure was more than half for off-cloud environments.


Fragmentation: WAF's hidden enemy

The fact that these problems are so common points to a deeper problem, one that goes beyond technology. Enterprises are not underinvesting in WAF solutions. Survey data revealed that the average organization runs roughly a dozen WAF products, with some customers using more than 30 different solutions.

The problem of fragmentation is the result of years of overlapping procurement decisions, regional rollouts, and acquisitions, as well as historically siloed security practices. The outcome is a sprawling and uncoordinated ecosystem of tools that is expensive to operate, difficult to manage, and almost impossible to standardize. Each WAF solution comes with its own policy model, its own configuration requirements, and its own operational idiosyncrasies.

When ownership of WAFs is spread across teams, regions, and vendors, it becomes almost inevitable that some assets will fall through the cracks. In this sense, a profusion of WAF solutions can actually undermine coverage rather than strengthening it.

To gain more insight into the practical security exposure resulting from these gaps, we extended our analysis by conducting manual inspections of the traffic to unprotected systems for a dozen of the world’s most well-known enterprises. These organizations included companies in industries as varied as airlines, retail, financial services, and media.

The findings were notable: popular, high-traffic applications were running without WAF protection, even as flagship applications within the same enterprise were fully protected. These side-by-side inconsistencies show that the challenge is less a lack of technology than a failure to execute it at scale.

The risk is not limited to neglected or low-value systems: in some cases, high-value, customer-facing applications are the ones being left vulnerable.

Closing the gaps: consolidation and continuous verification

For security leaders, this should be a call to action. The long-held belief that WAFs are universally deployed at the enterprise level is no longer tenable. Leaders must verify that protections are in place rather than assuming they are. That begins with a critical examination of the external asset inventory. Leaders must use black-box discovery tools to surface shadow IT and unknown systems before attackers do. 

Once these assets are known, they should be triaged:

  1. Retire any that no longer serve a clear business need.

  2. Prioritize the protection of critical assets.

  3. Treat ongoing inventory and triage as a hygiene practice that will shrink the attack surface and ensure that resources are directed to the right assets.
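As an added example (not part of the original article or of CyCognito's tooling), the following Python script applies the per-hosting coverage metric from the research section and the three triage steps above to a constructed asset inventory; the hostnames, WAF vendor labels and inventory fields are assumptions.

```python
"""Coverage-gap analysis and triage over an external asset inventory.

Assumed inventory schema: host, hosting ("cloud"/"non-cloud"),
waf (vendor label fronting the asset, or None), path_type, in_use.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Path types the article names as the first targets of reconnaissance.
PII_PATH_TYPES = {"login", "registration", "checkout", "password_reset"}


@dataclass
class Asset:
    host: str
    hosting: str            # "cloud" or "non-cloud"
    waf: Optional[str]      # WAF product in front of the asset, or None
    path_type: str          # e.g. "login", "checkout", "static", "api"
    in_use: bool            # False when no owner can name a business need


def coverage_by_hosting(assets):
    """Percentage of assets with no WAF, per hosting type (the headline metric)."""
    total, unprotected = Counter(), Counter()
    for a in assets:
        total[a.hosting] += 1
        if a.waf is None:
            unprotected[a.hosting] += 1
    return {h: round(100 * unprotected[h] / total[h], 1) for h in total}


def waf_vendor_count(assets):
    """Distinct WAF products in use: a simple fragmentation indicator."""
    return len({a.waf for a in assets if a.waf})


def triage(assets):
    """Step 1 retire unused assets; step 2 protect unprotected PII-collecting
    assets first; everything else unprotected goes to the hygiene backlog."""
    unprotected = [a for a in assets if a.in_use and a.waf is None]
    return {
        "retire": [a.host for a in assets if not a.in_use],
        "protect_first": [a.host for a in unprotected if a.path_type in PII_PATH_TYPES],
        "backlog": [a.host for a in unprotected if a.path_type not in PII_PATH_TYPES],
    }


# Constructed sample inventory; hostnames and vendor labels are placeholders.
INVENTORY = [
    Asset("shop.example.com", "cloud", "waf-vendor-a", "checkout", True),
    Asset("login.example.com", "cloud", None, "login", True),
    Asset("legacy-portal.example.com", "non-cloud", None, "login", True),
    Asset("cdn-assets.example.com", "cloud", "waf-vendor-b", "static", True),
    Asset("old-promo.example.com", "non-cloud", None, "static", False),
    Asset("api.example.com", "non-cloud", "waf-vendor-c", "api", True),
]

if __name__ == "__main__":
    print(coverage_by_hosting(INVENTORY), waf_vendor_count(INVENTORY), triage(INVENTORY))
```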

The same agile, continuous approach to asset management and prioritization is also needed to address the organizational fragmentation that has contributed to so many of these gaps. Enterprises must consolidate technologies, simplify ownership, and align policies across teams and regions.

This is not only to reduce cost and complexity but also to achieve consistency. A single, unified operational standard for WAF deployment that is adhered to at scale can make it possible to close coverage gaps systematically rather than relying on ad hoc solutions.

Simplifying and centralizing WAF management and policy enforcement, so it is clear who is responsible for what assets, is the best way to ensure that sensitive and high-value assets are not left exposed simply because they fall outside the purview of a particular team or vendor.

In a broader sense, this speaks to a lesson that applies not only to WAFs but to the entire security ecosystem. Security controls are only as good as the processes and governance frameworks that back them up. Attack surfaces change constantly as new assets are deployed, new services are rolled out, and business priorities evolve. What is covered today may not be tomorrow. In the end, security is not measured by the number of technologies deployed but by the efficacy of their application.

WAFs remain a fundamental part of the application security stack, but only if enterprises recognize the operational realities exposed in this study. By acknowledging the gaps, consolidating fragmented practices, and committing to a process of continuous verification, security leaders can turn inconsistent protection into a coordinated defense.

About the Author

Zohar Venturero

Data Scientist at CyCognito.

Zohar Venturero is a Data Scientist for CyCognito with deep expertise in data analysis and offensive security research, combining rigorous statistical work with real-world security testing.
