I still hold the maybe unpopular opinion that WAF products have done more damage to AppSec than they actually help, more times than not they are used as a “we don’t need to fix it we have WAF” and not as another layer of security approach.
WAF bypass is a daily occurrence