The tweet suggests that bypassing the WAF to exploit XSS (Cross-Site Scripting), or finding CSRF (Cross-Site Request Forgery) vulnerabilities, on the main site is difficult. It stresses the need for thorough reconnaissance and deeper investigation beyond the main site. In other words, security testers should look at less obvious parts of the application, where the WAF may not cover or detect flaws as effectively.
Yes, you need to do recon; most of the main site is hard to bypass the WAF for XSS or find CSRF, so you need to dig deeper.
— Oludare Ezekiel (@OludareEzekiel9) July 11, 2025