This tweet highlights a key principle in web security: reliance on a Web Application Firewall (WAF) alone is insufficient for full protection. The message "In WAF we (should not) trust" suggests that while WAFs do a good job in filtering malicious traffic, attackers often find ways to bypass them. The tweet points to a resource—a detailed analysis or article—exploring various techniques attackers use to bypass WAFs. The post emphasizes that a blocked alert or message from a WAF doesn't guarantee that the underlying web application is completely safe from attacks. It suggests that security practitioners need to implement additional layers of defense and regularly update their security measures beyond just deploying a WAF.