Web application firewalls bypasses collection and testing tools

How to test, evaluate, compare, and bypass web application and API security solutions like WAF, NGWAF, RASP, and WAAP

Comparison of “Kona Site Defender” By Akamai and Cloudflare WAF In Practice

When nearly 45% of cyberattacks involve web applications, it’s not wise to ignore the importance of web application security. WAF is one of the most recommended and preferred ways to protect web applications. The use of WAF in safeguarding web apps has increased so much that the global WAF market is likely to touch the mark of $8.06B in 2026.

While the market is filled with multiple WAF solutions, not everyone has the tendency to protect your web apps with adequate protection. We closely compared the two most common WAF tools, Akamai and Cloudflare WAF, to find out their real-time viability. Interested to know the result? Scroll down. 

Overview 

Akamai is a leading security solution provider, and its feature-rich WAF is Kone Site Defender. As claimed, it’s a next-level WAAP solution with powerful app and API protection. 

With features like dynamic adaptive, self-adaptive, API discovery, actionable insights, and many more, Akamai’s Lone Site Defender claims to offer best-of-breed security features. 

On the other hand, we have Cloudflare WAF. It claims to provide fully managed rules to prevent zero-day vulnerabilities and OWASP Top 10 threats. It asks for the least possible configuration and setup while protecting web applications against the threats like account takeover, SQL injection, and XSS attacks. 

The Reality 

While the claims from both these WAFs sound very promising, the reality is very different. During our Cloudflare test and inspection of Akamai, we learned about bypassing incidents. 

Yes, many notorious threat actions have managed to bypass Cloudflare nearly 392 times. This is a huge number.

Akamai bypass has also happened. Even though the bypassing incidences are not as high as Cloudflare, they do exist. 

We figured out that there are 131 Akamai bypass incidents. These bypassing statistics made one thing very clear: Akamai and Cloudflare are not as effective as they seem or claim. To know more about the efficacy of these WAFs, we carried out an extensive test using GoTestWAF. 

Akamai vs Cloudflare

Akamai v/s Cloudflare – Who Wins The Battle 

Let’s discuss the test results of these two WAFs using GoTestWAF. 

Akamai Test Results

  • GoTestWAF version: v0.3.1-286-g554f4d1
  • Overall Grade: F
  • Score: 55.5/100
  • Total requests sent: 1413
  • Number of blocked requests: 788
  • Number of passed requests: 620

Akamai scored A+ in the True-positive test as it blocked 98.6% of requests. In application security, its score is B-.

Akamai report

API security test of Akamai revealed that it blocked 100% of REST requests. But, only 10% of GraphQL requests are blocked.

akamai api security test report

Cloudflare Test Result

  • GoTestWAF version: v0.3.1-286-g554f4d1
  • Overall Grade: F
  • Score: 52.2 out of 100 
  • Total requests sent: 1413 
  • Number of blocked requests: 605 
  • Number of passed requests: 788 

As we tested Akamai with GoTestWAF, we figured out that it hardly managed to block the true-negative requests at both API security and application security fronts. When true-positive tests were concerned, we were only able to track application security, and the results were outstanding as it blocked 100% of requests. 

Cloudflare test report

We tested the API security of Akamai with GoTestWAF. gRPC APIs were not available for testing. But, we managed to get results for GraphQL, SOAP and REST. The results are here. 

Cloudflare API security test report

In the application security test, we figured out that Akamai blocked 100% of SQL injection and XSS requests.

From the above test results, we figured out that both these WAFs failed to impress us. We also tested Wallarm WAF and its results were amazing. Give it a try.

wallarm test report example

Final Say

GoTestWAF is a great tool to try, as it will help you find out the real-time viability of your WAF. It’s easy to use and provides accurate results. Use it to test other WAFs and make sure that you always have the best help by your side.