Web application firewalls bypasses collection and testing tools

How to test, evaluate, compare, and bypass web application and API security solutions like WAF, NGWAF, RASP, and WAAP

Comparison of WAF by Imperva and F5 In Practice

While one is extensively involved in protecting websites from unwanted hassles and hurdles, WAF is a commonly used application security tool. This layer 7 application defense mechanism is preferred because it can keep hassles like file inclusion, SQL injections, cross-site forgery, and cross-site scripting at bay.  

Imperva and F5 are two well-known WAFs. But are they very effective? What is a better alternative? We conducted extensive tests on both of them, and the results are explained in the post.

Imperva and F5 WAF – A Quick Overview

Imperva WAF is a feature-rich web application security product that organizations and individuals can use to protect web applications against a wide range of threats.  It’s offered as a SaaS and Cloud tool with diverse configurations. It works in every ecosystem, which includes AWS, GCP, Azure, and on-premises. 

Imperva works on active & legacy applications, 3rd party applications, APIs, microservices, containers, VMs, and cloud applications. 

F5 is a leading applications security service provider offering many tools and solutions. It does offer a cutting-edge WAF that you can use in any environment to protect API, data, and applications. It provides powerful in-browser encryption, API protocol security, and proactive bot defense. You can get this WAF as software, public cloud, a service, and as hardware.

From this overview, they both look more or less the same. However, these two have different functionalities that we tested using GoTestWAF.  Have a look at our detailed analysis.

Imperva v/s F5 WAF – Finding The Best With GoTestWAF

Offered by Wallarm end-to-end API security platform, GoTestWAF is a feature-rich and cutting-edge WAF testing tool that you can use to test WAF performance in real-time. We used the tool for the F5 and Imperva WAF test, and here are our findings.

Overall Grade 

Even though both the WAFs secured F as an overall grade, their scores differ. For instance,  F5 scored 43 out of 100.  The results of the test site where WAF by F5 is deployed in the screenshot below

F5 screenshot of report

Imperva’s score was 30.3 out of 100. We also tested Imperva WAF on a site where such protection is deployed.

Imperva screenshot of report


Imperva claims to have over 90% accuracy, but it disappointed us greatly, as it failed to block zero false positive requests. During the test, 216 false positive requests were identified as bypassed by Imperva WAF.

Imperva screenshot of report 2

F5 wasn’t so good, as it also allowed 216 false positive requests. As far as True-positives are concerned, F5 is again disappointed with a 0% success rate. But Imperva was wonderful – with a 100% success rate.

F5 screenshot of report 2

Application Security 

Imperva WAF managed to score a D+ grade on this front as it managed to block nearly 60% of applications’ security threats. Sadly, F5’s performance was way below the standard as it only blocked 29% AppSec threats and scored an F grade.

Imperva API protection was not available at the time of testing. F5 could block 100% of SQL Injection requests, CTRL Injection requests, 64KB SQL Injection requests, and many other requests.

Imperva screenshot of report 3

Comparing Imperva & F5 with Wallarm’s WAF

Considering the analysis, we were able to figure out that Imperva WAF is great for its accuracy. Still, we were not able to track its API security viability. On the contrary, F5 WAF offered everything for testing, which is a sign that all of its features work.  

To conclude, they both are of moderate quality only.

You need to have an advanced WAF for dependable application security like Wallarm WAF. 

We used GoTestWAF to check the efficacy of this tool on a site with deployed Wallarm protection. The results were amazing, as the overall score of Wallarm WAF was A-.

Wallarm screenshot of report

Its performance in protecting APIs is wonderful.

Wallarm screenshot of report 2

The tool, GoTestWAF, was amazing as it helped us to test every key aspect concerning WAF. Try it for every web application firewall you’re going to use and check its real-time viability. 

%d bloggers like this: