Scribd
Upload
71 views

IDC MarketScape: Worldwide Web Application and API - Akamai

Uploaded by

Daniel L
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
71 views

IDC MarketScape: Worldwide Web Application and API - Akamai

Uploaded by

Daniel L
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

IDC MarketScape

IDC MarketScape: Worldwide Web Application and API


Protection Enterprise Platforms 2024 Vendor Assessment
Christopher Rodriguez

THIS IDC MARKETSCAPE EXCERPT FEATURES AKAMAI

IDC MARKETSCAPE FIGURE

FIGURE 1

IDC MarketScape Worldwide Web Application and API Protection Enterprise


Platforms Vendor Assessment

Source: IDC, 2024

September 2024, IDC #US51795524e


See the Appendix for detailed methodology, market definition, and scoring criteria.

IN THIS EXCERPT

The content for this excerpt was taken directly from IDC MarketScape: Worldwide Web
Application and API Protection Enterprise Platforms 2024 Vendor Assessment (Doc #
US51795524). All or parts of the following sections are included in this excerpt: IDC
Opinion, IDC MarketScape Vendor Inclusion Criteria, Essential Guidance, Vendor
Summary Profile, Appendix and Learn More. Also included is Figure 1 and 2.

IDC OPINION
Web applications are foundational components of the modern digital business,
providing the functionality required to interact with customers and prospects, partners
and guests, and employees and contractors. Attackers continually probe these
applications and related application programming interfaces (APIs) for opportunities to
steal data, gain illicit access, or defraud businesses for personal illicit gain. Attacks
targeting web applications and APIs have led to high-profile data breaches, costly
downtime, and real-world impacts including theft. End users and customers often bear
the brunt of the impact through financial losses. Eventually, this can result in a loss of
customer trust and less willingness to conduct business online.

Online cybercrime is more than a mere nuisance. It has the potential to degrade and
disrupt business results. Over the years, businesses have adopted numerous security
tools to address the steady stream of new threat tactics and expanding attack surfaces.
Web application firewall (WAF) offers a foundational level of protection against known
and emerging application layer exploits. Enterprises have layered in numerous
specialized solutions such as DDoS mitigation, bot management, and more recently, API
security.

Web application and API protection (WAAP) combines these essential security
technologies into an integrated, coherent platform to ensure a reliable level of
protection against vast online threats. Consolidated, integrated platforms help reduce
security gaps, reduce management complexity, and provide streamlined inspections.
IDC research shows that 77% of businesses rate integration between security solutions
as "important" or of "critical importance." Applications face an array of threats each
day, and attackers intentionally leverage multiple tactics to identify weaknesses in the
defenses. As a result, application security strategies that focus on specialized security
silos are set up for eventual failure. Security convergence and consolidation are a
critical step for enabling a stronger security posture, whether through improved

©2024 IDC #US51795524e 2


detection accuracy or decreased false positives or reliable detection of advanced and
zero-day threats.

However, convergence yields many business benefits as well, such as reduced time and
resources required for deployment and management, improved user experience, and
improved analytics. In addition, performing all security functionalities in one service
reduces the latency introduced by routing traffic to multiple security inspection points.

Simultaneously, businesses must take a measured approach in adopting the full


breadth of application protection technologies gradually, as needed, or as time and
resources permit. For customers, a modular, integrated platform for implementing
WAAP easily over time is essential. For vendors, the challenge is to identify the precise
mixture of integrated capabilities across core security functional areas that should be
included at various product tiers.

While WAF is a foundational component, modern application protection is impossible


without a coherent API strategy. APIs now play a major role in the modern digital
business era, providing a streamlined and efficient process for integrating applications
to deliver powerful, net-new functionality. However, APIs change the attack surface in
new ways. APIs are vulnerable to misconfigurations, sensitive data exposure, and
denial-of-service attacks. Importantly, while APIs are vulnerable to many of the same
attacks that target user interfaces, they also introduce API-specific threats such as
broken object-level authorization (BOLA). APIs also provide a means for application-to-
application communications that may not cross a perimeter protection solution such as
WAF. This can result in a security blind spot that attackers can exploit to move laterally,
behind network-based defenses.

The combination of WAF and API security is critical to ensure complete coverage of web
applications across all interfaces and attack surfaces. The WAAP value proposition is
rounded out by technologies designed to address specialized threat types such as
DDoS attacks and unwanted bot activities. These threats vary widely in terms of ease of
detection, difficulty of mitigation, frequency of occurrence, and severity of impact.
Ultimately, a complete application protection stack requires WAF and API security,
DDoS mitigation, and bot management. However, the unique technical requirements of
APIs and specialized requirements of DDoS attacks and bot activities mean that the
evolution toward WAAP is a long winding journey.

©2024 IDC #US51795524e 3


IDC MARKETSCAPE VENDOR INCLUSION CRITERIA
WAAP is a converged security solution for active application protection with WAF at its
core. IDC has identified key attributes discussed in this section that must be present in
the solution considered to qualify for inclusion in this IDC MarketScape analysis for
WAAP enterprise platforms.

Vendors must offer a converged WAAP solution that combines two more of the
following into a unified security platform:

▪ API security
▪ Bot management
▪ DDoS mitigation
▪ Web application firewall
Note that WAF is considered foundational and must be included to be considered as
WAAP. Furthermore, one-off sales of WAAP components as standalone solutions will
not be counted as WAAP.

In addition, this IDC MarketScape analysis includes the following requirements for
market participation and presence:

▪ Market participation: The vendor offered critical WAAP functions as a unified


solution as of 2023. Specific core or extended functionality may be offered as
part of a different bundle or platform, or as standalone solutions, as long as the
functions were not only offered as standalone or separate products. See the
Market Definition section for a full, detailed description of required and optional
functionality.
▪ Market representation: The vendor achieved a minimum established share of
revenue in the WAAP competitive market in 2023, as confirmed in IDC's Security
Products Tracker.
▪ Global presence: The vendor has a minimum distribution of revenue across
each major global region including North America, Latin America, EMEA, and
Asia/Pacific as of 2024 and as confirmed in IDC's Security Products Tracker.
IDC notes that some cloud and security providers that offer components of a WAAP
were not included in the analysis due to a point product focus instead of an integrated
WAAP approach. Similarly, some vendors that offer WAAP did not reach the minimum
market representation or global presence requirements.

©2024 IDC #US51795524e 4


ADVICE FOR TECHNOLOGY BUYERS

Key Considerations for Vendor Capabilities


The IDC MarketScape analysis for WAAP enterprise platforms factors in a common level
of protection required and expected by IT buyers, as well as extent of integration, ease
of use, adjacent professional and managed services, and total cost of ownership. At the
enterprise level, a WAAP must deliver excellent protection, reduce the performance
impact of security, and add minimal friction into the end-user experience. The analysis
also emphasizes the primary goal of WAAP, which is to combine multiple essential
security technologies into a single integrated, coherent platform. Extensibility and
offering of multiple pricing models are also required to enable WAAP adoption in a
manner that best supports the needs for consistent protection against vast online
threats along with the need for business value.

User expectations continue to climb. Businesses continue embracing emerging


technologies to deliver innovative, delightful user experiences. Applications are only
becoming increasingly reliant on complex, distributed infrastructure. DevOps teams are
working faster and smarter to race new functionality to market. Businesses may want
to assign extra consideration to specialized product- and feature-specific capabilities
that may or may not be offered by vendors natively, included in the solution by default,
or through other means such as first-party add-on functionality or separate products or
through third-party OEM or technical integrations. Furthermore:

▪ Client-side WAF: Client-side WAF, also called client-side protection, is an


emerging security technology designed to address a specialized threat vector —
the web application code that runs on end-user devices. This code includes
scripts that execute in the browser to perform various functions on the device
rather than at the web server.
▪ Fraud/abuse prevention: Online fraud and abuse prevention capabilities are
typically rooted in bot management capabilities tuned specifically to address the
unique patterns indicative of specific fraudulent activities such as account
takeover or new account fraud (also called fake account fraud). Insights into user
identity, client- and device-level telemetry, and user behavior are required to fully
detect fraud and other actions that indicate abuse of properly functioning
applications and APIs. As a result, significant variance exists between WAAP
solutions in their ability to detect fraud, as well as how these capabilities are
packaged and marketed to buyers.
▪ Residential proxies: WAAP solutions vary in their ability to detect attackers that
hide behind residential proxies or other obfuscation methods such as IP
rotation.

©2024 IDC #US51795524e 5


▪ WebSockets: It involves support for applications that utilize WebSockets, a
protocol that enables real-time communications over a full duplex connection.
Support for WebSockets is increasingly important as online users expect
interactive, real-time applications.
▪ WebAssembly (WASM): It is a low-level language that provides portable binary
code format. The primary benefit of WASM to date has been the ability to easily
support a wide array of development languages. The importance of WASM
support in WAAP increases as adoption increases.
▪ Runtime application self-protection (RASP): RASP is an advanced security
capability that protects the application runtime environment and monitors data
inputs to identify, detect, and block attacks. RASP may be a useful option for
deep application security, if expectations for deployment complexity and
performance impact are properly understood.
▪ Private access tokens (PATs): Apple and other technology companies have
increased their attention to end-user privacy, offering methods that attest to the
authenticity and trustworthiness of access requesting devices, without exposing
personally identifiable details. WAAP support for Apple PAT may help reduce
reliance on CAPTCHAs or other bot detection techniques that introduce friction
or uncertainty into the user experience. Apple PAT is part of a broader industry
push toward privacy preserving technologies that allow sharing and processing
of user data to select parties without exposure of sensitive PII.
▪ Automation: Automatic implementation of updates improves ease of use and
adds business value.
▪ Simulation testing: It allows for the testing of rule updates prior to
implementation to production. Simulation testing is most effective when it can
be performed on real-world traffic.
▪ eBPF: eBPF is a Linux feature that allows sandboxed programs to run in the
operating system kernel, which has strong implications for improving security
observability, particularly in cloud-native environments.

Strategy Considerations
In addition, given the rapidly evolving nature of web application and API technologies,
shifting business practices, and a constant level of adaptation and innovation by threat
actors, security buyers should be highly aware of the solution's ability to meet their
needs over the next three to five years. Furthermore:

▪ Detection obfuscation: Cybercriminals are increasingly brazen in their efforts to


steal data and products, commit fraud, and harass or extort companies. The
sophisticated tools and clever tactics are typically reserved for the lucrative
targets. When security companies identify and block attacks, cybercriminals then

©2024 IDC #US51795524e 6


begin a process of adaptation. WAAP providers should invest significantly in
concealing the nature of the detections to ensure the longevity of their mitigation
efforts. Furthermore, the most productive strategies prevent attackers from
understanding when they have been detected to drain their resources. Advanced
bot and fraud mitigations have been noted including the usage of deception
technologies to prevent attackers from closing the loop on the cyberweapon
development process.
▪ Platformization: Industries are being reshaped by platforms that reduce
complexity, delivering specialized functionality through a simple user interface
that abstracts away the need for original technical development. For example,
Shopify is an ecommerce platform that simplifies the process of establishing a
new online business. Functions such as customer information, inventory, and
payment processing are offered as a complete, turnkey SaaS. Security, including
basic WAF and DDoS protections, is included as built-in functionality of the
platform. This will change buyer needs and expectations for WAAP solutions, and
for vendors, strategic adaptations will be required.
▪ "Shift left" strategies: The need to implement security testing and practices
earlier in the software development life cycle is not new. Detection of
vulnerabilities prior to release in production prevents attackers from ever having
an opportunity to discover and exploit the vulnerability. Early detection and
correction are also more efficient and cost-effective. However, in recent years,
the concept of shift left has emerged, which achieves these ideals through
integration of traditional post-production tools into developer tooling and
workflows. For example, the usage of APIs to invoke dynamic application security
testing (DAST) enables DevOps to find and correct threats quickly and easily.
Moreover, as DevOps teams work faster and utilize microservices, composable
code, infrastructure as code (IaC), and other means to shorten development
cycles, the need to support "shift left" strategies is becoming unavoidable.
▪ Changing personas: Platformization trends, "shift left" strategies, and a general
increase in security-aware culture (everyone is responsible for security) are
driving a shift in buyers and decision-makers. Developers, cloud and networking
teams, and even line-of-business buyers are involved in the WAAP buying
process. WAAP vendors must increasingly invest in simplification, automation,
strong out-of-the-box protection, and market education to better support a wide
audience of buyers and decision makers.
▪ GenAI: The introduction of GenAI raised concerns about the potential new risks
that the technology may introduce into business environments. IDC buyer
research found that organizations are considering the need to increase
application security budgets as a result. WAAP vendors vary widely in terms of

©2024 IDC #US51795524e 7


their attention and planning for potential GenAI-related risks across multiple
factors such as:
▪ Potential new threats that leverage GenAI to evade defenses more effectively
▪ Possible applications for emerging technologies (e.g., GenAI to mitigate bot
activities, tarpit, slow, or sabotage bot operations)
▪ The possible need to deploy specialized features or products, or the
possibility to rely on existing defenses, as businesses built out LLM
capabilities, or leverage third-party LLMs, in their application strategies
▪ Potential applications for GenAI in improving security operations efficiency
and productivity
▪ Potential applications for AI to improve security detection
Overall, despite the vast breadth of functionality required and implied in the definition
of WAAP, IDC noted a high level of capabilities in the solutions considered in this IDC
MarketScape. The definition of WAAP is expected to continue to change, given
emerging technologies and changing threats. There remains room for improvement in
some functional areas, and vendors have extensive road maps outlined. While
specialized point products may be required in certain use cases, or for exceptional
requirements, WAAP vendors have made great strides on the path toward complete,
powerful platforms with deep functionality required to ensure strong application
protection and performance.

VENDOR SUMMARY PROFILE


This section briefly explains IDC's key observations resulting in a vendor's position in
the IDC MarketScape. While every vendor is evaluated against each of the criteria
outlined in the Appendix, the description here provides a summary of the vendor's
strengths and challenges.

Akamai
Akamai is a Leader in this 2024 IDC MarketScape for worldwide WAAP enterprise
platforms.

Akamai is a worldwide provider of networking and security delivered from the Akamai
Connected Cloud, a distributed edge and cloud platform, that puts applications and
experiences closer to users and keeps threats farther away. Akamai has specialized in
the enterprise market with strong penetration in the Fortune 500. The Akamai security
portfolio includes an integrated WAAP solution called App & API Protector (AAP), as well
as dedicated solutions in the categories of API security, DDoS mitigation, bot
management, account protection, WAF, client-side protection and compliance, DNS,

©2024 IDC #US51795524e 8


and brand protection. Akamai has expanded into enterprise security with solutions for
ZTNA, microsegmentation, DNS firewall, threat hunting, and MFA.

Strengths
Capabilities
▪ Adaptive Security Engine (ASE) provides self-tuning for reliable usage of out-of-
the-box rules. ASE provides better zero-day protection, improves detections (by a
factor of 2x, according to Akamai) and reduces false positives (by a factor of up to
5x, according to Akamai), and enables auto updates for continuous ease of use.
ASE is powered by Akamai security intelligence.
▪ ASE provides false positive flagging for easier/faster remediation of false
positives. Akamai claims over 50% after one day and 75% within a week.
▪ Comprehensive WAAP suite offers a one-stop shopping experience for
simplified/complete security. A single WAAP SKU is available, with add-ons
offered for advanced or specialized functionality.
▪ Extensive add-ons and specialized solutions provide alignment to use case–
specific requirement such as ATO, brand protection, and scraper (hype event)
protection.
▪ Akamai offers a very large-scale edge/CDN infrastructure. Providing protection
near to user ensures performance.
▪ Support for DevOps workflows supports the shift left strategies of enterprise
customers. Support for management and deployment through APIs, CLI, and
Terraform improves security posture without slowing developers.
▪ Existing integrations with related security tooling simplify integration with
broader security architecture for better security outcomes. The solution includes
prebuilt connectors for Splunk, Qradar, and ArcSight.
▪ A multimode approach to API security is offered. The approach delivers
protections for known, on-platform API traffic out of the box and complete API
protection later as needed.
▪ Breadth of additional related capabilities offered along with WAAP ensures
security does not hinder performance. The portfolio includes solutions such as
SiteShield, mPulse Lite, EdgeWorkers, Image & Video Manager, and API
Acceleration.
▪ Akamai recently introduced new capabilities for application layer DDoS
mitigation including short burst detection and customizable rate limiting based
on granular contextual clues. These address the full breadth of DDoS attacks
including the specialized needs of application layer attacks.

©2024 IDC #US51795524e 9


▪ A unified view of security telemetry is included that provides broad security
analysis and visibility, with drilldown capabilities. Web Security Analytics is
included with all application security products.
▪ The evaluation mode provides an opportunity to review effects on rule changes
based on live traffic before implementing changes. This feature allows
implementation of new rules without the risk of an unknown impact on
production traffic.
Strategy
▪ Akamai noted plans for WAAP integration with adjacent security tooling such as
microsegmentation. This will complement security tools and provide defense in
depth.
▪ Akamai is developing strategies for protecting increased LLM usage. The use of
existing tooling for new security practices improves customer value; however,
GenAI-specific protections may still be more specialized.
▪ The company has aggressive plans to expand into edge compute. Options to
secure transactions at the edge may help prevent threats from reaching origin
servers.
▪ Evidence of execution on strategy, especially on API security, was noted. The API
security strategy is nearing completion following the Noname Security and
Neosec acquisitions.
▪ There is strong track record in strategic acquisitions, turning point products such
as Cyberfend, Neosec, Noname Security, and Prolexic into a coherent platform.
Investments are indicators of a dedication to security to customers.
▪ Akamai leverages telemetry to track strategic progress such as usage/acceptance
of policies, auto mode, and mitigation status. This ensures that development
strategies align to customer realities.
▪ Coming origin WAAP addresses limitations of CDN security and secures east–
west traffic, non-CDN traffic, and multicloud environments. This capability is
upcoming with signs of progress being noted.
▪ Multiple paths for customer engagement are offered such as through customer
conferences, regular advisory council meetings, ad hoc processes.

Challenges
Capabilities
▪ AI/ML engines do not allow for easy tuning by customers (i.e., cannot change
order of rules). This may create delays in responding to false positives and
require collaboration with Akamai to resolve. Temporary exceptions and
workarounds are a possible option for navigating rule order complexities.

©2024 IDC #US51795524e 10


▪ Limited form factors such as containers and serverless limit support for
customers that want to control security infrastructure. Currently, support for
Terraform and API-based controls is Akamai's focus for deployment and
automation.
▪ Akamai's WAAP is priced as a premium product, which can be prohibitive to
business decision-makers. However, Akamai pricing options include Zero
Overhead Fixed Fee (ZOFF) protection, request-based pricing, and the DDoS
Protection Fee that includes zero overage for traffic surges due to DDoS
activities.
▪ gRPC is not supported, which may be preferred in specialized use cases or
specific industries.
Strategy
▪ Specialized, optional capabilities and add-ons may present extra costs, which can
increase total cost of ownership (TCO) and prevent full deployments. Traffic that
is off the CDN (e.g., API gateway traffic) is an added cost.
▪ The product development strategy for WAAP currently includes nominal cross-
pollination with the Akamai Enterprise Application Access (EAA) zero trust
solution. Web applications offer a means to enable workplace transformation,
and increased integration between product lines is key to support the full
breadth of secure access use cases.
▪ Multiple solutions (e.g., Account Protector, Brand Protector, and Content
Protector) results in a fragmented fraud strategy, which may increase messaging
complexity.

Consider Akamai When


Akamai offers a robust set of delivery, performance, and security capabilities,
integrated to be implemented as one coherent service. Akamai licenses advanced and
specialized capabilities as optional add-ons. The strategy allows businesses to invest in
the tailored solution that will better meet their security and delivery needs. Overall, the
Akamai WAAP solution addresses the breadth of security, availability, integrity, and
compliance requirements for large-scale, modern digital businesses.

APPENDIX

Reading an IDC MarketScape Graph


For the purposes of this analysis, IDC divided potential key measures for success into
two primary categories: capabilities and strategies.

©2024 IDC #US51795524e 11


Positioning on the y-axis reflects the vendor's current capabilities and menu of services
and how well aligned the vendor is to customer needs. The capabilities category
focuses on the capabilities of the company and product today, here and now. Under
this category, IDC analysts will look at how well a vendor is building/delivering
capabilities that enable it to execute its chosen strategy in the market.

Positioning on the x-axis, or strategies axis, indicates how well the vendor's future
strategy aligns with what customers will require in three to five years. The strategies
category focuses on high-level decisions and underlying assumptions about offerings,
customer segments, and business and go-to-market plans for the next three to five
years.

The size of the individual vendor markers in the IDC MarketScape represents the
market share of each individual vendor within the specific market segment being
assessed.

For each specific criteria, vendors were evaluated on a one to five scale, with three
considered the baseline that indicates an average assessment, five representing the
best and rarest assessment, and one being the lowest and also similarly rare. The
criteria were then weighted based on analyst perspective and understanding of general
market trends to best inform IT buyer decision-making. Evaluations for each criterion
was also weighted between a "quantitative" assessment and a "qualitative" assessment,
as was most appropriate and relevant to the specific criterion.

Figure 1 provides a visual representation of several factors that are translated into a
positioning along each axis. Existing product-specific features and functionality are an
important component of the "capabilities" axis, but many more factors are considered
as well. Similarly, the "strategies" axis heavily considers the vendor's plans for future
product developments. However, several factors are also considered including the
strength of the overall business and go-to-market plans. These factors may have a long-
term impact on the solution, and IDC has adjusted the weights of these criteria
accordingly. Overall, several factors go into each vendor assessment, and readers are
advised to consider Figure 1 in the context provided in the vendor profiles.

IDC MarketScape Methodology


IDC MarketScape criteria selection, weightings, and vendor scores represent well-
researched IDC judgment about the market and specific vendors. IDC analysts tailor the
range of standard characteristics by which vendors are measured through structured
discussions, surveys, and interviews with market leaders, participants, and end users.
Market weightings are based on user interviews, buyer surveys, and the input of IDC
experts in each market. IDC analysts base individual vendor scores, and ultimately
vendor positions on the IDC MarketScape, on detailed surveys and interviews with the

©2024 IDC #US51795524e 12


vendors, publicly available information, and end-user experiences in an effort to
provide an accurate and consistent assessment of each vendor's characteristics,
behavior, and capability.

Market Definition
WAAP is a converged security solution for active application protection with WAF at its
core. WAAP solutions combine multiple functions into a unified security platform
including WAF, bot management, API security, DDoS mitigation, and other security
technologies. However, WAF is considered foundational and must be an integral
component to be considered as WAAP. Furthermore, one-off sales of WAAP
components as standalone solutions will not be counted as WAAP.

Essential WAAP Components


Web Application Firewall
WAF products monitor, filter, or block communications in transit to and from a web
application. A WAF can be either network based or cloud based and is often deployed
through a proxy in front of one or more web applications. WAF is the core component
of a WAAP solution.

API Security
API security solutions are specifically designed to protect API communications against
misuse, abuse, and exploits. These solutions provide essential capabilities, in part or in
whole, such as API schema ingestion, validation, and enforcement; dynamic and
adaptive traffic monitoring and pattern analysis; and detection/prevention of threats
such as malware, exploits, code injection, bots, DDoS attacks, fraud, and abuse.

Some API protection capabilities may be included in a WAAP offering by default, such as
inspections of API traffic that can be completed at the same inspection point as a WAF.
However, a full API security deployment may require additional sensors and
components to ensure visibility and inventory of all API endpoints and ultimately,
protection of all API communications.

Bot Management
Bot management is the practice of ensuring the integrity of online communications by
limiting access to only authentic human users and desirable bot activities under
controlled and approved conditions. Bot management solutions leverage numerous
signals and insights into client, device, browser, user identity, and behavior combined
with advanced analytics to detect the most sophisticated and elusive bots. These
solutions also provide granular categorization and control over the entire bot
ecosystem based on risk profiles, bot types, or for specific bots.

©2024 IDC #US51795524e 13


The broader bot management market is inclusive of purpose-built solutions designed
to address the unique security requirements imposed by unwanted bots. Various levels
of integration exist across WAAP solutions. A minimum level of bot detection and
control is typically offered as part of a WAAP solution, with advanced capabilities
offered as an add-on or upgrade subscription.

DDoS Mitigation
The DDoS mitigation market includes solutions that detect and filter distributed denial-
of-service attacks. While DDoS defense features can exist in firewalls, IPS, and other
security products, purpose-built DDoS mitigation solutions are designed to handle the
largest, most complex, and novel attacks. Such products can be on premises or through
the cloud — or a hybrid of the two.

Depending on the nature of the WAAP solution or deployment, various levels of


protection may be included freely in the solution. Expanded protections in the form of
additional capacity or coverage of specialized attack types may be offered as an add-on
or upgrade subscription.

Extended, Advanced, and Optional Components of WAAP


Client-Side WAF
Client-side WAF (CSWAF) extends application security visibility and control to the scripts
that execute in end users' browsers. CSWAF solutions vary drastically in terms of the
extent of their capabilities. Core capabilities typically include visibility, assessment, and
inventory of scripts and communications. The market is more fragmented in terms of
the advanced security functions offered such as vulnerability detection, encryption,
code obfuscation, anomaly and threat detection, and policy enforcement.

Online Fraud Prevention


Fraud prevention covers a broad range of solutions that work independently or
together to protect digital systems from fraudulent or otherwise unwanted activities.
Online fraud prevention may involve the usage of identity management, strong
authentication, identity proofing solutions, payment fraud protection, transaction fraud
detection, enterprise fraud prevention, and dedicated online fraud prevention
solutions.

As it relates to WAAP, online fraud and abuse prevention capabilities are typically
rooted in bot management capabilities tuned specifically to address the unique
patterns indicative of specific fraudulent activities such as account takeover or new
account fraud (also called fake account fraud). Insights into user identity, client- and
device-level telemetry, and user behavior are required to fully detect fraud and other

©2024 IDC #US51795524e 14


actions that indicate abuse of properly functioning applications and APIs. As a result,
significant variance exists between WAAP solutions in their ability to detect fraud, as
well as how these capabilities are packaged and marketed to buyers.

LEARN MORE

Related Research
▪ Web Application and API Security Survey Presentation, 2024 (IDC #US52509324,
August 2024)
▪ Identifying and Measuring the Costs of Cyberattacks Targeting Web Applications and
APIs (IDC #US52025924, April 2024)
▪ Market Analysis Perspective: Worldwide Active Application Security Market, 2023 (IDC
#US51332023, November 2023)
▪ IDC TechBrief: Client-Side WAF (IDC #US51199423, September 2023)
▪ Worldwide Application Protection and Availability Forecast, 2023–2027: Threat
Escalation and New Frontiers (IDC #US51178423, September 2023)
▪ Worldwide Application Protection and Availability Market Shares, 2022: Platforms
Compete with Emerging Technologies (IDC #US51204923, September 2023)
▪ Tales of the Tape: WAF and API Protection Emerge as Security Essentials (IDC
#US51187923, September 2023)

Synopsis
This IDC study provides an overview of available WAAP solutions on their own merit
while factoring in the advantages of the broader vendor portfolio, strategic and
technical partnerships, intellectual property, acquisitions, total cost of ownership,
customer satisfaction, and competitive differentiators. WAAP is an integrated approach
for enabling secure, performant access to important web applications and related APIs.
The market is rapidly evolving beyond the ability of point products to sufficiently
mitigate risk. As such, there remains a wide range of capabilities and approaches for
security buyers to consider.

"The WAAP market is at a critical juncture as vendors race to protect against the next
generation of online threats while defending against the relentless attacks of the
modern day," according to Christopher Rodriguez, research director for the IDC
Security and Trust team. "At the same time, enterprise buyers are approaching their
WAAP planning in the context of rapidly changing technologies."

©2024 IDC #US51795524e 15


ABOUT IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory
services, and events for the information technology, telecommunications, and consumer technology
markets. With more than 1,300 analysts worldwide, IDC offers global, regional, and local expertise on
technology, IT benchmarking and sourcing, and industry opportunities and trends in over 110 countries.
IDC's analysis and insight helps IT professionals, business executives, and the investment community to
make fact-based technology decisions and to achieve their key business objectives. Founded in 1964, IDC
is a wholly owned subsidiary of International Data Group (IDG, Inc.).

Global Headquarters
140 Kendrick Street
Building B
Needham, MA 02494
USA
508.872.8200
Twitter: @IDC
blogs.idc.com
www.idc.com

Copyright and Trademark Notice

This IDC research document was published as part of an IDC continuous intelligence service, providing
written research, analyst interactions, and web conference and conference event proceedings. Visit
www.idc.com to learn more about IDC subscription and consulting services. To view a list of IDC offices
worldwide, visit www.idc.com/about/worldwideoffices. Please contact IDC report sales at
+1.508.988.7988 or www.idc.com/?modal=contact_repsales for information on applying the price of this
document toward the purchase of an IDC service or for information on additional copies or web rights.

Copyright 2024 IDC. Reproduction is forbidden unless authorized. All rights reserved.

You might also like