Which WAFs Protect the Fortune 500? We Scanned All 500 to Find Out
We scanned every Fortune 500 company's website to detect which Web Application Firewalls they use. Here's the full breakdown by provider, sector, and company size.
We built a WAF detection tool and pointed it at all 500 Fortune 500 companies. The tool checks HTTP response headers, cookies, DNS CNAME chains, and HTML signatures to identify which WAF (or WAFs) protect each domain.
Here's what we found.
Key Findings
- 90.8% of Fortune 500 companies have detectable WAF or CDN-based protection
- Fastly, Akamai, and Cloudflare are the top three WAF providers, protecting over 90% of companies with a detected WAF
- Amazon CloudFront is the most common CDN layer, present on 47 Fortune 500 sites
- 34% of Fortune 500 companies use multiple WAF/CDN layers
- 46 companies (9.2%) showed no detectable WAF, including Walmart (#1), Apple (#4), and Meta (#22)
- PerimeterX (HUMAN Security) bot protection detected on 4 Fortune 500 sites
Overall Market Share
Here's how WAF providers stack up across all 500 companies. Note that companies can appear under multiple providers — 170 companies use more than one WAF or CDN with WAF capabilities.
| Provider | Type | Companies | Share |
|---|---|---|---|
| Fastly | CDN/WAF | 172 | 34.4% |
| Akamai | CDN/WAF | 145 | 29.0% |
| Cloudflare | CDN/WAF | 134 | 26.8% |
| AWS WAF | Cloud WAF | 61 | 12.2% |
| Amazon CloudFront | CDN | 47 | 9.4% |
| NGINX App Protect | WAF | 37 | 7.4% |
| Azure WAF | Cloud WAF | 30 | 6.0% |
| Imperva | WAF | 26 | 5.2% |
| Vercel Firewall | Edge WAF | 11 | 2.2% |
| F5 BIG-IP | WAF | 9 | 1.8% |
| Google Cloud Armor | Cloud WAF | 8 | 1.6% |
| PerimeterX (HUMAN) | Bot Mgmt | 4 | 0.8% |
| Citrix NetScaler | WAF | 3 | 0.6% |
| ZScaler | SASE/WAF | 3 | 0.6% |
| Distil (HUMAN) | Bot Mgmt | 2 | 0.4% |
| Sucuri | WAF | 2 | 0.4% |
| StackPath | CDN/WAF | 1 | 0.2% |
| OpenResty Lua WAF | WAF | 1 | 0.2% |
Fastly, Akamai, and Cloudflare together account for most detectable WAF deployments. All three are CDN providers with integrated WAF capabilities. Amazon CloudFront (CDN without native WAF rules) is the fourth most common infrastructure layer, often paired with AWS WAF for application-level protection.
Who Uses What? Notable Companies per Provider
Akamai (145 companies)
Akamai dominates among the very largest companies. Their top-tier customers include JPMorgan Chase, Costco, Microsoft, General Motors, Ford, ExxonMobil, CVS Health, and Cardinal Health. Akamai is especially strong in financial services and retail — sectors where they've been embedded for decades.
Cloudflare (134 companies)
Cloudflare has significant presence across the Fortune 500, with customers including Alphabet (Google), Fannie Mae, Freddie Mac, Marathon Petroleum, Morgan Stanley, and Archer Daniels Midland. Cloudflare is particularly popular in the real estate, industrials, and energy sectors.
Fastly (172 companies)
Fastly has the widest adoption, present on 172 Fortune 500 sites. Notable names include Amazon, UnitedHealth Group, Cigna, Chevron, Goldman Sachs, and Phillips 66. Fastly's edge compute capabilities make it attractive for companies serving dynamic content at scale.
AWS WAF (61 companies)
AWS WAF is detected on 61 Fortune 500 sites, often alongside other CDN/WAF layers. Customers include Amazon (naturally), Cigna, Goldman Sachs, Walt Disney, Lockheed Martin, and State Farm Insurance.
Imperva (26 companies)
Imperva shows up at companies like McKesson, PepsiCo, Albertsons, Prudential Financial, and Bristol-Myers Squibb. Imperva tends to appear in healthcare and financial services — industries with strict compliance requirements.
WAF Adoption by Sector
Protection rates vary significantly by industry. Here's the full breakdown:
| Sector | Companies | WAF Detected | Adoption Rate | Top Provider |
|---|---|---|---|---|
| Aerospace & Defense | 8 | 8 | 100% | Fastly |
| Automotive | 8 | 8 | 100% | Akamai / Cloudflare |
| Business Services | 9 | 9 | 100% | Fastly |
| Financials | 36 | 35 | 97% | Akamai |
| Industrials | 41 | 39 | 95% | Cloudflare |
| Food & Agriculture | 17 | 16 | 94% | Fastly |
| Healthcare | 53 | 50 | 94% | Fastly |
| Technology | 95 | 88 | 93% | Akamai |
| Consumer Goods | 28 | 26 | 93% | Fastly |
| Insurance | 24 | 22 | 92% | Akamai |
| Materials | 30 | 27 | 90% | Fastly |
| Utilities | 20 | 18 | 90% | Fastly |
| Retail | 29 | 25 | 86% | Akamai |
| Real Estate | 33 | 28 | 85% | Cloudflare |
| Telecommunications | 10 | 8 | 80% | Akamai |
| Energy | 39 | 30 | 77% | Fastly |
| Transportation | 19 | 14 | 74% | Akamai |
Key Observations
- Aerospace & Defense, Automotive, and Business Services have 100% adoption. No company in these sectors left their website without detectable WAF protection.
- Financials strongly favor Akamai (19 of 36 companies). Long-standing enterprise relationships and compliance requirements drive this.
- Real Estate companies prefer Cloudflare (16 of 33). Likely driven by ease of setup and cost-effectiveness for less traffic-heavy corporate sites.
- Transportation has the lowest adoption at 74%. Several logistics and railway companies have minimal external web presence.
- Energy companies show the most diverse WAF choices, with significant adoption of NGINX App Protect and Imperva alongside the big three.
Does Company Size Affect WAF Choice?
We split the Fortune 500 into rank tiers to see if the biggest companies choose differently than smaller ones.
| Rank Tier | WAF Adoption | #1 Provider | #2 Provider | #3 Provider |
|---|---|---|---|---|
| Top 50 | 90% | Akamai (26) | Fastly (12) | Cloudflare (8) |
| 51–100 | 92% | Akamai (25) | Fastly (10) | AWS WAF (7) |
| 101–200 | 97% | Fastly (37) | Akamai (35) | Cloudflare (24) |
| 201–300 | 88% | Fastly (33) | Akamai (32) | Cloudflare (19) |
| 301–400 | 86% | Fastly (36) | Cloudflare (34) | Akamai (19) |
| 401–500 | 90% | Fastly (44) | Cloudflare (42) | Azure WAF (12) |
Akamai dominates the top 100. These are the biggest, most established companies with the largest web infrastructure. Akamai has been serving enterprises since the late 1990s and it shows.
Further down the list, Cloudflare gains share, overtaking Akamai in the 301–500 range. Cloudflare's lower barrier to entry and developer-friendly setup make it the go-to for companies that aren't locked into legacy CDN contracts.
Fastly stays strong across all tiers, which tracks with their edge computing focus that serves both massive and mid-scale enterprises.
The Multi-WAF Pattern
170 of 500 companies (34%) showed signals from more than one WAF or CDN provider. Some notable examples:
- Lockheed Martin: AWS WAF + Fastly + F5 BIG-IP
- Waste Management: Cloudflare + AWS WAF + Fastly + Vercel Firewall
- Bristol-Myers Squibb: Imperva + AWS WAF + Fastly
- KLA: Cloudflare + Fastly + F5 BIG-IP
Multi-WAF setups are common in enterprises for several reasons:
- Defense in depth. A CDN-level WAF (Fastly, Akamai) handles volumetric attacks, while an application-level WAF (Imperva, F5) handles layer-7 threats closer to the origin.
- Different teams, different choices. Large organizations have multiple web properties managed by different teams who each choose their own stack.
- Migration in progress. Companies switching providers often show both old and new WAF signatures during the transition.
The "No WAF Detected" List
46 Fortune 500 companies showed no detectable WAF protection. Some names that stand out:
- Walmart (#1)
- Apple (#4)
- Meta (#22)
- Netflix (#201)
- eBay (#238)
- UPS (#47)
This doesn't mean they're unprotected. Companies like Apple, Meta, and Netflix almost certainly run custom, proprietary WAF solutions that don't leave detectable fingerprints. These are engineering organizations with dedicated security teams building internal tooling.
Others may use WAF products configured to suppress identifying headers, or protect their infrastructure at a network layer that our HTTP-based detection can't observe.
"The absence of WAF fingerprints doesn't mean absence of protection. The largest tech companies typically build custom solutions that are intentionally invisible to external probes."
Methodology
We built an open-source WAF detection tool that checks every domain using four methods:
- HTTP Response Headers. WAF-specific headers like
cf-ray(Cloudflare),x-akamai-transformed(Akamai),x-sucuri-id(Sucuri), andx-azure-ref(Azure WAF). - Cookie Analysis. WAF-specific cookie prefixes like
incap_ses_(Imperva),bm_sz(Akamai Bot Manager), and__cf_bm(Cloudflare). - DNS CNAME Chains. CDN and WAF providers often require CNAME records pointing to their infrastructure. For example,
*.edgekey.net(Akamai),*.azurefd.net(Azure Front Door), and*.cloudflare.com. - HTML Body Signatures. Challenge pages and error pages from WAF providers often contain identifiable strings.
Our detection engine covers 79 WAF, CDN, and bot management fingerprints, including all major providers and many regional/niche solutions.
For each domain, we checked both the apex domain and the www. subdomain. Detections are scored and classified as high, medium, or low confidence based on the strength and number of matching signals.
The detection tool and Fortune 500 domain list are available as open-source tools in our GitHub repository.
What This Means for Your WAF Decision
If you're choosing a WAF for your organization, here's what the Fortune 500 data tells us:
- You can't go wrong with the big three. Fastly, Akamai, and Cloudflare together protect most of America's largest companies. They work at scale.
- Your sector matters. If you're in financial services, Akamai is the de facto standard. Healthcare companies lean toward Fastly and Akamai. Tech companies are split evenly between all three.
- Multi-layer is common. A third of the Fortune 500 uses more than one WAF provider. If you already have a CDN, consider adding an application-level WAF (like Imperva or F5) for defense in depth.
- Cloud-native WAFs are growing. AWS WAF and Azure WAF together are present on 91 Fortune 500 sites (18%). If you're already running on a major cloud, their native WAF is the easiest add.
Need help choosing? Compare WAF providers side-by-side, or explore our best WAF for your use case guides.