Web Application Firewalls Are Broken And Everyone Knows It
A Forbes piece argues what most security teams already know: WAFs are fundamentally broken. Not the firewall itself, but the management layer on top. Most organizations have stopped touching their rules entirely.
A new Forbes piece argues what most security teams already know: web application firewalls are fundamentally broken. Not the enforcement layer itself, but the management layer on top of it. The rules, the tuning, the constant adjustments as applications change and threats evolve. Most organizations have given up trying.
The real problem is not the WAF
The enforcement engine works. What does not work is the process of keeping it configured. Security teams across enterprises routinely avoid touching WAF rules because the perceived risk of breaking production traffic outweighs the perceived risk of leaving gaps open. So the rules stay where they were on deployment day: either they still block legitimate requests, or they were loosened after the first outage until they catch very little. Both outcomes cost money.
This plays out the same way across vendors. A company running Cloudflare ends up paying extra for managed configuration. Teams using AWS WAF struggle with the complexity of web ACLs and rule groups. Akamai customers face the same pattern. The tool exists, but the organizational capacity to use it does not.
AI as a management layer
The article highlights Huskeys, a startup that emerged from stealth this week with million in seed funding. Rather than building yet another WAF, Huskeys positions itself as a control plane that sits on top of existing WAF infrastructure from Cloudflare, AWS WAF, Akamai, and others. The pitch: organizations already paid for enforcement. What they need is something to actually run it.
The approach uses AI for traffic analysis, rule tuning, and orchestration across providers. The article correctly notes that not all AI is the same: pattern matching fits classifying traffic, generative models fit proposing rule changes, and agentic orchestration fits applying and rolling back those changes across several WAF products. Each serves a different phase of WAF management, and applying the wrong approach to the wrong phase just makes the marketing deck look better.
Static rules in a dynamic world
The deeper issue is structural. WAFs were designed for a world of predictable HTTP traffic from human users. Today, a significant portion of web traffic comes from APIs, bots, and AI agents that do not behave like humans at all. Rule-based systems struggle to tell the difference between a legitimate automated request and a malicious one, because a signature rule only sees request content: a reporting API client that puts a SQL expression in a JSON field looks the same to a regex as an injection attempt.
Organizations using ModSecurity with the OWASP Core Rule Set, or managed rule sets from any major provider, face the same challenge. Static rules in a dynamic threat environment create a problem that compounds over time: each application change produces new false positives, the quick fix is to disable the offending rule everywhere rather than exclude it for the one endpoint that needs it, and each blanket exclusion is a gap nobody revisits. The organizations doing this well treat WAF management as an ongoing operational discipline, not a one-time deployment.
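The false-positive-then-exclusion cycle, and the earlier point that teams avoid touching rules because they cannot tell what a change will break, can be made concrete. What follows is an added example, not code from the Forbes article, from Huskeys, or from the CRS project: a small CRS-style anomaly scorer with a detection-only regression harness. The rules, the anomaly threshold, the sample requests, the endpoint-scoped exclusion and the helper names (`score_request`, `would_block`, `regression`) are all constructed for illustration; the regexes only loosely echo CRS categories and are not the real CRS rules.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Request parts a rule can inspect (constructed; modelled on ModSecurity
    targets such as REQUEST_URI, ARGS, REQUEST_BODY, REQUEST_HEADERS)."""
    path: str
    args: str = ""
    body: str = ""
    user_agent: str = ""

    def part(self, name):
        return getattr(self, name)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    score: int        # CRS-style severity weight: CRITICAL=5, WARNING=3
    targets: tuple    # request parts this rule inspects


# Constructed rules that only loosely echo CRS categories; not real CRS regexes.
RULES = (
    Rule("sqli-keywords",
         re.compile(r"(?i)\bunion\s+select\b|\bselect\b.+\bfrom\b|\bor\s+1\s*=\s*1\b"),
         5, ("args", "body")),
    Rule("xss-tags", re.compile(r"(?i)<script\b|javascript:"), 5, ("args", "body")),
    Rule("path-traversal", re.compile(r"\.\./"), 5, ("path", "args")),
    Rule("scanner-ua", re.compile(r"(?i)sqlmap|nikto"), 5, ("user_agent",)),
)

# CRS-style inbound anomaly threshold: a request is blocked once the summed
# scores of the rules it matched reach this value.
INBOUND_THRESHOLD = 5


def score_request(req, rules=RULES, exclusions=None):
    """Sum rule scores over the request parts each rule inspects.

    exclusions maps a path prefix to {rule_id: set_of_targets}. It models a
    CRS-style exclusion (ctl:ruleRemoveTargetById) scoped to one endpoint,
    as opposed to disabling the rule for the whole site.
    """
    exclusions = exclusions or {}
    total, matched = 0, []
    for rule in rules:
        skipped = set()
        for prefix, per_rule in exclusions.items():
            if req.path.startswith(prefix):
                skipped |= set(per_rule.get(rule.rule_id, ()))
        for target in rule.targets:
            if target in skipped or not rule.pattern.search(req.part(target)):
                continue
            total += rule.score
            matched.append(f"{rule.rule_id}:{target}")
            break  # a rule contributes once per request
    return total, matched


def would_block(req, threshold=INBOUND_THRESHOLD, **kw):
    total, _ = score_request(req, **kw)
    return total >= threshold


def regression(corpus, threshold=INBOUND_THRESHOLD, **kw):
    """Detection-only run over a labelled corpus: nothing is blocked, the
    function only reports which requests a live deployment would get wrong.
    corpus is an iterable of (Request, is_attack)."""
    fp = [r for r, attack in corpus if not attack and would_block(r, threshold, **kw)]
    fn = [r for r, attack in corpus if attack and not would_block(r, threshold, **kw)]
    return {"false_positives": fp, "false_negatives": fn}


# Constructed traffic. The /api/reports client is a machine caller whose JSON
# legitimately carries a SQL expression; to a regex it looks like an attack.
CORPUS = [
    (Request("/login", args="user=alice&pw=hunter2"), False),
    (Request("/api/reports", body='{"name":"open orders","expr":"select status from orders"}'), False),
    (Request("/search", args="q=laptop bags"), False),
    (Request("/search", args="q=x' union select password from users--"), True),
    (Request("/api/reports", args="id=1 or 1=1"), True),
    (Request("/files", args="name=../../etc/passwd"), True),
    (Request("/", user_agent="sqlmap/1.7"), True),
    (Request("/comment", body="<script>alert(1)</script>"), True),
]

# The tuning step: drop the SQLi rule for the body of /api/reports only.
EXCLUSIONS = {"/api/reports": {"sqli-keywords": {"body"}}}

if __name__ == "__main__":
    before = regression(CORPUS)
    after = regression(CORPUS, exclusions=EXCLUSIONS)
    print("before tuning:", [r.path for r in before["false_positives"]], before["false_negatives"])
    print("after tuning: ", [r.path for r in after["false_positives"]], after["false_negatives"])
```

Run as-is, the untuned rule set flags the legitimate reporting call as an attack and misses nothing; with the exclusion applied it flags nothing legitimate while the same endpoint's query-string injection is still caught, because the exclusion removed one target on one path rather than the rule. That before-and-after comparison, driven by a corpus sampled from real production logs instead of the handful of constructed requests here, is the check that makes a rule change safe enough to touch.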
WAFplanet take
This article says the quiet part out loud: most WAFs are running on autopilot because nobody wants to touch them. That is a real and widespread problem.
The Huskeys approach of layering a management plane on top of existing WAFs makes more sense than asking enterprises to rip and replace. But the claims around AI-powered rule tuning deserve scrutiny. A rule change proposed by a model needs the same staging, regression check against known-good traffic, and rollback path as one written by a person; automation that skips those steps only breaks production faster. Privacy and compliance concerns around routing real traffic data, which carries session tokens, credentials, and personal data, through third-party AI models are not trivial, especially in regulated industries.
The bigger takeaway is that WAF management needs to be treated as continuous operations, not a checkbox. Whether you run Cloudflare, F5 Advanced WAF, Imperva, or open-appsec, the rules need regular attention. If your team is afraid to touch the configuration, that is the problem to solve first: a change process that starts every rule in count or detection-only mode, measures false positives against a corpus of known-good requests, and can be rolled back in minutes removes most of the fear.