Overview
Fastly Next-Gen WAF (formerly Signal Sciences) takes a fundamentally different approach to web application security. Instead of relying solely on pattern matching like traditional WAFs, it uses proprietary SmartParse technology to understand application context, dramatically reducing false positives while maintaining strong protection.
Born from the DevOps movement, Fastly WAF was designed for modern development workflows. It integrates with CI/CD pipelines, provides developer-friendly APIs, and offers deployment options across cloud, container, and serverless environments. Security teams can enable protection without creating friction with development teams.
The acquisition by Fastly in 2020 brought additional benefits: integration with Fastly's edge cloud platform for combined CDN and WAF capabilities, plus the performance benefits of Fastly's global network.
Key Features
SmartParse Technology
Intelligent parsing technology that understands application context to reduce false positives by 90%+.
Power Rules
Flexible rule language for creating custom detection and response logic based on any request attribute.
API Discovery
Automatic discovery and cataloging of API endpoints with security assessment.
DevOps Integration
Native integrations with CI/CD tools, infrastructure as code support, and developer-friendly APIs.
Multi-Environment Deployment
Deploy as cloud service, agent, or edge module across diverse infrastructure.
Real-Time Dashboards
Live visibility into attacks, decisions, and application health without sampling.
Pros & Cons
Pros
- Extremely low false positives: SmartParse technology reduces false positives by understanding application context, not just pattern matching.
- Developer-friendly: Built for DevOps workflows with CI/CD integration, IaC support, and excellent APIs.
- Flexible deployment: Deploy as cloud WAF, agent, or edge module to match your infrastructure.
- Real-time visibility: 100% request inspection with live dashboards - no sampling or delays.
- Strong API protection
Cons
- Premium pricing: More expensive than traditional WAFs; pricing requires sales engagement.
- Learning curve for Power Rules: Advanced customization requires learning their proprietary rule language.
- Fastly edge integration still maturing: Full integration with Fastly CDN is improving but not yet seamless.
- Less brand recognition: Smaller market presence than Cloudflare or AWS WAF despite technical excellence.
Pricing
Pricing model: Custom pricing based on requests and features
Essential
Core WAF protection
- SmartParse technology
- OWASP Top 10 protection
- Rate limiting
- IP reputation
Professional
Advanced security features
- Everything in Essential
- Advanced rate limiting
- Account takeover protection
- GraphQL inspection
Premier
Full enterprise platform
- Everything in Professional
- API discovery
- Advanced bot protection
- Custom integrations
- Dedicated support
Our Verdict
Fastly Next-Gen WAF stands out for its innovative approach to application security. By using intelligent parsing instead of simple pattern matching, it solves the fundamental WAF problem: too many false positives. For teams that have struggled with noisy WAFs, this alone makes it worth considering.
The DevOps-friendly design is the other major differentiator. If your team practices infrastructure as code, runs CI/CD pipelines, and deploys across diverse environments, Fastly WAF fits naturally into your workflow. Traditional WAFs often feel like an obstacle; Fastly WAF feels like a tool.
Our verdict: Best WAF for DevOps teams and modern applications, especially those plagued by false positives from traditional WAFs.
CVE Coverage
Fastly Next-Gen WAF (Signal Sciences) can detect and block attacks matching 87K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-4510 | MEDIUM |
| CVE-2026-4161 | MEDIUM |
| CVE-2026-4087 | MEDIUM |
| CVE-2026-4086 | MEDIUM |
| CVE-2026-4084 | MEDIUM |
| CVE-2026-4077 | MEDIUM |
| CVE-2026-4072 | MEDIUM |
| CVE-2026-4069 | MEDIUM |
| CVE-2026-4067 | MEDIUM |
| CVE-2026-4022 | MEDIUM |
Frequently Asked Questions
What makes SmartParse different from regular WAF rules?
Traditional WAFs use pattern matching - if a request contains certain patterns, it's blocked. This causes false positives when legitimate data looks suspicious. SmartParse actually parses and understands the request context, knowing whether data is appearing in a dangerous location (like a SQL query) or a safe one (like a blog post about SQL). This context awareness is why false positive rates are so much lower.
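The contrast described in this answer, as an added illustration (not Fastly's code and not how SmartParse is implemented): a signature check over raw text beside a toy check that lexes the value as if it sat in a SQL string-literal position. The lexer, keyword list and sample values are constructed assumptions.

```python
import re

# Signature-style rule: SQL-looking text anywhere in the value triggers a match.
SIGNATURE = re.compile(r"\b(select|union|drop\s+table)\b|\bor\s+\d+\s*=\s*\d+", re.I)

# Minimal SQL lexer (assumption: single-quoted literals, '' as the escaped quote).
TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')         # complete quoted literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)    # comment that swallows the rest of a query
  | (?P<word>[A-Za-z_]\w*)             # keyword or identifier
  | (?P<number>\d+)
  | (?P<quote>')                       # unbalanced quote
  | (?P<other>\S)
""", re.X | re.S)

KEYWORDS = {"select", "union", "or", "and", "drop", "insert", "update", "delete"}

def pattern_match(value):
    """Context-free check: does the raw text look like SQL?"""
    return bool(SIGNATURE.search(value))

def lex(sql):
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(sql)]

def context_aware(value):
    """Place the value where a string literal would go and ask whether it
    stays a single literal or escapes and contributes SQL structure."""
    toks = lex("'" + value + "'")
    if len(toks) == 1 and toks[0][0] == "string":
        return False                   # remained pure data
    return any(kind == "comment" or (kind == "word" and text.lower() in KEYWORDS)
               for kind, text in toks)

# Constructed sample parameter values.
SAMPLES = [
    "How to use SELECT and UNION in SQL",   # blog post title
    "O'Reilly",                             # surname with an apostrophe
    "x' OR 1=1 --",                         # textbook injection string
]

def compare(samples=SAMPLES):
    return [(s, pattern_match(s), context_aware(s)) for s in samples]

if __name__ == "__main__":
    for value, by_pattern, by_context in compare():
        print(f"{value!r:40} pattern={by_pattern!s:5} context={by_context}")
```

Prose that contains both an apostrophe and a SQL keyword still trips this toy check, so it narrows the false-positive class rather than eliminating it.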
Can Fastly WAF work without Fastly CDN?
Yes, Fastly WAF can be deployed independently of Fastly CDN. You can run it as an agent on your servers, as a cloud service, or integrate it with other CDNs. The Fastly CDN integration provides additional benefits but isn't required.
How does pricing compare to Cloudflare or AWS WAF?
Fastly WAF is generally more expensive than Cloudflare's per-domain pricing or AWS WAF's pay-per-request model. However, the reduced operational cost from fewer false positives and better DevOps integration can offset the higher license cost. Organizations should calculate total cost of ownership, not just license fees.