Overview
Myra Security is a German cybersecurity company offering a cloud-based WAF, DDoS protection, and CDN platform designed specifically for organizations in regulated industries. Their primary customers are banks, insurance companies, public sector institutions, and critical infrastructure operators in Europe, particularly those with strict data sovereignty requirements.
The Myra WAF sits upstream of your web applications as a reverse proxy, filtering HTTP/S requests before they reach your servers. It protects against the OWASP Top 10 vulnerabilities and blocks an average of 8 million malicious layer 7 requests per customer per year. Rules can be defined using simple comparisons or regular expressions (regex), and the system is described as "almost infinitely scalable."
What differentiates Myra from global WAF providers like Cloudflare or Akamai is its regulatory positioning. Myra is BSI-qualified (German Federal Office for Information Security), NIS-2 compliant, DORA compliant, and processes data exclusively in Germany on request. For organizations that must meet European data sovereignty requirements or operate under German financial regulation, this matters more than raw feature count.
Myra offers an optional Managed WAF Service where their security experts review your specific requirements, create tailored rule sets, and provide ongoing optimization and support. This is valuable for organizations without dedicated WAF expertise, which is common in the public sector and mid-sized enterprises.
Deployment is straightforward: no additional hardware or software needed. Myra works as an upstream protective layer regardless of whether your applications run in your own data center, at a hosting provider, or in public/private cloud instances. Integration is via DNS change (CNAME), similar to Cloudflare.
The trade-off is scope and reach. Myra is a European, compliance-first provider. Its network coverage and PoP density outside Europe are limited compared to global providers. If you need worldwide edge presence or your primary concern is performance rather than compliance, Cloudflare or Akamai will serve you better. But if you need a WAF that is legally and operationally European, Myra is one of the few options that genuinely delivers this.
Ratings Breakdown
Key Features
OWASP Top 10 Protection
Blocks SQL injection, XSS, CSRF, and other OWASP Top 10 attacks. Blocks an average of 8 million malicious layer 7 requests per customer per year.
HTTP/S Request Filtering
Filters all HTTP and HTTPS requests with rules defined via simple comparisons or regular expressions. Near infinite scalability with no capacity constraints.
Managed WAF Service
Optional add-on where Myra security experts create tailored rule sets for your specific applications, provide ongoing optimization, and offer expert support on demand. Ideal for teams without dedicated WAF expertise.
Zero-Day Protection
Responds to newly discovered vulnerabilities with rapid rule updates. Proactive defense against zero-day exploits before patches are available.
Data Sovereignty (Germany)
On request, all data processing occurs exclusively in Germany. Full GDPR compliance and BSI-qualified infrastructure for organizations with strict European data sovereignty requirements.
NIS-2 and DORA Compliance
Designed for compliance with the EU Network and Information Systems Directive (NIS-2) and Digital Operational Resilience Act (DORA). Critical for financial institutions and essential service operators in the EU.
API Protection
Protects APIs against injection attacks, exploits, and data leaks. Detects faulty authentication and missing protection measures that could lead to service interruptions.
Intuitive Rule Management
Web-based UI for creating, editing, and managing WAF rules. Toggle rules on/off with a single click. Rules include parameters like name, log identifier, expiration date, conditions, and actions.
Pros & Cons
Pros
-
European data sovereignty
BSI-qualified, data processing in Germany on request. One of the few WAF providers that genuinely delivers European data sovereignty, not just GDPR checkboxes.
-
Regulatory compliance focus
NIS-2, DORA, PCI DSS, ISO 27001, IT-Grundschutz, SOC 2 Type 2. Built for the compliance requirements of banks, insurance companies, and public sector institutions.
-
Managed WAF service
Security experts create and optimize rule sets for your specific applications. Valuable for organizations without dedicated WAF expertise, common in the public sector and mid-sized enterprises.
-
Simple deployment
DNS-based integration, no hardware or software to install. Works with any origin regardless of hosting environment. Quick setup without disrupting existing infrastructure.
-
Trusted by critical infrastructure
Used by German banks (DKB), financial portals (Sparkassen-Finanzportal), and public sector organizations. Endorsed by Palo Alto Networks CSO on advisory board.
Cons
-
No public pricing
Requires contacting sales for a quote. No self-service pricing calculator that shows actual numbers. Common for enterprise security products but a barrier for smaller organizations wanting to evaluate costs.
-
Limited global presence
Optimized for European customers. Network coverage and PoP density outside Europe are limited compared to Cloudflare, Akamai, or AWS. Not ideal for applications serving primarily non-European audiences.
-
No free tier
No free plan or trial tier. Evaluation requires a demo booking and sales conversation. Competitors like Cloudflare offer free WAF that lets you test before committing.
-
Niche market focus
Designed primarily for regulated industries in Europe. Feature set may be less comprehensive than global WAAP platforms for organizations without strict compliance requirements.
-
Limited public documentation
Technical documentation is less extensive than competitors like Cloudflare or AWS WAF. Most implementation details require engagement with Myra's support team.
-
No open source or CRS compatibility
Proprietary rule engine. Custom rules are regex-based but not compatible with OWASP Core Rule Set. Switching WAF providers requires rebuilding rule sets.
Pricing
Pricing model: Custom (quote-based)
Myra WAF
Cloud WAF with OWASP Top 10 protection, HTTP/S request filtering, custom rules via regex, and scalable architecture. Pricing based on traffic volume and domains. Contact sales for a quote via the pricing calculator.
- OWASP Top 10 protection
- HTTP/S request filtering
- Custom rules (regex-based)
- Scalable architecture
- GDPR compliant
- BSI-qualified infrastructure
- 24/7 premium support
Managed WAF Service
Add-on service where Myra security experts review your requirements, create tailored rule sets, and provide ongoing support and optimization. Available on top of the standard WAF.
- Everything in Myra WAF
- Dedicated security expert review
- Custom tailored rule sets
- Ongoing optimization
- Expert support on demand
Our Verdict
Myra WAF exists in a specific niche: European compliance-first web application security. If your organization is a German bank, a public sector institution, or any EU entity that must demonstrate data sovereignty and NIS-2/DORA compliance, Myra is one of the very few WAF providers that can genuinely deliver this. BSI-qualified infrastructure with data processing exclusively in Germany is not something Cloudflare or Akamai can match.
The managed WAF service is a genuine differentiator for organizations without dedicated security teams. Having Myra experts create and maintain your rule sets reduces the operational burden that makes self-managed WAFs like ModSecurity impractical for many organizations.
The limitations are the flip side of the specialization. No public pricing, limited global network presence, and a feature set optimized for compliance rather than cutting-edge capabilities. If you do not have European compliance requirements, virtually any global WAF provider will offer better value and broader protection.
For its target market, Myra is excellent. For everyone else, look elsewhere.
CVE Coverage
Myra Hyperscale WAF can detect and block attacks matching 81K+ known CVEs based on its supported rule sets.
Coverage by Attack Type
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-4510 | MEDIUM |
| CVE-2026-4161 | MEDIUM |
| CVE-2026-4087 | MEDIUM |
| CVE-2026-4086 | MEDIUM |
| CVE-2026-4084 | MEDIUM |
| CVE-2026-4077 | MEDIUM |
| CVE-2026-4072 | MEDIUM |
| CVE-2026-4069 | MEDIUM |
| CVE-2026-4067 | MEDIUM |
| CVE-2026-4022 | MEDIUM |
Frequently Asked Questions
Is Myra WAF GDPR compliant?
Yes. Myra Security is fully GDPR compliant. On request, all data processing occurs exclusively in Germany. The infrastructure is BSI-qualified (C5 Type 2), ISO 27001 certified, and SOC 2 Type 2 audited. This level of data sovereignty is rare among WAF providers.
How does Myra WAF compare to Cloudflare?
Cloudflare offers a free tier, a global CDN network with 300+ PoPs, and a broader feature set. Myra focuses on European compliance (NIS-2, DORA, BSI) and data sovereignty. Choose Cloudflare for global performance and self-service simplicity. Choose Myra if you need a WAF provider that processes data exclusively in Germany and meets strict European regulatory requirements.
What is the Managed WAF Service?
An optional add-on where Myra security experts analyze your web applications, create tailored WAF rule sets, and provide ongoing optimization and support. This is valuable for organizations without dedicated WAF expertise, particularly in the public sector and mid-sized enterprises that need protection but lack security engineering staff.
Does Myra WAF support NIS-2 and DORA compliance?
Yes. Myra itself is NIS-2 and DORA compliant and helps customers meet these regulatory requirements. This is critical for financial institutions and essential service operators in the EU who must demonstrate operational resilience and cybersecurity compliance.
How much does Myra WAF cost?
Myra uses custom, quote-based pricing. You need to contact sales or use the pricing calculator on their website to receive a quote based on your traffic volume, domains, and required features. There is no published pricing or self-service purchase option.
Can I use Myra WAF with AWS or Azure?
Yes. Myra WAF works as an upstream reverse proxy via DNS (CNAME) and protects any origin regardless of where it is hosted. This includes AWS, Azure, GCP, on-premises data centers, and other hosting providers. However, the primary value proposition is European data sovereignty, which may not be relevant for all cloud deployments.
What certifications does Myra have?
Myra holds BSI C5 Type 2 qualification, ISO 27001, PCI DSS, SOC 2 Type 2, IT-Grundschutz certification. They are NIS-2 and DORA compliant. This makes them one of the most extensively certified WAF providers in Europe, which is why they are trusted by German banks and critical infrastructure operators.
What is BSI qualification?
BSI stands for Bundesamt fur Sicherheit in der Informationstechnik (German Federal Office for Information Security). BSI C5 (Cloud Computing Compliance Criteria Catalogue) Type 2 qualification means Myra has been audited and certified to meet Germany's cloud security standards. This is required for many German government and financial sector cloud deployments.
Ready to try Myra Hyperscale WAF?
Visit the website to learn more or request a demo.