Most people go shopping for a web application firewall on the worst possible day. Either an app is getting hammered right now, a SOC 2 auditor just flagged the missing control, or the AWS bill spiked and someone traced it back to a WAF rule nobody remembers writing. None of those are good conditions for a calm pricing comparison.
So here’s the calm version. I’ve run AWS WAF in anger, fronted a few origins with Cloudflare, and sat through enough Imperva and Akamai sales calls to know where the “contact us” buttons hide the real numbers. This is the developer-perspective WAF comparison I wish existed before I had to pick one — actual pricing models, where each vendor quietly charges you more, and which one wins for which kind of team.
”WAF” doesn’t mean what it did in 2019
The first thing to get straight: almost nobody sells a plain WAF anymore. The category got rebranded to WAAP — Web Application and API Protection — and in 2026 that bundle means four things stapled together.
You get the classic firewall (OWASP rule sets, custom rules, virtual patching), plus bot management, plus DDoS mitigation, plus API security. The reason this matters for budgeting is that vendors love to advertise the base WAF price and then meter the parts you actually came for. Bot scoring and API discovery are where the money is, and they’re rarely in the headline number.
If your threat model is “someone is scraping our pricing pages and stuffing credentials into our login,” you’re shopping for bot management, not a SQL-injection ruleset. Keep that distinction in your head as the prices roll by, because it changes which vendor is cheap and which is a trap.
The pricing models, decoded
WAF pricing splits into two philosophies: flat-tier (you pay for a plan) and pay-per-request (you pay for what flows through). Cloudflare is the poster child for the first, AWS for the second, and the enterprise crowd refuses to show you either without a call.
Cloudflare — flat tiers, per domain
Cloudflare’s WAF rides on its plan tiers. Free gets you a managed ruleset and basic protection. Pro is $20/month billed annually (or $25 month-to-month) and adds the enhanced WAF with OWASP rules. Business jumps to $200/month annually ($250 monthly) and unlocks custom WAF rules plus the PCI-friendly features. Enterprise is a quote — realistically starting somewhere north of $5,000/month for a small deployment, and climbing fast once you bundle Workers, R2, and Stream commitments.
The catch nobody mentions on the pricing page: Pro and Business bill per domain. Protect ten properties on Business and you’re at $2,000/month, not $200. For a single flagship app it’s the cheapest serious WAF you can buy. For an agency or a company with a sprawl of brand domains, the math turns ugly quietly.
AWS WAF — pay per request, death by add-on
AWS WAF has no tiers. You assemble it: $5.00 per web ACL per month, $1.00 per rule per month, and $0.60 per million requests. A modest setup — one ACL, ten rules, 50 million requests a month — lands around $45/month. That’s the number people quote when they say AWS WAF is cheap.
It’s also the number that’s wrong by the time you’re done. Bot Control is a separate $10/month subscription per web ACL plus tiered request fees — $1 per million for common bots, up to $10 per million for the targeted-bot tier. There’s a $0.20-per-million surcharge for every 500 WCUs (Web ACL Capacity Units) you use beyond the default 1,500, so complex rule sets cost more to evaluate. And inspecting request bodies past the default limit runs $0.30 per million per extra 16KB. The base is genuinely cheap; the protection you’ll actually enable is not.
Azure — bolted onto the gateway
Azure doesn’t sell a standalone WAF so much as a feature of two products. On Application Gateway v2, the WAF rules come at no extra rule cost, but you pay for the gateway itself: roughly $0.0443 per gateway-hour plus $0.0144 per capacity-unit-hour. On Front Door, WAF is billed separately per policy and per rule — unless you’re on Front Door Premium, where it’s folded in.
Azure WAF makes sense when you’re already standing up an Application Gateway or Front Door for other reasons. As a security purchase on its own, the pricing is opaque enough that I’d only reach for it inside an Azure-committed shop.
Fastly — request-based, the Signal Sciences engine
Fastly’s Next-Gen WAF is the old Signal Sciences product, and it’s well regarded by the people who run it. Pricing is request-based, typically $3–8 per million requests depending on volume and which packaged tier (Security Core, Core Plus, or Total) you land on. It’s a quote in practice, but the model is transparent and the detection quality is a genuine differentiator — it leans on behavioral signals rather than just signature matching, which cuts false positives.
Akamai and Imperva — the “contact us” tier
Neither Akamai’s App & API Protector nor Imperva’s WAF has a free tier or a public price. You get a quote, and the quotes are enterprise-shaped — think four to five figures monthly, often with DDoS protection floors in the low thousands per month before you’ve protected anything. You’re paying for a platform, a threat-intelligence team, and a support contract, not a line item.
Bot and API defense — where they actually differ
The base SQL-injection-and-XSS rulesets are commodities now. Every vendor licenses similar OWASP coverage and most will block the obvious stuff out of the box. The real separation is in bots and APIs.
For bot management, the gap is between signature-based blocking (cheap, easy to evade) and ML behavioral scoring (expensive, harder to fool). Cloudflare and Fastly both score traffic on behavior. AWS Bot Control has a “targeted” tier specifically for sophisticated bots, and you pay extra for it — that pricing tier exists precisely because catching good bots is hard. If account takeover and credential stuffing are your actual problem, this is the line item to scrutinize, and it’s where a $45 AWS WAF becomes a $400 one.
API security is the newer battleground. Schema validation, automatic endpoint discovery, and abuse detection on API traffic are increasingly bundled in, but the depth varies a lot. Imperva and Akamai sell this as a serious differentiator; the cloud-native options are catching up but I wouldn’t assume parity. If you’re API-first, demo this specifically rather than trusting the feature matrix.
The DIY angle, and when it’s false economy
You can run a WAF yourself. ModSecurity is the old guard; Coraza is the modern Go rewrite that drops the same OWASP Core Rule Set in front of your app without a per-request bill. Stack it in front of an origin, tune the rules, done. Zero licensing cost.
The cost just moves. Someone has to tune the rules, chase false positives, keep the CRS current, and stay awake during a DDoS that a managed edge network would have absorbed without paging anyone. Self-hosted CRS gives you a firewall but not a globally distributed scrubbing network — the DDoS piece is the part you can’t really DIY at scale. For a side project or an internal tool, Coraza is a perfectly sane choice. For anything revenue-bearing that’s publicly reachable, the engineering hours you’ll sink into tuning usually cost more than a Cloudflare Pro plan, and you still don’t get the DDoS absorption.
If you go this route, the honest move is to put a managed edge in front for DDoS and use the self-hosted WAF for app-specific rules. That hybrid is common and reasonable. Pure DIY all the way to the origin is where teams talk themselves into false economy.
Decision matrix by who you actually are
Pricing comparisons are useless without a “who is this for.” Here’s the version I’d give a colleague.
Solo SaaS or indie on a budget. Start with Cloudflare. The Free tier plus a $20 Pro plan covers more than most early apps need, the per-domain billing doesn’t bite when you have one domain, and you get DDoS absorption for free. If you’re already deep in AWS and run low request volumes, AWS WAF at ~$45/month is fine too — just don’t turn on Bot Control until you need it.
Mid-market, scaling, cost-sensitive. This is where it gets interesting. AWS WAF’s per-request model can either save you money or quietly bleed you depending on traffic shape and how many add-ons you enable — model it with your real numbers, including Bot Control. Cloudflare Business at $200/domain is predictable and easy to reason about, which is worth something. Fastly is the dark-horse pick if false-positive tuning is eating your team’s time; the Signal Sciences detection genuinely reduces that toil.
Regulated enterprise. Akamai or Imperva, and you’ll pay for it. Not because the cloud-native options can’t do compliance — Cloudflare Business and Enterprise handle PCI fine — but because at that scale you’re buying a support contract, a threat-intel team, dedicated tuning help, and someone to call at 3am with a contractual SLA behind it. That’s the actual product. If you don’t need the white-glove layer, Cloudflare Enterprise often does the same job for less.
API-first product. Demo the API security depth directly — Imperva, Akamai, and Fastly all take this seriously, and the cloud platforms vary. Don’t pick on the WAF feature and inherit weak API protection.
The lock-in nobody budgets for
Switching WAFs is more painful than switching most infrastructure, and it’s because of the rules. Every custom rule and every false-positive exception you’ve tuned over months is written in a vendor-specific dialect. None of it ports cleanly. Moving from AWS WAF to Cloudflare means re-authoring your rule logic and re-tuning your exception list from close to scratch.
The tuning effort is the real cost, not the migration mechanics. A WAF that’s been live for a year has accumulated a long tail of “allow this weird-but-legitimate request pattern” exceptions, and rebuilding that knowledge on a new platform takes weeks of watching logs and fielding “the site blocked me” tickets. Budget for that before you switch, and weigh it against whatever you’re trying to save. Sometimes the cheaper WAF isn’t cheaper once you price the move.
If you’re picking your first WAF, this is the argument for starting somewhere you won’t outgrow in eighteen months. And if you’re already running one you tolerate, “the new one is 20% cheaper” rarely survives contact with the re-tuning bill.
One thing worth doing this week regardless of vendor: pull a month of your real request volume and bot percentage, then run it through AWS WAF’s and Cloudflare’s calculators side by side. The flat-tier-versus-per-request answer flips entirely depending on your traffic, and it’s a ten-minute exercise that most teams skip until the invoice forces it.
If edge security is new territory for your team, it pairs naturally with the code-level scanning side of the house — our SAST and SCA tool comparison covers the part of the threat surface a WAF can’t see.