Independent reference. Not affiliated with any vendor on this site.

WAF API protection add-on cost: API Shield, AWS WAF on API Gateway, Imperva API Security

API protection is the fastest-growing line on a WAF bill and the least transparently priced. Cloudflare API Shield is Enterprise quote-only; AWS WAF on API Gateway just charges standard WAF rates; Imperva, Wallarm, and the specialist vendors (Salt Security, Noname) are all quote-only. This page maps what is known and what is not.

Last verified June 2026

AWS WAF rate on API Gateway: $0.60/M
Cloudflare API Shield: Quote
Imperva API Security: Quote
Wallarm Advanced API Security: Quote

AWS WAF on API Gateway

AWS WAF attaches directly to API Gateway with the standard rate card: $5/web-ACL/month, $1/rule/month, $0.60 per million requests. No separate “API protection” SKU. Managed rule groups including the SQLi, Linux, Windows, and PHP groups are useful for API-fronted apps; AWS does not publish a separate API-specific managed rule group beyond Bot Control's targeted protections.

Cloudflare API Shield

Enterprise-tier add-on, quote-only. API Shield covers schema validation against your OpenAPI definition, JWT and mTLS authentication enforcement, sequence mitigation against API abuse patterns, and discovery of undocumented endpoints. Pricing is bundled into an Enterprise contract; Cloudflare does not publish a per-API or per-endpoint rate.

Imperva API Security

Quote-only. Sold as a separately priced module on the Imperva Cloud WAF contract. Covers API discovery, sensitive-data classification, and behavioural protection. Pricing depends on the number of APIs, call volume, and which underlying WAF tier is on the contract.

Wallarm (API-first WAAP)

Wallarm is positioned as API-first; the WAAP and Advanced API Security tiers are both quote-only. The free Security Edge tier offers capped functionality and is genuinely useful for evaluation. Pricing on the paid tiers is keyed off API call volume and protected-app count.

Specialist API-security vendors

Salt Security and Noname Security (Akamai acquisition closed 2024) are the named specialist API-security vendors. Both are quote-only. They typically sit alongside a WAF rather than replacing one; pricing is keyed off API call volume and the number of business-logic flows protected. We do not list either as a WAF vendor on this site because they do not market themselves as WAFs.

The OWASP API Security Top 10 2023 catalogues the recurring weakness classes (BOLA, broken authentication, BOPLA, unrestricted resource consumption, broken function level authorisation) that plain WAF rule sets do not catch on their own. Treat API-specific protection as a separate add-on rather than assuming the WAF SKU covers it.
Source: OWASP API Security Top 10, 2023 edition

The shape of the API protection bill

Standard WAF rates cover the OWASP Top 10 attack surface that maps to APIs. The API-specific add-on covers what plain WAF misses: business-logic abuse, schema-violation attacks, BOLA/BOPLA, credential stuffing aimed at API endpoints, and discovery of undocumented endpoints. The decision is rarely whether to add API protection; it is which vendor's implementation best fits the API surface you are protecting.

Related reading

See the bot management cost page for the closest adjacent add-on, the Wallarm deep-dive for the API-first WAAP option, and the hidden costs page for the full bill-beyond-list-rate analysis.
