Independent reference. Not affiliated with any vendor on this site.

WAF pricing FAQ

The questions buyers send by email, answered with sourced numbers. Marked up with FAQPage schema so search engines can render the answers directly.

Last verified June 2026

How much does a WAF cost in 2026?

The cheapest published entry point is Cloudflare's Free plan at $0 per month, which includes basic managed WAF rules. AWS WAF starts at $5 per web-ACL per month plus $0.60 per million requests. Google Cloud Armor starts at $5 per policy per month on the Standard tier. Mid-market deployments with bot management enabled typically run $500 to $5,000 per month across published-rate vendors. Quote-only vendors (Akamai, Imperva, F5, Fastly, Barracuda, Radware, Wallarm) publish no list rate. See the quote-only vendors page for the discovery-call framework rather than a fabricated number.

Which WAF is cheapest?

Cloudflare's Free plan at $0 per month is the cheapest legitimate entry point and includes basic managed WAF rules, basic DDoS, and CDN. For sites needing custom rules, custom rate limits, or higher SLAs, AWS WAF at $5 per web-ACL per month plus $0.60 per million requests is typically the cheapest published rate at small to mid traffic volume. Sucuri WAF at $9.99 per month is the cheapest dedicated WAF-and-CDN bundle for a single small site.

Why won't Imperva publish pricing?

Imperva, like Akamai, F5, and Radware, sells through a sales-led enterprise motion. Quotes are scoped to per-site or per-application bandwidth tiers with a separate Advanced Bot Protection line and optional API Security and DDoS modules. Publishing list pricing would expose the spread between accounts and remove the sales rep's negotiating room. We document anonymised buyer-shared quote bands on the quote-only vendors page rather than inventing a list rate.

Is AWS WAF cheaper than Cloudflare?

At low traffic and only basic WAF needs, Cloudflare Free at $0 per month is cheaper than AWS WAF at $5 per web-ACL plus $0.60 per million requests. At mid traffic with bot management, AWS WAF often comes in cheaper than Cloudflare because Cloudflare Bot Management is a quote-only Enterprise add-on while AWS publishes the Bot Control rate card. At enterprise volume with Cloudflare's Enterprise plan and Bot Management Enterprise add-on, Cloudflare contracts are quote-only and direct comparison is not possible without both quotes in hand.

What is AWS WAF Bot Control and why does it cost so much?

Bot Control is an AWS-managed rule group billed at $10 per web-ACL per month plus a per-request fee charged in addition to the standard $0.60 per million request fee. At 100 million requests per month with Bot Control on, the rule-group request fee alone can run an order of magnitude above the $5 web-ACL line. Read the AWS WAF deep-dive page for the worked example with sourced math.

Does PCI DSS v4 require a WAF?

PCI DSS v4 Requirement 6.4.2 mandates an automated technical solution to detect and prevent web-based attacks for in-scope public-facing web applications. A WAF is the standard control that satisfies this requirement. The requirement became effective from 31 March 2025 (the end of the v4 transition window). See the PCI DSS WAF cost page for minimum compliant configurations across each vendor.

Can I use a free WAF?

Yes. Cloudflare Free at $0 per month includes basic managed WAF rules and is in production use at many small sites. Open-source ModSecurity with the OWASP Core Rule Set is also a real production option but carries hidden infrastructure and engineer-time cost (see the open-source WAF page). Free does not equal compliant: PCI DSS, SOC 2, and FedRAMP-aligned environments typically need a paid tier with logging, tuning, and bot management.

What is the cheapest WAF for a small business?

Three legitimate options. Cloudflare Free at $0 per month covers a single site with basic managed rules and CDN. Sucuri WAF at $9.99 per month is the cheapest dedicated WAF + CDN + malware-scan bundle, popular with WordPress. AWS WAF at $5 per web-ACL plus $0.60 per million requests is the cheapest if you are already on AWS and want custom rule control. All three are documented with sources on their respective vendor pages.

What is the difference between Cloudflare Bot Fight Mode, Super Bot Fight Mode, and Bot Management?

Bot Fight Mode ships with the Pro plan ($25/mo monthly or $20/mo annual) and applies basic challenges to obvious bot signatures. Super Bot Fight Mode ships with the Business plan ($250/mo monthly or $200/mo annual) and adds category-based bot control. Bot Management is an Enterprise-tier add-on with machine-learning detection and is quote only. These are three distinct products with different detection capabilities; do not assume Pro covers what Enterprise Bot Management covers.

Why did StackPath WAF disappear?

StackPath exited the CDN business in November 2023 (Akamai acquired a portion of the enterprise contract base at that point) and fully shut down the platform in June 2024. There is no 2026 StackPath WAF to buy. Former customers should have migrated to Cloudflare, AWS, Fastly, or another active vendor. We keep the StackPath page live as a redirect destination for anyone still searching for it.
