Hidden WAF costs: the add-ons beyond the list rate
A $5 web-ACL plus a $0.60 per million request rate is honest. It is also partial. Bot management, log ingestion to your SIEM, managed rule group fees, TLS termination overage, egress bandwidth, professional services for tuning - any of these can dwarf the headline line on a real bill.
Last verified June 2026
1. Bot management overage
The largest single line on most WAF bills past a small site. AWS Bot Control is $10/web-ACL + per-request rule-group fee. Cloudflare Bot Management Enterprise is quote-only. Imperva ABP and Akamai Bot Manager Premier are quote-only. Cross-vendor cost at 100M req/mo runs from low three figures (AWS Bot Control) to high four figures (Imperva or Akamai). See bot management cost for the cross-vendor math.
2. Log ingestion to SIEM
WAF events going to your SIEM (Splunk, Sentinel, Elastic, Sumo Logic, Datadog) are billed by the SIEM, not the WAF. At 100M req/mo with even 0.5% logged, that is 500K events/mo at typical SIEM per-event rates. The math compounds as you tune rules to log more for incident-response purposes.
1. Total requests: 100,000,000
2. Logged events at 1% sample rate: 1,000,000
3. Average event size: ~2 KB
4. Monthly volume: ~2 GB
5. SIEM ingestion at illustrative $1.50/GB rate: ~$3/mo
3. Managed rule group request fees
AWS WAF managed rule groups from third-party Marketplace sellers (Fortinet, F5, Trustwave, Imperva, Cyber Security Cloud) all charge a per-request fee on top of the standard AWS WAF request fee. Stacking three Marketplace rule groups at $0.50/M each adds $1.50/M to the AWS WAF bill. Worth modelling before adding rule groups indiscriminately.
4. SSL/TLS termination overage
Cloud WAFs that terminate TLS for you generally include certificate issuance and renewal at the published rate. Custom certificate workflows (private CA, EV certificates, HSM-bound keys) and high-cardinality SNI deployments can move into add-on territory. Cloudflare Advanced Certificate Manager, AWS Certificate Manager Private CA, and Azure Front Door custom certificates all have their own pricing pages.
5. Egress bandwidth from cloud WAFs
Cloudflare, Fastly, and the hyperscaler-edge WAFs (AWS Front Door, Azure Front Door) all charge egress bandwidth from the edge to the origin separately. FortiWeb Cloud explicitly publishes a $0.40/GB bandwidth line on AWS Marketplace. At 1 TB/mo egress, that is a $400 line on a $21.90 base.
6. Professional services for tuning
The first 30 days of any WAF deployment are dominated by false-positive triage and rule tuning. Vendor professional services (Imperva, Akamai, Radware, F5) bill by the day or by the engagement; partner-led tuning (MSSPs, security consultancies) tends to bill by retainer. Neither is on the WAF SKU pricing page. See implementation cost for the standalone analysis.
7. Cross-region and cross-cloud data movement
Pointing a Cloudflare WAF at an AWS-origin app means CloudFront or ALB egress from AWS to Cloudflare is billed by AWS. The reverse (AWS WAF at the edge in front of a non-AWS origin) means data movement from AWS edge to the origin cloud. Cross-cloud WAF deployments multiply the egress lines.
- Rule: when comparing vendors, price the full add-on stack at the real workload, not the published web-ACL or policy line.
- Rule: include SIEM ingestion in the WAF business case, especially for high-traffic apps where logging discipline pays back.
- Rule: ask for a quote that pins year-2 and year-3 rates, not just year-1, to avoid the renewal step.
- Rule: negotiate the egress and bandwidth lines explicitly; they are often more discountable than the headline rate.
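The first rule, pricing the full add-on stack at the real workload, carried through as a small cost model. This is an added example, not code from the article; the rates are the illustrative figures quoted above, except the AWS Bot Control per-request fee, which the article does not give and is an assumed placeholder.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rates:
    """Monthly list rates. All but bot_control_per_million are the figures quoted in the article."""
    web_acl_month: float = 5.00            # AWS WAF web ACL
    per_million_requests: float = 0.60     # AWS WAF request fee
    bot_control_acl_month: float = 10.00   # AWS Bot Control web-ACL fee
    bot_control_per_million: float = 1.00  # ASSUMED placeholder: the article gives no per-request figure
    marketplace_per_million: float = 0.50  # third-party Marketplace managed rule group
    siem_per_gb: float = 1.50              # illustrative SIEM ingestion rate
    egress_per_gb: float = 0.40            # FortiWeb Cloud bandwidth line

@dataclass(frozen=True)
class Workload:
    requests_per_month: int
    logged_fraction: float        # share of requests forwarded to the SIEM (0.01 = 1%)
    avg_event_kb: float           # average WAF log event size in KB
    egress_gb: float              # edge-to-origin egress per month in GB
    marketplace_rule_groups: int  # stacked third-party rule groups
    bot_control: bool

def siem_gb(w: Workload) -> float:
    """Logged events x event size, in decimal GB (the article's ~2 KB x 1M = ~2 GB)."""
    return w.requests_per_month * w.logged_fraction * w.avg_event_kb / 1_000_000

def cost_lines(w: Workload, r: Rates = Rates()) -> dict[str, float]:
    """Every monthly line item, headline first, rounded to cents."""
    m = w.requests_per_month / 1_000_000
    lines = {"headline": r.web_acl_month + m * r.per_million_requests}
    if w.bot_control:
        lines["bot control"] = r.bot_control_acl_month + m * r.bot_control_per_million
    lines["marketplace rule groups"] = w.marketplace_rule_groups * m * r.marketplace_per_million
    lines["siem ingestion"] = siem_gb(w) * r.siem_per_gb
    lines["egress bandwidth"] = w.egress_gb * r.egress_per_gb
    return {k: round(v, 2) for k, v in lines.items()}

def addon_share(lines: dict[str, float]) -> float:
    """Fraction of the bill that is not the headline web-ACL + request line."""
    total = sum(lines.values())
    return (total - lines["headline"]) / total

# Constructed sample workload: the article's 100M req/mo, 1% logged, ~2 KB events,
# 1 TB egress, three stacked Marketplace rule groups, Bot Control enabled.
EXAMPLE = Workload(100_000_000, 0.01, 2.0, 1000, 3, True)

if __name__ == "__main__":
    for name, usd in cost_lines(EXAMPLE).items():
        print(f"{name:<25} ${usd:>9,.2f}")
    print(f"add-on share of bill: {addon_share(cost_lines(EXAMPLE)):.0%}")
    # Tuning rules to log 10x more moves only the SIEM line, from ~$3 to ~$30.
    print("siem at 10% logged:", cost_lines(replace(EXAMPLE, logged_fraction=0.10))["siem ingestion"])
```

On this sample the headline line is $65 of a $728 bill, so the add-ons are over 90% of what is actually paid.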
Adjacent total-cost references
Same author, same methodology. No affiliate relationship with any vendor mentioned.