Open-source WAF: ModSecurity and OWASP Core Rule Set true cost
The open-source WAF stack is real and in production at scale. The line items are different from a commercial vendor: no licence fee, but real infrastructure cost, real engineer time to tune and maintain, and a real decision to make about Trustwave ModSecurity's end-of-life status.
Last verified June 2026
ModSecurity status
Trustwave announced end-of-life for the commercial ModSecurity product effective 1 July 2024. The community fork libmodsecurity (v3) continues; the OWASP Foundation took stewardship of the broader ModSecurity ecosystem. ModSecurity remains in production on nginx, Apache, and IIS via the connector modules. Anyone deploying open-source WAF in 2026 should evaluate libmodsecurity v3 plus OWASP CRS, or move to Coraza.
OWASP Core Rule Set
OWASP CRS is the canonical free rule library, covering SQL injection, cross-site scripting, local file inclusion, remote file inclusion, command injection, and the broader OWASP Top 10 categories. CRS v4 is the current major version as of 2026. It plugs into ModSecurity, libmodsecurity, Coraza, and several commercial WAFs (Cloudflare and Azure both ship managed rule sets sourced from OWASP CRS).
Coraza (the Go-based replacement)
Coraza is the OWASP Foundation's Go-language re-implementation of the ModSecurity engine. It is compatible with the OWASP CRS rule format and the SecLang configuration language, and is designed for embedding directly into modern reverse proxies (Caddy, Traefik, Envoy) and into application sidecars. Development remains active through 2026.
Infrastructure cost
Self-hosted WAF infrastructure is a real cost line: the compute, memory, and network capacity required to terminate TLS and inspect traffic at request volume. At low traffic (under 10M req/mo) a single small VM is sufficient. At 1B req/mo you are running multiple instances behind a load balancer with autoscaling. At the high end the infrastructure spend matches a comparable per-request commercial WAF bill.
Engineer time
This is the big one. An open-source WAF in production needs a security engineer who can read SecLang, debug false positives, write custom rules, and respond to vulnerability advisories that affect the WAF engine itself. At single-property scale this is a fractional role. At multi-property scale it is a real headcount line. The hidden cost on the open-source side is exactly the labour line a commercial vendor manages for you.
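The false-positive tuning work described above is what that engineer time is spent on. The SecLang below is an added example, not configuration from the page or from the CRS project: the path, parameter and cookie names are constructed, and the rule IDs sit in the local 1-99,999 range that CRS leaves to the operator.

```apache
# Added example: the three edits a CRS tuning engineer makes most often.
# Rule IDs 10001+ are local (CRS reserves 1-99,999 for the operator);
# /wiki/save, ARGS:body and the "session" cookie are constructed placeholders.

# 1. Roll out in detection-only mode first: rules fire and log, nothing blocks.
#    Switch to "On" only after the exclusions below have cleared the false
#    positives seen in the audit log.
SecRuleEngine DetectionOnly

# 2. Runtime exclusion, placed in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
#    (it must execute before the CRS rules it modifies): a wiki editor
#    legitimately posts SQL-looking text in the "body" parameter, so stop the
#    libinjection SQLi rule 942100 from inspecting that one argument on that
#    one path only. Every other parameter and path keeps full coverage.
SecRule REQUEST_URI "@beginsWith /wiki/save" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:body"

# 3. Startup exclusion, placed in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
#    (it must load after the CRS rules exist): a random session cookie trips
#    the XSS and SQLi rules everywhere, so remove that single cookie from the
#    targets of every rule tagged attack-xss or attack-sqli, site-wide.
SecRuleUpdateTargetByTag "attack-xss"  "!REQUEST_COOKIES:session"
SecRuleUpdateTargetByTag "attack-sqli" "!REQUEST_COOKIES:session"
```

Both exclusion styles are accepted by libmodsecurity v3 and Coraza; the ordering rule (ctl exclusions before CRS, SecRuleUpdateTarget* after) is the single most common cause of "my exclusion does nothing" tickets.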
- Open-source wins when: you have a security engineer comfortable in SecLang or Go, latency is critical, and you need the WAF embedded in your existing reverse proxy.
- Open-source loses when: there is no in-house engineer to tune the rule set, you need vendor-recognised reporting for an auditor, or you need bot management beyond OWASP CRS.
- Hybrid wins when: Coraza or libmodsecurity sits at the application edge with OWASP CRS, with a commercial CDN+WAF (Cloudflare Free or Pro) in front for DDoS absorption.
Related reading
See the managed WAF cost page for the opposite-end-of-spectrum option, cost by organisation size for where open-source typically wins, and the implementation cost page for the labour-line analysis.