WAF pricing models: per-request vs per-rule vs flat-plan vs per-app
There are five pricing models in this category. Four publish a rate card you can actually do math with. The fifth (quote-only) is the largest by vendor count. Picking the wrong model for your traffic profile can double the monthly bill before you have done any negotiating.
Last verified June 2026
1. Per-request + per-rule (AWS WAF, GCP Cloud Armor, Azure WAF)
The cloud-native default. A small base fee per protection object (web-ACL or policy), a small per-rule fee, and a per-million-request rate that scales linearly with traffic. Predictable at steady-state, painful when traffic spikes during an attack. Bot management add-ons typically charge an additional per-request fee for the bot rule group on top of the standard request fee.
2. Flat-plan tiered (Cloudflare, Sucuri)
Fixed monthly plan with WAF, CDN, and basic rules included. Cloudflare Free at $0, Pro at $20-25, Business at $200-250, Enterprise quote-only. Sucuri at $9.99-$19.98/mo per site. The bill is flat at the tier you buy; the trade-off is that the highest-value add-ons (Cloudflare Bot Management Enterprise) sit above the published tiers and are quote-only.
3. Per-app subscription (FortiWeb Cloud)
Per-application monthly rate, often listed on a cloud marketplace. FortiWeb Cloud at $0.03/hour per app (~$21.90/mo base) plus $0.40/GB traffic. Predictable per-app; the bandwidth line is the variable cost. Barracuda WAF-as-a-Service is also per-app in shape but is configurator-quoted with no published rate card, so we classify it under model 5 (quote-only) below.
4. Per-hour + per-CU (Azure Application Gateway WAF v2)
The outlier. Azure Application Gateway WAF v2 bills by gateway-hour ($0.443) and capacity-unit-hour ($0.0144). Not per-request. Suits per-VNet ingress workloads where the gateway is always-on; can run materially more expensive than per-request at low traffic.
5. Quote-only (Akamai, Imperva, F5, Fastly, Barracuda, Radware, Wallarm)
Seven of fourteen vendors. Named-account sales motion, custom contract, no published rate. See the quote-only vendors page for the discovery-call framework.
Decision tree: which model wins for which traffic profile
- Single small site (under 10M req/mo): flat-plan wins. Cloudflare Free or Sucuri at $9.99/mo.
- Mid traffic, AWS-hosted (10-200M req/mo): per-request wins. AWS WAF $5 + $0.60/M scales cleanly.
- Mid traffic, multi-cloud (10-200M req/mo): flat-plan wins. Cloudflare Business $200-250/mo flat.
- High traffic (1B+ req/mo): per-request math dominates; AWS WAF or Cloud Armor with reserved-volume negotiation.
- Fixed app count, predictable bandwidth: per-app wins. FortiWeb Cloud at ~$21.90/app + $0.40/GB.
- Enterprise with bot-management depth required: quote-only wins. Imperva, Akamai, or Cloudflare Enterprise.
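The decision tree above can be checked against the list rates quoted on this page. The following is an added example, not from the original page or any vendor: function names are hypothetical, per-rule fees are left out because the page gives no rate for them, the 730-hour month is inferred from the $0.03/hour ≈ $21.90/mo figure, and the traffic profiles (including the capacity-unit counts) are constructed.

```python
# Added example: monthly cost under the four published-rate models, using only
# the list rates quoted on this page. Function names are hypothetical.
HOURS_PER_MONTH = 730  # assumption: matches $0.03/hour ~= $21.90/mo above


def per_request(million_req, base=5.00, per_million=0.60):
    """AWS WAF shape: base fee plus per-million-request rate (rule fees omitted)."""
    return round(base + per_million * million_req, 2)


def per_app(apps, traffic_gb, hourly=0.03, per_gb=0.40):
    """FortiWeb Cloud shape: hourly per-app rate plus bandwidth."""
    return round(apps * hourly * HOURS_PER_MONTH + per_gb * traffic_gb, 2)


def per_hour_cu(capacity_units, gateway_hour=0.443, cu_hour=0.0144):
    """Azure Application Gateway WAF v2 shape: gateway-hour plus CU-hour."""
    return round((gateway_hour + cu_hour * capacity_units) * HOURS_PER_MONTH, 2)


def breakeven_million_req(flat_monthly, base=5.00, per_million=0.60):
    """Request volume (millions/mo) above which a flat plan beats per-request."""
    return round((flat_monthly - base) / per_million, 2)


def compare(million_req, apps, traffic_gb, capacity_units, flat_monthly=200.00):
    """Return (model, monthly USD) pairs, cheapest first."""
    costs = {
        "per-request": per_request(million_req),
        "flat-plan": round(flat_monthly, 2),
        "per-app": per_app(apps, traffic_gb),
        "per-hour+CU": per_hour_cu(capacity_units),
    }
    return sorted(costs.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    # Constructed profiles: a steady month and the same site during an attack.
    profiles = {
        "steady": dict(million_req=50, apps=1, traffic_gb=500, capacity_units=2),
        "attack": dict(million_req=500, apps=1, traffic_gb=5000, capacity_units=10),
    }
    for name, profile in profiles.items():
        print(name, compare(**profile))
    print("flat $200 beats per-request above", breakeven_million_req(200), "M req/mo")
```

With these rates the $200 flat plan only overtakes per-request pricing above 325M requests a month, which is why a tenfold attack-month spike flips the ranking for the constructed 50M-request site.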
Related reading
See the bot management cost page for the cross-vendor add-on math, the hidden costs page for the line items beyond list rate, and the cost by organisation size page for the buyer-size-fit decision.