Independent reference. Not affiliated with any vendor on this site.
Buying guide

WAF cost by organisation size: startup to enterprise

Buyer size predicts the right WAF tier more reliably than traffic volume. A 10-person startup with 200M req/mo of cached static content needs less WAF than a 50-person SaaS with 20M req/mo of authenticated API. Size bands and vendor mapping below.

Last verified June 2026

At a glance: 5 size bands; monthly cost range $0-$50K+; actual cost drivers: traffic + risk; 14 vendors mapped.

Startup: $0-$50 per month

One to five sites, single-region, low-to-no compliance load. Cloudflare Free covers WAF + CDN + DNS at $0 with basic managed rules. Sucuri Basic Firewall at $9.99/mo per site adds CDN, malware scan, and the malware-cleanup safety net. Skip enterprise vendors entirely; they will not engage at this size and the contract overhead is not justified.

SMB: $50-$500 per month

Five to fifty sites or apps, single-region or limited multi-region, light compliance (PCI DSS SAQ-A or similar). Cloudflare Pro ($20-25/mo per zone) or Business ($200-250/mo) for the bundle; AWS WAF at $5 per web ACL plus $0.60 per million requests for AWS-hosted apps. Sucuri Pro Firewall ($19.98/mo per site) for WordPress estates. Cloud Armor Standard for GCP-hosted apps.

Mid-market: $500-$5,000 per month

50-500 employees, adjacent to a regulated industry, multi-region traffic, a real bot-management need. AWS WAF at scale with Bot Control. Cloudflare Business at scale or entry-level Enterprise. Azure WAF on Front Door Premium. Cloud Armor Enterprise Paygo or Annual. Imperva and Akamai begin to appear on the shortlist but typically lose to the cloud-native option on price.

Enterprise band (quote-only vendors)

500-5,000 employees, regulated (financial, healthcare, retail), multi-region, multi-property, dedicated security team. Cloudflare Enterprise, Imperva Cloud WAF, F5 Distributed Cloud WAAP, Akamai App & API Protector, Fastly Next-Gen WAF. All quote-only at this tier; expect 4-12 weeks of RFP-to-cutover. The decision is rarely about the WAF SKU price; it is about the bundle (bot, API, DDoS) and the support model. We do not attach a dollar band to these vendor names; see the quote-only vendors page for why and for the discovery-call framework.

Large enterprise band (multi-vendor, quote-only)

5,000+ employees, multi-vendor by design, often multi-cloud. Typically running two WAF vendors in different layers: one at the edge (Cloudflare Enterprise or Akamai) and one per VNet or per app (Imperva, F5, or each cloud's native WAF). At this tier the WAF line item sits below the bot-management and API-protection lines on the contract. All deployments at this size are quote-only; we do not publish a combined-spend figure.

Step 1. Map the workload
Sites, apps, APIs, request volume, geographic spread, compliance load.

Step 2. Pick the band
Match the size profile above to one of the five bands. Do not over-buy.

Step 3. Shortlist 2-3 vendors
From the band, not from the next band up. Enterprise vendors do not engage at SMB scale and SMB vendors do not scale to enterprise.

Step 4. Run a real RFP
Same workload, same scoping, same add-on list at every vendor. Especially important for the quote-only tier.

Related reading

See the pricing models page for the matching of model-to-workload, the WAF ROI page for the business case framework, and the hidden costs page for the bill-beyond-list-rate analysis.