Independent reference. Not affiliated with any vendor on this site.

WAF ROI: business case framework

The WAF business case is straightforward when it is grounded in a named dataset. Apply ROSI - Return on Security Investment - using the IBM 2025 Cost of a Data Breach Report's global average and the WAF's reduction in web-application-attack incident frequency. This page walks the framework.

Last verified June 2026

Headline figures (IBM Cost of a Data Breach Report 2025):
  Global average breach cost: $4.44M
  Healthcare-sector average breach cost: $7.42M
  Phishing-vector average breach cost: $4.80M
  Per-record PII cost: $160

The ROSI formula

Return on Security Investment is the standard framework for security spend that is preventative rather than revenue-generating. Conceptually:

ROSI = ((ALE x Mitigation %) - Cost of control) / Cost of control

ALE = Annualised Loss Expectancy (probability of a breach x cost of a breach).
Mitigation % = the fraction of that ALE the control removes.
Cost of control = the all-in WAF cost (subscription + implementation + tuning labour).

Anchor 1: cost of a breach

Use a named dataset. IBM's 2025 Cost of a Data Breach Report (the canonical industry reference, published annually since 2005) puts global average breach cost at $4.44 million, down from $4.88 million the year prior. Healthcare-sector breaches average $7.42 million. Phishing-vector breaches average $4.80 million. Per-record PII cost averages $160. These are the figures we cite; we do not invent ranges.

The global average cost of a data breach in 2025 declined to USD 4.44 million, marking the first decrease in five years.
IBM Cost of a Data Breach Report 2025, in collaboration with Ponemon Institute

Anchor 2: WAF impact on web-application-attack frequency

WAFs measurably reduce the frequency of successful web-application attacks. The honest position: we do not publish a fixed mitigation percentage because (a) it varies sharply by attack vector and rule-tuning maturity, and (b) anyone claiming a clean "X percent of breaches prevented" figure is over-claiming. Use a band you can defend in front of a CFO; we recommend a 10-30% reduction in web-application-attack-vector ALE for a properly tuned WAF, taking the low end of that band where tuning is immature. Note the scope: the fraction applies to the share of ALE that arrives through the web-application-attack vector, not to losses from vectors a WAF never sees (phishing, credential misuse, insider action).

Anchor 3: cost of control

Use the all-in number from the hidden costs page: subscription plus implementation plus year-one tuning labour. For a mid-market property using AWS WAF with Bot Control, this is roughly the $185/mo subscription + ~$15-50K year-one implementation + ~0.2 FTE tuning labour. For an enterprise property on Imperva or Akamai, it is a quote-only annual contract plus professional services plus internal labour.

Worked example (illustrative, not a real company)

Mid-market SaaS, illustrative ROSI
  1. Annualised Loss Expectancy (ALE): $444,000
     (10% probability of a breach in any year x $4.44M IBM global average)
  2. Mitigation fraction attributable to WAF (mid-band): 20%
  3. Loss avoided per year: $444,000 x 20% = $88,800
  4. All-in WAF cost per year (AWS WAF + Bot Control + tuning): $25,000
  5. Net benefit per year: $88,800 - $25,000 = $63,800
  ROSI (illustrative): $63,800 / $25,000 = ~255%
(illustrative example, not a real company). Inputs - probability, mitigation fraction, all-in cost - are scenario-dependent. For simplicity the 20% is applied to the whole ALE here; strictly, per Anchor 2, it applies only to the web-application-attack share of ALE, so a property whose expected losses come mostly through other vectors should scale the ALE down before applying it. The point is the framework, not the percentage.
Honesty rule
ROSI calculations are model-driven, not measured. They are useful for framing the spend, not for justifying a number to the dollar. Anyone presenting a ROSI calculation should be ready to talk about which inputs they chose and why, and what happens to the answer when the probability or mitigation assumption moves by half.
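The following calculator is an added example, not the page's own tool or any vendor's code. It carries the ROSI formula from above through the worked example and then does what the honesty rule asks for: it sweeps the probability and mitigation assumptions by a factor of one half and one and a half and reports how the answer moves, and it computes the break-even mitigation fraction. The scenario values are the page's illustrative ones; the function names, the input-range checks and the 0.5/1.0/1.5 sweep factors are this example's own choices.

```python
"""ROSI (Return on Security Investment) calculator with a sensitivity sweep.

Added example, not from the page or any vendor. Scenario values are the page's
illustrative mid-market case (10% annual breach probability, IBM 2025 global
average of $4.44M, 20% mitigation, $25,000 all-in WAF cost); the function names,
range checks and 0.5/1.0/1.5 sweep factors are this example's own choices.
"""
from dataclasses import dataclass

IBM_2025_GLOBAL_AVG_BREACH_COST_USD = 4_440_000.0


@dataclass(frozen=True)
class RosiInputs:
    breach_probability: float   # annual probability of a breach, 0..1
    breach_cost_usd: float      # cost of one breach, from a named dataset
    mitigation_fraction: float  # share of ALE the WAF removes, 0..1
    control_cost_usd: float     # all-in annual cost: subscription + implementation + tuning

    def __post_init__(self) -> None:
        # Reject inputs that make the model meaningless before anyone quotes a number.
        if not 0.0 <= self.breach_probability <= 1.0:
            raise ValueError("breach_probability must be in [0, 1]")
        if not 0.0 <= self.mitigation_fraction <= 1.0:
            raise ValueError("mitigation_fraction must be in [0, 1]")
        if self.breach_cost_usd < 0 or self.control_cost_usd <= 0:
            raise ValueError("breach_cost_usd must be >= 0 and control_cost_usd > 0")


def ale(i: RosiInputs) -> float:
    """Annualised Loss Expectancy = probability of a breach x cost of a breach."""
    return i.breach_probability * i.breach_cost_usd


def loss_avoided(i: RosiInputs) -> float:
    """ALE x mitigation fraction: the part of expected loss the control removes."""
    return ale(i) * i.mitigation_fraction


def net_benefit(i: RosiInputs) -> float:
    return loss_avoided(i) - i.control_cost_usd


def rosi(i: RosiInputs) -> float:
    """ROSI = ((ALE x Mitigation %) - Cost of control) / Cost of control, as a ratio (2.55 = 255%)."""
    return net_benefit(i) / i.control_cost_usd


def breakeven_mitigation(i: RosiInputs) -> float:
    """Smallest mitigation fraction at which the control pays for itself (ROSI = 0)."""
    return i.control_cost_usd / ale(i)


def sensitivity(i: RosiInputs, factors=(0.5, 1.0, 1.5)) -> dict[tuple[float, float], float]:
    """ROSI for every combination of scaling the probability and mitigation assumptions.

    Keys are (probability_factor, mitigation_factor); (0.5, 1.0) answers
    "what if the breach probability is half what we assumed?".
    """
    out: dict[tuple[float, float], float] = {}
    for pf in factors:
        for mf in factors:
            scaled = RosiInputs(
                breach_probability=min(1.0, i.breach_probability * pf),
                breach_cost_usd=i.breach_cost_usd,
                mitigation_fraction=min(1.0, i.mitigation_fraction * mf),
                control_cost_usd=i.control_cost_usd,
            )
            out[(pf, mf)] = rosi(scaled)
    return out


# The page's illustrative scenario (not a real company).
PAGE_SCENARIO = RosiInputs(
    breach_probability=0.10,
    breach_cost_usd=IBM_2025_GLOBAL_AVG_BREACH_COST_USD,
    mitigation_fraction=0.20,
    control_cost_usd=25_000.0,
)

if __name__ == "__main__":
    s = PAGE_SCENARIO
    print(f"ALE            ${ale(s):>12,.0f}")
    print(f"Loss avoided   ${loss_avoided(s):>12,.0f}")
    print(f"Net benefit    ${net_benefit(s):>12,.0f}")
    print(f"ROSI           {rosi(s):.1%}")
    print(f"Break-even mitigation fraction: {breakeven_mitigation(s):.1%}")
    print("\nSensitivity (rows: probability factor, cols: mitigation factor)")
    table = sensitivity(s)
    print("        " + "".join(f"{mf:>9.1f}x" for mf in (0.5, 1.0, 1.5)))
    for pf in (0.5, 1.0, 1.5):
        print(f"{pf:>6.1f}x " + "".join(f"{table[(pf, mf)]:>9.0%} " for mf in (0.5, 1.0, 1.5)))
```

Halving either the probability or the mitigation assumption on the page's scenario drops ROSI from about 255% to about 78%; halving both turns it negative, which is exactly the conversation the honesty rule says a presenter should be ready for. The break-even line (control cost divided by ALE) is often the more defensible number to put in front of a CFO than the headline ROSI.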

Related reading

See the PCI DSS WAF page for the compliance-mandated WAF case (where ROSI is irrelevant; the WAF is mandatory), and the sister sites below for adjacent security-stack budget context.
