App and API protection

App and API protection you’ll want to use


Traditional web application firewalls (WAF) rely on regular expression pattern matching rules. They’re difficult to manage and require never-ending rules tuning to eliminate false positives that can block legitimate traffic. Fastly’s next-gen WAF (formerly Signal Sciences) leverages a fundamentally different approach that effectively detects and blocks malicious traffic without rules tuning.

Effective protection for any environment

Our web app and API protection solution deploys quickly and provides visibility everywhere your apps operate. Our protection is so reliable 90%+ of customers use it in full blocking mode. It’s easy to set up and integrates with the DevOps and security tooling your team is already using.



Seriously useful security

Defeat advanced threats

Get protection that goes beyond OWASP Top 10 injection-style web attacks. Gain coverage against advanced threats including account takeover (ATO) via credential stuffing, malicious bots, API abuse and more—all in one solution.

Fast time-to-value

Unlike traditional web application firewalls, our next-gen WAF deploys in hours, not weeks or months, and you won’t pay extra managed services fees for rules tuning or ongoing maintenance.

Protection everywhere your apps operate

Designed to offer maximum deployment flexibility, our WAF installs via an agent-module software pair or as a Cloud WAF that requires no software installation. Our flexible architecture means you get protection anywhere in your technology stack, whether in cloud (including containers), on-prem, or hybrid environments.

Visibility for faster remediation  

Reporting and alerting feedback loops provide Layer 7 visibility across your entire app and API footprint. Integrations with DevOps and security toolchains empower teams to make decisions from the same baseline of security data provided via alerts, our API or management console.


Trusted by security and DevOps teams

Watch our video to learn more about why companies are leaving their outdated security tools behind and are relying on the Fastly Next-Gen WAF to protect their website, apps, and APIs.


Security problems we solve

Account Takeover (ATO)

We block account takeover attacks by inspecting web requests and correlating anomalous activity with malicious intent.

API Abuse

We stop API abuse by monitoring for unexpected values and parameters submitted by endpoints and blocking unauthorized requests.

Malicious Bots

Our platform leverages signals that detect malicious behavior patterns to classify bot traffic and separate the bad bots from the benign.

Partner API Misuse

We prevent partners from overwhelming your critical API endpoints by monitoring and thresholding API request volumes on our console. 

Abusive, Disallowed Traffic Sources

Our web app protection platform enables customers to block requests from IP addresses identified with malicious traffic, such as those in sanctioned nations or regulated countries.

Application Denial of Service

Our advanced rate limiting features allow you to block app and API-based DoS attacks with app-specific custom rules.

Don’t take our word for it

Our customers repeatedly point to our superior technical efficacy and customer support. That’s why we’ve received the Gartner Peer Insights Customers’ Choice distinction three years in a row.


2019 + 2020 + 2021

DDoS Protection
Rate Limiting
API Protection
Next-gen WAF
Bot Mitigation
ATO Protection

Comprehensive protection

Our unified security solution detects and prevents OWASP injection and advanced attacks targeting your apps and APIs. 

Built for rapid deployment in any infrastructure

Our SaaS solution can be deployed in cloud, on-premises, or hybrid environments. Key components of our technical solution include:

Flexible agent-module deployment

Agent and optional module software installs on your infrastructure where traffic needs to be inspected prior to reaching app and API origins.

No agent-install with Cloud WAF

Instead of deploying software, we can host the agent for you: all web requests are redirected to our Cloud Engine for detection and blocking.

Cloud Engine

The agent collects metadata about the malicious requests it has processed and shares that metadata with our Cloud Engine, which performs additional analysis for more aggressive blocking.

Kubernetes and service mesh deployment

Our native integrations with Kubernetes, Envoy Proxy and Istio provide visibility into both north-south (client-server) and east-west (service to service) requests.

Application and API Security Features

Unified management console
API Dashboards
ATO Dashboards
Alerts, reports and metrics
Advanced Protection
Bot Protection
Advanced Rate Limiting
Application Layer DDoS
Network Learning Exchange (NLX)
Easy-to-use Rule Builder
Flexible deployment
100+ Cloud Native and Datacenter Integrations
Deploy in cloud, on-prem, or hybrid
Terraform integration

Professional services

From initial deployment to 24/7 expert response, our Customer Security Operations Center (CSOC) and team of application security experts—technical account managers (TAM)—are here to help at every step. We offer:
