Comparing prices for Web Application and API Protection (WAAP) solutions often feels like comparing apples to oranges… to Cybertrucks. Vendors often offer public pricing for their lower-tier offerings, but enterprise-class WAAP solutions involve complex, varied pricing models that make straightforward comparisons challenging.
This was evident to SecureIQLab this year in our attempts to create normalized pricing for the vendors tested in the 2024 WAAP 3.0 Public CyberRisk Validation, which we needed in order to calculate their Return on Security Investment (ROSI).
On more than one occasion, I spent hours on calls where the specifically stated agenda was to determine the pricing, only to end the call with no better understanding of the actual cost. Equally interesting occurrences were responses to pricing inquiries that were no more detailed than “pricing numbers from the last test were close enough.” But which numbers? Were the normalization criteria still accurate? Silence.
More interestingly, on one occasion, I met with the WAAP vendor’s CEO in person to request pricing information. At the end of the meeting, he shook my hand, looked me in the eyes, and told me he would provide me with pricing that evening. Nothing.
This guide will help you navigate these complexities when pricing out WAAP solutions. Enterprise feedback is welcome.
Key Pricing Models to Consider
When evaluating WAAP vendors, consider the following pricing models and watch for associated factors:
- SaaS vs. VM-Based Pricing
  - SaaS-Based: Typically involves a subscription fee that covers the use of the software as a service.
  - VM-Based: Requires CAPEX and additional infrastructure costs for hosting the virtual machines. Ensure these costs are included in your pricing assessment.
- Traffic Dependent
  - Pricing can vary based on the amount of traffic your application receives or generates, and on which traffic is counted: cached traffic, CDN-to-origin traffic, or client-to-CDN traffic. Higher traffic may lead to increased costs.
- Number of Authenticated Users
  - Some vendors charge based on the number of authenticated users accessing your application.
- Load Balancers
  - Costs may also depend on the number of load balancers utilized within your infrastructure.
- Good Requests per Month
  - The number of legitimate, non-malicious requests processed per month can impact pricing.
- Total Data per Month
  - Monthly data usage is another factor, particularly relevant for data-intensive applications.
  - One popular model is based on calculating the 95th percentile of bandwidth usage. This allows usage spikes that exceed the limits of the subscription for brief periods of time. This model is common with transit providers and with some CDNs, although many CDNs use an alternative cumulative model.
- Applications and Sites Protected
  - The number of applications and sites that need protection can influence the cost. More sites or applications typically mean higher costs.
- Hosts Protected
  - The number of hosts (computing machines participating in network communication, each associated with a unique identifier such as an underlying IP address) can influence cost. More hosts may mean higher costs.
- Instances Deployed
  - The number of instances of the WAAP solution deployed within your environment can also be a pricing factor.
- API Call Limits
  - Some WAAP solutions may price based on the number of API calls, which is particularly relevant for API-heavy applications.
- CDN Costs
  - Additional or hidden CDN costs may apply if the CDN is not part of the WAAP provider's default offer.
  - Cloud provider intra-region data transfer costs may apply. If your application server is deployed on AWS, Azure, OCI, or Google Cloud, you may be charged by that Cloud Service Provider for intra-region data transfer when a CDN is enabled.
- Online Retention
  - Make sure to understand the default online log retention period, volume, and the options available for extension.
- Cost of Renewal
  - What does the anticipated renewal look like? How long has the current pricing model been in place? How often does the vendor change its pricing model? Changes in price due to improvements in cybersecurity are justifiable. Does the vendor provide pricing that is predictable enough to use for practical budgeting purposes? This is a must-have conversation with the sales representative. Vague answers are telling.
- Paid Rule Groups
  - Some vendors offer free managed rule groups alongside additional paid rule groups that incur extra cost when enabled.
Important Considerations for Pricing Comparisons
When comparing WAAP solutions, it’s crucial to look beyond the base pricing models and consider additional factors:
- Add-Ons and Compliance Requirements
  - Identify any add-ons required to meet your security, regulatory, and risk requirements. These can significantly affect the overall cost.
- Handling Traffic Spikes
  - Understand how the vendor handles sudden spikes in traffic. Does the pricing model accommodate these without exorbitant fees?
- Traffic Sanitization
  - Ensure that traffic is sanitized of attacks, including DDoS attacks, before data or bandwidth rates are applied. This helps prevent unexpected charges caused by malicious traffic.
- PAYG Pricing Models
  - If using a Pay-As-You-Go (PAYG) pricing model, check whether you can set spending limits to avoid unexpected costs.
- Service Level Agreements (SLAs)
  - Review the vendor's SLAs and ensure they meet your performance and uptime requirements. This can affect the overall value of the pricing model.
  - Check that the SLA is binding, with financial penalties, for the time taken to mitigate attacks. A DDoS attack that requires 20 minutes to mitigate, when you are charged by volume per month, can greatly increase the monthly bill compared with a solution that mitigates the same attack within only a few seconds.
  - Support and help desk: are there different tiers, response times, and prices associated with the different levels of support?
- Scalability
  - Assess the scalability options of the WAAP solution. Ensure that the pricing model allows for growth in your application's user base and traffic without disproportionate cost increases.
- Availability
  - What is the availability of the WAAP solution in terms of resiliency and uptime?
- Custom Tuning Limits
  - The number of custom rules that can be used at no extra cost may be limited. If fine-tuning with custom rules is required to achieve the desired security posture, this may incur additional costs.
- Contracts
  - Moving from an annual contract to a multi-year contract, or to a multi-year contract with annual payments (MYCAP), may provide savings. For short-term projects, are multi-month contracts or no-contract pay-by-month options available?
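A worked example, added here and not part of the original post, of how the 95th-percentile and cumulative-data billing models described above react to DDoS traffic that reaches the billing meter for 20 minutes versus a few seconds (the SLA point above). The month of sample traffic, the 5-minute sampling interval and the 5 Gbps attack rate are constructed assumptions, not figures from any vendor.

```python
import math

SAMPLE_SECONDS = 300  # assumed 5-minute sampling interval
SAMPLES_PER_MONTH = 30 * 24 * 3600 // SAMPLE_SECONDS  # 8640 samples in a 30-day month

def baseline_month(base_mbps=100.0, peak_mbps=150.0):
    """Constructed month: flat base load with a two-hour daily peak (12:00-14:00)."""
    samples = []
    for i in range(SAMPLES_PER_MONTH):
        minute_of_day = (i * SAMPLE_SECONDS // 60) % 1440
        samples.append(peak_mbps if 720 <= minute_of_day < 840 else base_mbps)
    return samples

def inject_attack(samples, attack_mbps, unmitigated_seconds, start=1000):
    """Add attack traffic to the meter until mitigation completes. Each sample
    is the average rate over its window, so a few seconds of attack only
    raise one sample a little, while 20 minutes fill four samples entirely."""
    out = list(samples)
    remaining, i = unmitigated_seconds, start
    while remaining > 0:
        covered = min(remaining, SAMPLE_SECONDS)
        out[i] += attack_mbps * covered / SAMPLE_SECONDS
        remaining -= covered
        i += 1
    return out

def percentile95(samples):
    """Billable rate under the 95th-percentile model: the top 5% of samples are discarded."""
    s = sorted(samples)
    return s[math.ceil(0.95 * len(s)) - 1]

def cumulative_gb(samples):
    """Billable volume under the cumulative model (Mbps over each window -> GB)."""
    return sum(m * SAMPLE_SECONDS / 8 / 1000 for m in samples)

def absorbed_minutes_per_month():
    """Minutes of spikes per month the 95th-percentile model ignores before the bill moves."""
    return 0.05 * SAMPLES_PER_MONTH * SAMPLE_SECONDS / 60

def compare(attack_mbps=5000.0, slow_seconds=20 * 60, fast_seconds=5):
    """Clean month vs. 20-minute mitigation vs. 5-second mitigation, per billing model."""
    clean = baseline_month()
    slow = inject_attack(clean, attack_mbps, slow_seconds)
    fast = inject_attack(clean, attack_mbps, fast_seconds)
    return {
        "p95_mbps": (percentile95(clean), percentile95(slow), percentile95(fast)),
        "cumulative_gb": (cumulative_gb(clean), cumulative_gb(slow), cumulative_gb(fast)),
    }
```

With these inputs the 95th-percentile bill does not move at all for a 20-minute attack (the model discards about 36 hours of peaks per month), while the cumulative model bills 750 GB of attack traffic for the slow mitigation against roughly 3 GB for the fast one.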
Conclusion
While comparing WAAP pricing across different models can be challenging, focusing on the desired outcome of protection is crucial. Ensure that the chosen solution meets your security needs, handles traffic spikes effectively, includes all necessary add-ons, and meets your organization's SLA requirements. By concentrating on the overall protection and compliance requirements, you can make a more informed and effective decision for your organization's WAAP solution. The annual price of a solution is only one component of its Total Cost of Ownership (TCO). Organizations must also consider the costs associated with integrating the WAAP solution into their existing infrastructure and workflows. These can include setup fees, customization, and support costs. These are in addition to the operational costs that are associated with the operational efficiency of the solution, uniquely validated by SecureIQLab. Lastly, the false positive rate and security efficacy of the solution are crucial in determining the WAAP solution's TCO.
Challenges aside, there were vendors that had transparent pricing models. Others, while their pricing was not publicly available, were still quick to provide it and open about how it was determined. Some of these models were surprisingly simple. Consider this list of Key Pricing Models as a starting point.
For organizations that want to calculate the relative ROSI of WAAP solutions they have priced out, please use SecureIQLab’s ROSI calculator report here. Use of the calculator is complimentary. No data from the calculator is collected or stored by SecureIQLab.
David Ellis
VP of Research and Corporate Relations