Wallarm is a Next Gen WAF with hybrid architecture uniquely suited for cloud applications. It applies machine learning to traffic to adaptively generate security rules and verifies the impact of malicious payloads in real time. Wallarm is ideal for DevOps and security professionals looking for a security solution to protect their modern web applications and APIs from OWASP Top 10 attacks and malicious bots.

Wallarm products have many deployment options for a simple installation process. Wallarm hybrid architecture makes it easily installable in either on-premises or cloud environments.


Signature-free WAF
Use machine-learning to derive API and app logic from HTTP traffic.
Statistical analysis to find abnormalities in data and user behavior instead of signatures.
Use “hacker-intelligence”. Generate security rules from malicious activities seen anywhere by Wallarm Cloud.

Low false positives
Blocking rules are customized for every protected application and API
Automatic security rules are updated after every application release.

Keeps traffic inside customer’s infrastructure.
Operates at the speed of load-balancer.
Automatically discovers cloud-facing services (discover phase).

Selective blocking
Block a single compromised API call/request – not the entire IP address.

Threat verification
Active vulnerability detection:
Detected attacks are replayed against the application to validate potential vulnerabilities that might result in exploits.
Passive vulnerability detection: Application responses are monitored for abnormalities.


Enterprise-Grade Web Application Firewall

Instant protection against SQL injection, cross-site scripting, illegal resource access, remote code execution, remote file inclusion and other OWASP Top-10 threats. Granular blocking on API level minimizes impact on legitimate traffic.

Adaptive Security Rules defined by Machine Learning

Wallarm continuously analyzes stateless web application and API traffic to profile application protocols, API logic, data boundaries and user behavior. These profiles allow Wallarm to detect anomalies in application requests or payloads and automatically flag them. Applications evolve over time, so do the profiles. Wallarm security rules evolve with the applications.

Minimal False Positives

Unlike signature-based WAFs, security rules used by Wallarm are derived specifically for the application under protection and supplemented from the Wallarm knowledge base of applications with similar profiles. Wallarm continuously updates security rules, thus minimizing false-positives and insuring your application is protected even when the environment or the application itself changes.


Protecting from botnets and password reuse

Bots are tiny automated agents that run on other people’s computers and devices without the owner knowing it is happening. A typical botnet credentials attack can include as many as 25K-100K agents or bots.

A successful attack can inflict material damage on the affected company or service. One of the more frequent targets of botnet attacks is credentials stuffing – attempting to re-use credentials stolen from other services to access the application.

While the fundamentals of credentials stuffing are well known to security and operational professionals, stopping it is not an easy matter.

  • In many cases (as much as 90%) attackers tend to run credential stuffing attacks against APIs for mobile clients, where common prevention methods such as CAPTCHA are difficult to implement
  • Botnet driven attacks are so massive (it can take as many as 100k IPs botnet network proxies) they often result in DoS, Especially if company user authentication is somehow connected to additional software (e.g. CRM).
  • Unlike traditional password bruteforce, credentials stuffing attacks are fast: even one or two seconds window is enough to make dozens of attempts. This speed of attack is no match to typical home-grown methods of defense such as limiting request-rate, fail2ban scripts and such.

Wallarm tracks attempts and exports usernames likely to be compromised to customer’s anti-fraud team. To achieve almost instant protection, Wallarm also exports suspicious IP addresses to the perimeter firewall. Beyond immediate credentials security, Wallarm’s ability to distinguish a human actor from a bot without CAPTCHA dramatically improves user sign-in experience and user retention.


What’s a vulnerability

Security vulnerability is a flaw in one of the software components or infrastructure configurations which can be exploited by an attacker to get access to sensitive data, obtain unauthorized service or corrupt the system. The process of discovering, classifying and mitigating vulnerabilities is called vulnerability management. There are many dedicated tools, whose purpose it is to periodically scan for vulnerabilities, for example, as part of penetration testing. However, very few of these tools implement on-going vulnerability management.

Wallarm Active Vulnerability Detection

Active scanning for vulnerabilities is what allows Wallarm to provide the level of application security above and beyond most WAF solutions.

Wallarm active vulnerability scanner relies on the application profile and structure that is derived by machine learning / AI from the analysis of the application traffic. This approach allows Wallarm to forgo crawling. It provides broader coverage and is lighter weight than simulating a browser and attempting to discover every part of the application logic.

Wallarm Passive Vulnerability Detection

In many cases, understanding of traffic patterns and application profiles is sufficient to detect a possible vulnerability. A good example is a path traversal attack attempting to read /etc/passwd file and actually getting access to this file’s content. Wallarm compares attack vectors in http requests with notable features of http responses while monitoring application http traffic.


Network discovery

Understanding network perimeter and assets that are visible to the outside world is critical to strong security practices. As companies develop, new deployments arise, driven by M&A processes or shadow IT. A number of exposed assets keep growing while management of these assets is not always adequate. These assets can be both internal within multiple company datacenters and external located at an external hosting providers or just an application service used by marketing.

Attackers look for the “weakest link” – least protected resource on the corporate perimeter, thus finding a foothold to start an attack on the entire domain, particularly if they are able to intercept a domain authentication cookie or a certificate.

Wallarm utilizes many techniques commonly used by experienced auditors and pen testers, including dictionary domain scanning, regular and reverse DNS lookup, search engines indexes and search across various public sources. Once the IP address are determined, Wallarm continues the discovery process with port scanning and detecting services that are accessible on those ports.

As a result of perimeter scanning, Wallarm generates a map of domains and IP addresses of all the assets, including on-line services under the same domain accessible from the internet.


Aggressive Internet Environment

Detecting attacks is only the first phase of Wallarm’s security service. To figure out which attacks can result in actual exploits, Wallarm actively replays attacks against the application.

The effect is that the attacker’s own “hacker intelligence” provides the needed “know how” to find the vulnerability in the application and understand which attacks can in fact result in security incidents.

When replaying attacks, Wallarm always uses anonymous sessions, making sure to negate Cookie, Basic auth and API keys to avoid negatively affecting the application. Attack vectors are sanitized to remove potentially dangerous instructions and exploits, to ensure the application function is not compromised.

To further characterize the attack, Wallarm analyzes attack’s nature and character, not just their sources. We detect if the attacker has changed his IP addresses but continues the same attack. We see if a scanner uses a distributed network with multiple external addresses. To account for this, we have developed an aggregated metric, which helps to correlate attacks with the respective business risks. To quantify this risk, Wallarm uses “cost of attack” metrics. Attacks with a higher ‘cost of attack’ need to be addressed first.


Payment, Financial, Health and other industry requirements

Many of the industry compliance standards such as HIPAA, SOX, NIST, GDPR and others call for best practices in securing the application stack, including transmitted data and the application logic. Run-time application security is key to complying with such requirements.

Some of the compliance requirements are more general and require interpretation by security auditors. In the case of web application firewalls, the compliance requirement is best articulated in PCI 3.0 6.6:

“Inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) that is used to transmit data to or from a web application, when such protocols or data are not otherwise inspected at another point in the message flow.”

Wallarm’s ability to inspect nested protocols and understand underlying data structure makes Wallarm a natural choice to satisfy this requirement in payment, eCommerce and financial applications without additional compensating controls.