Gartner Blog Network


Gartner’s First Ever Web App Firewall Magic Quadrant Just Published

by Adam Hils  |  June 17, 2014  |  4 Comments

Color me excited.

Jeremy D’Hoinne, with co-authors Greg Young, Joseph Feiman (and me), has just put out Gartner’s first MQ for WAF.

It was a gargantuan effort to describe a space with several different delivery models: standalone appliance/software, cloud-delivered, public cloud-resident, managed security service, and ADC-based. It’s a dynamic, fast-growing market (30%+ this year, 20% five-year CAGR) that these days does much more for customers than merely supply a PCI DSS check mark.

This note follows one Jeremy and I authored earlier this year, entitled “Web Application Firewalls Are Worth the Investment for Enterprises”. In it we make the case that WAFs provide an important layer of protection – especially for public-facing web apps – that NGFWs and IPSs absolutely do not.

Look for more from Gartner on the subject of WAF in the coming months.


Adam Hils
Research Director
9 years at Gartner
22 years IT Industry

Adam Hils is a Research Director with Gartner Research. He covers network security, including intrusion prevention systems (IPS), enterprise firewalls and UTMs. In addition, Mr. Hils provides advice to budget-constrained midsize enterprises about prioritizing security investments.


Thoughts on Gartner’s First Ever Web App Firewall Magic Quadrant Just Published


  1. […] Source: Gartner's First Ever Web App Firewall Magic Quadrant Just Published […]

  2. Arian Evans says:

    Awesome. Really looking forward to getting my hands on this. More questions after I get to read it!

  3. Adam Hils says:

    Ask away, Arian. WAF is an extremely dynamic area these days – generating growing amounts of questions from Gartner’s clients.

  4. Colin Watson says:

    WAFs can also be used as externalised detection points for application-specific attack detection, or to perform some of the responses once an attack has been determined by the application. See OWASP AppSensor.


