waf pricing 2026: list rates, quote-only vendors, and real bills
Side-by-side WAF pricing taken straight from each vendor's own pricing page. AWS WAF starts at $5/web-ACL, Cloudflare WAF is free on the entry plan, Cloud Armor charges $5/policy. Seven of the fourteen named vendors refuse to publish list pricing and are honestly labelled quote-only, not guessed at.
Last verified June 2026
Vendor matrix
Fourteen vendors compared. Six publish a list rate that lets you assemble a real bill: AWS WAF, Cloudflare WAF, Azure WAF, Google Cloud Armor, Sucuri, and Fortinet FortiWeb Cloud (per-hour-per-app via AWS Marketplace). The remaining seven are quote-only. StackPath shut down in June 2024 and is included as a retired entry for buyers still searching for it.
| Vendor | Model | Cheapest published rate | Bot mgmt | Status |
|---|---|---|---|---|
| AWS WAF | Per web-ACL + per rule + per million requests | $5.00 per web-ACL per month | Add-on | Active |
| Cloudflare WAF | Flat monthly plan, WAF included on every paid tier | Free plan, WAF rules included | Add-on | Active |
| Akamai App & API Protector | Quote only, annual contract | Quote only | Add-on | Quote only |
| Imperva Cloud WAF | Quote only, per-site or per-application | Quote only | Add-on | Quote only |
| F5 Distributed Cloud WAAP | Quote only, per-app or per-bandwidth subscription | Quote only | Add-on | Quote only |
| Fastly Next-Gen WAF | Three security packages, all priced quote-only | Quote only | Add-on | Quote only |
| Azure WAF (Front Door) | Per policy + per rule + per million requests | $5.00 per policy per month (Front Door Premium managed rules) | Add-on | Active |
| Google Cloud Armor | Standard (per policy + per rule + per request) or Enterprise subscription | $5.00 per policy per month (Standard) | Add-on | Active |
| Barracuda WAF-as-a-Service | Per-app subscription, quoted via Build and Price | Quote only | Add-on | Quote only |
| Radware Cloud WAF | Quote only, per-application subscription | Quote only | Add-on | Quote only |
| Wallarm API & App Security | Quote only, subscription tied to API calls + applications | Quote only | Add-on | Quote only |
| Sucuri WAF | Annual plan, WAF + CDN bundled | $9.99 per month (Basic Firewall + CDN) | No | Active |
| StackPath WAF | Discontinued, all services shut down June 2024 | Quote only | No | Retired |
| Fortinet FortiWeb Cloud | AWS Marketplace per-hour per app + per-GB traffic | $0.03 per hour per app, approx $21.90 per app per month | Add-on | Active |
Realistic-workload cost comparison
Below: estimated monthly WAF cost across the published-rate vendors for a fixed workload (illustrative example, not a real company). Move the sliders to fit your own profile. Quote-only vendors return Quote only, never an invented number.
Inputs feed each vendor's published rate card. Quote-only vendors return Quote only, never an invented number.
| Vendor | Estimated monthly cost | Breakdown |
|---|---|---|
| Sucuri WAF | $19.98 | Pro Firewall $19.98/mo per site x 1 |
| Fortinet FortiWeb Cloud | $21.90 | $0.03/hr x 730hr x 1 app(s) = $21.90. Add $0.40/GB traffic on top, depends on workload. |
| Google Cloud Armor | $90.00 | Standard global: $5/policy + 10 rules x $1 + 100M x $0.75, x 1 policy(ies) |
| Azure WAF (Front Door) | $125 | Front Door Premium managed: $5/policy + $20/mo + 100M x $1, x 1 app(s) |
| AWS WAF | $185 | $5/web-ACL + 10 rules x $1 + 100M x $0.60 + Bot Control $10/web-ACL + per-request rule-group fee, x 1 app(s) |
| Cloudflare WAF | Quote only | Bot Management is an Enterprise add-on, quote only. Refusing to invent a rate. |
| Akamai App & API Protector | Quote only | Quote only, contact vendor |
| Imperva Cloud WAF | Quote only | Quote only, contact vendor |
| F5 Distributed Cloud WAAP | Quote only | Quote only, contact vendor |
| Fastly Next-Gen WAF | Quote only | Quote only, contact vendor |
| Barracuda WAF-as-a-Service | Quote only | Quote only, contact vendor |
| Radware Cloud WAF | Quote only | Quote only, contact vendor |
| Wallarm API & App Security | Quote only | Quote only, contact vendor |
| StackPath WAF | Quote only | Quote only, contact vendor |
Illustrative estimate, not a quote. Real bills include log ingestion, egress, professional services and contract discounts. See /hidden-costs.
What this site does differently
- Every numeric claim links back to a dated vendor pricing page, marketplace listing, or anonymised buyer-shared quote.
- Quote-only vendors flagged on every page they appear on. We never compute a per-request rate by dividing a leaked enterprise total.
- Add-on pricing (bot management, API protection, log ingestion) treated as separate line items, not buried in the headline.
- No affiliate links. No sponsored placements. No reseller relationships with any vendor listed.
- Every page footer carries the verified-on date. Re-verification cadence is quarterly minimum.
Why we built this
WAF is one of the most opaque pricing categories in security software. AWS and Cloudflare publish per-request and per-rule pricing but bury the real bill behind bot-management add-ons and Enterprise tiers. Imperva and F5 are quote-only with no list pricing. Akamai routes everything through sales. Fortinet FortiWeb Cloud changes its per-app price depending on which marketplace listing you land on. Buyers comparing three or four vendors have to assemble pricing from PDFs, partner forums, Reddit threads, and account-rep emails. This site does that assembly once, in public, with sources.
Common questions
Related independent pricing references
wafpricing.com is part of a network of independent pricing sites for security and infrastructure products. Same methodology, no cross-vendor revenue.
Related independent pricing sites
Same author, same methodology. No affiliate relationship with any vendor mentioned.