Imperva Incapsula WAF & CDN Review

by Sunny Hoi

What Is Imperva Incapsula?

Imperva Incapsula is a security-oriented CDN that provides industry-leading web application security and DDoS mitigation to assist customers in protecting their data, preventing exploitation of application vulnerabilities, mitigating DDoS attacks, and thwarting stealthy employee account takeovers using multi-layered security measures like two-factor authentication and whitelisting/blacklisting.

The Incapsula service is deployed globally by the world’s most security-vigilant enterprises, notably government organizations and financial institutions.

NOTE: This is an affiliated review. I have personally deployed, set up, and managed the Incapsula service on my website. Incapsula is one of the many WAFs I have used and one of the few that meets my stringent standards. It’s a product I genuinely enjoy using because it primarily provides strong protection against web application attacks and DDoS attacks while also boosting the site’s performance. I did not get paid by Imperva to write this review. I only recommend products that not only have I used but also believe will add value to my readers and have met my exceedingly high standards. Yes, I can be hard to satisfy at times. If you click on the affiliate links in this review and purchase one of the plans offered by Imperva, I will gain a small commission.

Imperva Incapsula is deployed predominantly in blocking mode while simultaneously holding the capability of excluding false positives thanks to dynamic profiling and application-conscious mechanics. Accessing the Incapsula GUI is done via the online Management Console accessible from a web browser. Incapsula’s WAF security service is packaged with a speedy CDN and DDoS mitigation capabilities.

In this WAF review, I will go through the following:

  • Briefly state the features of Imperva Incapsula
  • Elaborate on what the highlights of Incapsula are from my perspective.
  • Whether there were any issues with the Incapsula service
  • Potential Limitations
  • Modifying Incapsula WAF default threat responses to better align with the customer’s security agenda.
  • Security Advantage When Incapsula Is Implemented And Properly Configured
  • Recommendations

At the end of this review, you’ll recognize that Incapsula provides:

  1. Convenience
  2. Market-leading Application Security Protection
  3. Scalability
  4. Low Cost


  • Cloud-based managed security CDN solution permits quick deployment without any hardware or software changes.
  • Protects against every OWASP Top 10 threat such as SQLi, XSS, RFI, and Illegal Resource Access.
  • Shields web properties from millions of application layer attacks a day.
  • Gartner Magic Quadrant Leader Quality WAF.
  • WAF is PCI-certified, providing PCI-DSS compliance (PCI DSS 6.6).
  • Provides PCI compliance reports which examine security rule configuration alterations and sporadically delineates a website’s compliance with PCI 6.6 requirements.
  • Virtual Patching. Incapsula applies patches in the cloud, hence provides time to update applications.
  • Exerts effective security rules to actively rectify recognized vulnerabilities of all prevalent content management systems and website stacks using a unique database.
  • Advanced Bad Bot Mitigation.
  • DDoS Mitigation.
  • Load balancing.
  • Can be used as part of a Hybrid Cloud/On-Premise WAF setup. Complements Imperva SecureSphere (On-premise solution).
  • Flexibility in customizing settings, easy to use GUI and API.
  • Permits Two-Factor Authentication (2FA) via email, SMS, or Google Authenticator on sites/web applications without the need to code.
  • IP whitelisting / blacklisting.
  • Significant performance boost from CDN caching and global proxy.
  • WAF policies are managed and tuned by expert Incapsula security engineers.
  • Provides ability to detect backdoor web shells.
  • Defeats Advanced Persistent Threats (APT).
  • Supports SIEM Integration.
  • Ability to craft custom security rules with IncapRules. Can employ an enterprise’s security policy within Incapsula’s WAF via configuration of a diversity of rule triggers and implementing distinctive rule actions.
  • Provides option to supersede all default security rules with custom whitelisting policies.

Highlights Of Imperva Incapsula

This section is separated into the key areas that Incapsula shines in:

  • Low Cost Of Ownership / Gartner Magic Quadrant Leader
  • Advanced Bad Bot Mitigation
  • Always Up-To-Date Signatures Protects Against Recent, New, And Emergent Threats
  • Unique Data Collected From Wide Range Of Customers To Enhance Incapsula Service
  • Advanced Persistent Threat Protection
  • Ability To Use Incapsula With Other CDNs
  • Performance Boost
  • Activation Only Requires DNS Change

Low Cost Of Ownership / Gartner Magic Quadrant Leader

Compared to other cloud-based WAFs, Imperva Incapsula is significantly cheaper than big competitors in the WAF market today, notably the two newcomers in Leaders of Gartner Magic Quadrant for Web Application Firewalls: Akamai and F5.

For instance, a 1-year subscription for the F5 Silverline cloud-based security platform is drastically more expensive, at approximately $12,000. (The price will likely differ depending on the quantity of clean traffic a client uses.) The Akamai Kona DDoS service could cost approximately $7000 annually. Unsurprisingly, the two vendors’ emphasis on the enterprise market yields significantly higher costs, putting them out of reach for small to medium businesses.

By contrast, Incapsula’s affordability and flexibility in costs and features allow smaller businesses to benefit from enterprise-level security and be PCI-compliant without incurring significant costs of ownership or sacrificing the quality of service. There are currently 4 Incapsula plans: Free, Pro ($59 per site / month), Business ($299 per site / month), and Enterprise (Contact Incapsula for a quote and free trial). Incapsula paid plans all come with free trials which are not merely risk-free, but also provide you enough time to determine whether their services meet your criteria and expectations. Check out their plans here.

The big advantage of the low total cost of ownership for Incapsula is that it offers stellar WAF protection for your public-facing web applications and web servers. Imperva has been a leader in Gartner Magic Quadrant for four consecutive years.

Only the latest 2017 Gartner report promotes F5 and Akamai to the Leaders Quadrant, where Imperva has been sitting alone for a long time.


Incapsula’s Web Application Firewall threat discovery patterns supplement Imperva’s immense experience and top-notch cybersecurity capabilities. Being the market leader in the WAF market for many years certainly helped. Hence, Imperva has always been and continues to be regarded as the leader for WAFs, including cloud security.

Advanced Bad Bot Mitigation

Incapsula possesses a unique database that has millions of browser and bot signature variants, and the service comprises client classification technology, permitting precise identification of the majority of bots while also restricting malicious bots from going to the customer’s site.

When a bot exhibits dubious behavior, a sequence of clear-cut challenges like parsing JavaScript is sent out to verify authenticity.

Imperva Incapsula refrains from periodic use of CAPTCHA to make sure that legitimate site visitors are not obstructed by CAPTCHA challenges or other inconvenient ‘block’ pages.

Incapsula provides the ability via the Management Console GUI to generate your own security rules which are propagated instantly. This feature grants uncomplicated whitelisting and blacklisting of particular bots and site visitors exhibiting diverse traits. Therefore, custom tuning of policies allows you to control bot traffic to correspond to your precise requirements.

Incapsula’s detailed dashboards provide a quick, accurate live glimpse of all incoming traffic flowing through. Hence, customers can make informed decisions in regards to the type of entities that may access their web properties.

Always Up-To-Date Signatures Protects Against Recent, New, And Emergent Threats

Threats are rapidly recognized by numerous tiers of security rules, managed and updated by a devoted security team. Incapsula’s team of security experts gather traffic data from their comprehensive and worldwide network, allowing the service to rapidly uncover new bot variants and provide patches for bot signatures.

Unique Data Collected From Wide Range Of Customers To Enhance Incapsula Service

Incapsula’s service hinders disturbance to your web application and enhances your site’s performance. Incapsula utilizes crowdsourcing which leads to new threats being detected by mobilizing current data from customers around the globe to better grasp the modern attack landscape which undoubtedly enhances Incapsula’s security. Current threat and intrusion information is drawn on to determine new attack vectors and new attack origins. Imperva’s long-running prominence and dominance in the Web Application Firewall global market is undeniable. Imperva’s reputation for providing best-in-class PCI-compliant WAFs in its wide range of cybersecurity products such as SecureSphere appliances and cloud-based Incapsula entices a broad customer base. Customers range from individuals and small businesses to medium businesses and large enterprises, all of which contribute significant data to the Imperva network for combatting sophisticated adversaries.

An analogy can be made to an Anti-virus enterprise solution like Symantec Endpoint Protection where millions of data points are collected from endpoint customers like financial institutions and governments that contribute to enhancing the AV product. The ability to obtain data from important industries that are frequently targeted by cybercriminals such as the banking sector and federal governments provides security vendors such as Gartner Leader Imperva exclusive information to develop better defensive mechanisms to defeat attempts of data theft. This is what separates Symantec endpoint products from Norton consumer products where Norton AV primarily collects data from ‘ordinary’ everyday consumers. Thus, Imperva’s enterprise consumers and the broad customer base it has strengthen all of its products, as the information it collects from the network leads to a deeper understanding of imminent cyber threats. Of course, the key differentiation for Imperva Incapsula would be an emphasis on web application security.

Verizon’s 2017 Data Breach Investigation Report stated that web applications persisted as the most pervasive vector for data breaches. Thus, application security is imperative since web applications are increasingly being recognized as a common vector and asset affected in a data breach.

Ultimately, Imperva uses the valuable information to establish new signatures that are put into effect across Incapsula’s network. Thus, Incapsula customers are instantly protected by an expeditious and market-leading cloud-based security/CDN service without needing to constantly worry about the evolving attack landscape lurking or having to patch right away during a conflicting time.

Incapsula’s ability to provide protection against freshly detected vulnerabilities is crucial in a global cyber environment that is constantly evolving with new attack vectors being discovered and invented by hackers. At the same time, Incapsula’s service hinders disturbance to your web application and enhances your site’s performance which is always welcomed.

Advanced Persistent Threat Protection

What is an Advanced Persistent Threat? (APT)

Advanced Persistent Threats are essentially complex attack campaigns where an adversary or team of adversaries stealthily enters a network with the goal of extracting highly desired sensitive data.

APTs include successfully compromising your web applications by exploiting their vulnerabilities and launching Distributed Denial of Service (DDoS) smoke screens to divert attention and leave the network intrusion undiscovered.

How Incapsula Protects You From APTs

Imperva Incapsula’s multi-layered security solutions assist you to mitigate the most complex and malicious advanced persistent threat attack campaigns. Incapsula provides a PCI DSS certified Web Application Firewall, Two-Factor Authentication (2FA), and DDoS protection to guard your web servers and web applications against APTs. Incapsula’s security solution fulfills the most demanding enterprise-grade security standards.

Incapsula’s Enterprise-Grade WAF defends against the Open Web Application Security Project (OWASP) most perilous Web Application Security vulnerabilities such as SQLi, XSS, RFI, LFI, and Illegal Resource Access.

Incapsula can block all types of DDoS attacks from being passed on to customer origin servers, which ensures that legitimate web traffic continues flowing through. More information on Incapsula’s DDoS capabilities and offerings can be found here.

Straightforward Implementation Of Two-Factor Authentication For Web Applications

Incapsula recognizes that humans are extremely vulnerable to providing the intruder access to an enterprise’s production environment. Therefore, Incapsula provides Two-Factor Authentication (2FA) for your production environment without having to make any alterations to your code. The GUI permits effortless management of user’s access privileges.

Backdoor Shell Protection

Incapsula’s WAF stops hackers’ attempts to interact with a backdoor web shell, which leads to the shell’s location being disclosed. Furthermore, the WAF is able to discover and halt backdoor install attempts and isolate backdoors that may already have been installed before Incapsula was deployed, which makes the shells futile.

Eliminating the use of backdoor shells is crucial when it comes to preventing advanced persistent threats since they are frequently utilized to establish a tenacious presence within the targeted network.

Ability To Use Incapsula With Other CDNs

The customer has the option to use Incapsula’s security service while continuing to use their current CDN. Incapsula may be deployed in front of your CDN, parallel to your CDN, or behind your CDN. For instance, Incapsula may be placed in front of Sucuri for double application security as I’ve discussed here.

Performance Boost

Clearly, Incapsula’s CDN provides a significant performance boost to the customer’s website as it offers content caching which shouldn’t come as a surprise.

Activation Only Requires DNS Change

Unlike other competitors like Cloudflare or Sucuri, Incapsula doesn’t require you to change your nameservers to use their enterprise-grade service. A mere DNS change is all that is needed to start protecting your applications. No hardware or software alterations are required. Hence, you’ll get to decide which nameservers you want to use without being forced to have another cloud vendor manage the nameservers for you.

Personal Experience

Issues / Potential Limitations

There aren’t any issues, at least for me. However, there are a few things to keep in mind when using Incapsula.

The customer has to take protective measures to block all non-Incapsula IP addresses from accessing their website directly via the web server’s origin IP. If the customer does not do this, Incapsula’s excellent security services can be completely bypassed by a hacker if they discover the server’s public IP address which would permit them to access and exploit the customer’s web applications directly. This isn’t a potential issue with Incapsula, but with Web Application Firewalls in general. Thus, properly configuring your server is necessary to fully benefit from Incapsula’s cloud-based service.

Whitelisting Incapsula IP addresses could be confusing or inconvenient since a non-technical person may not possess the knowledge of correctly doing so and new IPs can be introduced to the Incapsula network at a later time. Nevertheless, Imperva provides a list of updated Incapsula IPs for whitelisting purposes here. Technical people and enterprises with IT staff shouldn’t have any issues concerning the deployment of Incapsula. If deployment and managing are concerns, Imperva provides professional services for the Incapsula WAF.
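
A sketch of the origin lockdown described above, added here as an example and not taken from Imperva or the original review: it flags requests in an origin access log that did not arrive through the WAF's proxy ranges, and renders an nginx allow/deny list from the same ranges. The ranges and log lines are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges from documentation address space
# (RFC 5737 / RFC 3849). Substitute the current list Imperva publishes.
WAF_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]

# Constructed origin access-log lines; the first field is the TCP peer address.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Oct/2017:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [10/Oct/2017:13:55:40 +0000] "GET /login HTTP/1.1" 200 2301
2001:db8::1f - - [10/Oct/2017:13:56:02 +0000] "GET /about HTTP/1.1" 200 1822
not-an-ip - - [10/Oct/2017:13:56:05 +0000] "GET / HTTP/1.1" 400 0
203.0.113.45 - - [10/Oct/2017:13:56:09 +0000] "POST /login HTTP/1.1" 200 310
"""


def parse_networks(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_waf(addr, networks):
    """True if addr falls inside one of the allowlisted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    # A dual-stack listener can report IPv4 peers as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


def direct_hits(log_text, networks):
    """Return (Counter of non-WAF peers, list of unparsable peer fields)."""
    hits, unparsable = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer = line.split(" ", 1)[0]
        try:
            if not is_from_waf(peer, networks):
                hits[peer] += 1
        except ValueError:
            unparsable.append(peer)
    return hits, unparsable


def nginx_allowlist(networks):
    """Render nginx access rules: allow the proxy ranges, deny everything else."""
    rules = [f"allow {net};" for net in networks]
    rules.append("deny all;")
    return "\n".join(rules)


if __name__ == "__main__":
    nets = parse_networks(WAF_RANGES)
    hits, bad = direct_hits(SAMPLE_LOG, nets)
    for peer, count in hits.most_common():
        print(f"direct-to-origin: {peer} ({count} requests)")
    print("unparsable peers:", bad)
    print(nginx_allowlist(nets))
```

The comparison has to use the TCP peer address the origin actually saw; a forwarded-for header is set by the client and cannot be trusted for this check. Regenerate the allowlist whenever the published ranges change, since new proxy IPs would otherwise be denied.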

Default WAF Threat Response Rules

Incapsula provides you the flexibility of establishing how you want their WAF to respond to each type of OWASP threat. Incapsula default threat response rules in settings of the Management Console should be changed to prevent an adversary from repeatedly crafting and sending malicious web requests. Incapsula needs to be properly configured via the GUI, notably the WAF threat response rules.

Default Incapsula WAF settings are merely set to “Block Request” with the Cross-site Scripting rule set to “Alert Only.” To me, this is a security concern and risk. Having malicious requests blocked alone is insufficient from a security perspective since it allows a hacker to send subsequent requests. If the hacker is skilled and sophisticated, he can repeatedly craft and send unlimited attempts of malicious 0-day HTTP/HTTPS requests in an effort to bypass Incapsula’s security protection.

If Incapsula’s WAF approves the hacker’s malicious 0-day request, then the attack is forwarded to your web server which could be potentially dangerous depending on the severity of the attack vector. But a severe attack vector bypassing Incapsula is difficult to conceive as Incapsula has 0-day protection built in like their on-premises Imperva SecureSphere solution.

Nevertheless, it’s a good idea to set all WAF rules to “Block IP” or if you prefer a less aggressive approach, set to “Block User” to prevent the attacker from sending subsequent requests easily. The adversary will need to attack from a new proxy/IP address if more aggressive settings are implemented which would discourage them from continuing due to the inconvenience.

The user’s ability to determine a threat response in Incapsula’s WAF to the various OWASP vulnerabilities is powerful and definitely one of my most favorite features. Setting all threat responses in the WAF to “Block IP” will block any hacker’s IP and frustrate them from continuing. This is a feature that I haven’t seen offered by many other WAF competitors like Cloudflare and Sucuri for instance. The feature alone makes Incapsula worth considering.

A multi-layered approach to security is critical, and Incapsula is a SaaS which assists in achieving that.

Security Advantage When Incapsula Is Implemented And Properly Configured

When the attacker fails to access the site directly via the site’s public IP address, Incapsula poses a big security challenge for the adversary. Since the properly configured origin server rejects HTTP/HTTPS requests not coming from Incapsula, the hacker cannot directly exploit the web application. Any hacker using widely available off-the-shelf hacking tools like SQLmap, Havij, and Acunetix is easily defeated by Incapsula’s WAF protection. It’s a fact that most hackers are utilizing those tools to probe and exploit a site’s web application security.

One of the interesting things I have discovered is that if you attempt to put in any OWASP attack vectors in a blog post without having your IP whitelisted in Incapsula’s GUI, you’ll be instantly blocked by the WAF. For example, if I’m writing an ethical hacking tutorial on XSS and I write in XSS code in a blog post, I’ll be blocked when I’m not whitelisted. I haven’t seen this happen when using Sucuri and Cloudflare’s WAF. Thus, Incapsula is sensitive to these kinds of user behaviors which is great as it reminds the customer of the level of security the WAF provides. After all, the cyber environment is constantly growing to become more complex and uncertain.


As web-based attacks cannot be entirely eliminated, the risk of successful exploits and intrusions may be diminished by enforcing WAFs, 2FA, and cybersecurity training.

Imperva Incapsula should be considered if an individual or organization requires a WAF to be deployed on the edge and when application security is the highest priority and concern. Incapsula combines strong WAF security, swift CDN, and DDoS mitigation solutions into one appealing package at reasonable and flexible prices.

Incapsula is ideal for individuals and enterprises when their threat landscape consists of highly motivated, sophisticated adversaries that are tasked with stealing data and defacing websites. Incapsula helps mitigate those risks drastically, provided that clients appropriately follow the Incapsula customer checklist.

