Major Gaps In Enterprise WAF Coverage Identified
A new study by CyCognito, a leading provider of external attack surface management solutions, has revealed significant deficiencies in web application firewall (WAF) protection across major enterprises. Released on 9 September 2025, the research highlights how more than half of external assets remain unprotected, including those handling sensitive personal data.
Drawing from an analysis of over 500,000 internet-exposed assets belonging to Forbes Global 2000 companies, the findings challenge assumptions about baseline security measures and call for improved visibility and consistency in deployments. Traffic volume indicators were used in the manual sample to gauge usage, providing a layered view of exposure.
Widespread Absence Of WAF Protection
The report paints a concerning picture of uneven coverage by WAFs, which are often regarded as a fundamental layer of defence against common threats such as credential stuffing and injection attacks. CyCognito's analysis found that 52.3% of cloud-hosted assets lack any WAF protection, while the figure rises to 66.4% for assets not hosted in the cloud.
This disparity suggests that traditional on-premises systems are particularly vulnerable, potentially due to legacy management practices.
Researchers attribute these gaps to organisational challenges, including fragmented teams and the absence of a centralised inventory of assets. Many enterprises overlook "unknown unknowns" - assets that exist outside official records - making it difficult to apply protections uniformly.
The study emphasises that without comprehensive visibility, even well-resourced organisations leave critical systems exposed, providing attackers with straightforward entry points.
Vulnerabilities in PII-Handling Assets
Particularly alarming is the exposure of assets that collect personally identifiable information (PII), such as login forms, registration pages, and checkout portals. These high-value targets are prime candidates for reconnaissance and exploitation, yet the research shows substantial lapses in their protection.
In cloud environments, 39.3% of PII-collecting assets operate without WAF safeguards, while 63.4% of off-cloud equivalents are similarly unprotected.
This inconsistency heightens risks to data privacy and compliance, as unprotected PII pages could lead to breaches compromising customer trust and regulatory standing. The report notes that these gaps persist despite the critical nature of such assets, often because security configurations are not standardised across an organisation's sprawling digital footprint.
Fragmented WAF Deployments Across Vendors
Adding to the complexity, the study reveals that enterprises typically manage an average of 12 different WAF products, with a median of 11 and some using over 30. This multiplicity stems from historical procurements, regional variations, and siloed operations, resulting in a patchwork of defences that are hard to coordinate.
Far from enhancing security, this vendor diversity complicates policy enforcement and increases operational costs. Each WAF has unique configurations, leading to inconsistencies that allow assets to fall through the cracks. The report argues that abundance does not equate to effectiveness; instead, it fosters blind spots where protection is assumed but not verified.
In-Depth Analysis Of Global Enterprises
To assess real-world implications, CyCognito conducted a manual review of traffic patterns across a dozen prominent global enterprises in sectors like aviation, retail, finance, and media. The findings were stark: even these industry leaders exhibited unprotected high-traffic applications alongside fully secured flagship systems.
This manual validation separated hypothetical risks from operational realities, confirming that the gaps are not merely theoretical. In several instances, unprotected assets handled significant user interactions, demonstrating that the issue lies in execution rather than in the availability of technology.
Such inconsistencies in large-scale organisations illustrate the pervasive nature of the problem and its potential for widespread impact.
Recommendations For Security Leaders
In response to these findings, the report offers practical guidance for addressing deficiencies. Security executives are urged to conduct thorough reviews of external asset inventories using discovery tools to identify shadow IT and overlooked systems. Once uncovered, assets should be prioritised: protected, remediated, or decommissioned based on business relevance.
Leaders should also evaluate WAF deployments for consolidation, aiming to reduce vendor sprawl and establish unified standards. Treating coverage as an ongoing process - rather than a one-time setup - can help maintain defences amid evolving attack surfaces. The emphasis is on proactive verification to ensure high-value assets, especially those involving PII, receive consistent protection.
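The review the report recommends (inventory external assets, measure WAF coverage by hosting type and PII handling, count distinct WAF products, and order the gaps for action) can be run as a repeatable check over an asset inventory. The following is an added example, not code from the report or from CyCognito; the inventory and the vendor names are constructed, and the fields are assumptions about what a discovery tool would export.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Asset:
    host: str
    cloud: bool          # True if hosted with a cloud provider, False if on-premises
    collects_pii: bool   # login, registration, checkout and similar pages
    waf: Optional[str]   # name of the WAF product fronting the asset, or None

# Constructed sample inventory (hypothetical hosts and vendors, not from the report).
INVENTORY: List[Asset] = [
    Asset("www.example-corp.test", True, False, "VendorA"),
    Asset("login.example-corp.test", True, True, "VendorA"),
    Asset("checkout.example-corp.test", True, True, None),
    Asset("api.example-corp.test", True, False, "VendorB"),
    Asset("portal.example-corp.test", False, True, None),
    Asset("intranet-legacy.example-corp.test", False, False, None),
    Asset("careers.example-corp.test", False, True, "VendorC"),
    Asset("cdn-assets.example-corp.test", True, False, None),
]

def unprotected_share(assets, cloud=None, pii_only=False):
    """Fraction of assets with no WAF, optionally restricted to one hosting type
    and to PII-collecting assets; mirrors the report's cloud/off-cloud split."""
    pool = [a for a in assets
            if (cloud is None or a.cloud == cloud) and (not pii_only or a.collects_pii)]
    if not pool:
        return 0.0
    return sum(1 for a in pool if a.waf is None) / len(pool)

def vendor_count(assets):
    """Number of distinct WAF products in use (the report's vendor-sprawl measure)."""
    return len({a.waf for a in assets if a.waf})

def triage(assets):
    """Unprotected assets in action order: PII-handling first, then off-cloud first."""
    gaps = [a for a in assets if a.waf is None]
    return sorted(gaps, key=lambda a: (not a.collects_pii, a.cloud, a.host))

if __name__ == "__main__":
    for label, cloud in (("cloud", True), ("off-cloud", False)):
        print(f"{label}: {unprotected_share(INVENTORY, cloud):.1%} unprotected, "
              f"{unprotected_share(INVENTORY, cloud, pii_only=True):.1%} of PII assets unprotected")
    print("distinct WAF products:", vendor_count(INVENTORY))
    for a in triage(INVENTORY):
        print("ACTION:", a.host, "pii" if a.collects_pii else "non-pii",
              "cloud" if a.cloud else "on-prem")
```

Re-running the check on each inventory export turns coverage into the ongoing process the report asks for, and the triage order puts PII pages ahead of everything else.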
Implications For Cyber Security
The report concludes by stressing the importance of shared knowledge in building resilience. WAFs are vital, but their value depends on informed, uniform application. CyCognito's insights highlight the ongoing battle against dynamic threats, where continuous discovery and community collaboration are key.
As attack surfaces expand, collective efforts to close gaps will be essential in safeguarding data and operations. This research serves as a timely reminder that assumptions about security can be costly, prompting organisations to prioritise visibility and consistency in their strategies.