Web Application Firewall

Incapsula's enterprise-grade PCI-certified Web Application Firewall (WAF) ensures that your website or application is always secure and available. Based on Imperva’s industry-leading technology and experience and using a "Security as a Service" approach, Incapsula's security experts manage and update the WAF 24x7 to ensure that you are always protected against new and emerging threats. Incapsula's WAF can be set up and configured within a matter of minutes by changing your website's DNS setting.



Protection against OWASP Vulnerabilities

Incapsula’s Enterprise-level WAF protects against the most critical web application security risks identified by the Open Web Application Security Project (OWASP), such as:

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application.

Cross-Site Scripting (XSS)

Cross-site scripting is a web application attack that exploits vulnerabilities on a visitor's browser, often leading to data theft and potential installation of malicious software on visitors' computers.

Illegal Resource Access

Illegal resource access is a web application attack used to access restricted resources and sensitive pages on your web server.

Remote File Inclusion

Remote file inclusion allows an attacker to include a remote file, usually through a script on the web server. Attackers use this type of attack to steal information and even crash your website.

PCI-Certification & Reporting

Incapsula’s WAF is certified by the PCI Security Standards Council. It delivers cost-effective compliance with PCI DSS requirement 6.6 without any hardware or software installation and without changes to your web application.

Incapsula protects you from liabilities and non-compliance penalties, while protecting your customers' sensitive data from exposure on your site.

Incapsula’s PCI compliance report audits security rules configuration changes and periodically reports on your compliance with PCI 6.6 requirements.


Customer-Specific Threat Policy Management

Each security rule can be configured specifically according to the customer’s blocking policy (block request, block IP, block session or block log only).


Exception Handling and False Positive Tuning

The security policy can be fine-tuned to address specific URLs, fields, IP addresses and countries. Powerful access control capabilities enable you to define exceptions and minimize false positives.


Detailed Threat Analysis

Incapsula provides you with a detailed analysis of every threat posed to your website, including IP address, user agent, location, and other pertinent session information.


IncapRules - Custom Security Rules

Incapsula’s custom security rules allow you to apply your organization’s security policy within Incapsula’s Web Application Firewall by configuring a variety of rule triggers and adding different rule actions.


Incapsula uses crowdsourcing techniques to improve the security of the entire network of websites on the service. Any attack against a website protected by Incapsula is recorded and published throughout the network. All other websites are immediately protected from the malicious source and the attack technique.

Why online businesses choose Incapsula's Web Application Firewall

Enterprise-grade security

Incapsula’s unmatched security capabilities, customization options and reporting analytics are used by the world's most security-conscious businesses, such as financial institutions, government agencies and trading platforms.

Security as a service

Incapsula monitors and detects threats for thousands of websites, is subjected to hundreds of penetration tests and millions of attacks every day, and constantly updates the WAF with the latest threat vectors and vulnerability remediation.

Decades of experience

As a spin-off of Imperva, Incapsula’s WAF threat detection models leverage Imperva’s vast experience and best practices, gained over the past eight years of leading the WAF market.

Activated by simple DNS change

No hardware or software installation, integration or changes to the website.

Dedicated Security Research Team

Continuous monitoring and policy tuning by world-class security experts.

Business Continuity

Dynamic profiling and application-aware technologies minimize false positives and protect against emerging threats.